您好,登錄后才能下訂單哦!
Spring-Security框架學習總結
前提:在做演示之前,我們先創建項目,并將項目導入IDE
測試項目是否運行成功,成功后進行正式開始學習
一.Case1:只要能登錄即可
目標:我們在訪問項目是訪問index可以直接進入,不需要攔截,訪問其他路徑是需要進行登錄驗證,并且允許登錄用戶注銷和使用表單進行登錄,不攔截前臺js,css,image等文件,我們在內存中設置了一個admin用戶,可以進行登錄
直接上代碼(代碼中會有注釋):
SecuDemoApplication:
package com.dhtt.security.SecuDemo;
import org.springframework.boot.SpringApplication;
import org.springframework.boot.autoconfigure.EnableAutoConfiguration;
import org.springframework.boot.autoconfigure.SpringBootApplication;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.RestController;
@SpringBootApplication
@RestController
@EnableAutoConfiguration
public class SecuDemoApplication {
public static void main(String[] args) {
SpringApplication.run(SecuDemoApplication.class, args);
}
@RequestMapping("/index")
public String hello() {
return "hello Spring boot....";
}
@RequestMapping("/home")
public String home() {
return "this my home....";
}
}
SpringSecruityConfig:
package com.dhtt.security.SecuDemo;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.builders.WebSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
@Configuration
@EnableWebSecurity
public class SpringSecruityConfig extends WebSecurityConfigurerAdapter{
/**
* HTTP請求攔截處理
*/
@Override
protected void configure(HttpSecurity http) throws Exception {
http.authorizeRequests()
.antMatchers("/index").permitAll() //主路徑直接請求
.anyRequest().authenticated() //請他請求都要驗證
.and()
.logout().permitAll() //允許注銷
.and()
.formLogin(); //允許表單登錄
http.csrf().disable(); //關閉csrf的認證
}
/**
* 處理前端文件,攔截忽略
*/
@Override
public void configure(WebSecurity web) throws Exception {
web.ignoring().antMatchers("/js/**","/css/**","/image/**");
}
/**
* 設置內存中的用戶admin
*/
@Override
protected void configure(AuthenticationManagerBuilder auth) throws Exception {
auth.inMemoryAuthentication().withUser("admin").password("123456").roles("ADMIN");
}
}
然后我們啟動項目,在前臺訪問路徑
(1)訪問http://localhost:8080/index成功
(2)訪問http://localhost:8080/home:
我們發現前臺會為我們跳轉到登錄界面,接下來我們進行登錄驗證,我們發現登錄界面沒有跳轉,證明登錄失敗,此時我們觀察后臺
發現后臺報錯
(3)報錯問題解決:原因是spring boot的版本和Spring Security的版本問題,我們需要提供一個PasswordEncorder實例
MyPasswordEncoder:
package com.dhtt.security.SecuDemo;
import org.springframework.security.crypto.password.PasswordEncoder;
public class MyPasswordEncoder implements PasswordEncoder{
@Override
public String encode(CharSequence rawPassword) {
return rawPassword.toString();
}
@Override
public boolean matches(CharSequence rawPassword, String encodedPassword) {
return encodedPassword.equals(rawPassword);
}
}
SpringSecruityConfig中修改部分:
/**
* 設置內存中的用戶admin
*/
@Override
protected void configure(AuthenticationManagerBuilder auth) throws Exception {
auth.inMemoryAuthentication().passwordEncoder(new MyPasswordEncoder())
.withUser("admin").password("123456").roles("ADMIN");
}
現在再次運行項目訪問/home,我們發現登錄成功,頁面成功訪問
Case2:有指定的角色,每個角色都有指定的權限
(1)目標:我們新增一個USER,對于ADMIN權限可以訪問所有地址,但是user的權限規定其不能訪問/roleAuth,代碼:
SpringSecruityConfig中修改部分:
/**
* 設置內存中的用戶admin
*/
@Override
protected void configure(AuthenticationManagerBuilder auth) throws Exception {
auth.inMemoryAuthentication().passwordEncoder(new MyPasswordEncoder())
.withUser("admin").password("haha1996").roles("ADMIN");
auth.inMemoryAuthentication().passwordEncoder(new MyPasswordEncoder())
.withUser("zhangsan").password("123456").roles("ADMIN");
auth.inMemoryAuthentication().passwordEncoder(new MyPasswordEncoder())
.withUser("username1").password("password").roles("USER");
}
SecuDemoApplication:這里我們添加了新的注解
package com.dhtt.security.SecuDemo;
import org.springframework.boot.SpringApplication;
import org.springframework.boot.autoconfigure.EnableAutoConfiguration;
import org.springframework.boot.autoconfigure.SpringBootApplication;
import org.springframework.security.access.prepost.PreAuthorize;
import org.springframework.security.config.annotation.method.configuration.EnableGlobalMethodSecurity;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.RestController;
@SpringBootApplication
@RestController
@EnableAutoConfiguration
@EnableGlobalMethodSecurity(prePostEnabled=true)
public class SecuDemoApplication {
public static void main(String[] args) {
SpringApplication.run(SecuDemoApplication.class, args);
}
@RequestMapping("/index")
public String hello() {
return "hello Spring boot....";
}
@RequestMapping("/home")
public String home() {
return "this my home....";
}
@RequestMapping("/roleAuth")
@PreAuthorize("hasRole('ROLE_ADMIN')")
public String role() {
return "HELLO SPRING SECURITY....";
}
}
經測試運行結果與我們的預期相同,我們使用admin進行登錄,地址均可訪問,當我們使用user進行登錄時,我們發現/roleAuth路徑訪問失敗,沒有權限
待續。。。
免責聲明:本站發布的內容(圖片、視頻和文字)以原創、轉載和分享為主,文章觀點不代表本網站立場,如果涉及侵權請聯系站長郵箱:is@yisu.com進行舉報,并提供相關證據,一經查實,將立刻刪除涉嫌侵權內容。