Spring Boot ：Security+thymeleaf

1、首先是构造Spring Boot 基本的架构，之后需要添加几个其余的文件

请参考 使用STS 构建 Spring Boot 项目

2、所有文件添加完毕之后结构

红色方框内的内容为新增或者有修改。

Spring boot 默认静态文件在src/main/java/static下

前台页面文件默认在 src/main/resources/templates 下

报错默认访问/error，所以需要自己写error.html 

3、静态css文件

main.css

@CHARSET "UTF-8";
body {
    font-family: sans;
    font-size: 1em;
}

p.error {
    font-weight: bold;
    color: red;
}

div.logout {
    float: right;
}

4、前台页面文件

error.html

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
        "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml"
      xmlns:th="http://www.thymeleaf.org"
      xmlns:sec="http://www.thymeleaf.org/thymeleaf-extras-springsecurity4">
<head>
    <meta charset="UTF-8"/>
    <title>出错了</title>
</head>
<body>
<h1>报错了</h1>
</body>
</html>

index.html

<!DOCTYPE html>
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:th="http://www.thymeleaf.org" xmlns:sec="http://www.thymeleaf.org/thymeleaf-extras-springsecurity4">
    <head>
        <title>Hello Spring Security</title>
        <meta charset="utf-8" />
        <link rel="stylesheet" href="/css/main.css" th:href="@{/css/main.css}" />
    </head>
    <body>
        <div th:fragment="logout" class="logout" sec:authorize="isAuthenticated()">
            Logged in user: <span sec:authentication="name"></span> |
            Roles: <span sec:authentication="principal.authorities"></span>
            <div>
                <form action="#" th:action="@{/logout}" method="post">
                    <input type="submit" value="Logout" />
                </form>
            </div>
        </div>
        <h1>Hello Spring Security</h1>
        <p>This is an unsecured page, but you can access the secured pages after authenticating.</p>
        <ul>
            <li>Go to the <a href="/user/index" th:href="@{/user/index}">secured pages</a></li>
        </ul>
    </body>
</html>

login.html

<!DOCTYPE html>
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:th="http://www.thymeleaf.org">
    <head>
        <title>Login page</title>
        <meta charset="utf-8" />
        <link rel="stylesheet" href="/css/main.css" th:href="@{/css/main.css}" />
	</head>
    <body>
        <h1>Login page</h1>
        <p>Example user: user / password</p>
        <p th:if="${loginError}" class="error">Wrong user or password</p>
        <form th:action="@{/login}" method="post">
            <label for="username">Username</label>:
            <input type="text" id="username" name="username" autofocus="autofocus" /> <br />
            <label for="password">Password</label>:
            <input type="password" id="password" name="password" /> <br />
            <input type="submit" value="Log in" />
        </form>
        <p><a href="/index" th:href="@{/index}">Back to home page</a></p>
    </body>
</html>

user/index.html

<!DOCTYPE html>
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:th="http://www.thymeleaf.org">
    <head>
        <title>Hello Spring Security</title>
        <meta charset="utf-8" />
        <link rel="stylesheet" href="/css/main.css" th:href="@{/css/main.css}" />
    </head>
    <body>
        <div th:substituteby="index::logout"></div>
        <h1>This is a secured page!</h1>
        <p><a href="/index" th:href="@{/index}">Back to home page</a></p>
    </body>
</html>

5、配置日志打印

application.properties

logging.level.org.springframework.security=DEBUG

6、权限配置 WebSecurityConfig.java

需要说明的是，本例限定了登录名和密码，以及权限。没有加密措施，页不支持动态权限，代码还是比较容易看懂的。

com.bestcxx.stu.springbootsecurity.security.config 下 WebSecurityConfig.java

package com.bestcxx.stu.springbootsecurity.security.config;

import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;


@Configuration
@EnableWebSecurity
public class WebSecurityConfig extends WebSecurityConfigurerAdapter {
	
		@Override
		protected void configure(HttpSecurity http) throws Exception {
			http.authorizeRequests()
				.antMatchers("/css/**", "/index").permitAll()//无需权限即可访问的路径
				.antMatchers("/user/**").hasRole("USER")//需要权限才可以访问的路径
				.and()
				.formLogin().loginPage("/login").failureUrl("/login-error");//登陆页面和失败登陆页面
		}
		
		@Autowired
		public void configureGlobal(AuthenticationManagerBuilder auth) throws Exception {
			auth.inMemoryAuthentication()
				.withUser("user")//登陆验证用户名
				.password("password")//登陆验证密码
				.roles("USER");//使用该用户名和密码赋予的角色为 USER
		}
		
}

7、controller类的编写

com.bestcxx.stu.springbootsecurity.controller 包下 HomeController.java

package com.bestcxx.stu.springbootsecurity.controller;

import org.springframework.stereotype.Controller;
import org.springframework.ui.Model;
import org.springframework.web.bind.annotation.RequestMapping;

@Controller
public class HomeController {
	
	//默认页
	@RequestMapping("/")
	public String root() {
		return "redirect:/index";
	}

	//默认页
	@RequestMapping("/index")
	public String index() {
		return "index";
	}

	//用户登陆成功页-如果未登陆返回登陆页，否则返回登陆成功页
	@RequestMapping("/user/index")
	public String userIndex() {
		return "user/index";
	}

	//登陆页
	@RequestMapping("/login")
	public String login() {
		return "login";
	}

	//登陆失败
	@RequestMapping("/login-error")
	public String loginError(Model model) {
		model.addAttribute("loginError", true);
		return "login";
	}
	
}