乐趣区

关于springboot:SpringSecurity入坑一

SpringSecurity 入坑第一步:内存的权限验证与受权
构建依赖 pom.xml
<?xml version=”1.0″ encoding=”UTF-8″?>
<project xmlns=”http://maven.apache.org/POM/4.0.0″

     xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
     xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
<modelVersion>4.0.0</modelVersion>

<groupId>com.shaojie.authority</groupId>
<artifactId>authority</artifactId>
<version>1.0-SNAPSHOT</version>

<parent>
    <groupId>org.springframework.boot</groupId>
    <artifactId>spring-boot-starter-parent</artifactId>
    <version>2.2.0.RELEASE</version>
    <relativePath/>
</parent>

<properties>
    <java.version>1.8</java.version>
    <maven.compiler.source>${java.version}</maven.compiler.source>
    <maven.compiler.target>${java.version}</maven.compiler.target>
    <project.build.sourceEncoding>UTF-8</project.build.sourceEncoding>
    <project.reporting.outputEncoding>UTF-8</project.reporting.outputEncoding>
    <spring-cloud.version>Hoxton.RC1</spring-cloud.version>
</properties>

<!-- 治理依赖 -->
<dependencyManagement>
    <dependencies>
        <dependency>
            <groupId>org.springframework.cloud</groupId>
            <artifactId>spring-cloud-dependencies</artifactId>
            <version>Hoxton.RC1</version>
            <type>pom</type>
            <scope>import</scope>
        </dependency>
    </dependencies>
</dependencyManagement>

<dependencies>
    <!--lombok-->
    <dependency>
        <groupId>org.projectlombok</groupId>
        <artifactId>lombok</artifactId>
    </dependency>
    <dependency>
        <groupId>org.springframework.boot</groupId>
        <artifactId>spring-boot-starter-web</artifactId>
    </dependency>
    <dependency>
        <groupId>org.springframework.boot</groupId>
        <artifactId>spring-boot-starter-test</artifactId>
    </dependency>
    <dependency>
        <groupId>org.springframework.boot</groupId>
        <artifactId>spring-boot-starter-thymeleaf</artifactId>
    </dependency>

    <!-- Spring Security -->
    <dependency>
        <groupId>org.springframework.boot</groupId>
        <artifactId>spring-boot-starter-security</artifactId>
    </dependency>
    <!--spring-data-jpa-->
    <dependency>
        <groupId>org.springframework.boot</groupId>
        <artifactId>spring-boot-starter-data-jpa</artifactId>
    </dependency>
    <!--lombok-->
    <dependency>
        <groupId>org.projectlombok</groupId>
        <artifactId>lombok</artifactId>
    </dependency>
    <!-- mysql -->
    <dependency>
        <groupId>mysql</groupId>
        <artifactId>mysql-connector-java</artifactId>
    </dependency>
    <!-- druid 连接池 -->
    <dependency>
        <groupId>com.alibaba</groupId>
        <artifactId>druid</artifactId>
        <version>1.1.21</version>
    </dependency>
</dependencies>

<build>
    <plugins>
        <plugin>
            <groupId>org.springframework.boot</groupId>
            <artifactId>spring-boot-maven-plugin</artifactId>
        </plugin>
    </plugins>
</build>

</project>
构建权限验证
package com.shaojie.authority.security;

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;

/**

  • @author ShaoJie
  • @Date 2019/10/25
    */

@Configuration
// 启动 SpringSecurity 的过滤器链
@EnableWebSecurity
public class SpringSecurityConfig extends WebSecurityConfigurerAdapter {

@Bean
public BCryptPasswordEncoder passwordEncoder() {return new BCryptPasswordEncoder();
}

/**
 * 受权
 *
 * @param auth
 * @throws Exception
 */
// 代替配置文件 <security:authentication-manager></security:authentication-manager>
@Override
protected void configure(AuthenticationManagerBuilder auth) throws Exception {// 老版本的角色设置 在  springboot 2.0 当前 不能这样设置

// auth.inMemoryAuthentication()
// .withUser(“shaojie”).password(“123456”)
// .authorities(“PRODUCT_ADD”);

    // inMemoryAuthentication 内存验证
    auth.inMemoryAuthentication()
            .passwordEncoder(passwordEncoder())
            .withUser("shaojie")
            .password(passwordEncoder().encode("123456"))
            // .roles("PRODUCT_ADD","PRODUCT_LIST");
            // authorities 和 roles 都是设置权限 这里应用 roles 不能拜访 403
            .authorities("PRODUCT_ADD", "PRODUCT_LIST");

}

/**
 * 验证
 *
 * @param http
 * @throws Exception
 */
// 代替配置文件 <security:http></security:http>
@Override
protected void configure(HttpSecurity http) throws Exception {http.authorizeRequests()
            // antMatchers 设置拦挡的申请  hasAnyAuthority 设置所领有的角色拜访权限
            .antMatchers("/product/add").hasAnyAuthority("PRODUCT_ADD")
            .antMatchers("/product/update").hasAnyAuthority("PRODUCT_UPDATE")
            .antMatchers("/product/list").hasAnyAuthority("PRODUCT_LIST")
            .antMatchers("/product/delete").hasAnyAuthority("PRODUCT_DELETE")
            // permitAll 所有的权限都能拜访
            .antMatchers("/login").permitAll()
            .antMatchers("/**")
            // fullyAuthenticated 不容许匿名用户查看
            .fullyAuthenticated()
            .and()
            // httpbasic 登录
            // .httpBasic();
            // 表单登录 登录申请的页面
            .formLogin().loginPage("/login")
            // 批改 spring 提供的 默认登陆参数
            // .usernameParameter("name")
            // .passwordParameter("password")
            .and()
            // 开启记住我性能
            .rememberMe()
            .and()
            // 开启登出
            .logout()
            .and()
            // 禁用跨域的爱护
            .csrf().disable();
}

}

构建谬误页面配置
验证没有权限时跳转

package com.shaojie.authority.security;

import org.springframework.boot.web.server.ConfigurableWebServerFactory;
import org.springframework.boot.web.server.ErrorPage;
import org.springframework.boot.web.server.WebServerFactoryCustomizer;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.http.HttpStatus;

/**

  • @author ShaoJie
  • @Date 2019/10/25
    */

@Configuration
public class ErrorPageConfig {

// 应用 WebServerFactoryCustomizer 接口替换 EmbeddedServletContainerCustomizer 组件实现对嵌入式 Servlet 容器的配置
@Bean
public WebServerFactoryCustomizer<ConfigurableWebServerFactory> webServerFactoryCustomizer(){return new WebServerFactoryCustomizer<ConfigurableWebServerFactory>() {
        @Override
        public void customize(ConfigurableWebServerFactory factory) {factory.addErrorPages(new ErrorPage(HttpStatus.FORBIDDEN,"/403"));
        }
    };
}

}

login.html
<!DOCTYPE html>
<html lang=”en” xmlns:th=”http://www.thymeleaf.org”>
<head>

<meta charset="UTF-8">
<title>Title</title>

</head>
<body>

<h2> 登录页面 </h2>
<form th:action="@{/userlogin}" method="post">
    账号:<input type="text" name="username"><br>
    明码:<input type="password" name="password"><br>
    <button type="submit"> 登录 </button>
</form>

</body>
</html>
值得注意一下这里的 <input> 的属性 name

官网源码 写的很分明 默认就是 username 和 password

 * protected void configure(HttpSecurity http) throws Exception {*         http.authorizeRequests().antMatchers(&quot;/**&quot;).hasRole(&quot;USER&quot;).and().formLogin()
 *                 .usernameParameter(&quot;username&quot;) // default is username
 *                 .passwordParameter(&quot;password&quot;) // default is password
 *                 .loginPage(&quot;/authentication/login&quot;) // default is /login with an HTTP get
 *                 .failureUrl(&quot;/authentication/login?failed&quot;) // default is /login?error
 *                 .loginProcessingUrl(&quot;/authentication/login/process&quot;); // default is /login
 *                                                                         // with an HTTP
 *                                                                         // post
 *     }

index.html
<!DOCTYPE html>
<html lang=”en”>
<head>

<meta charset="UTF-8">
<title> 我的页面 </title>

</head>
<body>
以下是网站的性能

<a href=""th:href="@{product/add}"> 商品的增加 </a><br>
<a href=""th:href="@{product/update}"> 商品批改 </a><br>
<a href=""th:href="@{product/list}"> 商品的查问 </a><br>
<a href=""th:href="@{product/delete}"> 商品的删除 </a>

</body>
</html>
403.html
<!DOCTYPE html>
<html lang=”en”>
<head>

<meta charset="UTF-8">
<title> 谬误页面 </title>

</head>
<body>

你没有权限拜访

</body>
</html>
add.html
<!DOCTYPE html>
<html lang=”en”>
<head>

<meta charset="UTF-8">
<title> 产品的减少 </title>

</head>
<body>

产品的减少

</body>
</html>
delete.html
<!DOCTYPE html>
<html lang=”en”>
<head>

<meta charset="UTF-8">
<title> 产品的删除 </title>

</head>
<body>

产品的删除

</body>
</html>

list.html
<!DOCTYPE html>
<html lang=”en”>
<head>

<meta charset="UTF-8">
<title> 产品的查问 </title>

</head>
<body>

产品的查问

</body>
</html>
update.html
<!DOCTYPE html>
<html lang=”en”>
<head>

<meta charset="UTF-8">
<title> 产品的批改 </title>

</head>
<body>

产品的批改

</body>
</html>
整体应用内存做受权验证,后续整顿基于 JDBC 做权限受权,整体一套下来的话,基本上对于 springsecurity 有一个根本的理解,入坑第一步倡议以根底动手,大部分的配置倡议查看官网源码,对于登出以及记住明码,细节在 源码 HttpSecurity 类中有具体阐明,这里不做过多的阐明。只提供根底的 Demo 示例

喜爱编程的,请关注我的博客 https://www.lzmvlog.top/

退出移动版