1、添加依赖
<dependency>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-security</artifactId>
</dependency>
2、配置文件
默认用户名user ,密码每次启动随机生成,可以在日志中查看
也可以在配置文件中自定义
spring.security.user.name=sang
spring.security.user.password=123
spring.security.user.roles=admin
3、基于内存认证
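@Configuration
@EnableWebSecurity
@EnableGlobalMethodSecurity(prePostEnabled = true)
public class testSecurityConfig extends WebSecurityConfigurerAdapter {

    /**
     * Registers the two in-memory demo accounts ("root" with roles admin+user, "sang" with role user).
     * <p>
     * Unless a {@code PasswordEncoder} bean is declared elsewhere (none is visible here), Spring Security 5
     * resolves stored passwords through a delegating encoder that expects an {@code {id}} prefix. The
     * original bare {@code "123"} has no prefix, so every login attempt failed with
     * "There is no PasswordEncoder mapped for the id null". The {@code {noop}} prefix keeps the demo
     * working by storing the value as plain text; that is acceptable only for an in-memory tutorial —
     * a real deployment must declare a bcrypt/scrypt/argon2 {@code PasswordEncoder} bean and store hashes.
     *
     * @param auth builder the in-memory user store is attached to
     * @throws Exception propagated from the builder API
     */
    @Override
    protected void configure(AuthenticationManagerBuilder auth) throws Exception {
        auth.inMemoryAuthentication()
                .withUser("root").password("{noop}123").roles("admin", "user")
                .and()
                .withUser("sang").password("{noop}123").roles("user");
    }
}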
4、授权
@Configuration
@EnableWebSecurity
@EnableGlobalMethodSecurity(prePostEnabled = true)
public class testSecurityConfig extends WebSecurityConfigurerAdapter {

    /**
     * URL-level authorization for the demo: {@code /admin/**} needs role admin, {@code /user/**} needs
     * admin or user, everything else merely needs an authenticated session. Form login is enabled with
     * its processing endpoint open to anonymous callers, and CSRF protection is switched off.
     *
     * @param http the HttpSecurity builder
     * @throws Exception propagated from the builder API
     */
    @Override
    protected void configure(HttpSecurity http) throws Exception {
        // Matchers are evaluated in declaration order; the first matching rule decides.
        http.authorizeRequests()
                .antMatchers("/admin/**").hasRole("admin")
                .antMatchers("/user/**").access("hasAnyRole('admin','user')")
                .anyRequest().authenticated();

        // The login-processing URL itself must be reachable before authentication.
        http.formLogin()
                .loginProcessingUrl("/login")
                .permitAll();

        // CSRF protection is disabled here. Because formLogin() establishes a session cookie that the
        // browser attaches to cross-site requests as well, state-changing endpoints lose their main
        // defence against forged requests. Disabling CSRF is only reasonable for stateless APIs that
        // authenticate with a header-carried token rather than a cookie.
        http.csrf().disable();
    }
}
- .formLogin() 开启表单登录
- .csrf() .disable() 关闭csrf
- .logout 开启注销登录配置
- .logoutUrl("/logout") 注销登录请求url 为"/logout" , 默认也是"/logout"
- .logoutSuccessUrl("/") 注销成功后去"/" 页面
- .clearAuthentication(true) 是否清除身份认证信息,默认true
- .invalidateHttpSession(true) 是否使session失效,默认true
5、方法安全
@EnableGlobalMethodSecurity开启基于注解的安全配置
/**
 * Minimal security configuration whose only purpose is to turn on annotation-driven method
 * security; it overrides nothing, so the adapter's defaults apply to HTTP requests.
 */
@Configuration
@EnableWebSecurity
// prePostEnabled = true is what makes @PreAuthorize / @PostAuthorize on bean methods take effect.
@EnableGlobalMethodSecurity(prePostEnabled = true)
public class testSecurityConfig extends WebSecurityConfigurerAdapter {
}
@PreAuthorize 在方法执行前验证
@PostAuthorize 在方法执行后验证
写法
@PreAuthorize("@permission.admin()") 调用方法前先去调用admin方法
@PreAuthorize("hasRole('admin') and hasRole('user')") 调用前需要同时拥有admin和user角色
@PreAuthorize("hasAnyRole('admin', 'user')") 调用前需要拥有admin或user角色之一
项目实战
/**
 * Returns the detail of one article.
 * <p>
 * Authorization runs before the body executes: the SpEL expression calls {@code admin()} on the bean
 * registered under the name "permission", and a {@code false} result denies the request.
 *
 * @param articleId article identifier taken from the request path (untrusted input)
 * @return the service's response wrapper for the article
 */
@PreAuthorize("@permission.admin()")
@ApiOperation("获取文章详情")
@GetMapping("/{articleId}")
public ResponseResult getArticle(@ApiParam(value = "文章ID", required = true) @PathVariable("articleId") String articleId) {
    ResponseResult article = articleService.getArticleById(articleId);
    return article;
}
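@Slf4j
@Service("permission")
public class PermissionService {

    @Autowired
    private IUserService userService;

    /**
     * Authorization predicate referenced from {@code @PreAuthorize("@permission.admin()")}.
     * <p>
     * Reads the token cookie of the current request, resolves the current user through
     * {@code IUserService.checkUser()} and grants access only when that user's roles value equals
     * {@code Constants.User.ROLE_ADMIN}. Any failure along the way yields {@code false} (deny), never an
     * exception: the original code dereferenced the request attributes unconditionally and threw a
     * NullPointerException when invoked outside a web request, which surfaces as a server error instead
     * of a clean denial.
     *
     * @return true only for an authenticated user whose roles equal ROLE_ADMIN
     */
    public boolean admin() {
        ServletRequestAttributes requestAttributes =
                (ServletRequestAttributes) RequestContextHolder.getRequestAttributes();
        // No request bound to this thread (scheduled job, test, async worker): nothing to authorize.
        if (requestAttributes == null) {
            log.info("no request bound to the current thread");
            return false;
        }
        HttpServletRequest request = requestAttributes.getRequest();
        // Only the cookie's presence is checked here; the value is never logged.
        String tokenKey = CookieUtils.getCookie(request, Constants.User.COOKIE_TOKEN_KEY);
        if (StrUtil.isEmpty(tokenKey)) {
            log.info("您没有登录");
            return false;
        }
        // checkUser() is a project helper; presumably it validates the token and returns null when it
        // does not resolve to a user — confirm against IUserService.
        User user = userService.checkUser();
        if (user == null) {
            log.info("您不是管理员");
            return false;
        }
        // Exact string comparison: a user holding several roles would not match —
        // TODO confirm that getRoles() carries a single role value.
        return Constants.User.ROLE_ADMIN.equals(user.getRoles());
    }
}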