SpringSecurity权限认证(一)
导入依赖
<!-- Spring Security starter for Spring Boot. No <version> is given here; presumably it is managed by the Spring Boot parent/BOM (confirm in the full pom.xml). -->
<dependency>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-security</artifactId>
</dependency>
设置数据库配置
# Datasource settings for a MySQL instance on localhost (schema "ds").
# NOTE(review): this connects as the MySQL root account with a trivial password kept in plain text.
# Outside a local demo, use a dedicated least-privilege database account and supply the password
# from the environment or a secrets store rather than from this file.
spring.datasource.driver-class-name = com.mysql.cj.jdbc.Driver
# NOTE(review): the URL sets no TLS-related parameters; review this before pointing it at a remote host.
spring.datasource.url= jdbc:mysql://localhost:3306/ds
spring.datasource.username = root
spring.datasource.password= root
security配置
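自己编写一个security配置类,继承WebSecurityConfigurerAdapter,并重写其中的configure方法来配置相关信息。注意:WebSecurityConfigurerAdapter自Spring Security 5.7起已被标记为废弃,并在6.0中移除;新版本需改用声明SecurityFilterChain等Bean的方式进行配置。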
重写第一个方法
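/**
 * Lists the request paths that bypass the Spring Security filter chain entirely.
 *
 * <p>Requests matching these patterns are not authenticated, and none of the chain's other
 * filters run for them, so the list should stay limited to genuinely public content such as
 * static resources.
 *
 * @param web builder used to register the ignored request patterns
 * @throws Exception declared by the overridden method
 */
@Override
public void configure(WebSecurity web) throws Exception {
    web.ignoring().antMatchers(
            // Static assets.
            "/css/**",
            "/js/**",
            // Ant patterns are matched against a request path that starts with "/", so the
            // original "favicon.ico" (no leading slash) could never match.
            "/favicon.ico",
            // NOTE(review): WebJars are conventionally served under "/webjars/**"; confirm that
            // "/webjar/**" is the path this project really uses.
            "/webjar/**",
            // NOTE(review): these Swagger endpoints describe the API to unauthenticated clients;
            // restrict or disable them outside development.
            "/swagger-resources/**",
            "/v2/api-docs/**",
            // NOTE(review): these two are dynamic endpoints, not static files. ignoring() also
            // skips the security response headers and CSRF handling for them; permitAll() in
            // configure(HttpSecurity) would open them while keeping the filter chain active.
            "/verifyCode",
            "/test"
    );
}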
访问/test:该路径在上面的忽略列表中,不经过认证,访问成功
访问/test1:该路径不在忽略列表中,未登录时访问失败,跳到登录界面
重写第二个方法
/**
 * Defines the HTTP-level access rules: every request must come from an authenticated user.
 *
 * <p>No per-role or per-path rules are declared here, and this method configures neither
 * formLogin() nor httpBasic(), so it does not itself define how a user signs in.
 *
 * @param http the HTTP security builder to configure
 * @throws Exception declared by the overridden method
 */
@Override
protected void configure(HttpSecurity http) throws Exception {
    // Any request that reaches the filter chain requires authentication.
    http.authorizeRequests().anyRequest().authenticated();

    // Cache-control response headers.
    http.headers().cacheControl();

    // NOTE(review): CSRF protection is switched off. That is only appropriate when clients
    // authenticate with something the browser does not attach automatically (for example a
    // token sent in a header); with cookie-based sessions it should stay enabled.
    http.csrf().disable();
}
重写第三个方法
/**
 * Exposes the password encoder as a Spring bean.
 *
 * @return a BCrypt-based {@link PasswordEncoder}
 */
@Bean
public PasswordEncoder passwordEncoder() {
    PasswordEncoder bcrypt = new BCryptPasswordEncoder();
    return bcrypt;
}
/**
 * Registers the accounts that may log in: user name, password and roles.
 *
 * <p>The accounts could be loaded from the database; here a single account is declared
 * directly in code and held in memory.
 *
 * @param auth builder that collects the authentication sources
 * @throws Exception declared by the overridden method
 */
@Override
protected void configure(AuthenticationManagerBuilder auth) throws Exception {
    // Encoder used to hash the password before it is stored.
    BCryptPasswordEncoder encoder = new BCryptPasswordEncoder();

    // NOTE(review): "123" is a walkthrough credential; a hard-coded, guessable password
    // should be replaced before this configuration is used anywhere real.
    String hashedPassword = encoder.encode("123");

    // Account "user" with role "User"; only the BCrypt hash of the password is kept.
    auth.inMemoryAuthentication()
            .withUser("user")
            .password(hashedPassword)
            .roles("User");
}
SecurityConfig代码如下:
package com.bep.server.config.security;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.builders.WebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
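/**
 * Spring Security configuration.
 *
 * <p>Declares which paths skip the security filter chain and keeps the framework's default
 * HTTP rules for every other request.
 */
@Configuration
public class SecurityConfig extends WebSecurityConfigurerAdapter {

    /**
     * Lists the request paths that bypass the Spring Security filter chain entirely.
     *
     * <p>Requests matching these patterns are not authenticated, and none of the chain's other
     * filters run for them, so the list should stay limited to genuinely public content such
     * as static resources.
     *
     * @param web builder used to register the ignored request patterns
     * @throws Exception declared by the overridden method
     */
    @Override
    public void configure(WebSecurity web) throws Exception {
        web.ignoring().antMatchers(
                // Static assets.
                "/css/**",
                "/js/**",
                // Ant patterns are matched against a request path that starts with "/", so the
                // original "favicon.ico" (no leading slash) could never match.
                "/favicon.ico",
                // NOTE(review): WebJars are conventionally served under "/webjars/**"; confirm
                // that "/webjar/**" is the path this project really uses.
                "/webjar/**",
                // NOTE(review): these Swagger endpoints describe the API to unauthenticated
                // clients; restrict or disable them outside development.
                "/swagger-resources/**",
                "/v2/api-docs/**",
                // NOTE(review): dynamic endpoints rather than static files; ignoring() also
                // skips the security response headers and CSRF handling for them.
                "/verifyCode",
                "/test"
        );
    }

    /**
     * Configures the HTTP-level access rules.
     *
     * <p>Custom rules are not written yet, so this delegates to the adapter's default
     * configuration (every request authenticated, form login, HTTP basic). Overriding the
     * method with an empty body would drop those defaults and leave every non-ignored path
     * reachable without logging in.
     *
     * @param http the HTTP security builder to configure
     * @throws Exception declared by the overridden method
     */
    @Override
    protected void configure(HttpSecurity http) throws Exception {
        super.configure(http);
    }
}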
SecurityConfig配置类整体代码:
package com.bep.server.config.security;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.builders.WebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
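/**
 * Spring Security configuration.
 *
 * <p>Registers one in-memory account, lists the paths that skip the security filter chain,
 * and requires authentication for every other request except {@code /login}.
 */
@Configuration
public class SecurityConfig extends WebSecurityConfigurerAdapter {

    /**
     * Registers the accounts that may log in: user name, password and roles.
     *
     * <p>The accounts could be loaded from the database; here a single account is declared
     * directly in code and held in memory.
     *
     * @param auth builder that collects the authentication sources
     * @throws Exception declared by the overridden method
     */
    @Override
    protected void configure(AuthenticationManagerBuilder auth) throws Exception {
        // The original stored the raw string "123" and configured no encoder. On Spring
        // Security 5.x a stored password without an encoder id is rejected at login, and a
        // plain-text password should not be kept in any case. Hash it with BCrypt and tell
        // the in-memory store to verify with the same encoder.
        BCryptPasswordEncoder encoder = new BCryptPasswordEncoder();

        // NOTE(review): "123" is a walkthrough credential; replace the hard-coded, guessable
        // password before this configuration is used anywhere real.
        auth.inMemoryAuthentication()
                .passwordEncoder(encoder)
                .withUser("user")
                .password(encoder.encode("123"))
                .roles("User");
    }

    /**
     * Lists the request paths that bypass the Spring Security filter chain entirely.
     *
     * <p>Requests matching these patterns are not authenticated, and none of the chain's other
     * filters run for them, so the list should stay limited to genuinely public content such
     * as static resources.
     *
     * @param web builder used to register the ignored request patterns
     * @throws Exception declared by the overridden method
     */
    @Override
    public void configure(WebSecurity web) throws Exception {
        web.ignoring().antMatchers(
                // Static assets.
                "/css/**",
                "/js/**",
                // Ant patterns are matched against a request path that starts with "/", so the
                // original "favicon.ico" and "doc.html" (no leading slash) could never match.
                "/favicon.ico",
                // NOTE(review): WebJars are conventionally served under "/webjars/**"; confirm
                // that "/webjar/**" is the path this project really uses.
                "/webjar/**",
                // NOTE(review): these API-documentation endpoints (and /doc.html below) describe
                // the API to unauthenticated clients; restrict or disable them outside development.
                "/swagger-resources/**",
                "/v2/api-docs/**",
                // NOTE(review): dynamic endpoints rather than static files; ignoring() also
                // skips the security response headers and CSRF handling for them.
                "/verifyCode",
                "/test",
                "/doc.html"
        );
    }

    /**
     * Configures the HTTP-level access rules: {@code /login} is open to everyone and every
     * other request must come from an authenticated user.
     *
     * @param http the HTTP security builder to configure
     * @throws Exception declared by the overridden method
     */
    @Override
    protected void configure(HttpSecurity http) throws Exception {
        // NOTE(review): /login is permitted, but neither formLogin() nor httpBasic() is set up
        // in this method; confirm that a handler for /login is provided elsewhere.
        http.authorizeRequests()
                .antMatchers("/login")
                .permitAll()
                .anyRequest()
                .authenticated()
                .and()
                .headers()
                .cacheControl();
        // CSRF protection is left at its default (enabled): csrf().disable() is deliberately
        // not called here.
    }
}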