1 理论
Spring Security 是一种基于 Spring AOP 和 Servlet 过滤器的安全框架。它提供全面的安全性解决方案，同时在 Web 请求级和方法调用级处理身份认证和授权。
工作流程
2 实践
2.1.0 目录结构
2.1.1 导入依赖
<dependencies>
    <dependency>
        <groupId>org.springframework.boot</groupId>
        <artifactId>spring-boot-starter-web</artifactId>
    </dependency>
    <!-- thymeleaf template engine -->
    <dependency>
        <groupId>org.springframework.boot</groupId>
        <artifactId>spring-boot-starter-thymeleaf</artifactId>
        <version>2.1.1.RELEASE</version>
    </dependency>
    <!-- monitoring: actuator exposes HTTP endpoints that the security rules must also cover -->
    <dependency>
        <groupId>org.springframework.boot</groupId>
        <artifactId>spring-boot-starter-actuator</artifactId>
    </dependency>
    <!-- security: access control and form login -->
    <!-- NOTE(review): thymeleaf pins 2.1.1.RELEASE and security pins 2.3.1.RELEASE while the
         other starters inherit the version managed by the parent (parent not shown here).
         Mixing Spring Boot starter versions is a common source of classpath conflicts and
         keeps the pinned artifacts out of the parent's upgrade path; confirm the intended
         Boot version and prefer letting the parent manage all starters. -->
    <dependency>
        <groupId>org.springframework.boot</groupId>
        <artifactId>spring-boot-starter-security</artifactId>
        <version>2.3.1.RELEASE</version>
    </dependency>
</dependencies>
2.1.2 修改配置文件yml
server:
  # Plain HTTP listener port; nothing else (TLS, context path) is configured in this snippet.
  port: 82
2.1.3 主启动类
2.1.4 配置类
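@EnableWebSecurity // turns on Spring Security's web support (implemented via servlet filters / AOP)
public class SecurityConfig extends WebSecurityConfigurerAdapter {

    /**
     * Authorization rules for incoming HTTP requests.
     *
     * <p>{@code /index} is open to everyone; {@code /v1/**}, {@code /v2/**} and
     * {@code /v3/**} each require the matching role. Every other URL falls back to
     * {@code anyRequest().authenticated()}, so paths that are not listed here (for
     * example the actuator endpoints pulled in by the build) are not left reachable
     * without a login simply because no matcher mentions them.
     *
     * @param http builder used to declare request matchers and login/logout behaviour
     * @throws Exception propagated from the {@link HttpSecurity} builder
     */
    @Override
    public void configure(HttpSecurity http) throws Exception {
        http.authorizeRequests()
            .antMatchers("/index").permitAll()
            .antMatchers("/v1/**").hasRole("v1")
            .antMatchers("/v2/**").hasRole("v2")
            .antMatchers("/v3/**").hasRole("v3")
            // default-deny: anything not matched above requires an authenticated user
            .anyRequest().authenticated();

        // Unauthenticated access to a protected URL is redirected to the default login form.
        // http.formLogin().loginPage("...") would point at a custom login page instead.
        http.formLogin();

        // Enable logout; after a successful logout the user is sent to /index.
        http.logout().logoutSuccessUrl("/index");

        // Remember-me cookie support.
        http.rememberMe();

        // CSRF protection is on by default; this call only makes the intent explicit.
        http.csrf();
    }

    /**
     * Authentication: in-memory users for the demo (a real application would load
     * them from a database).
     *
     * <p>Passwords must be stored encoded — with Spring Security 5+ a plain-text
     * password fails with a 500 error at login. A single encoder instance is shared
     * for both registration and verification instead of constructing one per call.
     *
     * @param auth builder for the in-memory user store
     * @throws Exception propagated from the {@link AuthenticationManagerBuilder}
     */
    @Override
    protected void configure(AuthenticationManagerBuilder auth) throws Exception {
        BCryptPasswordEncoder encoder = new BCryptPasswordEncoder();
        auth.inMemoryAuthentication().passwordEncoder(encoder)
            .withUser("ls1").password(encoder.encode("123456")).roles("v1")
            .and().withUser("ls2").password(encoder.encode("123456")).roles("v1", "v2")
            .and().withUser("ls3").password(encoder.encode("123456")).roles("v1", "v2", "v3");
    }
}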
2.1.5 业务类
@Controller
public class SecurityController {

    /** Separator printed to stdout on every handler hit so requests are visible in the console. */
    private static final String TRACE_LINE = "--------------------";

    /**
     * Prints the trace separator and hands back the view name to render.
     *
     * @param viewName template name resolved by the view layer
     * @return {@code viewName}, unchanged
     */
    private String render(String viewName) {
        System.out.println(TRACE_LINE);
        return viewName;
    }

    /** Landing page (open to everyone in {@code SecurityConfig}). */
    @RequestMapping("/index")
    public String index() {
        return render("index");
    }

    /** Pages under /v1 — protected by role v1. */
    @RequestMapping("/v1/a")
    public String v1a() {
        return render("v1/a");
    }

    @RequestMapping("/v1/b")
    public String v1b() {
        return render("v1/b");
    }

    @RequestMapping("/v1/c")
    public String v1c() {
        return render("v1/c");
    }

    /** Pages under /v2 — protected by role v2. */
    @RequestMapping("/v2/a")
    public String v2a() {
        return render("v2/a");
    }

    @RequestMapping("/v2/b")
    public String v2b() {
        return render("v2/b");
    }

    @RequestMapping("/v2/c")
    public String v2c() {
        return render("v2/c");
    }

    /** Pages under /v3 — protected by role v3. */
    @RequestMapping("/v3/a")
    public String v3a() {
        return render("v3/a");
    }

    @RequestMapping("/v3/b")
    public String v3b() {
        return render("v3/b");
    }

    @RequestMapping("/v3/c")
    public String v3c() {
        return render("v3/c");
    }
}