spring-security–基础–4.2–案例:简单资源权限访问
代码位置
https://gitee.com/DanShenGuiZu/learnDemo/tree/master/spring-security-learn
1、介绍
通过 Spring Security 实现以下功能:
- 内存2个用户
- admin:有p1权限
- user:有p2权限
- 权限控制
- 是否登录
- 否:不能访问资源
- 是:
- “/admin/p1”,只有p1权限的用户才能访问
- “/user/p2”,只有p2权限的用户才能访问
- 是否登录
2、代码
2.1、结构
2.2、依赖
<!--security begin-->
<!-- spring-boot-starter-web: servlet/MVC layer for the controllers below -->
<dependency>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-web</artifactId>
</dependency>
<!-- spring-boot-starter-security: filter chain, form login, URL authorization -->
<dependency>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-security</artifactId>
</dependency>
<!-- spring-boot-starter-thymeleaf: view engine used by login.html (see th: attributes there) -->
<dependency>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-thymeleaf</artifactId>
</dependency>
<!--security end-->
2.3、源码
LoginController
package com.feizhou.oauth.hello2;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.RestController;
/**
* @author Administrator
* @version 1.0
**/
@RestController
public class LoginController {
@RequestMapping(value = "/login-success")
public String loginSuccess(){
return getUsername()+" login-success 登录成功";
}
/**
* 测试资源1
* @return
*/
@GetMapping(value = "/admin/p1")
public String r1(){
return " /admin/p1 "+getUsername()+"访问资源1";
}
/**
* 测试资源2
* @return
*/
@GetMapping(value = "/user/p2")
public String r2(){
return "/user/p2 "+getUsername()+"访问资源2";
}
//获取当前用户信息
private String getUsername(){
String username = null;
//当前认证通过的用户身份
Authentication authentication = SecurityContextHolder.getContext().getAuthentication();
//用户身份
Object principal = authentication.getPrincipal();
if(principal == null){
username = "匿名";
}
if(principal instanceof org.springframework.security.core.userdetails.UserDetails){
UserDetails userDetails =(UserDetails)principal;
username = userDetails.getUsername();
}else{
username = principal.toString();
}
return username;
}
}
MvcConfig2
package com.feizhou.oauth.hello2;
import org.springframework.context.annotation.Configuration;
import org.springframework.web.servlet.config.annotation.ViewControllerRegistry;
import org.springframework.web.servlet.config.annotation.WebMvcConfigurer;
/**
 * View configuration: maps {@code /login} directly onto the {@code login} view
 * (login.html) so the login page needs no controller method of its own.
 *
 * <p>The path must match the {@code loginPage("/login")} declared in
 * {@code WebSecurityConfig2}; Spring Security only redirects there, it does not
 * render the page.
 *
 * @author zhoufei
 * @class: MvcConfig
 * @date 2020/10/24 21:03
 * @Verson 1.0 -2020/10/24 21:03
 * @see
 */
@Configuration
public class MvcConfig2 implements WebMvcConfigurer {

    /** Request path that serves the login page. */
    private static final String LOGIN_PATH = "/login";

    /** Logical view name resolved to the login template. */
    private static final String LOGIN_VIEW = "login";

    /**
     * Registers the login path as a plain view controller.
     *
     * @param viewRegistry registry supplied by Spring MVC during configuration
     */
    @Override
    public void addViewControllers(ViewControllerRegistry viewRegistry) {
        // GET /login -> render the "login" view, no handler code involved
        viewRegistry.addViewController(LOGIN_PATH).setViewName(LOGIN_VIEW);
    }
}
WebSecurityConfig2
package com.feizhou.oauth.hello2;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.core.userdetails.User;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
import org.springframework.security.crypto.password.NoOpPasswordEncoder;
import org.springframework.security.crypto.password.PasswordEncoder;
import org.springframework.security.provisioning.InMemoryUserDetailsManager;
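@EnableWebSecurity
@Configuration
public class WebSecurityConfig2 extends WebSecurityConfigurerAdapter {

    /**
     * In-memory user store for the demo: {@code admin} with authority {@code p1}
     * and {@code user} with authority {@code p2}.
     *
     * <p>Passwords are hashed with the {@link #passwordEncoder()} bean before
     * being stored, so the store never holds the clear-text values; the
     * credentials typed at the login form are still admin/admin and user/user.
     *
     * @return the populated user details service
     */
    @Bean
    public UserDetailsService userDetailsService() {
        // Same bean instance Spring Security uses to verify submitted passwords.
        PasswordEncoder encoder = passwordEncoder();
        InMemoryUserDetailsManager manager = new InMemoryUserDetailsManager();
        manager.createUser(User.withUsername("admin")
                .password(encoder.encode("admin"))
                .authorities("p1")
                .build());
        manager.createUser(User.withUsername("user")
                .password(encoder.encode("user"))
                .authorities("p2")
                .build());
        return manager;
    }

    /**
     * Password encoder used for both storing and verifying passwords.
     *
     * <p>BCrypt replaces {@code NoOpPasswordEncoder}, which compared clear text
     * and left the passwords readable in the user store.
     *
     * @return a BCrypt encoder
     */
    @Bean
    public PasswordEncoder passwordEncoder() {
        return new BCryptPasswordEncoder();
    }

    /**
     * URL interception rules and form login.
     *
     * @param http the security builder
     * @throws Exception propagated from the builder
     */
    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http.authorizeRequests()
                .antMatchers("/admin/p1").hasAuthority("p1")   // /admin/p1 requires authority p1
                .antMatchers("/user/p2").hasAuthority("p2")    // /user/p2 requires authority p2
                .anyRequest().authenticated()                  // every other request needs an authenticated user
                .and()
            .formLogin()
                .loginPage("/login")                           // rendered by MvcConfig2's view controller
                .successForwardUrl("/login-success")           // forward (not redirect) to the success handler
                .permitAll()                                   // login page and login processing must be reachable anonymously
                .and()
            .logout()
                .permitAll();
    }
}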
login.html
<!DOCTYPE html>
<!-- Login page rendered for GET /login (view "login", registered in MvcConfig2). -->
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:th="http://www.thymeleaf.org"
xmlns:sec="http://www.thymeleaf.org/thymeleaf-extras-springsecurity3">
<!-- NOTE(review): the sec: namespace is declared but no sec: attribute is used below. -->
<head>
<title>Spring Security Example </title>
</head>
<body>
<!-- ?error and ?logout are the query flags Spring Security's default failure/logout redirects append. -->
<div th:if="${param.error}">
Invalid username and password.
</div>
<div th:if="${param.logout}">
You have been logged out.
</div>
<!-- Keep th:action rather than a literal action attribute: it is what lets Thymeleaf add the hidden CSRF token field, and WebSecurityConfig2 leaves CSRF protection enabled. -->
<form th:action="@{/login}" method="post">
<!-- Field names "username" / "password" match Spring Security's default form-login parameter names. -->
<div><label> User Name : <input type="text" name="username"/> </label></div>
<div><label> Password: <input type="password" name="password"/> </label></div>
<div><input type="submit" value="Sign In"/></div>
</form>
</body>
</html>
3、测试
3.1、未登录访问资源,直接跳到登录页面
localhost:8080/admin/p1