1.禁止所有的请求访问
引入security-web与security-config两个依赖
package com.fishedee;
import org.springframework.core.annotation.Order;
import org.springframework.security.web.context.AbstractSecurityWebApplicationInitializer;
/**
* Created by fishedee on 15/12/2016.
*/
public class SecurityAppInitializer extends AbstractSecurityWebApplicationInitializer{
    // Intentionally empty: per the surrounding notes, merely subclassing
    // AbstractSecurityWebApplicationInitializer is what installs Spring
    // Security's filter into the servlet container. No overrides are needed.
}
建立继承AbstractSecurityWebApplicationInitializer的类,它会为应用注册Security的Filter
package com.fishedee;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
/**
* Created by fishedee on 15/12/2016.
*/
@Configuration
@EnableWebSecurity
public class SecurityConfig extends WebSecurityConfigurerAdapter {

    /**
     * Locks the application down: every request is rejected regardless of
     * authentication state, and CSRF protection is switched off.
     *
     * @param http builder for the web security filter chain
     * @throws Exception propagated from the {@link HttpSecurity} builder
     */
    @Override
    protected void configure(HttpSecurity http) throws Exception {
        // denyAll() rejects even authenticated callers, so nothing is reachable.
        // NOTE(review): csrf().disable() removes CSRF protection for the whole
        // application. Harmless while every request is denied, but it must be
        // re-enabled before any endpoint is opened to browser sessions.
        http.authorizeRequests()
                .anyRequest().denyAll()
                .and()
            .csrf().disable();
    }
}
建立SecurityConfig,建立安全配置,默认为禁止所有的请求访问
/**
* Created by fishedee on 29/11/2016.
*/
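public class WebAppInitializer extends AbstractAnnotationConfigDispatcherServletInitializer {

    /**
     * Maps the {@code DispatcherServlet} to the context root so it receives every request.
     *
     * @return the servlet URL patterns
     */
    @Override
    protected String[] getServletMappings() {
        // A stray System.out.println("uu") debug trace used to sit here; removed so
        // the initializer does not write to stdout at container startup.
        return new String[] {"/"};
    }

    /**
     * Root (parent) application context configuration. Per the notes,
     * {@code SecurityConfig} is registered here rather than in the servlet context.
     *
     * @return the root configuration classes
     */
    @Override
    protected Class<?>[] getRootConfigClasses() {
        return new Class<?>[] {RootConfig.class, SecurityConfig.class};
    }

    /**
     * Servlet (child) context configuration, i.e. the web MVC layer.
     *
     * @return the servlet configuration classes
     */
    @Override
    protected Class<?>[] getServletConfigClasses() {
        return new Class<?>[] {WebConfig.class};
    }
}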
在WebAppInitializer的getRootConfigClasses中将SecurityConfig.class加入到根配置类中
2.身份认证
@Configuration
@EnableWebSecurity
public class SecurityConfig extends WebSecurityConfigurerAdapter {

    /**
     * Declares the user store: two fixed accounts held in memory.
     *
     * NOTE(review): the credentials are hard-coded and kept as plain text, which
     * suits a local demo only. A deployed application should load users from an
     * external store and hash passwords with a {@code PasswordEncoder}.
     *
     * @param auth the authentication manager builder
     * @throws Exception propagated from the builder
     */
    @Override
    protected void configure(AuthenticationManagerBuilder auth) throws Exception {
        auth.inMemoryAuthentication()
                .withUser("fish").password("123").roles("USER", "ADMIN")
                .and()
                .withUser("fish2").password("456").roles("USER");
    }

    /**
     * Requires authentication for every request and serves a login form.
     *
     * NOTE(review): csrf().disable() turns off CSRF protection even though form
     * login relies on a session cookie, so state-changing requests could be
     * triggered from another origin. Prefer leaving CSRF enabled and including the
     * token in submitted forms.
     *
     * @param http builder for the web security filter chain
     * @throws Exception propagated from the builder
     */
    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http.authorizeRequests()
                .anyRequest().authenticated()
                .and()
            .formLogin()
                .and()
            .csrf().disable();
    }
}
配置为所有请求都必须登录后才能访问
这时候所有请求都会跳转到固定的/login页面,登录后自动跳转到原有的请求页面。注意,security指定的登出地址为/logout
3.获取用户
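@Controller
public class HomeController {

    /**
     * Renders the home page and looks up the currently authenticated user.
     *
     * The principal is read from the thread-bound {@code SecurityContext}. It is
     * only treated as a {@link UserDetails} when it actually is one: with no
     * authentication present, or with a principal of another type (e.g. the plain
     * String used for anonymous access), the original unchecked cast would have
     * thrown a ClassCastException or NullPointerException instead of serving the page.
     *
     * @param model the view model; receives the greeting text
     * @return the "home" view name
     */
    @RequestMapping(value = "/", method = RequestMethod.GET)
    public String home(Model model) {
        model.addAttribute("text", "My Name is Fish");

        org.springframework.security.core.Authentication authentication =
                SecurityContextHolder.getContext().getAuthentication();
        Object principal = authentication == null ? null : authentication.getPrincipal();
        if (principal instanceof UserDetails) {
            UserDetails userDetails = (UserDetails) principal;
            // Demo output only; an application should log the username rather than
            // the whole principal object.
            System.out.println(userDetails);
        }
        return "home";
    }
}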
在Controller层通过SecurityContextHolder.getContext().getAuthentication().getPrincipal()获取当前登录用户的信息