1、讲之前,希望先记住这几个类:
WebSecurityConfigurerAdapter:自定义Security策略
AuthenticationManagerBuilder:自定义认证策略
@EnableWebSecurity:开启WebSecurity模式
需要页面资源可以到我的主页下载,免费的:https://download.csdn.net/download/aaa123_456aaa/52593283
接下来就是老规矩,引入依赖:
pom.xml
<dependencies>
<dependency>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-web</artifactId>
</dependency>
<dependency>
<groupId>org.thymeleaf</groupId>
<artifactId>thymeleaf-spring5</artifactId>
</dependency>
<dependency>
<groupId>org.thymeleaf.extras</groupId>
<artifactId>thymeleaf-extras-java8time</artifactId>
</dependency>
<dependency>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-security</artifactId>
</dependency>
<dependency>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-test</artifactId>
<scope>test</scope>
</dependency>
</dependencies>
项目结构:
application.properties
# 关闭游览器缓存
spring.thymeleaf.cache=false
RouterController.java
package com.wlm.controller;
import org.springframework.stereotype.Controller;
import org.springframework.web.bind.annotation.PathVariable;
import org.springframework.web.bind.annotation.RequestMapping;
@Controller
public class RouterController {
@RequestMapping({"/","/index"})
public String index(){
return "index";
}
@RequestMapping("/toLogin")
public String toLogin(){
return "views/login";
}
@RequestMapping("/level1/{id}")
public String level1(@PathVariable("id") int id){
return "views/level1/"+id;
}
@RequestMapping("/level2/{id}")
public String level2(@PathVariable("id") int id){
return "views/level2/"+id;
}
@RequestMapping("/level3/{id}")
public String level3(@PathVariable("id") int id){
return "views/level3/"+id;
}
}
SecurityConfig.java
package com.wlm.config;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
//利用Aop的思想
@EnableWebSecurity
public class SecurityConfig extends WebSecurityConfigurerAdapter {
//这个是授权
@Override
protected void configure(HttpSecurity http) throws Exception {
//首页所有人都可以访问,功能页只有对应有权限的人才能访问
//请求授权的规则:
http.authorizeRequests()
.antMatchers("/").permitAll()
.antMatchers("/level1/**").hasRole("vip1")
.antMatchers("/level2/**").hasRole("vip2")
.antMatchers("/level3/**").hasRole("vip3");
//没有权限默认会到登陆页面,需要开启登陆的页面
http.formLogin();
}
//这个是认证,springboot是 2.1.**版本是可以直接使用的
//密码编码:PasswordEncoder
//在spring security 5.0+ 新增了很多加密方法,如果你不加密,他就不让你用
@Override
protected void configure(AuthenticationManagerBuilder auth) throws Exception {
//这些数据正常应该在数据库中取,但我们没有连接数据库,直接在内存里面认证
auth.inMemoryAuthentication().passwordEncoder(new BCryptPasswordEncoder())
.withUser("xianyu").password(new BCryptPasswordEncoder().encode("123456")).roles("vip2","vip3")
.and()
.withUser("root").password(new BCryptPasswordEncoder().encode("123456")).roles("vip1","vip2","vip3")
.and()
.withUser("guest").password(new BCryptPasswordEncoder().encode("123456")).roles("vip1");
}
}
测试一下:
随便点一个等级,就会跳到登陆页面:
我们有三个人物权限,分别是:
账号xianyu 密码123456 (可以访问level2,level3)
账号root 密码123456 (可以访问level1,level2,level3)
账号guest 密码123456 (只能访问level1)
那我们就试一个xianyu吧:
这个时候我们点击level 2-1:
就能进去对应的功能界面:
当我们点击level 1-1:
就可以看见,我们访问不了,因为没有权限: