SpringSecurity
入坑第一步:内存的权限验证与授权
构建依赖 pom.xml
<?xml version="1.0" encoding="UTF-8"?>
<project xmlns="http://maven.apache.org/POM/4.0.0"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
<modelVersion>4.0.0</modelVersion>
<groupId>com.shaojie.authority</groupId>
<artifactId>authority</artifactId>
<version>1.0-SNAPSHOT</version>
<parent>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-parent</artifactId>
<version>2.2.0.RELEASE</version>
<relativePath/>
</parent>
<properties>
<java.version>1.8</java.version>
<maven.compiler.source>${java.version}</maven.compiler.source>
<maven.compiler.target>${java.version}</maven.compiler.target>
<project.build.sourceEncoding>UTF-8</project.build.sourceEncoding>
<project.reporting.outputEncoding>UTF-8</project.reporting.outputEncoding>
<spring-cloud.version>Hoxton.RC1</spring-cloud.version>
</properties>
<!--管理依赖-->
<dependencyManagement>
<dependencies>
<dependency>
<groupId>org.springframework.cloud</groupId>
<artifactId>spring-cloud-dependencies</artifactId>
<version>Hoxton.RC1</version>
<type>pom</type>
<scope>import</scope>
</dependency>
</dependencies>
</dependencyManagement>
<dependencies>
<!--lombok-->
<dependency>
<groupId>org.projectlombok</groupId>
<artifactId>lombok</artifactId>
</dependency>
<dependency>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-web</artifactId>
</dependency>
<dependency>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-test</artifactId>
</dependency>
<dependency>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-thymeleaf</artifactId>
</dependency>
<!-- Spring Security -->
<dependency>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-security</artifactId>
</dependency>
<!--spring-data-jpa-->
<dependency>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-data-jpa</artifactId>
</dependency>
<!--lombok-->
<dependency>
<groupId>org.projectlombok</groupId>
<artifactId>lombok</artifactId>
</dependency>
<!-- mysql -->
<dependency>
<groupId>mysql</groupId>
<artifactId>mysql-connector-java</artifactId>
</dependency>
<!-- druid 连接池 -->
<dependency>
<groupId>com.alibaba</groupId>
<artifactId>druid</artifactId>
<version>1.1.21</version>
</dependency>
</dependencies>
<build>
<plugins>
<plugin>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-maven-plugin</artifactId>
</plugin>
</plugins>
</build>
</project>
构建权限验证
package com.shaojie.authority.security;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
/**
* @author ShaoJie
* @Date 2019/10/25
*/
@Configuration
// 启动 SpringSecurity 的过滤器链
@EnableWebSecurity
public class SpringSecurityConfig extends WebSecurityConfigurerAdapter {
@Bean
public BCryptPasswordEncoder passwordEncoder() {
return new BCryptPasswordEncoder();
}
/**
* 授权
*
* @param auth
* @throws Exception
*/
// 代替配置文件 <security:authentication-manager></security:authentication-manager>
@Override
protected void configure(AuthenticationManagerBuilder auth) throws Exception {
// 老版本的角色设置 在 springboot 2.0 以后 不能这样设置
// auth.inMemoryAuthentication()
// .withUser("shaojie").password("123456")
// .authorities("PRODUCT_ADD");
// inMemoryAuthentication 内存验证
auth.inMemoryAuthentication()
.passwordEncoder(passwordEncoder())
.withUser("shaojie")
.password(passwordEncoder().encode("123456"))
// .roles("PRODUCT_ADD","PRODUCT_LIST");
// authorities 和 roles 都是设置权限 这里使用 roles 不能访问 403
.authorities("PRODUCT_ADD", "PRODUCT_LIST");
}
/**
* 验证
*
* @param http
* @throws Exception
*/
// 代替配置文件 <security:http></security:http>
@Override
protected void configure(HttpSecurity http) throws Exception {
http.authorizeRequests()
// antMatchers 设置拦截的请求 hasAnyAuthority 设置所拥有的角色访问权限
.antMatchers("/product/add").hasAnyAuthority("PRODUCT_ADD")
.antMatchers("/product/update").hasAnyAuthority("PRODUCT_UPDATE")
.antMatchers("/product/list").hasAnyAuthority("PRODUCT_LIST")
.antMatchers("/product/delete").hasAnyAuthority("PRODUCT_DELETE")
// permitAll 所有的权限都能访问
.antMatchers("/login").permitAll()
.antMatchers("/**")
// fullyAuthenticated 不允许匿名用户查看
.fullyAuthenticated()
.and()
// httpbasic 登录
// .httpBasic();
// 表单登录 登录请求的页面
.formLogin().loginPage("/login")
// 修改 spring 提供的 默认登陆参数
// .usernameParameter("name")
// .passwordParameter("password")
.and()
// 开启记住我功能
.rememberMe()
.and()
// 开启登出
.logout()
.and()
// 禁用跨域的保护
.csrf().disable();
}
}
构建错误页面配置
验证没有权限时跳转
package com.shaojie.authority.security;
import org.springframework.boot.web.server.ConfigurableWebServerFactory;
import org.springframework.boot.web.server.ErrorPage;
import org.springframework.boot.web.server.WebServerFactoryCustomizer;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.http.HttpStatus;
/**
* @author ShaoJie
* @Date 2019/10/25
*/
@Configuration
public class ErrorPageConfig {
// 使用 WebServerFactoryCustomizer 接口替换 EmbeddedServletContainerCustomizer 组件完成对嵌入式Servlet容器的配置
@Bean
public WebServerFactoryCustomizer<ConfigurableWebServerFactory> webServerFactoryCustomizer(){
return new WebServerFactoryCustomizer<ConfigurableWebServerFactory>() {
@Override
public void customize(ConfigurableWebServerFactory factory) {
factory.addErrorPages(new ErrorPage(HttpStatus.FORBIDDEN,"/403"));
}
};
}
}
login.html
<!DOCTYPE html>
<html lang="en" xmlns:th="http://www.thymeleaf.org">
<head>
<meta charset="UTF-8">
<title>Title</title>
</head>
<body>
<h2>登录页面</h2>
<form th:action="@{/userlogin}" method="post">
账号:<input type="text" name="username"><br>
密码:<input type="password" name="password"><br>
<button type="submit">登录</button>
</form>
</body>
</html>
值得注意一下这里的<input>
的属性name
官方源码 写的很清楚 默认就是 username
和 password
* protected void configure(HttpSecurity http) throws Exception {
* http.authorizeRequests().antMatchers("/**").hasRole("USER").and().formLogin()
* .usernameParameter("username") // default is username
* .passwordParameter("password") // default is password
* .loginPage("/authentication/login") // default is /login with an HTTP get
* .failureUrl("/authentication/login?failed") // default is /login?error
* .loginProcessingUrl("/authentication/login/process"); // default is /login
* // with an HTTP
* // post
* }
index.html
<!DOCTYPE html>
<html lang="en">
<head>
<meta charset="UTF-8">
<title>我的页面</title>
</head>
<body>
以下是网站的功能 <br>
<a href="" th:href="@{product/add}">商品的添加</a><br>
<a href="" th:href="@{product/update}">商品修改</a><br>
<a href="" th:href="@{product/list}">商品的查询</a><br>
<a href="" th:href="@{product/delete}">商品的删除</a>
</body>
</html>
403.html
<!DOCTYPE html>
<html lang="en">
<head>
<meta charset="UTF-8">
<title>错误页面</title>
</head>
<body>
你没有权限访问
</body>
</html>
add.html
<!DOCTYPE html>
<html lang="en">
<head>
<meta charset="UTF-8">
<title>产品的增加</title>
</head>
<body>
产品的增加
</body>
</html>
delete.html
<!DOCTYPE html>
<html lang="en">
<head>
<meta charset="UTF-8">
<title>产品的删除</title>
</head>
<body>
产品的删除
</body>
</html>
list.html
<!DOCTYPE html>
<html lang="en">
<head>
<meta charset="UTF-8">
<title>产品的查询</title>
</head>
<body>
产品的查询
</body>
</html>
update.html
<!DOCTYPE html>
<html lang="en">
<head>
<meta charset="UTF-8">
<title>产品的修改</title>
</head>
<body>
产品的修改
</body>
</html>
整体使用内存做授权验证, 后续整理基于JDBC
做权限授权,整体一套下来的话,基本上对于springsecurity
有一个基本的了解,入坑第一步建议以基础入手,大部分的配置建议查看官方源码 ,对于登出以及记住密码,细节在 源码HttpSecurity
类中有详细说明,这里不做过多的说明。只提供基础的Demo
示例
喜欢编程的,请关注我的博客https://www.lzmvlog.top/