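I have gone through this tutorial many times, but my foundations are too weak: I can only follow along to get the result, and there is a lot I have not understood. Still, I feel the basics are servlets and JSP.
My IDE needed an upgrade. In Spring Tool Suite, click Help --> Check for Update to upgrade; mine was a download of about 431Mb, and the upgrade finished after a short while.
If you do not upgrade, you will find that the project created by the wizard at https://start.spring.io/ fails to import into the IDE after you unzip it; the IDE refuses the import.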
Securing a Web Application
Starting with Spring Initializr
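Go to https://start.spring.io/ to create a new application. Set Artifact to securing-web, and on the right choose the Spring Web and Thymeleaf dependencies. Click Generate to download the archive, then unzip it.
Open the project in Spring Tool Suite.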
Create an Unsecured Web Application
Create an unsecured web application, that is, a web application with no security restrictions. Create the file src/main/resources/templates/home.html:
<!DOCTYPE html>
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:th="https://www.thymeleaf.org" xmlns:sec="https://www.thymeleaf.org/thymeleaf-extras-springsecurity3">
<head>
<title>Spring Security Example</title>
</head>
<body>
<h1>Welcome!</h1>
<p>Click <a th:href="@{/hello}">here</a> to see a greeting.</p>
</body>
</html>
And hello.html:
<!DOCTYPE html>
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:th="https://www.thymeleaf.org"
xmlns:sec="https://www.thymeleaf.org/thymeleaf-extras-springsecurity3">
<head>
<title>Hello World!</title>
</head>
<body>
<h1>Hello world!</h1>
</body>
</html>
Add the class src/main/java/com/example/securingweb/MvcConfig.java:
package com.example.securingweb;

import org.springframework.context.annotation.Configuration;
import org.springframework.web.servlet.config.annotation.ViewControllerRegistry;
import org.springframework.web.servlet.config.annotation.WebMvcConfigurer;

@Configuration
public class MvcConfig implements WebMvcConfigurer {

    // Map URLs straight to Thymeleaf view names; no controller classes are needed.
    public void addViewControllers(ViewControllerRegistry registry) {
        registry.addViewController("/home").setViewName("home");
        registry.addViewController("/").setViewName("home");
        registry.addViewController("/hello").setViewName("hello");
        registry.addViewController("/login").setViewName("login");
    }
}
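That completes the application without security. In the IDE, right-click --> Run --> Spring Boot App.
Then enter http://localhost:8080/ in the browser.
Clicking "here" shows:
Next, add security.
As long as Spring Security is on the classpath (as I understand it, that means Spring Security is in the pom file), Spring Boot automatically secures all HTTP endpoints with "basic" authentication. So Spring Boot does the basic authentication for you.
If you want more security features, add these two entries to the pom.xml file.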
<dependency>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-security</artifactId>
</dependency>
<dependency>
<groupId>org.springframework.security</groupId>
<artifactId>spring-security-test</artifactId>
<scope>test</scope>
</dependency>
Add this class as src/main/java/com/example/securingweb/WebSecurityConfig.java:
package com.example.securingweb;

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.core.userdetails.User;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.provisioning.InMemoryUserDetailsManager;

@Configuration
@EnableWebSecurity
public class WebSecurityConfig extends WebSecurityConfigurerAdapter {

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            .authorizeRequests()
                // "/" and "/home" are public; every other request needs a logged-in user.
                .antMatchers("/", "/home").permitAll()
                .anyRequest().authenticated()
                .and()
            .formLogin()
                // Custom login page; it must be reachable without authentication.
                .loginPage("/login")
                .permitAll()
                .and()
            .logout()
                .permitAll();
    }

    @Bean
    @Override
    public UserDetailsService userDetailsService() {
        // withDefaultPasswordEncoder() is deprecated in Spring Security and meant for
        // demos only: the password is written in plain text in the source code.
        UserDetails user =
            User.withDefaultPasswordEncoder()
                .username("user")
                .password("password")
                .roles("USER")
                .build();
        // Single in-memory account; nothing is persisted.
        return new InMemoryUserDetailsManager(user);
    }
}
Add the login page as src/main/resources/templates/login.html:
<!DOCTYPE html>
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:th="https://www.thymeleaf.org"
xmlns:sec="https://www.thymeleaf.org/thymeleaf-extras-springsecurity3">
<head>
<title>Spring Security Example </title>
</head>
<body>
<div th:if="${param.error}">
Invalid username and password.
</div>
<div th:if="${param.logout}">
You have been logged out.
</div>
<form th:action="@{/login}" method="post">
<div><label> User Name : <input type="text" name="username"/> </label></div>
<div><label> Password: <input type="password" name="password"/> </label></div>
<div><input type="submit" value="Sign In"/></div>
</form>
</body>
</html>
Modify hello.html:
<!DOCTYPE html>
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:th="https://www.thymeleaf.org"
xmlns:sec="https://www.thymeleaf.org/thymeleaf-extras-springsecurity3">
<head>
<title>Hello World!</title>
</head>
<body>
<h1 th:inline="text">Hello [[${#httpServletRequest.remoteUser}]]!</h1>
<form th:action="@{/logout}" method="post">
<input type="submit" value="Sign Out"/>
</form>
</body>
</html>
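This way the page shows "Hello" followed by the username.
Run it.
The result looks like this:
Now clicking "here" shows:
Enter username user and password password, click Sign In, and you see:
Clicking Sign Out shows:
If the username or password is wrong, you see: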
Done, done, done.