spring boot+spring Security简易demo
描述
这是一个spring boot和security最简易demo,直接上代码吧
pom文件
<!-- Spring Security starter: authentication and authorization support. No <version> is given in this snippet; presumably it is managed by the Spring Boot parent/BOM (confirm in the full pom). -->
<dependency>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-security</artifactId>
</dependency>
<!-- Web starter: Spring MVC, used by the REST controller in this demo. -->
<dependency>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-web</artifactId>
</dependency>
<!-- Logging starter. It is already pulled in transitively by the starters above, so listing it explicitly is optional. -->
<dependency>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-logging</artifactId>
</dependency>
WebSecurityConfig 权限管理配置类
解释一下 @EnableGlobalMethodSecurity(prePostEnabled = true) 这个注解:Spring Security 的方法级注解(比如 @PreAuthorize("hasAnyRole('ROLE_USER')"))默认是不生效的(prePostEnabled 默认为 false),需要显式开启才能使用。如果不开启,这些注解会被直接忽略,方法上写的权限限制不会起任何作用。
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.method.configuration.EnableGlobalMethodSecurity;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
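/**
 * Security configuration for the demo: wires the user lookup service into authentication and
 * declares which roles may reach which URL patterns.
 *
 * <p>{@code @EnableGlobalMethodSecurity(prePostEnabled = true)} turns on processing of
 * {@code @PreAuthorize}/{@code @PostAuthorize}; without it those annotations on controller
 * methods are ignored and only the URL rules below apply.
 *
 * <p>Created 2020/3/13 9:12.
 *
 * @author LIUFANG
 * @version v1.0
 */
@EnableGlobalMethodSecurity(prePostEnabled = true)
@EnableWebSecurity
public class WebSecurityConfig extends WebSecurityConfigurerAdapter {

    @Autowired
    private MyUserDetailsService userDetailsService;

    /**
     * Configures how credentials are verified: users are loaded through
     * {@link MyUserDetailsService} and the submitted password is checked against the stored
     * BCrypt hash.
     *
     * @param auth builder for the authentication manager
     * @throws Exception if the builder rejects the configuration
     */
    @Override
    protected void configure(AuthenticationManagerBuilder auth) throws Exception {
        auth.userDetailsService(userDetailsService).passwordEncoder(new BCryptPasswordEncoder());
    }

    /**
     * Declares the URL-level access rules and the login mechanism.
     *
     * <p>Matchers are evaluated in the order written and the first match decides, so the
     * specific patterns come before {@code anyRequest()}. {@code hasRole("ADMIN")} checks for
     * the authority {@code ROLE_ADMIN}; the {@code ROLE_} prefix is added automatically.
     *
     * @param http the HTTP security builder to configure
     * @throws Exception if the builder rejects the configuration
     */
    @Override
    public void configure(HttpSecurity http) throws Exception {
        http.authorizeRequests()
                .antMatchers("/admin/**").hasRole("ADMIN")
                .antMatchers("/user/**").hasAnyRole("ADMIN", "USER")
                // Redundant with anyRequest() below, kept to make the rule for /test explicit.
                .antMatchers("/test").authenticated()
                .anyRequest().authenticated()
                .and()
            // HTTP Basic lets the endpoints be tested straight from a browser. The credentials
            // are only base64-encoded and are re-sent with every request, so serve this over
            // HTTPS outside of a local demo.
            .httpBasic();
        // CSRF protection is deliberately left at its default (enabled). The original demo
        // called csrf().disable() under a comment saying it "prevents CSRF attacks", but that
        // call switches the protection OFF. Browsers replay cached HTTP Basic credentials
        // automatically, so state-changing endpoints need the CSRF token check. Disable it
        // only for a stateless API that is never called from a browser session.
    }
}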
# UserDetailsService 用户信息和资源管理
实现 UserDetailsService 接口的时候,建议看一下 org.springframework.security.core.userdetails 这个包,鉴权的东西就在里面,怎么做完全取决你自己
User 对象是 security 自身提供的,实现了 UserDetails 接口,提供了两个构造,直接赋值还是比较好用的。
```java
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.core.userdetails.UsernameNotFoundException;
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
import org.springframework.stereotype.Component;
import org.springframework.security.core.userdetails.User;
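/**
 * Demo {@link UserDetailsService} that knows exactly one hard-coded account.
 *
 * <p>The account name, password and role are fixed in source purely for demonstration. A real
 * implementation would look the user up in a store that already holds a password hash, and
 * would never keep a plaintext password in code.
 *
 * <p>Created 2020/3/13 9:27.
 *
 * @author LIUFANG
 * @version v1.0
 */
@Component
public class MyUserDetailsService implements UserDetailsService {

    /** Name of the only account this demo recognises. */
    private static final String DEMO_USERNAME = "user";

    /**
     * BCrypt hash of the demo password, computed once at class load instead of on every lookup
     * (hashing is deliberately slow). Demo-only credential: replace before any real use.
     */
    private static final String DEMO_PASSWORD_HASH = new BCryptPasswordEncoder().encode("123456");

    /**
     * Returns the demo account when asked for it and rejects every other name.
     *
     * <p>The original version ignored {@code username} and returned the demo account for any
     * input, so any login name combined with the demo password was authenticated as "user".
     *
     * @param username the login name submitted by the client
     * @return the details of the demo account, with role {@code USER}
     * @throws UsernameNotFoundException if {@code username} is not the demo account
     */
    @Override
    public UserDetails loadUserByUsername(String username) throws UsernameNotFoundException {
        if (!DEMO_USERNAME.equals(username)) {
            // Generic message: do not echo client-supplied input back into logs or responses.
            throw new UsernameNotFoundException("Unknown user");
        }
        return User.withUsername(DEMO_USERNAME)
                .password(DEMO_PASSWORD_HASH)
                .roles("USER")
                .build();
    }
}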
controller 请求调用
import org.springframework.security.access.prepost.PreAuthorize;
import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.RestController;
/**
 * Test controller exposing a handful of GET endpoints used to try out the access rules.
 *
 * <p>Some handlers carry a method-level {@code @PreAuthorize}; the others have no annotation
 * of their own and rely entirely on the URL rules in {@code WebSecurityConfig}.
 *
 * <p>Created 2020/3/12 15:56.
 *
 * @author LIUFANG
 * @version v1.0
 */
@RestController
public class MyController {

    /**
     * Handles {@code GET /test}. No method-level check; access depends on the URL rules.
     *
     * @return the literal body {@code "test"}
     */
    @GetMapping("/test")
    public Object test() {
        return "test";
    }

    /**
     * Handles {@code GET /user}, restricted by annotation to the USER role.
     *
     * <p>NOTE(review): the URL rule for {@code /user/**} in {@code WebSecurityConfig} admits
     * ADMIN or USER, while this annotation admits USER only. Both checks apply, so an account
     * holding only ADMIN is refused here. TODO confirm that this is intended.
     *
     * @return the literal body {@code "user"}
     */
    @GetMapping("/user")
    @PreAuthorize("hasAnyRole('ROLE_USER')")
    public Object user() {
        return "user";
    }

    /**
     * Handles {@code GET /user/a}. No method-level check; access depends on the URL rules.
     *
     * @return the literal body {@code "user"}
     */
    @GetMapping("/user/a")
    public Object user2() {
        return "user";
    }

    /**
     * Handles {@code GET /admin}, restricted by annotation to the ADMIN role.
     *
     * @return the literal body {@code "admin"}
     */
    @GetMapping("/admin")
    @PreAuthorize("hasAnyRole('ROLE_ADMIN')")
    public Object admin() {
        return "admin";
    }

    /**
     * Handles {@code GET /admin/b}. No method-level check; access depends on the URL rules.
     *
     * @return the literal body {@code "admin"}
     */
    @GetMapping("/admin/b")
    public Object admin2() {
        return "admin";
    }
}
测试成果
有权限请求
无权限请求
最后
后边再加入 OAuth,同样为最简 demo