SpringSecurity入坑第一步:内存的权限验证与受权
构建依赖 pom.xml
<?xml version="1.0" encoding="UTF-8"?>
<project xmlns="http://maven.apache.org/POM/4.0.0"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd"><modelVersion>4.0.0</modelVersion><groupId>com.shaojie.authority</groupId><artifactId>authority</artifactId><version>1.0-SNAPSHOT</version><parent> <groupId>org.springframework.boot</groupId> <artifactId>spring-boot-starter-parent</artifactId> <version>2.2.0.RELEASE</version> <relativePath/></parent><properties> <java.version>1.8</java.version> <maven.compiler.source>${java.version}</maven.compiler.source> <maven.compiler.target>${java.version}</maven.compiler.target> <project.build.sourceEncoding>UTF-8</project.build.sourceEncoding> <project.reporting.outputEncoding>UTF-8</project.reporting.outputEncoding> <spring-cloud.version>Hoxton.RC1</spring-cloud.version></properties><!--治理依赖--><dependencyManagement> <dependencies> <dependency> <groupId>org.springframework.cloud</groupId> <artifactId>spring-cloud-dependencies</artifactId> <version>Hoxton.RC1</version> <type>pom</type> <scope>import</scope> </dependency> </dependencies></dependencyManagement><dependencies> <!--lombok--> <dependency> <groupId>org.projectlombok</groupId> <artifactId>lombok</artifactId> </dependency> <dependency> <groupId>org.springframework.boot</groupId> <artifactId>spring-boot-starter-web</artifactId> </dependency> <dependency> <groupId>org.springframework.boot</groupId> <artifactId>spring-boot-starter-test</artifactId> </dependency> <dependency> <groupId>org.springframework.boot</groupId> <artifactId>spring-boot-starter-thymeleaf</artifactId> </dependency> <!-- Spring Security --> <dependency> <groupId>org.springframework.boot</groupId> <artifactId>spring-boot-starter-security</artifactId> </dependency> <!--spring-data-jpa--> <dependency> <groupId>org.springframework.boot</groupId> <artifactId>spring-boot-starter-data-jpa</artifactId> </dependency> <!--lombok--> <dependency> <groupId>org.projectlombok</groupId> <artifactId>lombok</artifactId> </dependency> <!-- mysql --> <dependency> <groupId>mysql</groupId> <artifactId>mysql-connector-java</artifactId> </dependency> <!-- druid 连接池 --> <dependency> <groupId>com.alibaba</groupId> <artifactId>druid</artifactId> <version>1.1.21</version> </dependency></dependencies><build> <plugins> <plugin> <groupId>org.springframework.boot</groupId> <artifactId>spring-boot-maven-plugin</artifactId> </plugin> </plugins></build>
</project>
构建权限验证
package com.shaojie.authority.security;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
/**
- @author ShaoJie
- @Date 2019/10/25
*/
@Configuration
// 启动 SpringSecurity 的过滤器链
@EnableWebSecurity
public class SpringSecurityConfig extends WebSecurityConfigurerAdapter {
@Beanpublic BCryptPasswordEncoder passwordEncoder() { return new BCryptPasswordEncoder();}/** * 受权 * * @param auth * @throws Exception */// 代替配置文件 <security:authentication-manager></security:authentication-manager>@Overrideprotected void configure(AuthenticationManagerBuilder auth) throws Exception { // 老版本的角色设置 在 springboot 2.0 当前 不能这样设置
// auth.inMemoryAuthentication()
// .withUser("shaojie").password("123456")
// .authorities("PRODUCT_ADD");
// inMemoryAuthentication 内存验证 auth.inMemoryAuthentication() .passwordEncoder(passwordEncoder()) .withUser("shaojie") .password(passwordEncoder().encode("123456")) // .roles("PRODUCT_ADD","PRODUCT_LIST"); // authorities 和 roles 都是设置权限 这里应用 roles 不能拜访 403 .authorities("PRODUCT_ADD", "PRODUCT_LIST");}/** * 验证 * * @param http * @throws Exception */// 代替配置文件 <security:http></security:http>@Overrideprotected void configure(HttpSecurity http) throws Exception { http.authorizeRequests() // antMatchers 设置拦挡的申请 hasAnyAuthority 设置所领有的角色拜访权限 .antMatchers("/product/add").hasAnyAuthority("PRODUCT_ADD") .antMatchers("/product/update").hasAnyAuthority("PRODUCT_UPDATE") .antMatchers("/product/list").hasAnyAuthority("PRODUCT_LIST") .antMatchers("/product/delete").hasAnyAuthority("PRODUCT_DELETE") // permitAll 所有的权限都能拜访 .antMatchers("/login").permitAll() .antMatchers("/**") // fullyAuthenticated 不容许匿名用户查看 .fullyAuthenticated() .and() // httpbasic 登录 // .httpBasic(); // 表单登录 登录申请的页面 .formLogin().loginPage("/login") // 批改 spring 提供的 默认登陆参数 // .usernameParameter("name") // .passwordParameter("password") .and() // 开启记住我性能 .rememberMe() .and() // 开启登出 .logout() .and() // 禁用跨域的爱护 .csrf().disable();}
}
构建谬误页面配置
验证没有权限时跳转
package com.shaojie.authority.security;
import org.springframework.boot.web.server.ConfigurableWebServerFactory;
import org.springframework.boot.web.server.ErrorPage;
import org.springframework.boot.web.server.WebServerFactoryCustomizer;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.http.HttpStatus;
/**
- @author ShaoJie
- @Date 2019/10/25
*/
@Configuration
public class ErrorPageConfig {
// 应用 WebServerFactoryCustomizer 接口替换 EmbeddedServletContainerCustomizer 组件实现对嵌入式Servlet容器的配置@Beanpublic WebServerFactoryCustomizer<ConfigurableWebServerFactory> webServerFactoryCustomizer(){ return new WebServerFactoryCustomizer<ConfigurableWebServerFactory>() { @Override public void customize(ConfigurableWebServerFactory factory) { factory.addErrorPages(new ErrorPage(HttpStatus.FORBIDDEN,"/403")); } };}
}
login.html
<!DOCTYPE html>
<html lang="en" xmlns:th="http://www.thymeleaf.org">
<head>
<meta charset="UTF-8"><title>Title</title>
</head>
<body>
<h2>登录页面</h2><form th:action="@{/userlogin}" method="post"> 账号:<input type="text" name="username"><br> 明码:<input type="password" name="password"><br> <button type="submit">登录</button></form>
</body>
</html>
值得注意一下这里的<input>的属性name
官网源码 写的很分明 默认就是 username 和 password
* protected void configure(HttpSecurity http) throws Exception { * http.authorizeRequests().antMatchers("/**").hasRole("USER").and().formLogin() * .usernameParameter("username") // default is username * .passwordParameter("password") // default is password * .loginPage("/authentication/login") // default is /login with an HTTP get * .failureUrl("/authentication/login?failed") // default is /login?error * .loginProcessingUrl("/authentication/login/process"); // default is /login * // with an HTTP * // post * }
index.html
<!DOCTYPE html>
<html lang="en">
<head>
<meta charset="UTF-8"><title>我的页面</title>
</head>
<body>
以下是网站的性能
<a href="" th:href="@{product/add}">商品的增加</a><br><a href="" th:href="@{product/update}">商品批改</a><br><a href="" th:href="@{product/list}">商品的查问</a><br><a href="" th:href="@{product/delete}">商品的删除</a>
</body>
</html>
403.html
<!DOCTYPE html>
<html lang="en">
<head>
<meta charset="UTF-8"><title>谬误页面</title>
</head>
<body>
你没有权限拜访
</body>
</html>
add.html
<!DOCTYPE html>
<html lang="en">
<head>
<meta charset="UTF-8"><title>产品的减少</title>
</head>
<body>
产品的减少
</body>
</html>
delete.html
<!DOCTYPE html>
<html lang="en">
<head>
<meta charset="UTF-8"><title>产品的删除</title>
</head>
<body>
产品的删除
</body>
</html>
list.html
<!DOCTYPE html>
<html lang="en">
<head>
<meta charset="UTF-8"><title>产品的查问</title>
</head>
<body>
产品的查问
</body>
</html>
update.html
<!DOCTYPE html>
<html lang="en">
<head>
<meta charset="UTF-8"><title>产品的批改</title>
</head>
<body>
产品的批改
</body>
</html>
整体应用内存做受权验证, 后续整顿基于JDBC 做权限受权,整体一套下来的话,基本上对于springsecurity有一个根本的理解,入坑第一步倡议以根底动手,大部分的配置倡议查看官网源码 ,对于登出以及记住明码,细节在 源码HttpSecurity类中有具体阐明,这里不做过多的阐明。只提供根底的Demo示例
喜爱编程的,请关注我的博客https://www.lzmvlog.top/