1 Original link: http://blog.csdn.net/u012373815/article/details/55225079
2 Link 2: Using Spring Security basic and digest authentication for a REST service
https://my.oschina.net/buwei/blog/193576
3 springboot+springsecurity: asynchronous logging, captcha, remember-me (also verifies the case where XML-style and annotation-style transactions coexist)
https://github.com/facheng/demo/tree/3edf9fe1f22429fb5963e16f40b506fb665dcc00/veen -- not RESTful
4 http://blog.csdn.net/pomer_huang/article/details/77902392 - RESTful style
The classes that by default return HTML (for example, redirecting to the access-denied page) are replaced with custom classes; instead of redirecting to an HTML page, they return a status code to the front end.
Read 3 and 4 together, but treat 3 as authoritative, since 3 is complete and is a runnable full project. Look at how the Spring Security configuration differs between the RESTful and the non-RESTful style.
Part of the code from 4 is copied below:
For example, the logic after access is denied is overridden: originally it redirected to the access-denied page; now it returns a status code.
import java.io.IOException;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.springframework.security.access.AccessDeniedException;
import org.springframework.security.web.access.AccessDeniedHandler;
// Replaces the default handler, which forwards to an error page, with one that answers a REST client in JSON.
public class GoAccessDeniedHandler implements AccessDeniedHandler {
@Override
public void handle(HttpServletRequest request, HttpServletResponse response,
AccessDeniedException exception) throws IOException, ServletException {
response.setStatus(HttpServletResponse.SC_FORBIDDEN); // 403 so the client sees the denial in the status line, not only in the body
response.setHeader("Content-Type", "application/json;charset=utf-8");
response.getWriter().print("{\"code\":1,\"message\":\""+exception.getMessage()+"\"}");
response.getWriter().flush();
}
}
import org.springframework.context.annotation.Configuration;
import org.springframework.context.annotation.Import;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
@Configuration
@EnableWebSecurity // required in a plain Spring MVC project; Spring Boot's auto-configuration adds it for you
@Import(RootConfig.class)
public class GoWebSecurityConfigurerAdapter extends WebSecurityConfigurerAdapter {
//......
@Override
protected void configure(HttpSecurity http) throws Exception {
http
// REST style: every outcome is reported as a status code plus JSON body instead of a redirect
.exceptionHandling()
.accessDeniedHandler(new GoAccessDeniedHandler()) // authenticated but lacking the authority -> JSON instead of the error page
.authenticationEntryPoint(new GoAuthenticationEntryPoint()) // not authenticated -> JSON instead of the login page
.and().authorizeRequests()
.antMatchers("/", "/csrf").permitAll()
.antMatchers("/hello").hasAuthority("ADMIN")
.anyRequest().authenticated()
.and().formLogin()
.loginProcessingUrl("/login").permitAll() // only the POST processing URL is configured; no login page is rendered
.successHandler(new GoAuthenticationSuccessHandler())
.failureHandler(new GoAuthenticationFailureHandler())
.and().logout()
.logoutUrl("/logout")
.logoutSuccessHandler(new GoLogoutSuccessHandler())
.invalidateHttpSession(true)
.deleteCookies("JSESSIONID")
.and().requiresChannel()
.antMatchers("/pomer").requiresSecure()
.anyRequest().requiresInsecure() // forces plain HTTP everywhere except /pomer, so session and remember-me cookies travel unencrypted; a demo setting
.and().rememberMe()
.tokenValiditySeconds(1800)
.key("token_key"); // signs the remember-me cookie; a guessable literal like this weakens it, use a long random secret
}
}
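The configuration above names an authentication entry point and login success/failure handlers that the copied code does not show. The following is an added example, not code from the original post or from either linked project, of how those three pieces look when written in the same "status code plus JSON instead of redirect" style as GoAccessDeniedHandler. Class and package names (com.example.restsecurity, RestAuthenticationEntryPoint, RestAuthenticationSuccessHandler, RestAuthenticationFailureHandler, JsonResponses) are hypothetical; javax.servlet matches the Spring Security 4 / Spring Boot 1.x era of the linked projects.

```java
// Added example (not from the original post or the projects it links): the
// "JSON instead of redirect" treatment for the entry point and the login
// success/failure handlers. Names are hypothetical.
package com.example.restsecurity;

import java.io.IOException;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.AuthenticationException;
import org.springframework.security.web.AuthenticationEntryPoint;
import org.springframework.security.web.authentication.AuthenticationFailureHandler;
import org.springframework.security.web.authentication.AuthenticationSuccessHandler;

/** Shared writer: sets the HTTP status explicitly and emits a small JSON body. */
final class JsonResponses {
    private JsonResponses() {}

    static void write(HttpServletResponse response, int httpStatus, int code, String message)
            throws IOException {
        response.setStatus(httpStatus);
        response.setContentType("application/json;charset=utf-8");
        response.getWriter().print("{\"code\":" + code + ",\"message\":\"" + escape(message) + "\"}");
        response.getWriter().flush();
    }

    /** Escapes quotes, backslashes and control characters so the body stays valid JSON
     *  even when the message comes from an exception carrying caller-influenced text. */
    static String escape(String s) {
        if (s == null) {
            return "";
        }
        StringBuilder sb = new StringBuilder(s.length() + 8);
        for (char c : s.toCharArray()) {
            switch (c) {
                case '"':  sb.append("\\\""); break;
                case '\\': sb.append("\\\\"); break;
                case '\n': sb.append("\\n");  break;
                case '\r': sb.append("\\r");  break;
                case '\t': sb.append("\\t");  break;
                default:
                    if (c < 0x20) {
                        sb.append(String.format("\\u%04x", (int) c));
                    } else {
                        sb.append(c);
                    }
            }
        }
        return sb.toString();
    }
}

/** Anonymous request to a protected URL: 401 + JSON instead of a redirect to the login page. */
class RestAuthenticationEntryPoint implements AuthenticationEntryPoint {
    @Override
    public void commence(HttpServletRequest request, HttpServletResponse response,
                         AuthenticationException authException) throws IOException, ServletException {
        JsonResponses.write(response, HttpServletResponse.SC_UNAUTHORIZED, 2, "Authentication required");
    }
}

/** Successful login: 200 + the principal name, instead of a redirect to the saved request. */
class RestAuthenticationSuccessHandler implements AuthenticationSuccessHandler {
    @Override
    public void onAuthenticationSuccess(HttpServletRequest request, HttpServletResponse response,
                                        Authentication authentication) throws IOException, ServletException {
        JsonResponses.write(response, HttpServletResponse.SC_OK, 0, "Logged in as " + authentication.getName());
    }
}

/** Failed login: 401 + a deliberately generic message, so the response does not reveal
 *  whether the username or the password was the part that failed. */
class RestAuthenticationFailureHandler implements AuthenticationFailureHandler {
    @Override
    public void onAuthenticationFailure(HttpServletRequest request, HttpServletResponse response,
                                        AuthenticationException exception) throws IOException, ServletException {
        JsonResponses.write(response, HttpServletResponse.SC_UNAUTHORIZED, 3, "Invalid credentials");
    }
}
```

These plug into the same slots the configuration above fills with the Go* classes: `.exceptionHandling().authenticationEntryPoint(new RestAuthenticationEntryPoint())` and `.formLogin().successHandler(new RestAuthenticationSuccessHandler()).failureHandler(new RestAuthenticationFailureHandler())`. The one deliberate difference from the copied GoAccessDeniedHandler is that the message is escaped before being concatenated into the body and the failure handler does not echo `exception.getMessage()`, so the JSON cannot be broken by, or leak detail through, the exception text.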