SpringSecurity学习笔记

点击下载源码

1.环境搭建

1.1项目创建

在这里插入图片描述
在这里插入图片描述
目录结构
在这里插入图片描述
添加thymeleaf依赖

<!-- Thymeleaf starter: needed so the String view names returned by the controller
     ("index", "login", "pages/level1/1", ...) resolve to templates. -->
<dependency>
            <groupId>org.springframework.boot</groupId>
            <artifactId>spring-boot-starter-thymeleaf</artifactId>
</dependency>

1.2 创建Controller

package com.tamy.controller;

import org.springframework.stereotype.Controller;
import org.springframework.web.bind.annotation.PathVariable;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.RestController;

@Controller
public class SecurityController {

    /**
     * Builds the logical view name of a level page, for example {@code pages/level1/1}.
     *
     * <p>Both parts are integers, so the resulting view name cannot carry path separators
     * or any other free-form text taken from the request URL.
     *
     * @param level which level directory the template lives in (1, 2 or 3)
     * @param id    the page number bound from the URL
     * @return the view name handed to the template resolver
     */
    private static String levelView(int level, int id) {
        return "pages/level" + level + "/" + id;
    }

    /**
     * Serves the home page for both {@code /} and {@code /index}.
     *
     * <p>Author's note: the Thymeleaf dependency must be added, otherwise an error is
     * reported (Path[/index]).
     */
    @RequestMapping({"/", "/index"})
    public String index() {
        return "index";
    }

    // The three handlers below only choose a template. Who may reach them is decided by the
    // URL rules in the security configuration, not here.
    // NOTE(review): @RequestMapping without a method attribute matches every HTTP method;
    // these are read-only pages, so narrowing them to GET would be tighter.

    /** Renders {@code pages/level1/<id>}. */
    @RequestMapping("/level1/{id}")
    public String level1(@PathVariable("id") int id) {
        return levelView(1, id);
    }

    /** Renders {@code pages/level2/<id>}. */
    @RequestMapping("/level2/{id}")
    public String level2(@PathVariable("id") int id) {
        return levelView(2, id);
    }

    /** Renders {@code pages/level3/<id>}. */
    @RequestMapping("/level3/{id}")
    public String level3(@PathVariable("id") int id) {
        return levelView(3, id);
    }

    /** Renders the {@code login} template. */
    @RequestMapping("/login")
    public String login() {
        return "login";
    }

    /** Renders the {@code logout} template. */
    @RequestMapping("logout")
    public String logout() {
        return "logout";
    }
}

2.用户认证与授权

2.1 SecurityConfig

package com.tamy.config;

import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;

@EnableWebSecurity
public class SecurityConfig extends WebSecurityConfigurerAdapter {

    /**
     * Declares the URL authorization rules and turns on form login.
     *
     * @param http the security builder supplied by the framework
     * @throws Exception if the builder rejects the configuration
     */
    @Override
    protected void configure(HttpSecurity http) throws Exception {
        // Authorization rules: the home page is open to everyone, each level page is only
        // reachable with the matching role. hasRole("vip1") looks for the authority
        // ROLE_vip1, which roles("vip1") in the method below assigns.
        //
        // NOTE(review): no anyRequest() rule closes this list, so every path that is not
        // named here (/index, /login, any controller added later) has no access rule at
        // all. A deny-by-default setup lists the public pages with permitAll() and ends
        // the chain with anyRequest().authenticated().
        http.authorizeRequests()
                .antMatchers("/").permitAll()
                .antMatchers("/level1/**").hasRole("vip1")
                .antMatchers("/level2/**").hasRole("vip2")
                .antMatchers("/level3/**").hasRole("vip3")
                .and()
            // A request without the required permission is sent to the login page by default.
            .formLogin();
    }

    /**
     * Registers two in-memory demo accounts whose passwords are stored as BCrypt hashes.
     *
     * @param auth the authentication builder supplied by the framework
     * @throws Exception if the builder rejects the configuration
     */
    @Override
    protected void configure(AuthenticationManagerBuilder auth) throws Exception {
        // Author's note: this data should be read from a database.
        // NOTE(review): the accounts and the password "123" are hard-coded sample values;
        // they must not survive into anything that is reachable by other people.
        BCryptPasswordEncoder encoder = new BCryptPasswordEncoder();

        auth.inMemoryAuthentication()
                .passwordEncoder(encoder)
                .withUser("user").password(encoder.encode("123")).roles("vip1", "vip2")
                .and()
                .withUser("admin").password(encoder.encode("123")).roles("vip1", "vip2", "vip3");
    }
}

3.注销与权限控制

3.1SecurityConfig 接上面的程序

package com.tamy.config;

import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;

@EnableWebSecurity
public class SecurityConfig extends WebSecurityConfigurerAdapter {

    /**
     * Declares the URL authorization rules, the custom login page, logout, the CSRF switch
     * and remember-me.
     *
     * @param http the security builder supplied by the framework
     * @throws Exception if the builder rejects the configuration
     */
    @Override
    protected void configure(HttpSecurity http) throws Exception {
        // Authorization rules: the home page is open to everyone, each level page is only
        // reachable with the matching role. hasRole("vip1") looks for the authority
        // ROLE_vip1, which roles("vip1") in the method below assigns.
        //
        // NOTE(review): no anyRequest() rule closes this list, so every path that is not
        // named here has no access rule at all. When a closing
        // anyRequest().authenticated() is added, the custom login page needs its own
        // permitAll() or it becomes unreachable for anonymous users.
        http.authorizeRequests()
                .antMatchers("/").permitAll()
                .antMatchers("/level1/**").hasRole("vip1")
                .antMatchers("/level2/**").hasRole("vip2")
                .antMatchers("/level3/**").hasRole("vip3")
                .and()
            // A request without the required permission is sent to the login page,
            // here the application's own /login view.
            .formLogin().loginPage("/login")
                .and()
            // After logout the browser is sent back to the home page.
            .logout().logoutSuccessUrl("/");

        // Author's note: CSRF protection guards against cross-site attacks (POST vs. GET);
        // it is on by default and is switched off here because logout failed with it on.
        //
        // NOTE(review): with CSRF protection on, Spring Security accepts logout only as a
        // POST that carries the CSRF token, while index.html on this page uses a plain GET
        // link, which presumably is why logout failed. Disabling CSRF removes the token check
        // from every state-changing request of the application, not only from logout.
        // The safer fix is to keep CSRF enabled and submit logout from a POST form.
        http.csrf().disable();

        // Remember-me: "remember" is the name of the login-form field that opts in.
        // Author's note: this failed in Firefox, the cookie could not be saved; when the
        // browser is closed the cookie is deleted automatically.
        // NOTE(review): the remember-me cookie works as a login credential on its own, so
        // confirm it is only ever sent over HTTPS in a real deployment.
        http.rememberMe().rememberMeParameter("remember");
    }

    /**
     * Registers two in-memory demo accounts whose passwords are stored as BCrypt hashes.
     *
     * @param auth the authentication builder supplied by the framework
     * @throws Exception if the builder rejects the configuration
     */
    @Override
    protected void configure(AuthenticationManagerBuilder auth) throws Exception {
        // Author's note: this data should be read from a database; for now the accounts
        // are simulated in memory.
        // NOTE(review): the accounts and the password "123" are hard-coded sample values;
        // they must not survive into anything that is reachable by other people.
        BCryptPasswordEncoder encoder = new BCryptPasswordEncoder();

        auth.inMemoryAuthentication()
                .passwordEncoder(encoder)
                .withUser("user").password(encoder.encode("123")).roles("vip1", "vip2")
                .and()
                .withUser("admin").password(encoder.encode("123")).roles("vip1", "vip2", "vip3");
    }
}

3.2导入依赖

<!-- Thymeleaf / Spring Security integration: supplies the sec:authorize attributes used in index.html.
     NOTE(review): the version is pinned by hand. If the build inherits Spring Boot's dependency
     management, confirm whether the pin is still needed, so it cannot drift away from the
     Spring Security version the rest of the project uses. -->
<dependency>
            <groupId>org.thymeleaf.extras</groupId>
            <artifactId>thymeleaf-extras-springsecurity5</artifactId>
            <version>3.0.4.RELEASE</version>
</dependency>

3.3index.html 首页

<!DOCTYPE html>
<html lang="en"
      xmlns:th="http://www.thymeleaf.org"
      xmlns:sec="http://www.thymeleaf.org/thymeleaf-extras-springsecurity5">

<!--      Thymeleaf namespace:
            xmlns:th="http://www.thymeleaf.org"

          thymeleaf-extras-springsecurity5 namespace:
            xmlns:sec="http://www.thymeleaf.org/thymeleaf-extras-springsecurity5"

          The sec:authorize attributes below only decide what is rendered. They are a
          display convenience; access to /level1/**, /level2/** and /level3/** is enforced
          by the URL rules in SecurityConfig, and a hidden link is no protection by itself.
-->
<head>
    <meta charset="UTF-8">
    <title>Title</title>
</head>

<body>
    <h1>SpringSecurity</h1>
<!--    Not logged in: show the login link -->
    <div sec:authorize="!isAuthenticated()">
        <a th:href="@{/login}">登录</a>
    </div>
<!--    Logged in: show the logout link.
        NOTE(review): this is a plain GET link. With CSRF protection enabled, Spring Security
        accepts logout only as a POST carrying the CSRF token, so this link works only because
        the SecurityConfig on this page disables CSRF. A POST form keeps logout working with
        CSRF left on. -->
    <div sec:authorize="isAuthenticated()">
        <a th:href="@{/logout}">注销</a>
    </div>
    <hr>

	<!-- Rendered only when the logged-in user has the vip1 role -->
    <div sec:authorize="hasRole('vip1')">
        <span>vip1</span>
        <a href="/level1/1">vip1.html</a>
    </div>
    <hr>
    <!-- Rendered only when the logged-in user has the vip2 role -->
    <div sec:authorize="hasRole('vip2')">
        <span>vip2</span>
        <a href="/level2/1">vip2.html</a>
    </div>
    <hr>
    <!-- Rendered only when the logged-in user has the vip3 role -->
    <div sec:authorize="hasRole('vip3')">
        <span>vip3</span>
        <a href="/level3/1">vip3.html</a>
    </div>
    <hr>
</body>
</html>