第一次使用Springboot权限管理Spring security时,使用 inMemoryAuthentication(内存)用户验证时,控制台报错:
原因分析:有些 Spring Security 5.X 版本没有提供默认的 PasswordEncoder 实例,不再以明文方式匹配密码,因此会报错。
解决:
1.创建PasswordEncoder的实现类MyPasswordEncoder.class:
package Encode;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import org.springframework.security.crypto.password.PasswordEncoder;
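public class MyPasswordEncoder implements PasswordEncoder {
    /**
     * Returns the raw password unchanged: this encoder keeps passwords in
     * plaintext. It exists only to satisfy Spring Security 5's requirement
     * for a PasswordEncoder so the in-memory demo users can log in. Anything
     * beyond a local demo should use a hashing encoder such as
     * {@code BCryptPasswordEncoder} instead.
     *
     * @param charSequence the password as submitted
     * @return the same characters as a String
     */
    @Override
    public String encode(CharSequence charSequence) {
        return charSequence.toString();
    }

    /**
     * Compares the submitted password with the stored (plaintext) one.
     *
     * @param charSequence the password submitted by the user
     * @param s            the stored password
     * @return true only if both are non-null and byte-for-byte identical
     */
    @Override
    public boolean matches(CharSequence charSequence, String s) {
        // The original called s.equals(...), which throws NPE when the stored
        // value is null; a missing stored password must simply not match.
        if (charSequence == null || s == null) {
            return false;
        }
        // MessageDigest.isEqual runs in constant time, so the comparison does
        // not reveal through timing how many leading characters matched.
        return MessageDigest.isEqual(
                s.getBytes(StandardCharsets.UTF_8),
                charSequence.toString().getBytes(StandardCharsets.UTF_8));
    }
}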
2.在内存用户中添加passwordEncoder(new MyPasswordEncoder()):
package com.example.demo;
import Encode.MyPasswordEncoder;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.builders.WebSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
@Configuration
@EnableWebSecurity
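public class SpringSecurity extends WebSecurityConfigurerAdapter {
    /**
     * Registers the demo users for this group in memory, with their
     * passwords and roles.
     *
     * <p>Without {@code .passwordEncoder(new MyPasswordEncoder())} the form
     * submission is no longer matched in plaintext under Spring Security 5
     * and login fails with an error. MyPasswordEncoder stores passwords in
     * plaintext: acceptable for a local demo, but real deployments should
     * hash passwords (e.g. BCryptPasswordEncoder) and not hard-code them.
     *
     * @param auth the builder the users are added to
     * @throws Exception propagated from the builder
     */
    @Override
    protected void configure(AuthenticationManagerBuilder auth) throws Exception {
        // One in-memory user store for both users: the original called
        // inMemoryAuthentication() twice, registering two separate providers.
        auth.inMemoryAuthentication()
                .passwordEncoder(new MyPasswordEncoder())
                .withUser("admin").password("123456").roles("ADMIN")
                .and()
                .withUser("major").password("1234560").roles("USER");
    }

    /**
     * Defines the access rules: "/" and logout are public, form login is not
     * intercepted, every other request requires authentication.
     *
     * @param http the HTTP security builder
     * @throws Exception propagated from the builder
     */
    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http.authorizeRequests().antMatchers("/").permitAll()
                .anyRequest().authenticated()
                .and()
                .logout().permitAll()
                .and()
                .formLogin();
        // CSRF protection is switched off. With form login and a session cookie
        // that makes every state-changing request forgeable from another site;
        // keep this only for the demo and restore Spring's default before
        // exposing the application.
        http.csrf().disable();
    }

    /**
     * Excludes static resources from the security filter chain.
     *
     * @param web the web security builder
     * @throws Exception propagated from the builder
     */
    @Override
    public void configure(WebSecurity web) throws Exception {
        // Ant patterns are matched against the request path, which starts with
        // "/"; the original "js/**" had no leading slash and never matched.
        web.ignoring().antMatchers("/js/**", "/css/**", "/images/**");
    }
}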
另外,我的权限管理规则如下:
package com.example.demo;
import Encode.MyPasswordEncoder;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.builders.WebSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
@Configuration
@EnableWebSecurity
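public class SpringSecurity extends WebSecurityConfigurerAdapter {
    /**
     * Registers the demo users for this group in memory, with their
     * passwords and roles.
     *
     * <p>Without {@code .passwordEncoder(new MyPasswordEncoder())} the form
     * submission is no longer matched in plaintext under Spring Security 5
     * and login fails with an error. MyPasswordEncoder stores passwords in
     * plaintext: acceptable for a local demo, but real deployments should
     * hash passwords (e.g. BCryptPasswordEncoder) and not hard-code them.
     *
     * @param auth the builder the users are added to
     * @throws Exception propagated from the builder
     */
    @Override
    protected void configure(AuthenticationManagerBuilder auth) throws Exception {
        // One in-memory user store for both users: the original called
        // inMemoryAuthentication() twice, registering two separate providers.
        auth.inMemoryAuthentication()
                .passwordEncoder(new MyPasswordEncoder())
                .withUser("admin").password("123456").roles("ADMIN")
                .and()
                .withUser("major").password("1234560").roles("USER");
    }

    /**
     * Defines the access rules: "/" and logout are public, form login is not
     * intercepted, every other request requires authentication.
     *
     * @param http the HTTP security builder
     * @throws Exception propagated from the builder
     */
    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http.authorizeRequests().antMatchers("/").permitAll()
                .anyRequest().authenticated()
                .and()
                .logout().permitAll()
                .and()
                .formLogin();
        // CSRF protection is switched off. With form login and a session cookie
        // that makes every state-changing request forgeable from another site;
        // keep this only for the demo and restore Spring's default before
        // exposing the application.
        http.csrf().disable();
    }

    /**
     * Excludes static resources from the security filter chain.
     *
     * @param web the web security builder
     * @throws Exception propagated from the builder
     */
    @Override
    public void configure(WebSecurity web) throws Exception {
        // Ant patterns are matched against the request path, which starts with
        // "/"; the original "js/**" had no leading slash and never matched.
        web.ignoring().antMatchers("/js/**", "/css/**", "/images/**");
    }
}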
启动程序:
package com.example.demo;
import org.springframework.boot.SpringApplication;
import org.springframework.boot.autoconfigure.EnableAutoConfiguration;
import org.springframework.boot.autoconfigure.SpringBootApplication;
import org.springframework.security.access.prepost.PreAuthorize;
import org.springframework.security.config.annotation.method.configuration.EnableGlobalMethodSecurity;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.RequestParam;
import org.springframework.web.bind.annotation.RestController;
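@SpringBootApplication
// @RestController = @Controller + @ResponseBody
@RestController
// @PreAuthorize below is only enforced when method security is switched on.
// The annotation was imported but never applied, so /roleauth was reachable by
// any authenticated user (ROLE_USER included). @EnableAutoConfiguration is
// dropped because @SpringBootApplication already includes it.
@EnableGlobalMethodSecurity(prePostEnabled = true)
public class DemoApplication {
    /**
     * Boots the Spring application.
     *
     * @param args command-line arguments passed to Spring Boot
     */
    public static void main(String[] args) {
        SpringApplication.run(DemoApplication.class, args);
    }

    /** Public landing endpoint; "/" is permitted for everyone in SpringSecurity. */
    @RequestMapping("/")
    public String say() {
        return "hello world";
    }

    /** Requires an authenticated user (any role). */
    @RequestMapping("/hello")
    public String hello() {
        return "hello";
    }

    /** Only users holding ROLE_ADMIN may call this endpoint. */
    @PreAuthorize("hasRole('ROLE_ADMIN')")
    @RequestMapping("/roleauth")
    public String hello01() {
        return "hello world!";
    }
}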
3.运行
成功结果: