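A Java Beginner's Learning Path, personal blog: youngljx.top
Spring Boot Security Management with Spring Security
Because it builds on Spring Boot's auto-configuration, Spring Security is a better fit than Shiro for security management in a Spring Boot project.
Basic configuration
1. Basic usage: add the dependency, and every resource in the project is protected by default.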
<dependency>
    <groupId>org.springframework.boot</groupId>
    <artifactId>spring-boot-starter-security</artifactId>
</dependency>
2. Configure a username and password directly; once these are set, a random password is no longer generated. Example:
spring.security.user.name=ljx
spring.security.user.password=123
spring.security.user.roles=admin
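3. In-memory authentication, a simple example:
@Bean
PasswordEncoder passwordEncoder() {
    // NoOpPasswordEncoder compares passwords as plain text; it is used here only to keep the example simple.
    return NoOpPasswordEncoder.getInstance();
}
@Override
protected void configure(AuthenticationManagerBuilder auth) throws Exception {
    // Register two in-memory users with different roles.
    auth.inMemoryAuthentication()
            .withUser("ljx")
            .password("123")
            .roles("admin")
            .and()
            .withUser("dage")
            .password("123")
            .roles("user");
}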
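The detailed configuration for the login form, logout, and password encryption is covered below.
Database-backed authentication and dynamic permission configuration
1. The database table model is as follows:
Note that the role names stored in the role table must be prefixed with ROLE_. If they are not, make the following change:
The user entity class implements the UserDetails interface and overrides its methods.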
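import lombok.Data;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.authority.SimpleGrantedAuthority;
import org.springframework.security.core.userdetails.UserDetails;

import java.util.ArrayList;
import java.util.Collection;
import java.util.List;

@Data
public class User implements UserDetails {
    private Integer id;
    private String username;
    private String password;
    private Boolean enabled;
    private Boolean locked;
    private List<Role> roles;

    // Convert the user's roles into the authorities Spring Security checks.
    @Override
    public Collection<? extends GrantedAuthority> getAuthorities() {
        List<SimpleGrantedAuthority> authorities = new ArrayList<>();
        for (Role role : roles) {
            // If the role names in the database lack the ROLE_ prefix, use:
            // "ROLE_" + role.getName()
            authorities.add(new SimpleGrantedAuthority(role.getName()));
        }
        return authorities;
    }

    @Override
    public String getUsername() {
        return username;
    }

    // Account expiry is not tracked, so the account never expires.
    @Override
    public boolean isAccountNonExpired() {
        return true;
    }

    // The table stores "locked", so invert it.
    @Override
    public boolean isAccountNonLocked() {
        return !locked;
    }

    // Credential expiry is not tracked either.
    @Override
    public boolean isCredentialsNonExpired() {
        return true;
    }

    @Override
    public boolean isEnabled() {
        return enabled;
    }

    @Override
    public String getPassword() {
        return password;
    }
}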
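The ROLE_ prefix note above, as an added example that is not part of the original post: a mapper that adds the prefix only when the stored role name lacks it, next to a check showing why an unprefixed authority does not satisfy a role check. `RoleAuthorityMapper` and its local `hasRole` helper are hypothetical names; `hasRole` is a simplified stand-in for Spring Security's role check, and the role names are constructed sample data. It assumes spring-security-core on the classpath and Java 9 or later.

```java
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.authority.SimpleGrantedAuthority;

import java.util.Collection;
import java.util.LinkedHashSet;
import java.util.List;
import java.util.Set;

// Added example: hypothetical helper, not code from the original post.
public class RoleAuthorityMapper {

    private static final String ROLE_PREFIX = "ROLE_"; // Spring Security's default role prefix

    // Turn role names as stored in the role table into authorities,
    // adding the prefix only when it is missing so "ROLE_admin" is not doubled.
    public static Set<GrantedAuthority> toAuthorities(Collection<String> roleNames) {
        Set<GrantedAuthority> authorities = new LinkedHashSet<>();
        for (String name : roleNames) {
            if (name == null || name.trim().isEmpty()) {
                continue; // skip empty rows instead of granting a bare "ROLE_"
            }
            String trimmed = name.trim();
            authorities.add(new SimpleGrantedAuthority(
                    trimmed.startsWith(ROLE_PREFIX) ? trimmed : ROLE_PREFIX + trimmed));
        }
        return authorities;
    }

    // Simplified stand-in (assumption): a role check for "x" looks for the authority "ROLE_x".
    static boolean hasRole(Collection<? extends GrantedAuthority> granted, String role) {
        return granted.stream().anyMatch(a -> (ROLE_PREFIX + role).equals(a.getAuthority()));
    }

    public static void main(String[] args) {
        // Constructed sample rows: one unprefixed, one already prefixed, one blank.
        List<String> fromDb = List.of("admin", "ROLE_user", " ");

        // Authority built straight from an unprefixed name, as
        // new SimpleGrantedAuthority(role.getName()) would produce it.
        Set<GrantedAuthority> raw = Set.of(new SimpleGrantedAuthority("admin"));
        System.out.println("raw satisfies role admin: " + hasRole(raw, "admin"));

        Set<GrantedAuthority> mapped = toAuthorities(fromDb);
        System.out.println("mapped authorities: " + mapped);
        System.out.println("mapped satisfies role admin: " + hasRole(mapped, "admin"));
        System.out.println("mapped satisfies role user: " + hasRole(mapped, "user"));
    }
}
```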
Define UserService, which implements UserDetailsService
@Service