依赖
<dependency>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-security</artifactId>
</dependency>
主要流程
使用
定义配置类，继承 WebSecurityConfigurerAdapter，重写里面的三个 configure 方法（认证、静态资源忽略、HTTP 拦截规则）。
package com.ventus.config;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.builders.WebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
import org.springframework.security.crypto.password.PasswordEncoder;
/**
* 配置类
**/
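@Configuration
public class MySecurity extends WebSecurityConfigurerAdapter {

    /**
     * Password encoder used by the authentication provider. BCrypt is a salted, adaptive
     * hash, so stored credentials are never compared or kept as plain text.
     * <p>
     * Note: {@code WebSecurityConfigurerAdapter} is deprecated since Spring Security 5.7;
     * newer versions express the same configuration as a {@code SecurityFilterChain} bean.
     *
     * @return the shared BCrypt encoder
     */
    @Bean
    public PasswordEncoder passwordEncoder() {
        return new BCryptPasswordEncoder();
    }

    /**
     * Authentication configuration: registers the application's user lookup and the
     * encoder used to verify submitted passwords against stored hashes.
     *
     * @param auth builder for the AuthenticationManager
     * @throws Exception propagated from the builder
     */
    @Override
    protected void configure(AuthenticationManagerBuilder auth) throws Exception {
        // Reuse the @Bean encoder so hashing (at registration) and verification (at login)
        // use identical BCrypt settings.
        // NOTE(review): userDetailsService is a project class not shown here — confirm it
        // implements org.springframework.security.core.userdetails.UserDetailsService.
        auth.userDetailsService(new userDetailsService()).passwordEncoder(passwordEncoder());
    }

    /**
     * Paths excluded from the security filter chain entirely (no authentication and no
     * security headers are applied). Keep this list to genuinely public static assets.
     *
     * @param web web-level security builder
     * @throws Exception propagated from the builder
     */
    @Override
    public void configure(WebSecurity web) throws Exception {
        // Ant patterns must start with "/" to match a request path; the bare pattern
        // "index.html" never matches "/index.html".
        web.ignoring().antMatchers("/index.html", "/static/**");
    }

    /**
     * HTTP security: every request requires ROLE_USER; authentication is a login form whose
     * page, failure URL and processing URL are customised below.
     *
     * @param http HTTP-level security builder
     * @throws Exception propagated from the builder
     */
    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http.authorizeRequests()
                .antMatchers("/**").hasRole("USER")
            .and()
            .formLogin()
                .usernameParameter("username")                        // default parameter name: username
                .passwordParameter("password")                        // default parameter name: password
                .loginPage("/authentication/login")                   // default: GET /login
                .failureUrl("/authentication/login?failed")           // default: /login?error
                .loginProcessingUrl("/authentication/login/process")  // default: POST /login
                // The custom login page, failure URL and processing URL must be reachable
                // unauthenticated; otherwise the "/**" rule above redirects to the login
                // page in a loop.
                .permitAll()
            .and()
            // Disabling CSRF removes the check on every state-changing POST. A login form
            // that "does not submit" is usually missing the _csrf token; adding the token to
            // the form is the fix that keeps the protection.
            .csrf().disable();
    }
}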
获取对象
以表单登录为例，我们需要从安全上下文中获取已认证的用户对象信息。
package com.ventus.utils;
import org.springframework.security.authentication.AnonymousAuthenticationToken;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.security.core.userdetails.User;
/**
* 获取对象
**/
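public class UserUtils {

    /**
     * Returns the currently authenticated form-login user, or {@code null}.
     * <p>
     * {@code SecurityContextHolder.getContext()} is the thread-bound security context and is
     * never null (an empty context whose Authentication is null is created on demand). The
     * Authentication itself is null before any authentication has taken place.
     *
     * @return the {@link User} principal of a {@link UsernamePasswordAuthenticationToken};
     *         {@code null} when there is no authentication, the caller is anonymous, the
     *         token is of another type, or the principal is not a {@code User}
     */
    public static User getUser() {
        Authentication authentication = SecurityContextHolder.getContext().getAuthentication();
        // Anonymous access is represented by a non-null token; treat it as "not logged in".
        if (authentication == null || authentication instanceof AnonymousAuthenticationToken) {
            return null;
        }
        // Only form/username-password logins are considered (this excludes other token
        // types, e.g. remember-me, by design of the original).
        if (!(authentication instanceof UsernamePasswordAuthenticationToken)) {
            return null;
        }
        // The principal is a User only when the UserDetailsService returned one; a custom
        // UserDetails implementation or a plain String username would otherwise make the
        // unchecked cast throw ClassCastException.
        Object principal = authentication.getPrincipal();
        return principal instanceof User ? (User) principal : null;
    }
}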