Spring Security is a powerful and highly customizable authentication and access-control framework. This note records Spring Security development notes and a simple Spring Security application.
First, import the required dependencies:
<!-- Spring Security dependency -->
<dependency>
    <groupId>org.springframework.boot</groupId>
    <artifactId>spring-boot-starter-security</artifactId>
</dependency>
<!-- Thymeleaf Spring Security dialect (sec: attributes in templates) -->
<dependency>
    <groupId>org.thymeleaf.extras</groupId>
    <artifactId>thymeleaf-extras-springsecurity5</artifactId>
    <version>3.0.4.RELEASE</version>
</dependency>
Then write a configuration class that extends WebSecurityConfigurerAdapter and override two methods:
protected void configure(HttpSecurity http): authorization (which requests need which roles)
protected void configure(AuthenticationManagerBuilder auth): authentication (who the users are and how passwords are verified)
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
import org.springframework.security.crypto.password.PasswordEncoder;

@EnableWebSecurity
public class SecurityConfig extends WebSecurityConfigurerAdapter {
    @Override
    protected void configure(HttpSecurity http) throws Exception {
        // Authorization rules. Matchers are evaluated in order and the first match wins,
        // so the role-protected prefixes go first: "/page1/**" also matches "/page1" itself,
        // which a preceding "/*" permitAll() would otherwise open to everyone.
        // .antMatchers("/page1/**") selects the requests that need authorization
        // .hasRole("vip1") requires the authority ROLE_vip1 (hasRole adds the ROLE_ prefix)
        http.authorizeRequests()
                .antMatchers("/page1/**").hasRole("vip1")
                .antMatchers("/page2/**").hasRole("vip2")
                .antMatchers("/page3/**").hasRole("vip3")
                .antMatchers("/*").permitAll();
        // Redirect unauthenticated requests to the login form. loginProcessingUrl is the URL
        // the form POSTs credentials to ("/login" is already the default); a custom login
        // page is configured separately with .loginPage("/toLogin").
        http.formLogin().loginProcessingUrl("/login");
        // Enable remember-me: a cookie that re-authenticates the browser later.
        // It does not store the password; it is a signed token tied to the user.
        http.rememberMe();
    }

    @Override
    protected void configure(AuthenticationManagerBuilder auth) throws Exception {
        // Authentication: users are read from memory here (demo only; "123456" is not a real password policy)
        PasswordEncoder encoder = new BCryptPasswordEncoder();
        auth.inMemoryAuthentication()
                // Encoder used to verify submitted passwords against the stored hashes
                .passwordEncoder(encoder)
                // Add a user; store the BCrypt hash, never the plaintext
                .withUser("root")
                .password(encoder.encode("123456"))
                .roles("vip1", "vip2", "vip3")
                // Multiple users are chained with .and()
                .and()
                .withUser("admin")
                .password(encoder.encode("123456"))
                .roles("vip1");
    }
}
Now a brief look at the source of WebSecurityConfigurerAdapter:
/**
* Override this method to configure the {@link HttpSecurity}. Typically subclasses
* should not invoke this method by calling super as it may override their
* configuration. The default configuration is:
*
*
* http.authorizeRequests().anyRequest().authenticated().and().formLogin().and().httpBasic();
*
*
* Any endpoint that requires defense against common vulnerabilities can be specified
* here, including public ones. See {@link HttpSecurity#authorizeRequests} and the
* `permitAll()` authorization rule for more details on public endpoints.
* @param http the {@link HttpSecurity} to modify
* @throws Exception if an error occurs
*/
protected void configure(HttpSecurity http) throws Exception {
this.logger.debug("Using default configure(HttpSecurity). "
+ "If subclassed this will potentially override subclass configure(HttpSecurity).");
http.authorizeRequests((requests) -> requests.anyRequest().authenticated());
http.formLogin();
http.httpBasic();
}
The Javadoc of protected void configure(HttpSecurity http) states the default configuration:
http.authorizeRequests().anyRequest().authenticated().and().formLogin().and().httpBasic();
That default requires authentication for every request and enables both form login and HTTP Basic. As soon as you override the method, all of it is gone, so a fail-closed policy has to be restored explicitly, for example by ending the matcher chain with .anyRequest().authenticated(); requests that match no rule are otherwise let through.
The Javadoc of .authorizeRequests() already contains a template configuration; follow its pattern.
Note that antMatchers rules are order-sensitive: the first pattern that matches a request decides, and later rules are not consulted. Put specific patterns before broad ones.
The Javadoc of antMatchers also describes the pattern syntax: /** or ** is the wildcard that matches any request, and a pattern such as /aaa/** matches /aaa, /aaa/ and every path below it, for example /aaa/bbb/ccc.
http.formLogin() makes Spring redirect a blocked request to the login page. loginProcessingUrl("/login") is not the login page; it is the URL the login form POSTs its credentials to (handled by Spring itself, and "/login" is already the default). A custom login page is set with loginPage("/toLogin"), and on a failed login Spring redirects to that page with ?error appended (by default /login?error), which the page can use to show an error message.
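A fuller configure(HttpSecurity) that applies the points above, written as an added example for this note rather than code from the original post or from the Spring project: the role rules are listed before the catch-all so that /page1 itself is protected, the policy fails closed with anyRequest().authenticated(), the login page (loginPage) and the credential-processing URL (loginProcessingUrl) are configured separately, and remember-me is given a fixed key. The path /toLogin, the view name toLogin, the LoginPageController class and the remember-me key string are assumptions made for this example.

```java
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.stereotype.Controller;
import org.springframework.web.bind.annotation.GetMapping;

@EnableWebSecurity
public class HardenedSecurityConfig extends WebSecurityConfigurerAdapter {

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http.authorizeRequests()
                // Most specific rules first: the first matching antMatcher wins.
                // "/page1/**" also matches "/page1", so it must come before "/*".
                .antMatchers("/page1/**").hasRole("vip1")
                .antMatchers("/page2/**").hasRole("vip2")
                .antMatchers("/page3/**").hasRole("vip3")
                // Public pages: the root and single-segment paths such as /index or /toLogin.
                .antMatchers("/", "/*").permitAll()
                // Fail closed: anything not listed above needs a logged-in user.
                .anyRequest().authenticated();

        http.formLogin()
                // GET page that renders our own login form (served by the controller below).
                // Assumed path for this example.
                .loginPage("/toLogin")
                // POST URL the form submits credentials to; Spring handles it, no controller needed.
                .loginProcessingUrl("/login")
                // Where a wrong username/password sends the user.
                .failureUrl("/toLogin?error")
                // The login page and its failure URL must be reachable anonymously.
                .permitAll();

        // POST /logout invalidates the session and removes the remember-me cookie.
        http.logout().logoutSuccessUrl("/");

        http.rememberMe()
                // Fixed key so remember-me cookies stay valid across restarts (without it a random
                // key is generated at startup). Placeholder value: load it from configuration in practice.
                .key("replace-with-a-long-random-secret")
                // Cookie lifetime: one week.
                .tokenValiditySeconds(7 * 24 * 3600);
    }
}

@Controller
class LoginPageController {
    // Renders templates/toLogin.html; authentication itself is done by Spring on POST /login.
    @GetMapping("/toLogin")
    public String toLogin() {
        return "toLogin";
    }
}
```

With this ordering, GET /page1 without a session is redirected to /toLogin, GET /index is served to anyone, and a path that matches none of the antMatchers (for example /api/x) also requires login instead of falling through.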
If you develop with the Thymeleaf template engine, add the following namespace to the template; it must match the extra imported above (thymeleaf-extras-springsecurity5, so the springsecurity5 namespace, not springsecurity4):
xmlns:sec="http://www.thymeleaf.org/thymeleaf-extras-springsecurity5"
Security expressions can then be evaluated from the template through the sec prefix, for example to render an element only for logged-in users:
sec:authorize="isAuthenticated()"
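A Thymeleaf template that uses the sec dialect, added here as an example and not a template from the original post. It assumes the springsecurity5 extra from the dependency list, Spring Security's default /login and /logout endpoints and default form field names, and the link targets /page1/1, /page2/1 and /page3/1, which are made up for the example.

```html
<!DOCTYPE html>
<html xmlns:th="http://www.thymeleaf.org"
      xmlns:sec="http://www.thymeleaf.org/thymeleaf-extras-springsecurity5">
<head>
    <meta charset="UTF-8">
    <title>Home</title>
</head>
<body>

<!-- Rendered only for anonymous visitors: an inline login form.
     Field names username / password / remember-me are Spring Security's defaults.
     th:action makes Thymeleaf add the hidden _csrf field that the CSRF filter requires. -->
<div sec:authorize="!isAuthenticated()">
    <p th:if="${param.error}" style="color:red">Wrong username or password</p>
    <form th:action="@{/login}" method="post">
        <label>Username <input type="text" name="username"></label>
        <label>Password <input type="password" name="password"></label>
        <label><input type="checkbox" name="remember-me"> Remember me</label>
        <button type="submit">Log in</button>
    </form>
</div>

<!-- Rendered only for logged-in users; sec:authentication="name" prints the principal's username -->
<div sec:authorize="isAuthenticated()">
    Signed in as <span sec:authentication="name"></span>
    <form th:action="@{/logout}" method="post">
        <button type="submit">Log out</button>
    </form>
</div>

<!-- Each link appears only if the user holds the matching role. This is display logic only:
     the antMatchers rules on the server still enforce access if someone types the URL. -->
<ul>
    <li sec:authorize="hasRole('vip1')"><a th:href="@{/page1/1}">page1</a></li>
    <li sec:authorize="hasRole('vip2')"><a th:href="@{/page2/1}">page2</a></li>
    <li sec:authorize="hasRole('vip3')"><a th:href="@{/page3/1}">page3</a></li>
</ul>

</body>
</html>
```

Two things worth checking when a template like this misbehaves: a form written with a plain action="/login" instead of th:action carries no _csrf token and the POST is rejected with 403, and hasRole('vip1') only matches users whose authority is ROLE_vip1, which is what .roles("vip1") in the configuration class produces.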