spring-security入门demo
1.核心功能
其核心就是一组过滤器链,项目启动后将会自动配置。最核心的就是 Basic Authentication Filter,用来认证用户的身份;在 spring security 中,一种过滤器处理一种认证方式(例如本 demo 使用的表单登录由 UsernamePasswordAuthenticationFilter 处理)。
2.入门demo具体操作
2.1 目录架构
2.2 导入依赖
<?xml version="1.0" encoding="UTF-8"?>
<!-- Maven build for the Spring Security starter demo: a Spring Boot web application with the security starter added. -->
<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 https://maven.apache.org/xsd/maven-4.0.0.xsd">
<modelVersion>4.0.0</modelVersion>
<!-- The parent POM manages the versions of both starters below, so no <version> is given on the dependencies. -->
<!-- NOTE(review): 2.1.7.RELEASE belongs to the Spring Boot 2.1.x line, which no longer receives open-source updates. The Spring Security version is inherited from this parent, so move to a supported release before reusing this POM outside a tutorial. -->
<parent>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-parent</artifactId>
<version>2.1.7.RELEASE</version>
<relativePath/> <!-- lookup parent from repository -->
</parent>
<groupId>com.hy</groupId>
<artifactId>springsecuritytest02</artifactId>
<version>0.0.1-SNAPSHOT</version>
<name>springsecuritytest02</name>
<description>Demo project for Spring Boot</description>
<properties>
<java.version>1.8</java.version>
</properties>
<dependencies>
<!-- Web starter (Spring MVC). -->
<dependency>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-web</artifactId>
</dependency>
<!-- Spring Security starter; with it on the classpath the security filter chain is configured automatically at startup. -->
<dependency>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-security</artifactId>
</dependency>
</dependencies>
</project>
2.3 核心配置类
package com.hy.springsecuritytest02.config;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.builders.WebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
import org.springframework.security.crypto.password.NoOpPasswordEncoder;
import org.springframework.security.crypto.password.PasswordEncoder;
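/**
 * Spring Security configuration for the starter demo: form login on a custom page,
 * every other request authenticated, and two users held in memory.
 *
 * <p>Created 2022/2/16 10:01.
 *
 * @author wang'hai'yang
 */
@Configuration
public class MySecurityConfig extends WebSecurityConfigurerAdapter {

    /**
     * Supplies the encoder used to hash and verify user passwords.
     *
     * <p>The original demo returned {@code NoOpPasswordEncoder.getInstance()}, which keeps
     * and compares passwords in plain text. BCrypt is the alternative the original author
     * already pointed to, and it costs nothing extra in a demo.
     *
     * @return a BCrypt-based password encoder
     */
    @Bean
    public PasswordEncoder passwordEncoder() {
        return new BCryptPasswordEncoder();
    }

    /**
     * Excludes static resources from Spring Security.
     *
     * <p>Requests matching these patterns skip the security filter chain entirely, so they
     * also receive none of the response headers the chain would add. Keep this list limited
     * to truly public assets.
     */
    @Override
    public void configure(WebSecurity web) throws Exception {
        web.ignoring().antMatchers("/js/**", "/css/**", "/images/**");
    }

    /**
     * Configures request authorization and the form-login flow.
     */
    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http.authorizeRequests() // restrict access based on the HttpServletRequest
                // every request requires an authenticated user
                .anyRequest().authenticated()
                .and()
                // form-based login
                .formLogin()
                // custom login page; the form posts back to this same URL for processing
                .loginPage("/login.html")
                // target after a successful login; must be a handler mapping because the
                // request is forwarded to it
                .successForwardUrl("/index")
                // the login page itself must be reachable without authentication
                .permitAll()
                .and()
                // CSRF protection is switched off for early-development convenience, and
                // because the static login.html carries no CSRF token. Re-enable it (and
                // send the token with the form) before this configuration is used anywhere
                // real: with it disabled, state-changing requests made in a logged-in
                // browser session are not protected against cross-site forgery.
                .csrf().disable();
    }

    /**
     * Registers the demo users in memory instead of loading them from a database.
     *
     * <p>The user names, passwords and roles are hard-coded tutorial values. Passwords are
     * hashed with the {@link #passwordEncoder()} bean so that they match what the encoder
     * verifies at login.
     */
    @Override
    protected void configure(AuthenticationManagerBuilder auth) throws Exception {
        PasswordEncoder encoder = passwordEncoder();
        auth.inMemoryAuthentication()
                .withUser("admin")
                // demo-only credential; never ship a fixed, guessable password
                .password(encoder.encode("123")).roles("admin", "user")
                .and()
                .withUser("why")
                .password(encoder.encode("123")).roles("user");
    }
}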
2.4 自定义登录页面
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"
"http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>
<title>login</title>
</head>
<body>
<!-- Custom login page referenced by loginPage("/login.html") in MySecurityConfig. -->
<!-- method="post" must be specified; the author omitted it while testing and lost a lot of time to it. POST also keeps the credentials out of the URL. The empty action submits to this page's own URL, which the configuration uses as both login page and processing endpoint. -->
<!-- NOTE(review): the form carries no CSRF token field; it is accepted only because MySecurityConfig calls csrf().disable(). If CSRF protection is re-enabled, the token must be submitted with this form. -->
<form class="form-signin" method="post" action="">
<!-- name must be "username": it is fixed by the framework default. The author first used "account" and lost a lot of time to it. -->
用户名:<input type="text" name="username" value=""/><br/>
<!-- name must be "password": it is fixed by the framework default. -->
密码:<input type="password" name="password" value=""/><br/>
<input type="submit" value="submit"/>
</form>
</body>
</html>