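Spring Security Study Notes
Spring Security is essentially a filter chain.
Spring Security mainly provides two functions: authentication and authorization.
Authentication: confirming whether the user is logged in
Authorization: restricting access permissions
Using the authentication and authorization annotations
1. @Secured
Usage: enable this annotation by adding the following to the startup class.
Add the annotation: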
@EnableGlobalMethodSecurity(securedEnabled = true)
2. Add the annotation to the controller method.
Example:
@RequestMapping("/level3/{id}")
@Secured({"ROLE_ADMIN", "ROLE_MANAGER"})
public String level3(@PathVariable("id") int id) {
    return "views/level3/" + id;
}
2. @PreAuthorize
Usage: add the following annotation to the startup class:
@EnableGlobalMethodSecurity(securedEnabled = true,prePostEnabled = true)
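According to the source-code comment on the PreAuthorize annotation, its value is a Spring EL expression that is evaluated before the method is invoked.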
public @interface PreAuthorize {
    /**
     * @return the Spring-EL expression to be evaluated before invoking the protected
     * method
     */
    String value();
}
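In the controller
3. @PostAuthorize
Verification is performed after the method has executed, so some processing can be done.
Usage: add the following annotation to the startup class: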
@EnableGlobalMethodSecurity(securedEnabled = true,prePostEnabled = true)
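4. @PostFilter
Filters the data after permission verification.
Automatic login
Uses a token
Implementation
1. Create the database table (or have the code create it automatically)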
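The three expression-based annotations side by side, as an added example that is not code from the original post. DocumentService, Document and the sample data are hypothetical names constructed for illustration; it assumes @EnableGlobalMethodSecurity(prePostEnabled = true) is present on a configuration class.

```java
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;
import org.springframework.security.access.prepost.PostAuthorize;
import org.springframework.security.access.prepost.PostFilter;
import org.springframework.security.access.prepost.PreAuthorize;
import org.springframework.stereotype.Service;

// Hypothetical service and model, constructed for illustration only.
@Service
public class DocumentService {

    public static class Document {
        private final int id;
        private final String owner;
        public Document(int id, String owner) { this.id = id; this.owner = owner; }
        public int getId() { return id; }
        public String getOwner() { return owner; }
    }

    // Constructed sample data standing in for a database table.
    private final List<Document> store = new ArrayList<>(Arrays.asList(
            new Document(1, "alice"), new Document(2, "bob")));

    // Evaluated BEFORE the body runs: a caller without ROLE_ADMIN never reaches the delete.
    @PreAuthorize("hasRole('ADMIN')")
    public void delete(int id) {
        store.removeIf(d -> d.getId() == id);
    }

    // Evaluated AFTER the body runs, against the return value. The body has already
    // executed when access is denied, so keep such methods free of side effects.
    @PostAuthorize("returnObject == null or returnObject.owner == authentication.name")
    public Document find(int id) {
        return store.stream().filter(d -> d.getId() == id).findFirst().orElse(null);
    }

    // Evaluated once per element; elements for which the expression is false are
    // removed from the returned collection, so a mutable copy is returned.
    @PostFilter("filterObject.owner == authentication.name")
    public List<Document> findAll() {
        return new ArrayList<>(store);
    }
}
```

With these rules, a user logged in as alice gets only document 1 from findAll(), and find(2) throws AccessDeniedException after the lookup has already run.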
create table learn.persistent_logins
(
    username  varchar(64) not null,
    series    varchar(64) not null
        primary key,
    token     varchar(64) not null,
    last_used timestamp default CURRENT_TIMESTAMP not null on update CURRENT_TIMESTAMP
);
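2. Modify the configuration class
Inject the data source and configure the object that operates on the token data
@Autowired
DataSource dataSource;

// Configure the token repository object
@Bean
public PersistentTokenRepository persistentTokenRepository() {
    JdbcTokenRepositoryImpl jdbcTokenRepository = new JdbcTokenRepositoryImpl();
    jdbcTokenRepository.setDataSource(dataSource);
    // jdbcTokenRepository.setCreateTableOnStartup(true); // create the table at startup
    return jdbcTokenRepository;
}
3. Configure automatic login in the configuration class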
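@Override
protected void configure(HttpSecurity http) throws Exception {
    // Customize the request authorization rules
    // The home page is accessible to everyone
    // (the authorization rules themselves are not shown in this excerpt)
    http.rememberMe()                                      // remember me
            .tokenRepository(persistentTokenRepository())  // configure the token repository
            .userDetailsService(userDetailsService)        // configure the service used to look up user data
            .tokenValiditySeconds(60);                     // validity period, in seconds
}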
4. Add a remember-me checkbox to the page
<div><input type="checkbox" name="remember-me" title="记住密码"></div>
The name attribute must be remember-me.
Complete project
1. Import the pom dependencies
<!-- JDBC -->
<dependency>
    <groupId>org.springframework.boot</groupId>
    <artifactId>spring-boot-starter-jdbc</artifactId>
</dependency>
<!-- spring security -->
<dependency>
    <groupId>org.springframework.boot</groupId>
    <artifactId>spring-boot-starter-security</artifactId>
</dependency>
<dependency>
    <groupId>org.springframework.boot</groupId>
    <artifactId>spring-boot-starter-thymeleaf</artifactId>
</dependency>
<dependency>
    <groupId>org.springframework.boot</groupId>
    <artifactId>spring-boot-starter-web</artifactId>
</dependency>
<dependency>
    <groupId>org.mybatis.spring.boot</groupId>
    <artifactId>mybatis-spring-boot-starter</artifactId>
    <version>2.2.0</version>
</dependency>
<dependency>
    <groupId>org.thymeleaf.extras</groupId>
    <artifactId>thymeleaf-extras-springsecurity5</artifactId>
</dependency>
<dependency>
    <groupId>mysql</groupId>
    <artifactId>mysql-connector-java</artifactId>
    <scope>runtime</scope>
</dependency>
<dependency>
    <groupId>com.baomidou</groupId>
    <artifactId>mybatis-plus-boot-starter</artifactId>
    <version>3.4.3</version>
</dependency>
<dependency>
    <groupId>p6spy</groupId>
    <artifactId>p6spy</artifactId>
    <version>3.8.0</version>
</dependency>
<!-- Code generator -->
<dependency>
    <groupId>com.baomidou</groupId>
    <artifactId>mybatis-plus-generator</artifactId>
    <version>3.4.1</version>
</dependency>
<!-- Template dependency -->
<dependency>
    <groupId>org.apache.velocity</groupId>
    <artifactId>velocity-engine-core</artifactId>
    <version>2.2</version>
</dependency>
<!-- https://mvnrepository.com/artifact/io.springfox/springfox-swagger2 -->
<dependency>
    <groupId>io.springfox</groupId>
    <artifactId>springfox-swagger2</artifactId>
    <version>2.7.0</version>
</dependency>
<!-- https://mvnrepository.com/artifact/org.springframework.boot/spring-boot-starter-log4j -->
<dependency>
    <groupId>org.springframework.boot</groupId>