1. Basic concepts
- Authentication: authentication can be seen as the simplest form of authorization. It only needs to establish "who you are", so that an anonymous caller ("nobody") can be refused access to web resources.
- Authorization: authenticate first, then authorize.
- HTTP Basic authentication flow: when a request reaches the server for the first time, the server has no authentication information and returns 401 Unauthorized to the client. After authentication, the authentication information is stored in the session, so within the session's lifetime no further authentication is needed. (HTTP status codes: 401 = not authenticated; 403 = not authorized)
- By default, Spring Security uses the HTTP Basic authentication flow: the username and password are placed in the HTTP request header Authorization and sent to the server-side application.
GET http://localhost:9090/public/now HTTP/1.1
Authorization: Basic dXNlcjoxMjM0NTY=
(the value after "Basic" is base64("user:123456"); the username and password are never sent as two literal words)
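The request-handling decision described above, as an added example that is not part of the original notes and does not use Spring Security: plain Java 17 with java.util.Base64 only. The users, passwords, authorities and paths are constructed for the demo. It builds the client-side header value, then performs the two server-side steps in the order the notes give: authenticate (who is this?) and only then authorize (may this caller reach this path?), answering 401 when no valid credentials are present and 403 when the caller is authenticated but lacks the required authority.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.Base64;
import java.util.Map;
import java.util.Optional;
import java.util.Set;

// Added example (not from the original notes, no Spring dependency): the two-step
// decision a server makes for each request under HTTP Basic authentication.
public class BasicAuthDemo {

    // Constructed user store: username -> password and granted authorities.
    // Real systems store password hashes; plaintext here only keeps the demo short.
    record Account(String password, Set<String> authorities) {}

    static final Map<String, Account> USERS = Map.of(
            "user",  new Account("123456", Set.of("read")),
            "admin", new Account("123456", Set.of("read", "write")));

    // Constructed rules: path -> authority required ("" means permitAll).
    static final Map<String, String> REQUIRED = Map.of(
            "/public/now", "",
            "/private/report", "read",
            "/private/admin", "write");

    // Client side: the header value is "Basic " + base64("username:password").
    static String basicHeader(String username, String password) {
        byte[] raw = (username + ":" + password).getBytes(StandardCharsets.UTF_8);
        return "Basic " + Base64.getEncoder().encodeToString(raw);
    }

    // Step 1, authentication: who is this? Empty means "anonymous".
    static Optional<String> authenticate(String authorizationHeader) {
        // The scheme name is case-insensitive per RFC 7617.
        if (authorizationHeader == null || !authorizationHeader.regionMatches(true, 0, "Basic ", 0, 6)) {
            return Optional.empty();
        }
        String decoded;
        try {
            byte[] bytes = Base64.getDecoder().decode(authorizationHeader.substring(6).trim());
            decoded = new String(bytes, StandardCharsets.UTF_8);
        } catch (IllegalArgumentException malformed) {
            return Optional.empty(); // not valid base64: treat exactly like a missing header
        }
        // Split on the first ':' only, because passwords may themselves contain ':'.
        int sep = decoded.indexOf(':');
        if (sep < 0) {
            return Optional.empty();
        }
        String username = decoded.substring(0, sep);
        String password = decoded.substring(sep + 1);
        Account account = USERS.get(username);
        if (account == null) {
            return Optional.empty();
        }
        // Constant-time comparison so response timing does not reveal how many characters matched.
        boolean ok = MessageDigest.isEqual(
                account.password().getBytes(StandardCharsets.UTF_8),
                password.getBytes(StandardCharsets.UTF_8));
        return ok ? Optional.of(username) : Optional.empty();
    }

    // Step 2, authorization: HTTP status for this caller on this path.
    static int decide(String path, String authorizationHeader) {
        String required = REQUIRED.get(path);
        if (required == null) {
            return 404;
        }
        if (required.isEmpty()) {
            return 200; // permitAll: no identity needed at all
        }
        Optional<String> principal = authenticate(authorizationHeader);
        if (principal.isEmpty()) {
            return 401; // not authenticated; a real server also sends WWW-Authenticate: Basic realm="..."
        }
        if (!USERS.get(principal.get()).authorities().contains(required)) {
            return 403; // authenticated, but not authorized for this resource
        }
        return 200;
    }

    public static void main(String[] args) {
        String userHeader = basicHeader("user", "123456");
        System.out.println("Authorization: " + userHeader);
        System.out.println("/public/now, anonymous:     " + decide("/public/now", null));
        System.out.println("/private/report, anonymous: " + decide("/private/report", null));
        System.out.println("/private/report, user:      " + decide("/private/report", userHeader));
        System.out.println("/private/admin, user:       " + decide("/private/admin", userHeader));
        System.out.println("/private/admin, admin:      " + decide("/private/admin", basicHeader("admin", "123456")));
    }
}
```

The main method walks through the cases the notes distinguish: a permitAll path needs no identity, a protected path with no header is refused as unauthenticated, "user" is accepted on the path that needs "read" but refused on the one that needs "write", and "admin" passes both. Keeping authenticate and decide as separate functions is the point of the example: the 401/403 split falls out naturally once the identity question is answered before the permission question.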
2. Configuration (Spring Security 6)
import static org.springframework.security.config.Customizer.withDefaults;

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.core.userdetails.User;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.security.provisioning.InMemoryUserDetailsManager;
import org.springframework.security.web.SecurityFilterChain;

@Configuration
public class MyWebSecurityConfig {

    @Bean
    SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
        http.authorizeHttpRequests(requests -> {
            // "/public/**" rather than "/public": the request example above is for /public/now,
            // and a plain "/public" matcher would not cover it
            requests.requestMatchers("/public/**").permitAll();
            requests.requestMatchers("/private/**").authenticated();
            // deny-by-default for every path not listed above
            requests.anyRequest().authenticated();
        });
        http.formLogin(withDefaults());
        http.httpBasic(withDefaults());
        return http.build();
    }

    // This bean must be declared inside the @Configuration class; outside it, @Bean is never processed.
    @Bean
    public InMemoryUserDetailsManager userDetailServiceManager() {
        // withDefaultPasswordEncoder() is for demos only: the plaintext password sits in the source code.
        UserDetails admin = User.withDefaultPasswordEncoder()
                .username("admin")
                .password("123456")
                // roles() and authorities() overwrite each other (the last call wins), so calling
                // roles("ADMIN") followed by authorities("read", "write") silently drops the role.
                // List the role with its ROLE_ prefix alongside the other authorities instead.
                .authorities("ROLE_ADMIN", "read", "write")
                .build();
        UserDetails user = User.withDefaultPasswordEncoder()
                .username("testUser")
                .password("123456")
                .authorities("ROLE_USER", "read")
                .build();
        return new InMemoryUserDetailsManager(admin, user);
    }
}
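A check for the configuration above, added here as an example and not part of the original notes: a Spring Boot MockMvc test that exercises the HTTP Basic flow end to end. It assumes a Spring Boot application containing MyWebSecurityConfig, GET handlers at /public and /private (the page does not show them), and spring-boot-starter-test plus spring-security-test on the test classpath. The Accept header in the anonymous test is deliberate: with formLogin and httpBasic both enabled, Spring Security only sends the 401 challenge for requests that negotiate a non-HTML type (or carry X-Requested-With: XMLHttpRequest), and redirects browser-style requests to the login page instead.

```java
import static org.springframework.security.test.web.servlet.request.SecurityMockMvcRequestPostProcessors.httpBasic;
import static org.springframework.test.web.servlet.request.MockMvcRequestBuilders.get;
import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.header;
import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.status;

import org.junit.jupiter.api.Test;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.boot.test.autoconfigure.web.servlet.AutoConfigureMockMvc;
import org.springframework.boot.test.context.SpringBootTest;
import org.springframework.http.MediaType;
import org.springframework.test.web.servlet.MockMvc;

// Added example, not from the original notes. Assumes a Spring Boot application with
// MyWebSecurityConfig, GET handlers at /public and /private, and spring-security-test available.
@SpringBootTest
@AutoConfigureMockMvc
class MyWebSecurityConfigTest {

    @Autowired
    MockMvc mockMvc;

    @Test
    void publicPathIsOpenToAnonymousCallers() throws Exception {
        // permitAll: no credentials, no challenge
        mockMvc.perform(get("/public")).andExpect(status().isOk());
    }

    @Test
    void privatePathWithoutCredentialsIsChallengedWith401() throws Exception {
        // First request carries no credentials: the server answers 401 and challenges.
        // Accept: application/json selects the Basic entry point; a text/html request
        // would be redirected to the form login page because formLogin is also enabled.
        mockMvc.perform(get("/private").accept(MediaType.APPLICATION_JSON))
                .andExpect(status().isUnauthorized())
                .andExpect(header().exists("WWW-Authenticate"));
    }

    @Test
    void privatePathWithValidBasicCredentialsIs200() throws Exception {
        // httpBasic(...) adds "Authorization: Basic base64(testUser:123456)" to the request.
        mockMvc.perform(get("/private").with(httpBasic("testUser", "123456")))
                .andExpect(status().isOk());
    }

    @Test
    void privatePathWithWrongPasswordIs401() throws Exception {
        // A present but invalid credential is still "not authenticated", hence 401, not 403.
        mockMvc.perform(get("/private").with(httpBasic("testUser", "wrong-password")))
                .andExpect(status().isUnauthorized());
    }
}
```

Run it with the project's usual test command (for example mvn test or gradle test). The wrong-password case is worth keeping: it confirms that the configured user store is actually consulted, which a test that only sends valid credentials cannot distinguish from a chain that accepts anything.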