目录
前言
记录一下学习springsecurity的过程
开发环境:IDEA,springsecurity6
一、概念
1.什么是springsecurity
spring提供的安全管理框架,核心功能是认证,授权
认证:验证当前用户是不是本系统注册的用户,识别具体是哪个用户
授权:通过认证的用户,需要判断是否具有权限进行某个操作
2.对比shiro
springsecurity功能更强大,shiro更容易上手应用
3.执行过程
初学阶段,从我的角度来说,最重要的是先用起来,底层逻辑在一开始我并不重视,但要知道的是整个执行过程是一组过滤器链,核心过滤器有三个
UsernamePasswordAuthenticationFilter:用户名密码认证过滤器,处理登录请求
ExceptionTranslationFilter:异常转换过滤器
FilterSecurityInterceptor:权限过滤器
二、开始项目
1.建立一个空项目,建立module,引入相关依赖
new Project->Empty Project
File->new module->Spring Initializr->Maven->选择需要加入的功能->生成项目,等待依赖导入
必须选择的包括springsecurity,springweb,注意右上角选择自己想要的springboot版本,springboot版本与jdk版本要匹配,否则可能会导致其他依赖的版本混乱
附上依赖pom
<?xml version="1.0" encoding="UTF-8"?>
<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 https://maven.apache.org/xsd/maven-4.0.0.xsd">
<modelVersion>4.0.0</modelVersion>
<parent>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-parent</artifactId>
<version>3.1.2</version>
<relativePath/> <!-- lookup parent from repository -->
</parent>
<groupId>com.example</groupId>
<artifactId>demo</artifactId>
<version>0.0.1-SNAPSHOT</version>
<name>crm</name>
<description>Demo project for Spring Boot</description>
<properties>
<java.version>17</java.version>
</properties>
<dependencies>
<dependency>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-security</artifactId>
</dependency>
<dependency>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-thymeleaf</artifactId>
</dependency>
<dependency>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-web</artifactId>
</dependency>
<dependency>
<groupId>org.thymeleaf.extras</groupId>
<artifactId>thymeleaf-extras-springsecurity6</artifactId>
</dependency>
<dependency>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-devtools</artifactId>
<scope>runtime</scope>
<optional>true</optional>
</dependency>
<dependency>
<groupId>org.projectlombok</groupId>
<artifactId>lombok</artifactId>
<optional>true</optional>
</dependency>
<dependency>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-test</artifactId>
<scope>test</scope>
</dependency>
<dependency>
<groupId>org.springframework.security</groupId>
<artifactId>spring-security-test</artifactId>
<scope>test</scope>
</dependency>
</dependencies>
<build>
<plugins>
<plugin>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-maven-plugin</artifactId>
<configuration>
<excludes>
<exclude>
<groupId>org.projectlombok</groupId>
<artifactId>lombok</artifactId>
</exclude>
</excludes>
</configuration>
</plugin>
</plugins>
</build>
</project>
2.启动项目,访问项目
控制台输出如下,意思是自动生成了密码,如果你要在生产环境使用,应该修改配置
Using generated security password: 7bc86ae1-30a1-435c-bc59-6d894a7ae0b6
This generated password is for development use only. Your security configuration must be updated before running your application in production.
访问项目localhost:8080,以往我们访问本地项目,直接会进入首页,但这次弹出了一个登录页面
这是springsecurity自带的过滤器,验证当前用户没有登陆,自动跳转到登录页面
这个页面是通过网络下载的bootstrap页面,如果下载的有问题,那么页面展示效果可能会不太好,可以忽略
输入账号密码登录,默认账号为user,密码为刚刚控制台输出的
登陆后跳转到error页面,这并不是登录失败了,只是没有识别到登陆成功后应该跳转到哪
我们可以自己写一个接口访问,比如http://localhost:8080/index,页面输出hello world!
@RestController
public class IndexController {
@GetMapping("/index")
public String index() {
return "hello world!";
}
}
3.自定义密码
如果我们不想使用默认生成的密码,可以自己配置密码application.yml
spring:
security:
user:
name: admin
password: 1234
那么刚才我们没有配置密码的时候,默认密码是怎么生成的呢,security的User类给name和password提供了默认值
private String name = "user";
private String password = UUID.randomUUID().toString();
4.自定义登陆页面
显然我们不可能使用security提供的登陆页面
如何让springsecurity能够跳转到我们自定义的登陆页面并验证呢
1.编写页面
注意:
1.这里@{/login},@{/logout}指的是springsecurity提供的认证和退出接口,不是我们自己手写的访问接口
2.这里使用了thymeleaf模板引擎,页面存放在templates目录下,如果不用引擎,应当作为静态页面存放在static下,或者通过spring.web.resources.static-locations配置
3.@{/login}的入参必须是username,password,切记不能自由发挥
login.html
<!DOCTYPE html>
<html lang="en" xmlns:th="https://www.thymeleaf.org">
<head>
<meta charset="UTF-8">
<title>登录</title>
</head>
<body>
<h1>你好</h1>
<form th:action="@{/login}" method="post">
用户名:<input type="text" name="username">
密码:<input type="password" name="password">
<input type="submit" value="登录">
</form>
</body>
</html>
index.html
<!DOCTYPE html>
<html lang="en" xmlns:th="https://www.thymeleaf.org">
<head>
<meta charset="UTF-8">
<title>首页</title>
</head>
<body>
hello world!
<form th:action="@{/logout}" method="post">
<input type="submit" value="退出">
</form>
</body>
</html>
2.编写跳转页面的接口
注意:
1.login.html也可写作login
2.使用@Controller,而不是@RestController,当然也不可以使用@ResponseBody,因为这样会使返回值成为一个字符串,而不是页面
@Controller
public class LoginController {
/**
* 登录页
*
* @return
*/
@RequestMapping("/login")
public String login() {
return "login.html";
}
/**
* 首页
*
* @return
*/
@RequestMapping("/index")
public String index() {
return "index.html";
}
}
3.配置springsecurity
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.Customizer;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.web.SecurityFilterChain;
@Configuration
@EnableWebSecurity //开启springsecurity,自动引入过滤器链SecurityFilterChain
public class SecurityConfig {
@Bean
public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
/*
security6
authorizeHttpRequests():针对http请求的授权配置
requestMatchers:匹配http请求url,此处指定为/login
permitAll:给与所有权限,即允许匿名访问(不登陆直接访问)
anyRequest:其它的所有的请求
authenticated:需要认证
*/
http.authorizeHttpRequests(authorizationManagerRequestMatcherRegistry ->
authorizationManagerRequestMatcherRegistry
.requestMatchers("/login")
.permitAll()
.anyRequest()
.authenticated()
);
/*
loginPage:登陆页面
loginProcessingUrl:登录接口
defaultSuccessUrl:登陆成功跳转
*/
http.formLogin(httpSecurityFormLoginConfigurer ->
httpSecurityFormLoginConfigurer
.loginPage("/login").permitAll()
.loginProcessingUrl("/login")
.defaultSuccessUrl("/index")
);
//关闭跨域漏洞防御
http.csrf(Customizer.withDefaults());
//退出
http.logout(httpSecurityLogoutConfigurer -> httpSecurityLogoutConfigurer.invalidateHttpSession(true));
//security5,已经被标记为过时,不建议
// http.authorizeHttpRequests()
// .requestMatchers("/public/**")
// .permitAll()
// .anyRequest()
// .hasRole("USER")
// .and()
// .formLogin()
// .permitAll();
return http.build();
}
}
5.前后端分离登录配置
此处不讨论前端页面,只关注security配置
与前后端不分的区别:去掉了登录页面和默认跳转页面,相当于入口由前端项目控制,前端页面拿到登录成功的返回值后,通过路由控制跳转首页
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.Customizer;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.web.SecurityFilterChain;
@Configuration
@EnableWebSecurity //开启springsecurity,自动引入过滤器链SecurityFilterChain
public class SecurityConfig {
@Bean
public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
/*
security6
authorizeHttpRequests():针对http请求的授权配置
requestMatchers:匹配http请求url,此处指定为/login
permitAll:给与所有权限,即允许匿名访问(不登陆直接访问)
anyRequest:其它的所有的请求
authenticated:需要认证
*/
http.authorizeHttpRequests(authorizationManagerRequestMatcherRegistry ->
authorizationManagerRequestMatcherRegistry
.requestMatchers("/login")
.permitAll()
.anyRequest()
.authenticated()
);
/*
loginProcessingUrl:指定登录接口,即前端点击登陆时需要调用的接口名,默认值为/login
successHandler:成功处理
failureHandler:失败处理
*/
http.formLogin(httpSecurityFormLoginConfigurer ->
httpSecurityFormLoginConfigurer
.loginProcessingUrl("/login")
.successHandler(new LoginSuccessHandler())
.failureHandler(new LoginFailureHandler())
);
//关闭跨域漏洞防御,跨域拦截
http.csrf(Customizer.withDefaults()).cors(Customizer.withDefaults());
//退出
http.logout(httpSecurityLogoutConfigurer -> httpSecurityLogoutConfigurer.invalidateHttpSession(true));
//security5,已经被标记为过时,不建议
// http.authorizeHttpRequests()
// .requestMatchers("/public/**")
// .permitAll()
// .anyRequest()
// .hasRole("USER")
// .and()
// .formLogin()
// .permitAll();
return http.build();
}
}
import jakarta.servlet.ServletException;
import jakarta.servlet.http.HttpServletRequest;
import jakarta.servlet.http.HttpServletResponse;
import org.springframework.security.core.AuthenticationException;
import org.springframework.security.web.authentication.AuthenticationFailureHandler;
import java.io.IOException;
public class LoginFailureHandler implements AuthenticationFailureHandler {
@Override
public void onAuthenticationFailure(HttpServletRequest request, HttpServletResponse response, AuthenticationException exception) throws IOException, ServletException {
response.setContentType("text/html;charset=UFT-8");
response.getWriter().write("loginNo");
exception.printStackTrace();
}
}
import jakarta.servlet.ServletException;
import jakarta.servlet.http.HttpServletRequest;
import jakarta.servlet.http.HttpServletResponse;
import org.springframework.security.core.Authentication;
import org.springframework.security.web.authentication.AuthenticationSuccessHandler;
import java.io.IOException;
public class LoginSuccessHandler implements AuthenticationSuccessHandler {
@Override
public void onAuthenticationSuccess(HttpServletRequest request, HttpServletResponse response, Authentication authentication) throws IOException, ServletException {
response.setContentType("text/html;charset=UFT-8");
response.getWriter().write("loginYes");
authentication.getPrincipal();
authentication.getAuthorities();
authentication.getCredentials();
}
}
三、权限
在实际应用中,通常使用角色控制菜单的访问,通过权限控制接口的访问(即功能的访问)
看一下增加了权限的SecurityConfig文件
authorizeHttpRequests:增加角色,权限配置
InMemoryUserDetailsManager:在内存中配置几个用户,后续可以改为读取数据库
PasswordEncoder:密码编码器,给密码加密
package com.example.crm.config.login;
import org.springframework.boot.autoconfigure.security.SecurityProperties;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.Customizer;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.core.userdetails.User;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.security.crypto.password.NoOpPasswordEncoder;
import org.springframework.security.crypto.password.PasswordEncoder;
import org.springframework.security.provisioning.InMemoryUserDetailsManager;
import org.springframework.security.web.SecurityFilterChain;
@Configuration
@EnableWebSecurity //开启springsecurity,自动引入过滤器链SecurityFilterChain
public class SecurityConfig {
@Bean
public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
/*
security6
authorizeHttpRequests():针对http请求的授权配置
requestMatchers:匹配http请求url,此处指定为/login
permitAll:允许匿名访问(不登陆直接访问)
hasRole,hasAnyRole:指定访问角色
hasAuthority,hasAnyAuthority:指定权限
anyRequest:其它的所有的请求
authenticated:需要认证
*/
http.authorizeHttpRequests(authorizationManagerRequestMatcherRegistry ->
authorizationManagerRequestMatcherRegistry
.requestMatchers("/login").permitAll()
// .requestMatchers("admin/*").hasRole("admin")
// .requestMatchers("user/*").hasAnyRole("admin", "user")
.requestMatchers("admin/*").hasAuthority("admin:get")
.requestMatchers("user/*").hasAnyAuthority("admin:get", "user:get")
.anyRequest().authenticated()
);
/*
formLogin:针对登录的配置
loginProcessingUrl:指定登录接口,即前端点击登陆时需要调用的接口名,默认值为/login
successHandler:成功处理
failureHandler:失败处理
*/
http.formLogin(httpSecurityFormLoginConfigurer ->
httpSecurityFormLoginConfigurer
.loginProcessingUrl("/login")
.successHandler(new LoginSuccessHandler())
.failureHandler(new LoginFailureHandler())
);
/*
* 异常处理
*/
http.exceptionHandling(httpSecurityExceptionHandlingConfigurer -> httpSecurityExceptionHandlingConfigurer.accessDeniedPage("/exception"));
//关闭跨域漏洞防御,跨域拦截
http.csrf(Customizer.withDefaults()).cors(Customizer.withDefaults());
//退出
http.logout(httpSecurityLogoutConfigurer -> httpSecurityLogoutConfigurer.invalidateHttpSession(true));
return http.build();
}
//用户
@Bean
public InMemoryUserDetailsManager inMemoryUserDetailsManager() {
UserDetails admin = User
.withUsername("admin").password("1234")
// .roles("admin", "user")
.authorities("admin:get", "user:get")
.build();
UserDetails user = User.withUsername("user").password("1234").roles("user").build();
return new InMemoryUserDetailsManager(admin, user);
}
//密码编码器
@Bean
public PasswordEncoder passwordEncoder() {
return NoOpPasswordEncoder.getInstance();
}
}