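0. Introduction to Spring Security
The core features of Spring Security are:
- Authentication (which user is making the request)
- Authorization (which permissions the requesting user has)
- Attack protection (preventing forged identities)
1. Project directory
2. Importing the jars with Maven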
<dependencies>
    <dependency>
        <groupId>org.springframework.boot</groupId>
        <artifactId>spring-boot-starter-thymeleaf</artifactId>
    </dependency>
    <dependency>
        <groupId>org.springframework.boot</groupId>
        <artifactId>spring-boot-starter-test</artifactId>
        <scope>test</scope>
    </dependency>
    <dependency>
        <groupId>org.springframework.security</groupId>
        <artifactId>spring-security-test</artifactId>
        <scope>test</scope>
    </dependency>
    <dependency>
        <groupId>org.springframework.boot</groupId>
        <artifactId>spring-boot-starter-security</artifactId>
    </dependency>
    <dependency>
        <groupId>org.springframework.boot</groupId>
        <artifactId>spring-boot-starter-web</artifactId>
    </dependency>
</dependencies>
3. Creating the two HTML files
Create the pages under the src/main/resources/templates/ directory.
hello.html
<!DOCTYPE html>
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
    <title>Hello World!</title>
</head>
<body>
    <h1>You are visiting Hello!!</h1>
</body>
</html>
home.html
<!DOCTYPE html>
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
    <title>html</title>
</head>
<body>
    <h1>You are visiting home!!</h1>
</body>
</html>
4. Spring Security core configuration
package top.createdream.security.config;

import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;

/**
 * Spring Security configuration class
 */
@Configuration
/**
 * Notes on the EnableWebSecurity annotation:
 * a Spring Boot application that uses Spring Security
 * uses the EnableWebSecurity annotation. According to the official documentation,
 * it is used together with the Configuration annotation
 * to annotate a class of type WebSecurityConfigurer,
 * or a class that extends WebSecurityConfigurerAdapter,
 * and this is what makes up the Spring Security configuration.
 */
@EnableWebSecurity
public class SecurityConfig extends WebSecurityConfigurerAdapter {

    /**
     * Spring Security core configuration
     *
     * @param http
     * @throws Exception
     */
    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
                // Request authorization
                .authorizeRequests()
                // Requests to "/" and "/home" (the home controller) require the USER role
                .antMatchers("/", "/home").hasRole("USER")
                // Everything else is permitted
                .anyRequest().permitAll()
                .and()
                // Login configuration
                .formLogin()
                .and()
                // Logout configuration
                .logout()
                .permitAll();
    }

    /**
     * Configures the in-memory user
     *
     * @param auth
     * @throws Exception
     */
    @Autowired
    protected void configureGlobal(AuthenticationManagerBuilder auth) throws Exception {
        auth.inMemoryAuthentication()
                .passwordEncoder(new BCryptPasswordEncoder())
                .withUser("user")
                .password(new BCryptPasswordEncoder()
                        .encode("123456")).roles("USER");
    }
}
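5. Result
Because we configured access control, our request to http://localhost:8080/home is redirected (302).
We are then taken to the login page that Spring Security creates for us.
After entering the account set in the code (username: user, password: 123456), we can see that we have reached home.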