SpringSecurity 入坑第一步:内存的权限验证与受权
构建依赖 pom.xml
<?xml version=”1.0″ encoding=”UTF-8″?>
<project xmlns=”http://maven.apache.org/POM/4.0.0″
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
<modelVersion>4.0.0</modelVersion>
<groupId>com.shaojie.authority</groupId>
<artifactId>authority</artifactId>
<version>1.0-SNAPSHOT</version>
<parent>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-parent</artifactId>
<version>2.2.0.RELEASE</version>
<relativePath/>
</parent>
<properties>
<java.version>1.8</java.version>
<maven.compiler.source>${java.version}</maven.compiler.source>
<maven.compiler.target>${java.version}</maven.compiler.target>
<project.build.sourceEncoding>UTF-8</project.build.sourceEncoding>
<project.reporting.outputEncoding>UTF-8</project.reporting.outputEncoding>
<spring-cloud.version>Hoxton.RC1</spring-cloud.version>
</properties>
<!-- 治理依赖 -->
<dependencyManagement>
<dependencies>
<dependency>
<groupId>org.springframework.cloud</groupId>
<artifactId>spring-cloud-dependencies</artifactId>
<version>Hoxton.RC1</version>
<type>pom</type>
<scope>import</scope>
</dependency>
</dependencies>
</dependencyManagement>
<dependencies>
<!--lombok-->
<dependency>
<groupId>org.projectlombok</groupId>
<artifactId>lombok</artifactId>
</dependency>
<dependency>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-web</artifactId>
</dependency>
<dependency>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-test</artifactId>
</dependency>
<dependency>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-thymeleaf</artifactId>
</dependency>
<!-- Spring Security -->
<dependency>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-security</artifactId>
</dependency>
<!--spring-data-jpa-->
<dependency>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-data-jpa</artifactId>
</dependency>
<!--lombok-->
<dependency>
<groupId>org.projectlombok</groupId>
<artifactId>lombok</artifactId>
</dependency>
<!-- mysql -->
<dependency>
<groupId>mysql</groupId>
<artifactId>mysql-connector-java</artifactId>
</dependency>
<!-- druid 连接池 -->
<dependency>
<groupId>com.alibaba</groupId>
<artifactId>druid</artifactId>
<version>1.1.21</version>
</dependency>
</dependencies>
<build>
<plugins>
<plugin>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-maven-plugin</artifactId>
</plugin>
</plugins>
</build>
</project>
构建权限验证
package com.shaojie.authority.security;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
/**
- @author ShaoJie
- @Date 2019/10/25
*/
@Configuration
// 启动 SpringSecurity 的过滤器链
@EnableWebSecurity
public class SpringSecurityConfig extends WebSecurityConfigurerAdapter {
@Bean
public BCryptPasswordEncoder passwordEncoder() {return new BCryptPasswordEncoder();
}
/**
* 受权
*
* @param auth
* @throws Exception
*/
// 代替配置文件 <security:authentication-manager></security:authentication-manager>
@Override
protected void configure(AuthenticationManagerBuilder auth) throws Exception {// 老版本的角色设置 在 springboot 2.0 当前 不能这样设置
// auth.inMemoryAuthentication()
// .withUser(“shaojie”).password(“123456”)
// .authorities(“PRODUCT_ADD”);
// inMemoryAuthentication 内存验证
auth.inMemoryAuthentication()
.passwordEncoder(passwordEncoder())
.withUser("shaojie")
.password(passwordEncoder().encode("123456"))
// .roles("PRODUCT_ADD","PRODUCT_LIST");
// authorities 和 roles 都是设置权限 这里应用 roles 不能拜访 403
.authorities("PRODUCT_ADD", "PRODUCT_LIST");
}
/**
* 验证
*
* @param http
* @throws Exception
*/
// 代替配置文件 <security:http></security:http>
@Override
protected void configure(HttpSecurity http) throws Exception {http.authorizeRequests()
// antMatchers 设置拦挡的申请 hasAnyAuthority 设置所领有的角色拜访权限
.antMatchers("/product/add").hasAnyAuthority("PRODUCT_ADD")
.antMatchers("/product/update").hasAnyAuthority("PRODUCT_UPDATE")
.antMatchers("/product/list").hasAnyAuthority("PRODUCT_LIST")
.antMatchers("/product/delete").hasAnyAuthority("PRODUCT_DELETE")
// permitAll 所有的权限都能拜访
.antMatchers("/login").permitAll()
.antMatchers("/**")
// fullyAuthenticated 不容许匿名用户查看
.fullyAuthenticated()
.and()
// httpbasic 登录
// .httpBasic();
// 表单登录 登录申请的页面
.formLogin().loginPage("/login")
// 批改 spring 提供的 默认登陆参数
// .usernameParameter("name")
// .passwordParameter("password")
.and()
// 开启记住我性能
.rememberMe()
.and()
// 开启登出
.logout()
.and()
// 禁用跨域的爱护
.csrf().disable();
}
}
构建谬误页面配置
验证没有权限时跳转
package com.shaojie.authority.security;
import org.springframework.boot.web.server.ConfigurableWebServerFactory;
import org.springframework.boot.web.server.ErrorPage;
import org.springframework.boot.web.server.WebServerFactoryCustomizer;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.http.HttpStatus;
/**
- @author ShaoJie
- @Date 2019/10/25
*/
@Configuration
public class ErrorPageConfig {
// 应用 WebServerFactoryCustomizer 接口替换 EmbeddedServletContainerCustomizer 组件实现对嵌入式 Servlet 容器的配置
@Bean
public WebServerFactoryCustomizer<ConfigurableWebServerFactory> webServerFactoryCustomizer(){return new WebServerFactoryCustomizer<ConfigurableWebServerFactory>() {
@Override
public void customize(ConfigurableWebServerFactory factory) {factory.addErrorPages(new ErrorPage(HttpStatus.FORBIDDEN,"/403"));
}
};
}
}
login.html
<!DOCTYPE html>
<html lang=”en” xmlns:th=”http://www.thymeleaf.org”>
<head>
<meta charset="UTF-8">
<title>Title</title>
</head>
<body>
<h2> 登录页面 </h2>
<form th:action="@{/userlogin}" method="post">
账号:<input type="text" name="username"><br>
明码:<input type="password" name="password"><br>
<button type="submit"> 登录 </button>
</form>
</body>
</html>
值得注意一下这里的 <input> 的属性 name
官网源码 写的很分明 默认就是 username 和 password
* protected void configure(HttpSecurity http) throws Exception {* http.authorizeRequests().antMatchers("/**").hasRole("USER").and().formLogin()
* .usernameParameter("username") // default is username
* .passwordParameter("password") // default is password
* .loginPage("/authentication/login") // default is /login with an HTTP get
* .failureUrl("/authentication/login?failed") // default is /login?error
* .loginProcessingUrl("/authentication/login/process"); // default is /login
* // with an HTTP
* // post
* }
index.html
<!DOCTYPE html>
<html lang=”en”>
<head>
<meta charset="UTF-8">
<title> 我的页面 </title>
</head>
<body>
以下是网站的性能
<a href=""th:href="@{product/add}"> 商品的增加 </a><br>
<a href=""th:href="@{product/update}"> 商品批改 </a><br>
<a href=""th:href="@{product/list}"> 商品的查问 </a><br>
<a href=""th:href="@{product/delete}"> 商品的删除 </a>
</body>
</html>
403.html
<!DOCTYPE html>
<html lang=”en”>
<head>
<meta charset="UTF-8">
<title> 谬误页面 </title>
</head>
<body>
你没有权限拜访
</body>
</html>
add.html
<!DOCTYPE html>
<html lang=”en”>
<head>
<meta charset="UTF-8">
<title> 产品的减少 </title>
</head>
<body>
产品的减少
</body>
</html>
delete.html
<!DOCTYPE html>
<html lang=”en”>
<head>
<meta charset="UTF-8">
<title> 产品的删除 </title>
</head>
<body>
产品的删除
</body>
</html>
list.html
<!DOCTYPE html>
<html lang=”en”>
<head>
<meta charset="UTF-8">
<title> 产品的查问 </title>
</head>
<body>
产品的查问
</body>
</html>
update.html
<!DOCTYPE html>
<html lang=”en”>
<head>
<meta charset="UTF-8">
<title> 产品的批改 </title>
</head>
<body>
产品的批改
</body>
</html>
整体应用内存做受权验证,后续整顿基于 JDBC 做权限受权,整体一套下来的话,基本上对于 springsecurity 有一个根本的理解,入坑第一步倡议以根底动手,大部分的配置倡议查看官网源码,对于登出以及记住明码,细节在 源码 HttpSecurity 类中有具体阐明,这里不做过多的阐明。只提供根底的 Demo 示例
喜爱编程的,请关注我的博客 https://www.lzmvlog.top/