导入依赖
<dependencies>
<dependency>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-security</artifactId>
</dependency>
<dependency>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-web</artifactId>
</dependency>
<dependency>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-test</artifactId>
<scope>test</scope>
</dependency>
<dependency>
<groupId>org.springframework.security</groupId>
<artifactId>spring-security-test</artifactId>
<scope>test</scope>
</dependency>
</dependencies>
在config包下创建MultiHttpSecurityConfig配置类
package org.hx.springboot_springsecurity_demo44.config;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.core.annotation.Order;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.method.configuration.EnableGlobalMethodSecurity;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
import org.springframework.security.crypto.password.NoOpPasswordEncoder;
import org.springframework.security.crypto.password.PasswordEncoder;
/**
* @Description: TODO
* @author: hx
* @date: 2021年04月14日 15:59
*/
@Configuration
@EnableGlobalMethodSecurity(prePostEnabled = true,securedEnabled = true)
public class MultiHttpSecurityConfig {
@Bean
PasswordEncoder passwordEncoder(){
return new BCryptPasswordEncoder();
}
@Autowired
protected void configure(AuthenticationManagerBuilder auth) throws Exception {
auth.inMemoryAuthentication()
.withUser("hx").password("$2a$10$NdADd9.KLXEVJrNlDjWzD.flLiUnXXxPegJZUv09S8bKq.qh1BCSS").roles("admin")
.and()
.withUser("hx1").password("$2a$10$0Kz.MUDZzDwbMJCpiN/cbOkMMtCucoBF/w1lrIEY62ZWz6pxZwJiO").roles("user");
}
@Configuration
@Order(1)
public static class AdminSecurityConfig extends WebSecurityConfigurerAdapter{
@Override
protected void configure(HttpSecurity http) throws Exception {
http.antMatcher("/admin/**").authorizeRequests().anyRequest().hasAnyRole("admin");
}
}
@Configuration
public static class OtherSecurityConfig extends WebSecurityConfigurerAdapter{
@Override
protected void configure(HttpSecurity http) throws Exception {
http.authorizeRequests().anyRequest().authenticated()
.and()
.formLogin()
.loginProcessingUrl("/dologin")
.permitAll()
.and()
.csrf()
.disable();
}
}
}
@Secured()和@PreAuthorize()区别
(1)@Secured():secured_annotation,使用时,需要配置Spring Security (无论是通过xml配置,还是在SpringBoot下,直接注解配置,都需要指明secured-annotations,这里使用SpringBoot配置)
XML:
Spring boot: @EnableGlobalMethodSecurity(securedEnabled = true)
(2)@PreAuthorize(): pre-post-annotations,使用时,需要配置Spring Security (无论是通过xml配置,还是在SpringBoot下,直接注解配置,都需要指明pre-post-annotations,本文使用SpringBoot配置)
XML:
Spring boot: @EnableGlobalMethodSecurity(prePostEnabled = true)
在service包下创建MethodService类
package org.hx.springboot_springsecurity_demo44.service;
import org.springframework.security.access.annotation.Secured;
import org.springframework.security.access.prepost.PreAuthorize;
import org.springframework.stereotype.Service;
/**
* @Description: TODO
* @author: hx
* @date: 2021年04月14日 16:32
*/
@Service
public class MethodService {
@PreAuthorize("hasRole('admin')")
public String admin(){
return "hello admin";
}
@Secured("ROLB_user")
public String user(){
return "hello user";
}
@PreAuthorize("hasAnyRole('admin','user')")
public String hello(){
return "hello xx";
}
}
在controller包下创建HelloController类
package org.hx.springboot_springsecurity_demo44.controller;
import org.hx.springboot_springsecurity_demo44.service.MethodService;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.RestController;
/**
* @Description: TODO
* @author: hx
* @date: 2021年04月14日 9:49
*/
@RestController
public class HelloController {
@Autowired
MethodService methodService;
@GetMapping("/hello")
public String hello(){
return "hello security!";
}
@GetMapping("/admin/hello")
public String admin(){
return "hello admin";
}
@GetMapping("/user/hello")
public String user(){
return "hello user";
}
@GetMapping("/login")
public String login(){
return "please login";
}
@GetMapping("/hello1")
public String hello1(){
return methodService.admin();
}
@GetMapping("/hello2")
public String hello2(){
return methodService.user();
}
@GetMapping("/hello3")
public String hello3(){
return methodService.hello();
}
}