SpringSecurity 是一个安全框架,可做权限管理和相应拦截(SpringBoot 任意版本可用);引入依赖后 SpringBoot 默认启用该安全框架
依赖
<!-- Spring Security starter: once on the classpath, Spring Boot enables the security filter chain
     (authentication, authorization, CSRF protection) with its default settings. -->
<dependency>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-security</artifactId>
</dependency>
Security 权限配置
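@EnableWebSecurity
public class SerurityConfiger extends WebSecurityConfigurerAdapter {

    /**
     * Configures request authorization, the login form and logout handling.
     *
     * <p>Only {@code /} is open to everyone; each {@code /vipN} page requires the matching role.
     * Paths not listed here are not covered by these rules. Spring Security's default CSRF
     * protection is left enabled, so {@code /logout} only reacts to POST requests: the page's
     * logout control has to be a form, not a plain link.
     *
     * @param http the security builder supplied by Spring Security
     * @throws Exception propagated from the builder
     */
    @Override
    protected void configure(HttpSecurity http) throws Exception {
        // antMatchers: request path pattern; hasRole("x") checks for the authority ROLE_x,
        // which is exactly what roles("x") in the authentication setup below assigns.
        http.authorizeRequests()
                .antMatchers("/").permitAll()
                .antMatchers("/vip1").hasRole("vip1")
                .antMatchers("/vip2").hasRole("vip2")
                .antMatchers("/vip3").hasRole("vip3");
        // Built-in login page at /login; an unauthenticated request to a protected path is
        // redirected there and the form posts back to /login.
        http.formLogin();
        // Logout (POST /logout while CSRF protection is on) and where to land afterwards.
        http.logout().logoutSuccessUrl("/index.html");
    }

    /**
     * Registers the demo users in an in-memory store.
     *
     * <p>One {@link BCryptPasswordEncoder} is shared between the verification step and the
     * hashing of the stored passwords, so the two cannot drift apart. The users and passwords
     * are demonstration values only; a real deployment would load them from a store (for
     * example {@code auth.jdbcAuthentication()}) instead of keeping credentials in source.
     *
     * @param auth the authentication builder supplied by Spring Security
     * @throws Exception propagated from the builder
     */
    @Override
    protected void configure(AuthenticationManagerBuilder auth) throws Exception {
        BCryptPasswordEncoder encoder = new BCryptPasswordEncoder();
        auth.inMemoryAuthentication().passwordEncoder(encoder)
                .withUser("admin").password(encoder.encode("123")).roles("vip1", "vip2", "vip3")
                .and()
                .withUser("zhangsan").password(encoder.encode("123")).roles("vip1");
    }
}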
几个简单页面和页面逻辑
@Controller
public class indexController {

    /** Home page, served for both the root path and {@code /index.html}. */
    @GetMapping({"/", "/index.html"})
    public String index() {
        return "index";
    }

    /** Page behind role vip1 (see the security configuration). */
    @GetMapping("/vip1")
    public String vip1() {
        return "vip1";
    }

    /** Page behind role vip2 (see the security configuration). */
    @GetMapping("/vip2")
    public String vip2() {
        return "vip2";
    }

    /** Page behind role vip3 (see the security configuration). */
    @GetMapping("/vip3")
    public String vip3() {
        return "vip3";
    }

    /**
     * Renders the custom login view.
     *
     * <p>The stdout line is a trace of each visit; a logger would be the usual choice.
     */
    @GetMapping("/login2")
    public String login() {
        System.out.println("login");
        return "login";
    }
}
index.html
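<!DOCTYPE html>
<html lang="en" xmlns:th="http://www.thymeleaf.org">
<head>
    <meta charset="UTF-8">
    <title>Title</title>
</head>
<body>
<h1>Hello World</h1>
<a href="/vip1">vip1</a>
<a href="/vip2">vip2</a>
<a href="/vip3">vip3</a>
<a href="/login2">login2</a>
<a href="/login">loginsecurity</a>
<!-- Logout is a POST form, not a link: with CSRF protection enabled (the default) Spring Security
     ignores GET /logout. th:action renders the hidden _csrf field, so nothing has to be switched off. -->
<form th:action="@{/logout}" method="post">
    <button type="submit">logout</button>
</form>
</body>
</html>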
<!DOCTYPE html>
<!-- vip1 page: only served to users holding role vip1
     (antMatchers("/vip1").hasRole("vip1") in the security configuration) -->
<html lang="en">
<head>
<meta charset="UTF-8">
<title>Title</title>
</head>
<body>
<h1>vip1</h1>
</body>
</html>
动态展示 (SpringBoot 切换低版本2.0.7.RELEASE)
登录显示用户名和注销,未登录显示登录(也可以用th:if判断等)
依赖
<!-- thymeleaf security 整合-->
<!-- https://mvnrepository.com/artifact/org.thymeleaf.extras/thymeleaf-extras-springsecurity4 -->
<!-- Provides the sec: dialect (sec:authorize, sec:authentication) used in the templates below.
     NOTE(review): this is the Spring Security 4 flavour, which is why the page drops to Spring Boot
     2.0.7.RELEASE; on a newer Boot (Spring Security 5) the matching artifact is presumably
     thymeleaf-extras-springsecurity5 - verify against the version in use. -->
<dependency>
<groupId>org.thymeleaf.extras</groupId>
<artifactId>thymeleaf-extras-springsecurity4</artifactId>
<version>3.0.2.RELEASE</version>
</dependency>
<html lang="en" xmlns:th="http://www.thymeleaf.org"
xmlns:sec="http://www.thymeleaf.org/extras/spring-security"> ← 在 html 标签上声明 th 与 sec 两个命名空间
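<!DOCTYPE html>
<html lang="zh" xmlns:th="http://www.thymeleaf.org"
      xmlns:sec="http://www.thymeleaf.org/extras/spring-security">
<head>
    <meta charset="UTF-8">
    <title>Title</title>
</head>
<body>
<h1>Hello World</h1>
<a href="/vip1">vip1</a>
<a href="/vip2">vip2</a>
<a href="/vip3">vip3</a>
<a href="/login2">login2</a>
<div sec:authorize="!isAuthenticated()">
    <!-- Not logged in: show the login link -->
    <a href="/login">loginsecurity</a>
</div>
<div sec:authorize="isAuthenticated()">
    <!-- Logged in: show the user name and a logout control -->
    用户名:<span sec:authentication="name"></span>
    <!-- Logout is a POST form, not a link: with CSRF protection enabled Spring Security ignores
         GET /logout, and th:action renders the hidden _csrf field so protection can stay on. -->
    <form th:action="@{/logout}" method="post">
        <button type="submit">logout</button>
    </form>
</div>
</body>
</html>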
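@EnableWebSecurity
public class SerurityConfiger extends WebSecurityConfigurerAdapter {

    /**
     * Configures request authorization, the login form and logout handling.
     *
     * <p>Only {@code /} is open to everyone; each {@code /vipN} page requires the matching role.
     * Paths not listed here are not covered by these rules.
     *
     * <p>CSRF protection stays at Spring Security's default (enabled). An earlier version called
     * {@code http.csrf().disable()} only so that a GET link to {@code /logout} would work; that
     * removed the protection from every state-changing request, the login form included. The
     * page instead submits logout as a POST form, which Thymeleaf's {@code th:action} completes
     * with the hidden {@code _csrf} field.
     *
     * @param http the security builder supplied by Spring Security
     * @throws Exception propagated from the builder
     */
    @Override
    protected void configure(HttpSecurity http) throws Exception {
        // hasRole("x") checks for the authority ROLE_x, which roles("x") below assigns.
        http.authorizeRequests()
                .antMatchers("/").permitAll()
                .antMatchers("/vip1").hasRole("vip1")
                .antMatchers("/vip2").hasRole("vip2")
                .antMatchers("/vip3").hasRole("vip3");
        // Built-in login page at /login; unauthenticated access to a protected path redirects there.
        http.formLogin();
        // Logout (POST /logout while CSRF protection is on) and where to land afterwards.
        http.logout().logoutSuccessUrl("/index.html");
    }

    /**
     * Registers the demo users in an in-memory store.
     *
     * <p>One {@link BCryptPasswordEncoder} is shared between verification and the hashing of the
     * stored passwords, so the two cannot drift apart. The users and passwords are demonstration
     * values only; a real deployment would load them from a store (for example
     * {@code auth.jdbcAuthentication()}) instead of keeping credentials in source.
     *
     * @param auth the authentication builder supplied by Spring Security
     * @throws Exception propagated from the builder
     */
    @Override
    protected void configure(AuthenticationManagerBuilder auth) throws Exception {
        BCryptPasswordEncoder encoder = new BCryptPasswordEncoder();
        auth.inMemoryAuthentication().passwordEncoder(encoder)
                .withUser("admin").password(encoder.encode("123")).roles("vip1", "vip2", "vip3")
                .and()
                .withUser("zhangsan").password(encoder.encode("123")).roles("vip1");
    }
}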
自定义登录和记住我
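@EnableWebSecurity
public class SerurityConfiger extends WebSecurityConfigurerAdapter {

    /**
     * Configures authorization, the custom login form, logout and remember-me.
     *
     * <p>Only {@code /} is open to everyone; each {@code /vipN} page requires the matching role.
     * Paths not listed here (including {@code /tologin} and {@code /login}) are not covered by
     * these rules.
     *
     * <p>CSRF protection stays at Spring Security's default (enabled). An earlier version called
     * {@code http.csrf().disable()} only so that a GET link to {@code /logout} would work; that
     * removed the protection from every state-changing request, the login form included. The
     * page instead submits logout as a POST form, which Thymeleaf's {@code th:action} completes
     * with the hidden {@code _csrf} field.
     *
     * @param http the security builder supplied by Spring Security
     * @throws Exception propagated from the builder
     */
    @Override
    protected void configure(HttpSecurity http) throws Exception {
        // hasRole("x") checks for the authority ROLE_x, which roles("x") below assigns.
        http.authorizeRequests()
                .antMatchers("/").permitAll()
                .antMatchers("/vip1").hasRole("vip1")
                .antMatchers("/vip2").hasRole("vip2")
                .antMatchers("/vip3").hasRole("vip3");
        // Custom login view at /tologin; its form posts to /login. The parameter names bind the
        // form's field names (username/password are also the defaults, spelled out for clarity).
        http.formLogin()
                .loginPage("/tologin")
                .loginProcessingUrl("/login")
                .usernameParameter("username")
                .passwordParameter("password");
        // Logout (POST /logout while CSRF protection is on) and where to land afterwards.
        http.logout().logoutSuccessUrl("/index.html");
        // "remember" is the checkbox name in login.html; the cookie lasts two weeks by default.
        // NOTE(review): no .key(...) is set, so the remember-me key is generated at startup and
        // existing remember-me cookies presumably stop validating after a restart - confirm for
        // the Spring Security version in use.
        http.rememberMe().rememberMeParameter("remember");
    }

    /**
     * Registers the demo users in an in-memory store.
     *
     * <p>One {@link BCryptPasswordEncoder} is shared between verification and the hashing of the
     * stored passwords, so the two cannot drift apart. The users and passwords are demonstration
     * values only; a real deployment would load them from a store (for example
     * {@code auth.jdbcAuthentication()}) instead of keeping credentials in source.
     *
     * @param auth the authentication builder supplied by Spring Security
     * @throws Exception propagated from the builder
     */
    @Override
    protected void configure(AuthenticationManagerBuilder auth) throws Exception {
        BCryptPasswordEncoder encoder = new BCryptPasswordEncoder();
        auth.inMemoryAuthentication().passwordEncoder(encoder)
                .withUser("admin").password(encoder.encode("123")).roles("vip1", "vip2", "vip3")
                .and()
                .withUser("zhangsan").password(encoder.encode("123")).roles("vip1");
    }
}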
login.html
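<!DOCTYPE html>
<html lang="zh" xmlns:th="http://www.thymeleaf.org"
      xmlns:sec="http://www.thymeleaf.org/extras/spring-security">
<head>
    <meta charset="UTF-8">
    <title>Title</title>
</head>
<body>
<h1>login</h1>
<!-- th:action="@{/login}" targets loginProcessingUrl("/login") and, with Spring Security present,
     renders the hidden _csrf field, so CSRF protection can stay enabled. The field names match
     usernameParameter/passwordParameter; "remember" matches rememberMeParameter("remember"). -->
<form th:action="@{/login}" method="post">
    <label>用户名:<input type="text" name="username" autocomplete="username"></label> <br>
    <label>密码:<input type="password" name="password" autocomplete="current-password"></label>
    <label><input type="checkbox" name="remember"> 记住我</label>
    <input type="submit" value="提交">
</form>
</body>
</html>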
index.html
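<!DOCTYPE html>
<html lang="zh" xmlns:th="http://www.thymeleaf.org"
      xmlns:sec="http://www.thymeleaf.org/extras/spring-security">
<head>
    <meta charset="UTF-8">
    <title>Title</title>
</head>
<body>
<h1>Hello World</h1>
<a href="/vip1">vip1</a>
<a href="/vip2">vip2</a>
<a href="/vip3">vip3</a>
<a href="/tologin">login2</a>
<div sec:authorize="!isAuthenticated()">
    <!-- Not logged in: offer the custom login page -->
    <a href="/tologin">loginsecurity</a>
</div>
<div sec:authorize="isAuthenticated()">
    <!-- Logged in: show the user name and a logout control -->
    用户名:<span sec:authentication="name"></span>
    <!-- Logout is a POST form, not a link: with CSRF protection enabled Spring Security ignores
         GET /logout, and th:action renders the hidden _csrf field so protection can stay on. -->
    <form th:action="@{/logout}" method="post">
        <button type="submit">logout</button>
    </form>
</div>
</body>
</html>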