登录认证
1.首先开启登录认证,对static下的静态资源css、js、img、plugins全部放行
2.但是访问/admin/**下资源的需要开启实时的权限认证,会调用authService下的auth函数
3.antMatchers("/pages/**").authenticated()代表对pages下的资源,如果已经通过了权限认证,就可以访问
SecurityConfig:
package com.example.admin.config;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.builders.WebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
@Configuration
public class SecurityConfig extends WebSecurityConfigurerAdapter {
//使用BCrypt加密策略
@Bean
public BCryptPasswordEncoder bCryptPasswordEncoder() {
return new BCryptPasswordEncoder();
}
public static void main(String[] args)
{
//加密策略 MD5 不安全 彩虹表 MD5 加盐
String mszlu = new BCryptPasswordEncoder().encode("mszlu");
}
@Override
public void configure(WebSecurity web) throws Exception
{
super.configure(web);
}
@Override
protected void configure(HttpSecurity http) throws Exception
{
//开启登录认证
http.authorizeRequests()
.antMatchers("/css/**").permitAll()
.antMatchers("/img/**").permitAll()
.antMatchers("/js/**").permitAll()
.antMatchers("/plugins/**").permitAll()
.antMatchers("/admin/**").access("@authService.auth(request,authentication)") //自定义service实现实时的权限认证
.antMatchers("/pages/**").authenticated();
//没有权限,会自动跳到登陆页,需要开启登录的页面
http.formLogin()
.loginPage("/login.html") //自定义的登录页面
.loginProcessingUrl("/login") //登录处理接口
.usernameParameter("username") //定义登录时的用户名的key 默认为username
.passwordParameter("password") //定义登录时的密码key,默认是password
.defaultSuccessUrl("/pages/main.html") //登录成功跳转的页面
.failureUrl("/login.html") //登录失败跳转的页面
.permitAll(); //和登录表单相关的接口/login通过
//退出登录配置
http.logout()
.logoutUrl("/logout") //退出登录接口
.logoutSuccessUrl("/login.html") //退出登录成功跳转的页面
.permitAll(); //退出登录的接口放行
http.httpBasic()
.and()
.csrf().disable() //csrf关闭 如果自定义登录 需要关闭
.headers().frameOptions().sameOrigin();//支持iframe嵌套
}
}
SecurityUserService:
登录的时候,会把username传递到这里
通过username查询admin,如果存在,将密码告诉springSecurity
如果不存在 返回Null,代表认证失败
package com.example.admin.service;
import com.example.admin.pojo.Admin;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.security.core.userdetails.User;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.core.userdetails.UsernameNotFoundException;
import org.springframework.stereotype.Service;
import java.util.ArrayList;
@Service
public class SecurityUserService implements UserDetailsService
{
@Autowired
private AdminService adminService;
//登录的时候,会把username传递到这里
//通过username查询admin,如果存在,将密码告诉springSecurity
//如果不存在 返回Null,代表认证失败
@Override
public UserDetails loadUserByUsername(String username) throws UsernameNotFoundException
{
Admin admin = adminService.findAdminByUsername(username);
if(admin == null)
{
//登录失败
return null;
}
UserDetails userDetails = new User(username,admin.getPassword(),new ArrayList<>());
return userDetails;
}
}
AuthService:
自定义service 来去实现实时的权限认证
package com.example.admin.service;
import com.example.admin.pojo.Admin;
import com.example.admin.pojo.Permission;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.stereotype.Service;
import org.thymeleaf.util.StringUtils;
import javax.servlet.http.HttpServletRequest;
import java.util.List;
//自定义service 来去实现实时的权限认证
@Service
public class AuthService
{
@Autowired
private AdminService adminService;
//权限认证
public boolean auth(HttpServletRequest request, Authentication authentication)
{
//请求路径
String requestURI = request.getRequestURI();
//匿名用户
Object principal = authentication.getPrincipal();
if(principal == null || "anonymousUser".equals(principal))
{
//未登录
return false;
}
UserDetails userDetails = (UserDetails) principal;
String username = userDetails.getUsername();
Admin admin = adminService.findAdminByUsername(username);
if(admin == null)
{
return false;
}
//最高权限者
if(admin.getId() == 1)
{
return true;
}
Long id = admin.getId();
List<Permission> permissionList = adminService.findPermissionByAdminId(id);
//requestURI可能有?后面的参数传参,所以要分割一下
requestURI = StringUtils.split(requestURI, "?")[0];
for (Permission permission : permissionList)
{
//判断该用户有没有这个请求路径的权限
if(requestURI.equals(permission.getPath()))
{
return true;
}
}
return false;
}
}