Spring Boot:SpringSecurity学习笔记
使用SpringSecurity需要导入对应的starter,并且编写一个注释了
@EnableWebSecurity----开启WebSecurity模式
注解并且继承了
WebSecurityConfigurerAdapter----自定义Security策略
的类来实现其功能。
在重写父类方法时有个传参
AuthenticationManagerBuilder----自定义认证策略
依赖
<!--Thymeleaf-springSecurity整合包-->
<!-- https://mvnrepository.com/artifact/org.thymeleaf.extras/thymeleaf-extras-springsecurity5 -->
<dependency>
<groupId>org.thymeleaf.extras</groupId>
<artifactId>thymeleaf-extras-springsecurity5</artifactId>
<version>3.0.4.RELEASE</version>
</dependency>
<!--Thymeleaf-->
<dependency>
<groupId>org.thymeleaf</groupId>
<artifactId>thymeleaf-spring5</artifactId>
</dependency>
<dependency>
<groupId>org.thymeleaf.extras</groupId>
<artifactId>thymeleaf-extras-java8time</artifactId>
</dependency>
<!--springsecurity启动器-->
<dependency>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-security</artifactId>
</dependency>
功能类
package com.huang.config;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
@EnableWebSecurity
public class SecurityConfig extends WebSecurityConfigurerAdapter {
//链式编程
//授权
@Override
protected void configure(HttpSecurity http) throws Exception {
//首页所有人可以访问,功能页只有对应有权限的人才能访问
//请求授权的规则
http.authorizeRequests()
.antMatchers("/").permitAll()
.antMatchers("/level1/**").hasRole("vip1")
.antMatchers("/level2/**").hasRole("vip2")
.antMatchers("/level3/**").hasRole("vip3");
//没有权限默认会到登录页
// loginPage("/toLogin");----配置默认登录页
// loginProcessingUrl("/login");----配置登录表单请求的URL
// passwordParameter("pwd");----配置前端传递参数的name属性值
http.formLogin().loginPage("/toLogin").loginProcessingUrl("/login").passwordParameter("pwd").usernameParameter("name");
//注销
//需要关闭csrf功能 http.csrf().disable()
http.csrf().disable();
http.logout().logoutSuccessUrl("/");
//开启记住我功能 cookie,默认保存两周
// rememberMeParameter("remember")----配置前端传递的name属性值
http.rememberMe().rememberMeParameter("remember");
}
//认证 ,在springboot 2.1.x 可以直接使用,不需要加密
//在Spring Security 5.0+ 新增了很多的加密方法
@Override
protected void configure(AuthenticationManagerBuilder auth) throws Exception {
auth.inMemoryAuthentication().passwordEncoder(new BCryptPasswordEncoder())
.withUser("huangyu").password(new BCryptPasswordEncoder().encode("123456")).roles("vip2","vip3")
.and()
.withUser("root").password(new BCryptPasswordEncoder().encode("123456")).roles("vip1","vip2","vip3")
.and()
.withUser("laoba").password(new BCryptPasswordEncoder().encode("123456")).roles("vip1");
}
}
注意点:
- loginPage("/toLogin")是设置一个自己的登录界面代替默认的/login页面,当设置了这个值时,默认的/login页面就会失效。
- loginProcessingUrl("/login")是配置你自己登录界面的form表单最终提交的action的URL
<form th:action="@{/login}" method="post">