SpringSecurity使用
认证
SpringBoot自动配置
Springboot引入 security的依赖后即做了相关的自动配置,所以我们可以什么都不做就能实现资源访问需要认证
使用Springboot整合SpringSecurity
自动配置
默认创建的内存中用户
自动创建的内存用户
@Bean
@Lazy
public InMemoryUserDetailsManager inMemoryUserDetailsManager(SecurityProperties properties,
ObjectProvider<PasswordEncoder> passwordEncoder) {
SecurityProperties.User user = properties.getUser();
List<String> roles = user.getRoles();
return new InMemoryUserDetailsManager(User.withUsername(user.getName())
.password(getOrDeducePassword(user, passwordEncoder.getIfAvailable()))
.roles(StringUtils.toStringArray(roles))
.build());
}
public static class User {
/**
* Default user name.
*/
private String name = "user";
/**
* Password for the default user name.
*/
private String password = UUID.randomUUID().toString();
}
具体使用
1.创建了Springboot项目后引入SpringSecurity的依赖
<dependency>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-security</artifactId>
</dependency>
2.启动应用
2023-09-02 15:06:48.614 WARN 27520 --- [ main] .s.s.UserDetailsServiceAutoConfiguration :
Using generated security password: d5ad3dc6-2b3d-4e84-9c4e-4cafc97b7bc1
This generated password is for development use only. Your security configuration must be updated before running your application in production.
3.浏览器访问
访问 http://127.0.0.1:8080/(根据自己配置更改),即 SpringBoot默认错误页面。会发现自动跳转到了 http://127.0.0.1:8080/login页面,使用用户名为“user”,密码为应用启动打印的密码(上面是”d5ad3dc6-2b3d-4e84-9c4e-4cafc97b7bc1“)的用户进行登录,最终可以访问正确的”错误页面“了。
个性化配置
内存中认证
可以配置添加多个内存中用户
创建UserDetails对象实现
创建2个用户:user/123456 admin/123456
其中 user拥有 USER角色,admin拥有 USER、ADMIN角色
@Bean
public UserDetailsService users() {
UserDetails user = User.builder()
.username("user")
.password("{bcrypt}$2a$10$QgVuSc7vTMOnu44DRG2OyOJpkJG0pegWsWXGFHoQH2N1mxvUOokYq")
.roles("USER")
.build();
UserDetails admin = User.builder()
.username("admin")
.password("{bcrypt}$2a$10$hV6CFZYzfbWVd0GtSxr0nu/IjJy0issHQDDmTSvHNTyY/5C7SPEU2")
.roles("USER", "ADMIN")
.build();
return new InMemoryUserDetailsManager(user, admin);
}
public static void main(String[] args) {
BCryptPasswordEncoder encoder = new BCryptPasswordEncoder();
String encode = encoder.encode("123456");
System.out.println("encode = " + encode);
}
数据库认证
实现通过查询数据库系统用户表进行认证
简单实现
1.自己用户表实现UserDetail对象
不涉及授权,因此权限信息返回简单角色
@Data
public class KyokyoUser implements UserDetails {
private Long id;
private String userName;
private String userAccount;
private String password;
private String enabled;
private String remark;
private String deleteFlag;
@Override
public Collection<? extends GrantedAuthority> getAuthorities() {
SimpleGrantedAuthority admin = new SimpleGrantedAuthority("ADMIN");
List<GrantedAuthority> authorities = new ArrayList<>();
authorities.add(admin);
return authorities;
}
@Override
public String getPassword() {
return this.password;
}
@Override
public String getUsername() {
return this.userAccount;
}
@Override
public boolean isAccountNonExpired() {
return true;
}
@Override
public boolean isAccountNonLocked() {
return true;
}
@Override
public boolean isCredentialsNonExpired() {
return true;
}
@Override
public boolean isEnabled() {
return true ;
}
}
2.实现UserDetailsService,重写loadUserByUsername
使用JDBC或者Mybatis查出用户信息
@Service
@Slf4j(topic = "KyokyoUserDetailsService")
public class KyokyoUserDetailsService implements UserDetailsService {
@Autowired
private JdbcTemplate jdbcTemplate;
@Override
public UserDetails loadUserByUsername(String username) throws UsernameNotFoundException {
KyokyoUser user = getUserByUserName(username);
if (null != user) {
return user;
} else {
throw new UsernameNotFoundException("找不到用户:" + username);
}
}
/**
* 描述:使用用户账号查询用户信息
* @author 段友元(duanyouyuan)
* @param userName 用户名
* @return com.kyokyo.common.config.security.KyokyoUser
* @create 2023年09月02日 16:41:40
**/
private KyokyoUser getUserByUserName(String userName) {
String sql = "select id,user_name userName,user_account userAccount,password,enabled,remark,delete_flag deleteFlag,created_by,created_time,updated_by,updated_time from user where delete_flag = 0 and user_account = ?";
Map<String, Object> result = null;
try {
result = jdbcTemplate.queryForMap(sql, userName);
} catch (Exception e) {
log.error("获取用户失败", e);
}
return BeanUtil.toBean(result, KyokyoUser.class);
}
}
3.浏览器随便访问一个请求,使用数据库用户登录,登录成功则没问题了。
授权
待补充