引入依赖包(Maven):
<!-- Spring Boot starter that puts Spring Security on the classpath.
     No <version> is given here, so it has to come from dependency management
     (presumably the Spring Boot parent/BOM; confirm in the full pom.xml). -->
<dependency>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-security</artifactId>
</dependency>
package com.zhonghuan.bookkeeping.security;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.core.userdetails.UserDetailsService;
/**
 * Spring Security configuration: plugs a custom {@link UserDetailsService} into
 * authentication, and declares which URLs are open and how form login and
 * logout behave.
 *
 * <p>NOTE(review): {@code WebSecurityConfigurerAdapter} is deprecated since
 * Spring Security 5.7 and removed in 6.0, so this listing only applies to
 * older versions.
 */
@Configuration
@EnableWebSecurity
public class WebSecurityConfig extends WebSecurityConfigurerAdapter {

    /**
     * Exposes the user lookup service as a Spring-managed bean.
     *
     * @return a new {@code CustomUserService}
     */
    @Bean
    UserDetailsService customUserService() {
        return new CustomUserService();
    }

    /**
     * Tells the authentication manager to load users through
     * {@link #customUserService()}. Nothing here creates an in-memory user.
     *
     * <p>NOTE(review): no {@code PasswordEncoder} is set on the builder, so how
     * the stored password is compared depends on the Spring Security version's
     * default. Confirm that passwords are stored hashed (for example with
     * BCrypt) and configure the matching encoder explicitly.
     *
     * @param auth builder for the application's authentication manager
     * @throws Exception propagated from the builder
     */
    @Override
    protected void configure(AuthenticationManagerBuilder auth) throws Exception {
        UserDetailsService userLookup = customUserService();
        auth.userDetailsService(userLookup);
    }

    // Allow cross-origin requests (left disabled).
    // NOTE(review): if this is ever re-enabled, prefer an explicit list of
    // origins over "*".
    // @Bean
    // public WebMvcConfigurer corsConfigurer() {
    // return new WebMvcConfigurerAdapter() {
    // @Override
    // public void addCorsMappings(CorsRegistry registry) {
    // registry.addMapping("/**").allowedOrigins("*")
    // .allowedMethods("GET", "HEAD", "POST", "PUT", "DELETE", "OPTIONS")
    // .allowCredentials(false).maxAge(3600);
    // }
    // };
    // }

    /**
     * permitAll configuration example: {@code authorizeRequests()} defines which
     * URLs need protection and which do not.
     *
     * @param http the HTTP security builder
     * @throws Exception propagated from the builder
     */
    @Override
    protected void configure(HttpSecurity http) throws Exception {
        // CSRF protection is switched off for the whole application.
        // NOTE(review): this config also uses form login, so state-changing
        // requests are not covered by Spring Security's CSRF token check.
        // Keep CSRF enabled unless clients cannot send the token.
        http.csrf().disable();

        // Paths that are let through. permitAll does NOT bypass Spring Security:
        // the request still runs through the filter chain, and both logged-in
        // and anonymous callers are admitted. web.ignoring(), by contrast,
        // skips every Spring Security filter.
        // NOTE(review): /getSmsCode and /regist are reachable without
        // authentication; presumably they send an SMS code and register an
        // account. Confirm they are rate-limited elsewhere.
        http.authorizeRequests()
                .antMatchers("/getSmsCode","/regist").permitAll()
                .anyRequest().authenticated();

        // formLogin() defines the page a user is sent to when login is required.
        http.formLogin()
                // Must match the name attributes of the login form's fields.
                .passwordParameter("password")
                .usernameParameter("user")
                // Login page.
                .loginPage("/loginPage.html")
                // URL the login form is submitted to.
                .loginProcessingUrl("/toLogin")
                // Where to go after a successful login.
                .defaultSuccessUrl("/welcome.html")
                .permitAll();

        http.logout().permitAll();
    }

    // @Override
    // public void configure(WebSecurity web) throws Exception {
    // // Stops static resources from being intercepted.
    // web.ignoring().antMatchers("/css/**");
    // }
}
web ignore配置实例
permitAll没有绕过spring security:请求仍然会经过过滤器链,只是已登录用户和匿名用户都被允许访问。
ignore(web.ignoring())则完全绕过了spring security的所有filter,相当于不走spring security,因此只适合用于静态资源。
/**
 * web.ignoring() configuration example: the listed static-resource paths are
 * excluded from Spring Security altogether.
 */
@EnableWebSecurity
public class SecurityConfig extends WebSecurityConfigurerAdapter {

    /**
     * Registers the path patterns that skip the Spring Security filter chain.
     * Requests matching them get no processing from Spring Security at all, so
     * the list should stay limited to static assets.
     *
     * @param web the web security builder
     * @throws Exception propagated from the builder
     */
    @Override
    public void configure(WebSecurity web) throws Exception {
        web.ignoring().antMatchers("/css/**", "/js/**", "/fonts/**");
    }
}
另外一个类用作查询用户数据
package com.zhonghuan.bookkeeping.security;
import com.zhonghuan.bookkeeping.entity.User;
import com.zhonghuan.bookkeeping.login.dao.UserDao;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.core.userdetails.UsernameNotFoundException;
import javax.annotation.Resource;
import java.util.ArrayList;
/**
 * {@link UserDetailsService} implementation that loads accounts through
 * {@code UserDao}. The login name is passed to {@code findByTellphone}, so it
 * is presumably the user's phone number.
 */
public class CustomUserService implements UserDetailsService {

    // Injected by the container; the visible config creates this class through
    // a @Bean method.
    @Resource
    private UserDao userDao;

    /**
     * Looks up the account for the submitted login name.
     *
     * @param userName login name submitted by the client
     * @return Spring Security user built from the stored login name and password,
     *         with an empty authority list
     * @throws UsernameNotFoundException when the DAO returns no account
     */
    @Override
    public UserDetails loadUserByUsername(String userName) throws UsernameNotFoundException {
        final User account = userDao.findByTellphone(userName);
        if (account != null) {
            // The password is handed over exactly as stored.
            // NOTE(review): confirm it is a hash in the format the configured
            // PasswordEncoder expects, never plaintext.
            // No roles or authorities are granted.
            return new org.springframework.security.core.userdetails.User(
                    account.getTellphone(), account.getPassword(), new ArrayList<>());
        }
        throw new UsernameNotFoundException("用户名不存在");
    }
}