接上一篇文章。spring security 最简单的demo
1.我们首先自定义资源接口访问权限
我们可以继承WebSecurityConfigurerAdapter类来进行控制。如下所示，我们定义/和/static/下的资源不需要认证，其他资源除了登录和登出之外都需要验证；并且我们设置了需要登录时跳转到/login。
@Configuration
@EnableWebSecurity // turns on Spring Security's web support
@EnableGlobalMethodSecurity(prePostEnabled = true) // enables @PreAuthorize / @PostAuthorize on handler methods
public class WebSecurityConfig extends WebSecurityConfigurerAdapter {

    /**
     * Declares which URLs need authentication and how users log in and out.
     *
     * <ul>
     *   <li>{@code /} and paths one segment below {@code /static/} are public (a single
     *       {@code *} matches within one path segment only);
     *   <li>{@code /admin/**} requires the {@code ROLE_ADMIN} authority;
     *   <li>every other request needs an authenticated session;
     *   <li>the login page lives at {@code /login}; it and {@code /logout} are public.
     * </ul>
     *
     * <p>CSRF protection is switched off for the whole application, exactly as in the original
     * demo. With a cookie-backed session and a plain POST login form, that leaves every
     * state-changing endpoint open to cross-site request forgery; if it is re-enabled, logout
     * has to become a POST and the login form must carry the {@code _csrf} field (Thymeleaf's
     * {@code th:action} normally adds it — verify in the rendered page).
     *
     * @param http the builder Spring Security hands to this adapter
     * @throws Exception propagated from the {@link HttpSecurity} builder
     */
    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http.authorizeRequests()
                .antMatchers("/", "/static/*").permitAll()
                // hasRole("ADMIN") prepends ROLE_, so this is the same check as the
                // original access("hasRole('ROLE_ADMIN')") expression.
                .antMatchers("/admin/**").hasRole("ADMIN")
                .anyRequest().authenticated();
        http.formLogin()
                .loginPage("/login")
                .permitAll();
        http.logout()
                .permitAll();
        http.csrf().disable();
    }
}
2.编写/login对应的接口和页面,页面我们使用thymeleaf标签,记得引入相关maven:spring-boot-starter-thymeleaf
@Controller
public class DemoController {

    /**
     * Serves the custom login page that {@code WebSecurityConfig} points to via
     * {@code loginPage("/login")}.
     *
     * @return the logical view name {@code login}, rendered by the Thymeleaf template
     *     of the same name
     */
    @RequestMapping("/login")
    public String login() {
        final String viewName = "login";
        return viewName;
    }
}
<!DOCTYPE html>
<html xmlns="http://www.w3.org/1999/xhtml"
xmlns:th="http://www.thymeleaf.org">
<head>
<title>Spring Security login </title>
</head>
<body>
<div th:if="${param.error}">
用户名或密码错误
</div>
<div th:if="${param.logout}">
注销成功
</div>
<form th:action="@{/login}" method="post">
<div><label> 用户名 : <input type="text" name="username"/> </label></div>
<div><label> 密 码 : <input type="password" name="password"/> </label></div>
<div><input type="submit" value="登录"/></div>
</form>
</body>
</html>
此时我们再次访问/helloworld.html页面就会跳转到我们的登录页面，输入user和控制台输出的密码即可访问。
不过，如果我们在static目录下再新建一个static目录，并在其中新建一个index.html，那么它是可以直接访问、不需要登录的（这与上面对/static/*的放行规则一致）。
我们现在控制了登录页以及访问资源是否需要登录，但是我们还需要进行权限控制：某些资源有的人可以访问，有的人访问不了，怎么做？于是我们需要使用用户、角色、权限来进行控制，所以需要先建立这三者的关系。我用的是mysql，脚本已经写好，直接运行就好了。这里只实现最简单的关系，诸位一看就懂。
-- ----------------------------
-- Table structure for sys_permission
-- ----------------------------
-- `name` is what MyUserService turns into a GrantedAuthority, so the seed rows
-- use ROLE_-prefixed names. `url` and `pid` are stored but nothing on this page reads them.
DROP TABLE IF EXISTS `sys_permission`;
CREATE TABLE `sys_permission` (
`id` bigint(20) UNSIGNED NOT NULL AUTO_INCREMENT,
`name` varchar(200) CHARACTER SET utf8mb4 COLLATE utf8mb4_general_ci NOT NULL,
`description` varchar(200) CHARACTER SET utf8mb4 COLLATE utf8mb4_general_ci NULL DEFAULT NULL,
`url` varchar(200) CHARACTER SET utf8mb4 COLLATE utf8mb4_general_ci NOT NULL,
`pid` bigint(20) NULL DEFAULT NULL,
PRIMARY KEY (`id`) USING BTREE
) ENGINE = InnoDB AUTO_INCREMENT = 3 CHARACTER SET = utf8mb4 COLLATE = utf8mb4_general_ci ROW_FORMAT = Dynamic;
-- ----------------------------
-- Records of sys_permission
-- ----------------------------
INSERT INTO `sys_permission` VALUES (1, 'ROLE_HOME', 'home', '/', NULL);
INSERT INTO `sys_permission` VALUES (2, 'ROLE_ADMIN', 'ABel', '/admin', NULL);
-- ----------------------------
-- Table structure for sys_permission_role
-- ----------------------------
-- role -> permission link table. No FOREIGN KEY or UNIQUE(role_id, permission_id):
-- dangling or duplicate links are not rejected by the database.
DROP TABLE IF EXISTS `sys_permission_role`;
CREATE TABLE `sys_permission_role` (
`id` bigint(20) UNSIGNED NOT NULL AUTO_INCREMENT,
`role_id` bigint(20) UNSIGNED NOT NULL,
`permission_id` bigint(20) UNSIGNED NOT NULL,
PRIMARY KEY (`id`) USING BTREE
) ENGINE = InnoDB AUTO_INCREMENT = 4 CHARACTER SET = utf8mb4 COLLATE = utf8mb4_general_ci ROW_FORMAT = Dynamic;
-- ----------------------------
-- Records of sys_permission_role
-- ----------------------------
-- role 1 (ROLE_ADMIN) -> ROLE_HOME + ROLE_ADMIN; role 2 (ROLE_USER) -> ROLE_HOME only.
INSERT INTO `sys_permission_role` VALUES (1, 1, 1);
INSERT INTO `sys_permission_role` VALUES (2, 1, 2);
INSERT INTO `sys_permission_role` VALUES (3, 2, 1);
-- ----------------------------
-- Table structure for sys_role
-- ----------------------------
DROP TABLE IF EXISTS `sys_role`;
CREATE TABLE `sys_role` (
`id` bigint(20) UNSIGNED NOT NULL AUTO_INCREMENT,
`name` varchar(200) CHARACTER SET utf8mb4 COLLATE utf8mb4_general_ci NOT NULL,
PRIMARY KEY (`id`) USING BTREE
) ENGINE = InnoDB AUTO_INCREMENT = 3 CHARACTER SET = utf8mb4 COLLATE = utf8mb4_general_ci ROW_FORMAT = Dynamic;
-- ----------------------------
-- Records of sys_role
-- ----------------------------
INSERT INTO `sys_role` VALUES (1, 'ROLE_ADMIN');
INSERT INTO `sys_role` VALUES (2, 'ROLE_USER');
-- ----------------------------
-- Table structure for sys_role_user
-- ----------------------------
-- user -> role link table; same missing FOREIGN KEY / UNIQUE caveat as sys_permission_role.
DROP TABLE IF EXISTS `sys_role_user`;
CREATE TABLE `sys_role_user` (
`id` bigint(20) UNSIGNED NOT NULL AUTO_INCREMENT,
`sys_user_id` bigint(20) UNSIGNED NOT NULL,
`sys_role_id` bigint(20) UNSIGNED NOT NULL,
PRIMARY KEY (`id`) USING BTREE
) ENGINE = InnoDB AUTO_INCREMENT = 3 CHARACTER SET = utf8mb4 COLLATE = utf8mb4_general_ci ROW_FORMAT = Dynamic;
-- ----------------------------
-- Records of sys_role_user
-- ----------------------------
-- user 1 (admin) -> ROLE_ADMIN; user 2 (user) -> ROLE_USER.
INSERT INTO `sys_role_user` VALUES (1, 1, 1);
INSERT INTO `sys_role_user` VALUES (2, 2, 2);
-- ----------------------------
-- Table structure for sys_user
-- ----------------------------
-- NOTE(review): `username` carries no UNIQUE index, so findByUserName may match several rows.
-- NOTE(review): `password` is seeded in cleartext; MyUserService BCrypt-encodes it on every
-- login instead of the hash being stored here. Storing the BCrypt hash in this column is the
-- fix — encoding at load time gives no at-rest protection.
DROP TABLE IF EXISTS `sys_user`;
CREATE TABLE `sys_user` (
`id` bigint(20) UNSIGNED NOT NULL AUTO_INCREMENT,
`username` varchar(200) CHARACTER SET utf8mb4 COLLATE utf8mb4_general_ci NOT NULL,
`password` varchar(200) CHARACTER SET utf8mb4 COLLATE utf8mb4_general_ci NOT NULL,
PRIMARY KEY (`id`) USING BTREE
) ENGINE = InnoDB AUTO_INCREMENT = 3 CHARACTER SET = utf8mb4 COLLATE = utf8mb4_general_ci ROW_FORMAT = Dynamic;
-- ----------------------------
-- Records of sys_user
-- ----------------------------
INSERT INTO `sys_user` VALUES (1, 'admin', 'admin');
INSERT INTO `sys_user` VALUES (2, 'user', 'user');
然后建立对应的实体类(请根据数据库编写User,Role,Permission类即可,getter、setter方法),继而我们需要实现UserDetailsService来进行访问资源对应到角色、权限的细化控制。
package com.example.springsecuritydemo2.service;
import com.example.springsecuritydemo2.dao.PermissionMapper;
import com.example.springsecuritydemo2.dao.UserMapper;
import com.example.springsecuritydemo2.entity.Permission;
import com.example.springsecuritydemo2.entity.SysUser;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.authority.SimpleGrantedAuthority;
import org.springframework.security.core.userdetails.User;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.core.userdetails.UsernameNotFoundException;
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
import org.springframework.stereotype.Service;
import java.util.ArrayList;
import java.util.List;
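@Service
public class MyUserService implements UserDetailsService {
    private final Logger logger = LoggerFactory.getLogger(getClass());
    @Autowired
    private UserMapper userMapper;
    @Autowired
    private PermissionMapper permissionMapper;

    /**
     * Resolves the Spring Security principal for {@code username} from {@code sys_user} and
     * the permissions reachable through the user's roles.
     *
     * <p>Every permission with a non-null {@code name} (e.g. {@code ROLE_ADMIN},
     * {@code ROLE_HOME}) becomes one {@link SimpleGrantedAuthority}; rows of {@code sys_role}
     * do not contribute authorities on their own.
     *
     * @param username the login name submitted through the form
     * @return a {@link User} carrying the username, the BCrypt-encoded password and the
     *     granted authorities
     * @throws UsernameNotFoundException when no {@code sys_user} row matches {@code username}.
     *     This is what {@code UserDetailsService} requires; returning {@code null} (the previous
     *     behaviour) is treated by Spring's DaoAuthenticationProvider as a contract violation
     *     and surfaces as an internal authentication error instead of a failed login.
     */
    @Override
    public UserDetails loadUserByUsername(String username) throws UsernameNotFoundException {
        SysUser user = userMapper.findByUserName(username);
        if (user == null) {
            // Server-side only; DaoAuthenticationProvider hides "user not found" from the
            // client by default, so the login page sees a generic failure.
            logger.error("{}不存在", username);
            throw new UsernameNotFoundException(username + "不存在");
        }
        List<Permission> permissions = permissionMapper.findByAdminUserId(user.getId());
        List<GrantedAuthority> grantedAuthorities = new ArrayList<>();
        for (Permission permission : permissions) {
            if (permission != null && permission.getName() != null) {
                grantedAuthorities.add(new SimpleGrantedAuthority(permission.getName()));
            }
        }
        // NOTE(review): sys_user.password holds the cleartext password (see the seed data) and
        // is BCrypt-encoded here on every login so that the PasswordEncoder bean can match it.
        // The hash should be produced when the user is created and stored in the column, after
        // which this method returns user.getPassword() unchanged. Kept as is because the
        // shipped data would stop working otherwise.
        BCryptPasswordEncoder passwordEncoder = new BCryptPasswordEncoder();
        String password = passwordEncoder.encode(user.getPassword());
        return new User(user.getUsername(), password, grantedAuthorities);
    }
}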
访问数据库我们使用mybatis,userMapper和permissionMapper需要自己实现findByUserName和findByAdminUserId方法,见名知意,代码我就不贴了。别忘了引入mybatis的maven,不清楚的可以看我的源码在最后会有地址。
在WebSecurityConfig里面还需要设置密码加密方式，并且要与MyUserService中使用的加密方式保持一致。
/**
 * Registers the {@link PasswordEncoder} Spring Security uses to verify submitted passwords.
 *
 * <p>It must agree with whatever produced the stored password: {@code MyUserService} encodes
 * with {@code BCryptPasswordEncoder} as well, so the two match.
 *
 * @return a {@code BCryptPasswordEncoder} built with the library's default strength
 */
@Bean
public PasswordEncoder passwordEncoder() {
return new BCryptPasswordEncoder();
}
/**
 * Reachable by a principal holding either the {@code ROLE_ADMIN} or the {@code ROLE_HOME}
 * authority. {@code hasAnyRole('ROLE_ADMIN')} keeps the explicit prefix, which Spring leaves
 * as is rather than prefixing twice. Both names are {@code sys_permission.name} values
 * granted by {@code MyUserService}, not {@code sys_role} names.
 *
 * @return the logical view name {@code role}
 */
@RequestMapping("/role")
@PreAuthorize("hasAnyRole('ROLE_ADMIN') or hasAnyAuthority('ROLE_HOME')")
public String role() {
return "role";
}
/**
 * Admin landing page. No method-level annotation is needed: the URL rule for
 * {@code /admin/**} in {@code WebSecurityConfig} already requires {@code ROLE_ADMIN}
 * before the request reaches this handler.
 *
 * @return the logical view name {@code admin/admin}
 */
@RequestMapping("/admin")
public String admin() {
return "admin/admin";
}
我们可以写点接口和页面,来验证角色权限的控制
别忘了配置项目属性和连接池
logging.level.root=INFO
logging.level.com.example.springsecuritydemo2=debug
# NOTE(review): useSSL=false sends credentials and data to MySQL unencrypted; acceptable only
# for a local demo database.
spring.datasource.url=jdbc:mysql://localhost:3306/sc_copy?useSSL=false&useUnicode=true&characterEncoding=UTF-8&serverTimezone=UTC
spring.datasource.driverClassName=com.mysql.cj.jdbc.Driver
# NOTE(review): the database password is committed in cleartext here; keep it out of source
# control by supplying it through an environment variable or an externalised config file.
spring.datasource.username=root
spring.datasource.password=123456
spring.thymeleaf.cache=false
mybatis.type-aliases-package=com.example.springsecuritydemo2.entity
mybatis.mapper-locations=classpath:mybatis/*.xml
代码结构如下:
pom.xml
<?xml version="1.0" encoding="UTF-8"?>
<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
<modelVersion>4.0.0</modelVersion>
<parent>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-parent</artifactId>
<version>2.1.1.RELEASE</version>
<relativePath/> <!-- lookup parent from repository -->
</parent>
<groupId>com.example</groupId>
<artifactId>spring-security-demo2</artifactId>
<version>0.0.1-SNAPSHOT</version>
<name>spring-security-demo2</name>
<description>Demo project for Spring Boot</description>
<properties>
<java.version>1.8</java.version>
</properties>
<dependencies>
<dependency>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-security</artifactId>
</dependency>
<dependency>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-web</artifactId>
</dependency>
<dependency>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-thymeleaf</artifactId>
</dependency>
<dependency>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-test</artifactId>
<scope>test</scope>
</dependency>
<dependency>
<groupId>org.springframework.security</groupId>
<artifactId>spring-security-test</artifactId>
<scope>test</scope>
</dependency>
<dependency>
<groupId>org.mybatis</groupId>
<artifactId>mybatis</artifactId>
<version>3.4.6</version>
</dependency>
<dependency>
<groupId>mysql</groupId>
<artifactId>mysql-connector-java</artifactId>
</dependency>
<dependency>
<groupId>org.mybatis.spring.boot</groupId>
<artifactId>mybatis-spring-boot-starter</artifactId>
<version>1.3.2</version>
</dependency>
</dependencies>
<build>
<plugins>
<plugin>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-maven-plugin</artifactId>
</plugin>
</plugins>
</build>
</project>
ok,此时项目没有报错启动即可进行验证。
1. 访问/helloworld.html，预期：需要登录后才可访问，admin和user用户都可以。
验证和预期一致。
2. 访问/logout即可登出，然后访问/admin。预期：只有admin可以访问，user访问受限。
验证和预期一致。
至此我们简单的权限控制基本开发完成。
贴一下常用的权限控制说明:
再说一点:前端的模块展示也是可以使用springsecurity4标签来进行控制,哪些div是管理员展示的,哪些是所有的都可以看的,使用起来很方便。例如:
<div sec:authorize="hasRole('ROLE_ADMIN')"> <p class="bg-info" th:text="${msg.extraInfo}"></p> </div>
代码已经上传