3.3.1 认证页面
SpringSecurity默认提供认证页面。
3.3.2 安全配置
spring security提供了用户名密码登录、退出、会话管理等认证功能,只需要配置即可使用。
在config包下定义WebSecurityConfig ,安全配置的内容包括:用户信息、密码编码器、安全拦截机制。
package com.uncle.security.springmvc.config;
import org.springframework.context.annotation.Bean;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.core.userdetails.User;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.crypto.password.NoOpPasswordEncoder;
import org.springframework.security.crypto.password.PasswordEncoder;
import org.springframework.security.provisioning.InMemoryUserDetailsManager;
/**
* @program: spring-security-springmvc
* @description:
* @author: 步尔斯特
* @create: 2021-07-23 00:41
*/
@EnableWebSecurity
public class WebSecurityConfig extends WebSecurityConfigurerAdapter {
//定义用户信息服务(查询用户信息)
@Bean
public UserDetailsService userDetailsService(){
InMemoryUserDetailsManager manager = new InMemoryUserDetailsManager();
manager.createUser(User.withUsername("zhangsan").password("123").authorities("p1").build());
manager.createUser(User.withUsername("lisi").password("456").authorities("p2").build());
return manager;
}
//密码编码器
@Bean
public PasswordEncoder passwordEncoder(){
return NoOpPasswordEncoder.getInstance();
}
//安全拦截机制(最重要)
@Override
protected void configure(HttpSecurity http) throws Exception {
http.authorizeRequests()
.antMatchers("/r/**").authenticated()//所有/r/**的请求必须认证通过
.anyRequest().permitAll()//除了/r/**,其它的请求可以访问
.and()
.formLogin()//允许表单登录
.successForwardUrl("/login-success");//自定义登录成功的页面地址
}
}
在userDetailsService()方法中,我们返回了一个UserDetailsService给spring容器,Spring
Security会使用它来获取用户信息。我们暂时使用InMemoryUserDetailsManager实现类,并在其中分别创建了zhangsan、lisi两个用户,并设置密码和权限。
而在configure()中,我们通过HttpSecurity设置了安全拦截规则,其中包含了以下内容:
- url匹配"/**的资源,经过认证后才能访问。
- 其他url完全开放。
- 支持form表单认证,认证成功后转向/login-success。
加载 WebSecurityConfig
修改SpringApplicationlinitializer的getRootConfigClasses()方法,添加WebSecurityConfig.class:
package com.uncle.security.springmvc.init;
import com.uncle.security.springmvc.config.ApplicationConfig;
import com.uncle.security.springmvc.config.WebConfig;
import com.uncle.security.springmvc.config.WebSecurityConfig;
import org.springframework.web.servlet.support.AbstractAnnotationConfigDispatcherServletInitializer;
/**
* @program: security-springmvc
* @description:
* @author: 步尔斯特
* @create: 2021-07-22 21:47
*/
public class SpringApplicationInitializer extends AbstractAnnotationConfigDispatcherServletInitializer {
//spring容器,相当于加载 applicationContext.xml
@Override
protected Class<?>[] getRootConfigClasses() {
return new Class[]{
ApplicationConfig.class, WebSecurityConfig.class};
}
//servletContext,相当于加载springmvc.xml
@Override
protected Class<?>[] getServletConfigClasses() {
return new Class[]{
WebConfig.class};
}
//url-mapping
@Override
protected String[] getServletMappings() {
return new String[]{
"/"};
}
}
3.3.3 初始化
Spring Security初始化,这里有两种情况
- 若当前环境没有使用Spring或Spring MVC ,则需要将WebSecurityConfig(Spring Security配置类)传入超类,以确保获取配置,并创建spring context。
- 相反,若当前环境已经使用spring ,我们应该在现有的springContext中注册Spring Security(上一步已经将 WebSecurityConfig加载至rootcontext),此方法可以什么都不做。
package com.uncle.security.springmvc.init;
import org.springframework.security.web.context.AbstractSecurityWebApplicationInitializer;
/**
* @program: spring-security-springmvc
* @description:
* @author: 步尔斯特
* @create: 2021-07-23 00:46
*/
@EnableWebSecurity
public class SpringSecurityApplicationInitializer extends AbstractSecurityWebApplicationInitializer {
public SpringSecurityApplicationInitializer() {
//super(WebSecurityConfig.class);
}
}
3.3.4 默认根路径请求
在WebConfig.java中添加默认请求根路径跳转到/login ,此url为spring security提供:
package com.uncle.security.springmvc.config;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.ComponentScan;
import org.springframework.context.annotation.Configuration;
import org.springframework.context.annotation.FilterType;
import org.springframework.stereotype.Controller;
import org.springframework.web.servlet.config.annotation.EnableWebMvc;
import org.springframework.web.servlet.config.annotation.ViewControllerRegistry;
import org.springframework.web.servlet.config.annotation.WebMvcConfigurer;
import org.springframework.web.servlet.view.InternalResourceViewResolver;
/**
* @program: security-springmvc
* @description:
* @author: 步尔斯特
* @create: 2021-07-22 21:34
*/
@Configuration//就相当于springmvc.xml文件
@EnableWebMvc
@ComponentScan(basePackages = "com.uncle.security.springmvc"
,includeFilters = {
@ComponentScan.Filter(type = FilterType.ANNOTATION,value = Controller.class)})
public class WebConfig implements WebMvcConfigurer {
//视频解析器
@Bean
public InternalResourceViewResolver viewResolver(){
InternalResourceViewResolver viewResolver = new InternalResourceViewResolver();
viewResolver.setPrefix("/WEB-INF/view/");
viewResolver.setSuffix(".jsp");
return viewResolver;
}
@Override
public void addViewControllers(ViewControllerRegistry registry) {
registry.addViewController("/").setViewName("redirect:/login");
}
}
spring security默认提供的登录页面。
3.3.5 认证成功页面
在安全配置中,认证成功将跳转到/login-success ,代码如下:
package com.uncle.security.springmvc.config;
import org.springframework.context.annotation.Bean;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.core.userdetails.User;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.crypto.password.NoOpPasswordEncoder;
import org.springframework.security.crypto.password.PasswordEncoder;
import org.springframework.security.provisioning.InMemoryUserDetailsManager;
/**
* @program: spring-security-springmvc
* @description:
* @author: 步尔斯特
* @create: 2021-07-23 00:41
*/
@EnableWebSecurity
public class WebSecurityConfig extends WebSecurityConfigurerAdapter {
//定义用户信息服务(查询用户信息)
@Bean
public UserDetailsService userDetailsService(){
InMemoryUserDetailsManager manager = new InMemoryUserDetailsManager();
manager.createUser(User.withUsername("zhangsan").password("123").authorities("p1").build());
manager.createUser(User.withUsername("lisi").password("456").authorities("p2").build());
return manager;
}
//密码编码器
@Bean
public PasswordEncoder passwordEncoder(){
return NoOpPasswordEncoder.getInstance();
}
//安全拦截机制(最重要)
@Override
protected void configure(HttpSecurity http) throws Exception {
http.authorizeRequests()
.antMatchers("/r/**").authenticated()//所有/r/**的请求必须认证通过
.anyRequest().permitAll()//除了/r/**,其它的请求可以访问
.and()
.formLogin()//允许表单登录
.successForwardUrl("/login-success");//自定义登录成功的页面地址
}
}
spring security支持form表单认证,认证成功后转向/login-success。
在 Logincontroller 中定义/login-success:
package com.uncle.security.springmvc.controller;
import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.ResponseBody;
import org.springframework.web.bind.annotation.RestController;
import javax.servlet.http.HttpSession;
/**
* @program: security-springmvc
* @description:
* @author: 步尔斯特
* @create: 2021-07-22 23:33
*/
@RestController
public class LoginController {
@RequestMapping(value = "/login-success",produces = {
"text/plain;charset=UTF-8"})
public String loginSuccess(){
return " 登录成功";
}
}
3.3.6 测试
启动项目,访问http://localhost:8080/spring-security-springmvc路径地址
页面会根据WebConfig中addViewControllers配置规则,跳转至/login , /login是Spring
Security提供的登录页面。
登录
输入错误的用户名、密码
输入正确的用户名、密码,登录成功
退出
请求/logout退出
退出后再访问资源自动跳转到登录页面
