How it works
Spring Security is itself a single filter, which then dispatches the request to the filters registered internally within Spring Security.
Note: Request Matching for Dispatch and Authorization
A security filter chain (or equivalently a WebSecurityConfigurerAdapter) has a request matcher that is used for deciding whether to apply it to an HTTP request. Once the decision is made to apply a particular filter chain, no others are applied. But within a filter chain you can have more fine grained control of authorization by setting additional matchers in the HttpSecurity configurer.
Usage steps:
- Add the dependencies
<dependency>
    <groupId>org.thymeleaf.extras</groupId>
    <artifactId>thymeleaf-extras-springsecurity5</artifactId>
    <!--<version>3.0.4.RELEASE</version>-->
</dependency>
<!-- Import the dependency -->
<dependency>
    <groupId>org.springframework.boot</groupId>
    <artifactId>spring-boot-starter-security</artifactId>
</dependency>
- Configure the relevant files, i.e. define your own authentication and authorization rules; this is explained briefly below.
- Write test code
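Configure your site's authentication and authorization rules
import org.springframework.boot.autoconfigure.security.SecurityProperties;
import org.springframework.context.annotation.Configuration;
import org.springframework.core.annotation.Order;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;

// Adapter pattern: adds functionality dynamically without affecting the existing business code!
@Configuration
@Order(SecurityProperties.BASIC_AUTH_ORDER - 10)
public class ApplicationConfigurerAdapter extends WebSecurityConfigurerAdapter {
    @Override
    protected void configure(HttpSecurity http) throws Exception {
        // The request matcher decides which requests this filter chain applies to.
        http.antMatcher("/foo/**")
            ...;
    }
}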
@EnableWebSecurity is probably also needed; then add your own rules according to the site's navigation logic.
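The note above distinguishes the matcher that selects a filter chain from the matchers that authorize requests inside it. The following added example (not code from the original page) shows both with two ordered chains in Spring Security 5.x; the class names, the paths `/foo/admin/**`, `/login`, `/css/**` and the role `ADMIN` are assumptions chosen for illustration.

```java
import org.springframework.boot.autoconfigure.security.SecurityProperties;
import org.springframework.context.annotation.Configuration;
import org.springframework.core.annotation.Order;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;

// Hypothetical configuration class; names, paths and roles are illustrative assumptions.
@EnableWebSecurity
public class MultiChainSecurityConfig {

    // Chain 1: consulted first (lower order value = higher precedence).
    // Its request matcher claims every request under /foo/**.
    @Configuration
    @Order(SecurityProperties.BASIC_AUTH_ORDER - 10)
    public static class FooSecurityConfig extends WebSecurityConfigurerAdapter {
        @Override
        protected void configure(HttpSecurity http) throws Exception {
            http.antMatcher("/foo/**")           // dispatch: which requests use this chain
                .authorizeRequests()             // authorization: rules inside the chain
                    .antMatchers("/foo/admin/**").hasRole("ADMIN")
                    // Catch-all: chain 2 never sees /foo/** requests, so without this
                    // rule the remaining /foo/** paths would have no authorization
                    // rule in this chain, and chain 2's rules would not apply either.
                    .anyRequest().authenticated()
                    .and()
                .httpBasic();
        }
    }

    // Chain 2: no antMatcher, so it handles every request chain 1 did not claim.
    @Configuration
    @Order(SecurityProperties.BASIC_AUTH_ORDER)
    public static class DefaultSecurityConfig extends WebSecurityConfigurerAdapter {
        @Override
        protected void configure(HttpSecurity http) throws Exception {
            http.authorizeRequests()
                    .antMatchers("/", "/login", "/css/**").permitAll()
                    .anyRequest().authenticated()
                    .and()
                .formLogin().loginPage("/login");
        }
    }
}
```

When reviewing a setup like this, check each chain in order and confirm that it ends with its own catch-all rule, because a request claimed by an earlier chain is never evaluated against a later one.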
References
https://spring.io/guides/topicals/spring-security-architecture
https://docs.spring.io/spring-security/site/docs/5.3.1.BUILD-SNAPSHOT/reference/html5/#modules