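Integrating Spring Security with Spring Boot (Part 2)
Spring Boot is a rapid development framework for Spring, designed on top of Spring 4.0. Developing with Spring Boot avoids tedious project setup and configuration. It also integrates a large number of commonly used frameworks, so dependencies can be imported quickly and dependency conflicts are avoided.
Create the project
Create a Maven project
Project structure:
Add the pom dependencies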
<?xml version="1.0" encoding="UTF-8"?>
<project xmlns="http://maven.apache.org/POM/4.0.0"
         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
    <modelVersion>4.0.0</modelVersion>
    <groupId>cn.zysheep</groupId>
    <artifactId>security-spring-boot</artifactId>
    <version>1.0-SNAPSHOT</version>
    <packaging>jar</packaging>
    <parent>
        <groupId>org.springframework.boot</groupId>
        <artifactId>spring-boot-starter-parent</artifactId>
        <version>2.2.2.RELEASE</version>
    </parent>
    <properties>
        <maven.compiler.source>8</maven.compiler.source>
        <maven.compiler.target>8</maven.compiler.target>
    </properties>
    <dependencies>
        <dependency>
            <groupId>org.springframework.boot</groupId>
            <artifactId>spring-boot-starter-web</artifactId>
        </dependency>
        <dependency>
            <groupId>org.springframework.boot</groupId>
            <artifactId>spring-boot-starter-security</artifactId>
        </dependency>
        <!-- The jars below are all dependencies needed for JSP -->
        <dependency>
            <groupId>javax.servlet</groupId>
            <artifactId>javax.servlet-api</artifactId>
        </dependency>
        <!-- JSTL tags for use in JSP pages -->
        <dependency>
            <groupId>javax.servlet</groupId>
            <artifactId>jstl</artifactId>
        </dependency>
        <dependency>
            <groupId>org.springframework.boot</groupId>
            <artifactId>spring-boot-starter-tomcat</artifactId>
        </dependency>
        <!-- Used to compile JSPs -->
        <dependency>
            <groupId>org.apache.tomcat.embed</groupId>
            <artifactId>tomcat-embed-jasper</artifactId>
            <scope>provided</scope>
        </dependency>
    </dependencies>
</project>
Spring Boot does not officially recommend JSP as a template engine, but it can still be used. Doing so requires the following dependencies:
<!-- JSP dependencies -->
<dependency>
    <groupId>javax.servlet</groupId>
    <artifactId>javax.servlet-api</artifactId>
</dependency>
<!-- JSTL tags for use in JSP pages -->
<dependency>
    <groupId>javax.servlet</groupId>
    <artifactId>jstl</artifactId>
</dependency>
<dependency>
    <groupId>org.springframework.boot</groupId>
    <artifactId>spring-boot-starter-tomcat</artifactId>
</dependency>
<!-- Used to compile JSPs -->
<dependency>
    <groupId>org.apache.tomcat.embed</groupId>
    <artifactId>tomcat-embed-jasper</artifactId>
    <scope>provided</scope>
</dependency>
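Spring container configuration
When the Spring Boot application starts, it automatically scans all beans in the package of the startup class (SecuritySpringBootApp) and its sub-packages, and loads them into the Spring container.
Spring Boot configuration file
Add application.yml under resources with the following content: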
spring:
  application:
    name: security-springboot
  mvc:
    view:
      prefix: /WEB-INF/views/
      suffix: .jsp
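Spring Boot startup class
import org.springframework.boot.SpringApplication;
import org.springframework.boot.autoconfigure.SpringBootApplication;

@SpringBootApplication
public class SecuritySpringBootApp {
    public static void main(String[] args) {
        SpringApplication.run(SecuritySpringBootApp.class, args);
    }
}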
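Servlet Context configuration
Thanks to the Spring Boot starter auto-configuration mechanism, @EnableWebMvc and @ComponentScan are not needed here. WebMvcConfig is as follows:
import org.springframework.context.annotation.Configuration;
import org.springframework.web.servlet.config.annotation.ViewControllerRegistry;
import org.springframework.web.servlet.config.annotation.WebMvcConfigurer;

// @EnableWebMvc is not needed here; adding it would mean taking over the Spring MVC configuration entirely
@Configuration
public class WebMvcConfig implements WebMvcConfigurer {
    @Override
    public void addViewControllers(ViewControllerRegistry registry) {
        // Redirect the root path to the login page
        registry.addRedirectViewController("/", "/login");
    }
}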
The view resolver is configured in application.yml:
spring:
  mvc:
    view:
      prefix: /WEB-INF/views/
      suffix: .jsp
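Security configuration
Thanks to the Spring Boot starter auto-configuration mechanism, @EnableWebSecurity is not needed here. WebSecurityConfig is as follows:
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.core.userdetails.User;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.crypto.password.NoOpPasswordEncoder;
import org.springframework.security.crypto.password.PasswordEncoder;
import org.springframework.security.provisioning.InMemoryUserDetailsManager;

@Configuration
public class WebSecurityConfig extends WebSecurityConfigurerAdapter {

    // In-memory users for the demo: zhangsan has "save" and "update", lisi has only "save"
    @Bean
    public UserDetailsService userDetailsService() {
        InMemoryUserDetailsManager detailsManager = new InMemoryUserDetailsManager();
        detailsManager.createUser(User.withUsername("zhangsan").password("123").authorities("save", "update").build());
        detailsManager.createUser(User.withUsername("lisi").password("456").authorities("save").build());
        return detailsManager;
    }

    // NoOpPasswordEncoder compares passwords as plain text and is deprecated; it is suitable only for a demo like this one
    @Bean
    public PasswordEncoder passwordEncoder() {
        return NoOpPasswordEncoder.getInstance();
    }

    // Configure authorization, i.e. the security interception rules
    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http.csrf().disable() // CSRF protection is switched off in this demo
            .authorizeRequests()
            .antMatchers("/user/save").hasAuthority("save")
            .antMatchers("/user/update").hasAuthority("update")
            .antMatchers("/user/**").authenticated()
            .anyRequest().permitAll()
            .and()
            .formLogin() // enable form-based login
            .successForwardUrl("/user/login-success"); // custom URL to forward to after a successful login
    }
}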
LoginController
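import org.springframework.stereotype.Controller;
import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.PostMapping;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.ResponseBody;

@Controller
@RequestMapping("/user")
public class LoginController {

    // Target of successForwardUrl; resolves to /WEB-INF/views/success.jsp
    @PostMapping("/login-success")
    public String loginSuccess() {
        return "success";
    }

    @GetMapping("/save")
    @ResponseBody
    public String saveUser() {
        return "save resources";
    }

    @GetMapping("/update")
    @ResponseBody
    public String updateUser() {
        return "update resources";
    }

    @GetMapping("/delete")
    @ResponseBody
    public String deleteUser() {
        return "delete resources";
    }

    @GetMapping("/get")
    @ResponseBody
    public String getUser() {
        return "get resources";
    }
}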
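Testing
Test authentication (login)
Test logout
Test authorization
Log in as lisi with password 456. This user has only the save authority and no update authority; if it accesses update, the backend responds with a 403 error.
Access /user/save: access succeeds
Access /user/update: access fails, no permission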