Spring Security
In web development, security is implemented in the request pipeline with filters and interceptors.
Problems
- vulnerabilities and leaks of private data
- once the architecture is fixed, retrofitting security means changing a lot of code
Frameworks
- Shiro
- Spring Security
Both handle authentication and authorization:
- function-level permissions
- access (URL) permissions
- menu permissions
- ...hand-written interceptors and filters mean a lot of boilerplate and redundant code
Overview
- the security framework for Spring projects; provides strong web security controls
- add the spring-boot-starter-security module plus a small amount of configuration and you get full security management
Remember a few classes:
- WebSecurityConfigurerAdapter: customize the security policy (deprecated since Spring Security 5.7 in favour of a SecurityFilterChain bean, but still the API this demo uses)
- AuthenticationManagerBuilder: customize the authentication policy
- @EnableWebSecurity: switches on web security; in general an @EnableXxx annotation switches on a given feature
Spring Security's two goals are "authentication" and "authorization" (access control). These concepts are general and not specific to Spring Security: authentication establishes who the caller is, authorization decides what that identity is allowed to do.
Usage
A simple demo that intercepts requests requiring login, provides logout, and shows different content on the index page before and after login and depending on which user is logged in.
Dependencies in pom.xml (note: thymeleaf-extras-springsecurity4 targets Spring Security 4; on Spring Boot 2.x, which ships Spring Security 5, use thymeleaf-extras-springsecurity5 without a version so Boot manages it, since that is the dialect Boot 2.x auto-configures and the sec: attributes below depend on it)
<!-- Thymeleaf + Spring Security integration (provides the sec: dialect) -->
<dependency>
<groupId>org.thymeleaf.extras</groupId>
<artifactId>thymeleaf-extras-springsecurity4</artifactId>
<version>3.0.2.RELEASE</version>
</dependency>
<!-- Thymeleaf template engine -->
<dependency>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-thymeleaf</artifactId>
</dependency>
<!-- Spring Security filter chain -->
<dependency>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-security</artifactId>
</dependency>
Spring Security core code (SecurityConfig)
package com.springsecurity1.config;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
import org.springframework.security.crypto.password.PasswordEncoder;
// @EnableWebSecurity is meta-annotated with @Configuration in Spring Security 4.x/5.x,
// so this class is picked up as configuration without an explicit @Configuration.
@EnableWebSecurity
public class SecurityConfig extends WebSecurityConfigurerAdapter {
    // Authorization: which URLs require which role.
    // There is no anyRequest() rule, so every URL not listed here (e.g. /toLogin) is reachable
    // without logging in; only /login/** and /register/** are actually protected.
    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http.authorizeRequests().antMatchers("/").permitAll()
                .antMatchers("/login/**").hasRole("vip1")
                .antMatchers("/register/**").hasRole("vip2");
        // Login: custom login page at /toLogin; a POST to the same URL is the login-processing URL.
        // The form sends the password in a field named psword instead of the default "password".
        http.formLogin().loginPage("/toLogin").passwordParameter("psword");
        // CSRF protection is switched OFF here only so that the plain GET link to /logout in
        // index.html works. This does not "prevent attacks": it removes the defence against
        // cross-site request forgery, so login, logout and any other state-changing POST can be
        // triggered from a page on another site.
        http.csrf().disable();
        // Logout: after logging out, redirect to http://localhost:8080/
        http.logout().logoutSuccessUrl("/");
        // Remember-me: when the checkbox named remember-me is ticked, a remember-me cookie is issued;
        // with the defaults it is valid for two weeks.
        http.rememberMe().rememberMeParameter("remember-me");
    }
    // Authentication: two in-memory users with BCrypt-hashed passwords (one encoder instance is enough).
    @Override
    protected void configure(AuthenticationManagerBuilder auth) throws Exception {
        PasswordEncoder encoder = new BCryptPasswordEncoder();
        auth.inMemoryAuthentication().passwordEncoder(encoder)
                .withUser("weon").password(encoder.encode("123")).roles("vip1")
                .and()
                .withUser("wen").password(encoder.encode("123")).roles("vip2");
    }
}
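The configuration above only works because CSRF protection is disabled. The following is an added example, not code from the original post or from Spring Security's own samples, showing the hardened shape of the same configuration on the same Spring Boot 2.x / Spring Security 5.x API: CSRF stays on, logout becomes a POST, every URL not explicitly permitted requires login, the password encoder is a single bean, and the remember-me token is bound to an explicit key with an explicit lifetime. It assumes the same view controller for `/`, `/toLogin` and `/login/sucess` that the original demo relies on but does not show; the class name HardenedSecurityConfig, the user names and the REMEMBER_ME_KEY placeholder are this example's own choices.

```java
package com.springsecurity1.config;

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
import org.springframework.security.crypto.password.PasswordEncoder;

// Hardened counterpart of the demo's SecurityConfig (added example; drop-in replacement for it).
@Configuration
@EnableWebSecurity
public class HardenedSecurityConfig extends WebSecurityConfigurerAdapter {

    // Placeholder (assumption): in a real deployment load this from configuration, never hard-code it.
    // Without an explicit key Spring Security 5 generates a random one at startup, so remember-me
    // cookies stop working after every restart.
    private static final String REMEMBER_ME_KEY = "change-me-per-deployment";

    // One PasswordEncoder bean, shared by the in-memory user store and anything else that hashes passwords.
    @Bean
    public PasswordEncoder passwordEncoder() {
        return new BCryptPasswordEncoder();
    }

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http.authorizeRequests()
                .antMatchers("/").permitAll()
                .antMatchers("/login/**").hasRole("vip1")
                .antMatchers("/register/**").hasRole("vip2")
                .anyRequest().authenticated();   // deny by default: anything not listed needs a login

        http.formLogin()
                .loginPage("/toLogin")           // GET renders login.html, POST to the same URL authenticates
                .passwordParameter("psword")
                .permitAll();                    // login page, processing URL and failure URL stay reachable

        // CSRF protection is left ON (the default). Thymeleaf's Spring integration adds the hidden
        // _csrf field to every <form th:action=...>, so login and logout forms keep working.

        http.logout()
                .logoutUrl("/logout")            // with CSRF enabled this endpoint only accepts POST
                .logoutSuccessUrl("/")
                .invalidateHttpSession(true)
                .deleteCookies("JSESSIONID");    // the remember-me cookie is cancelled by the remember-me logout handler

        http.rememberMe()
                .rememberMeParameter("remember-me")
                .key(REMEMBER_ME_KEY)            // fixed key: tokens validate across restarts
                .tokenValiditySeconds(14 * 24 * 60 * 60); // two weeks, stated explicitly instead of relying on the default
    }

    @Override
    protected void configure(AuthenticationManagerBuilder auth) throws Exception {
        PasswordEncoder encoder = passwordEncoder();
        auth.inMemoryAuthentication()
                .passwordEncoder(encoder)
                .withUser("weon").password(encoder.encode("123")).roles("vip1")
                .and()
                .withUser("wen").password(encoder.encode("123")).roles("vip2");
    }
}
```

With CSRF enabled the logout link in index.html has to become a form, for example `<form th:action="@{/logout}" method="post"><input type="submit" value="Log out"></form>`; a plain `<a href="/logout">` will get a 403 (or simply not log out), which is the intended behaviour, because a GET that changes state is exactly what a forged cross-site request can trigger. The login form in login.html needs no change, since its `th:action` already receives the hidden `_csrf` input.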
Main page (index.html)
<!DOCTYPE html>
<html xmlns:th="http://www.thymeleaf.org"
      xmlns:sec="http://www.thymeleaf.org/extras/spring-security">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
<title>welcome</title>
</head>
<body>
<h2>Welcome</h2>
<!-- shown only to anonymous visitors -->
<div sec:authorize="!isAuthenticated()">
<a th:href="@{/toLogin}">Log in</a>
</div>
<!-- shown only after login: the principal's name and a logout link
     (a GET link only works because CSRF protection is disabled in SecurityConfig) -->
<div sec:authorize="isAuthenticated()">
Username: <span sec:authentication="name"></span>
<a th:href="@{/logout}">Log out</a>
</div>
<!-- shown only to users holding ROLE_vip1 -->
<div sec:authorize="hasRole('vip1')">
<a th:href="@{/login/sucess}">Login success page</a>
</div>
</body>
</html>
Login page (login.html)
<!DOCTYPE html>
<html lang="en" xmlns:th="http://www.thymeleaf.org">
<head>
<meta charset="UTF-8">
<title>Login</title>
</head>
<body>
<div align="center" style="margin-top: 60px">
<!-- posts to /toLogin, which SecurityConfig registers as the login-processing URL -->
<form th:action="@{/toLogin}" method="post">
<p>
<label>Username</label>
<input type="text" name="username">
</p>
<p>
<!-- field name must match passwordParameter("psword") in SecurityConfig -->
<label>Password</label>
<input type="password" name="psword">
</p>
<p>
<!-- field name must match rememberMeParameter("remember-me") in SecurityConfig -->
<label>Remember Me</label>
<input type="checkbox" name="remember-me">
</p>
<div align="center">
<input type="submit" value="Log in">
</div>
</form>
</div>
</body>
</html>
Login success page (login_result.html)
<!DOCTYPE html>
<html xmlns:th="http://www.thymeleaf.org">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
<title>Logged in</title>
</head>
<body>
<h3>Logged in</h3>
<a th:href="@{/logout}">Log out</a>
</body>
</html>
Reference blog
https://blog.csdn.net/weixin_36512652/article/details/82226036