互联网项目中,安全与权限控制是不可回避的问题,为了解决这一些列问题,许多安全框架应运而生了。这些框架旨在帮我们解决公用的安全问题,让我们的程序更加健壮,从而让程序员全身心投入到业务开发当中。那么SpringSecurity出自于大名鼎鼎的Spring家族,同时能与SpringBoot,SpringCloud无缝集成,它也是业界流行的安全框架之一。
一、SpringSecurity的准备工作
注意:本示例是基于注解的springmvc构建
首先添加SpringSecurity的依赖:
compile('org.springframework.boot:spring-boot-starter-security')
紧接着按照如下目录规范创建
app包下主要为Root WebApplicationContext提供配置,而web包下主要是为servlet WebApplicationContext提供相关配置,这种方式更符合WebApplicationContext的层次化规范,同时也方便管理配置
二、实现app包下的配置
2.1、WebSecurityInitializer
package com.bdqn.lyrk.security.study.app.config; import org.springframework.security.web.context.AbstractSecurityWebApplicationInitializer; /** * 这个类可以在添加springSecurity核心过滤器之前或之后做一些我们需要的操作 * * @author chen.nie * @date 2018/6/8 **/ public class WebSecurityInitializer extends AbstractSecurityWebApplicationInitializer { }
2.2、WebSecurityConfig
package com.bdqn.lyrk.security.study.app.config; import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder; import org.springframework.security.config.annotation.web.builders.HttpSecurity; import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity; import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter; import org.springframework.security.core.userdetails.User; /** * spring-security的相关配置 * * @author chen.nie * @date 2018/6/7 **/ @EnableWebSecurity public class WebSecurityConfig extends WebSecurityConfigurerAdapter { @Override protected void configure(HttpSecurity http) throws Exception { /* 1.配置静态资源不进行授权验证 2.登录地址及跳转过后的成功页不需要验证 3.其余均进行授权验证 */ http. authorizeRequests().antMatchers("/static/**").permitAll(). and().authorizeRequests().anyRequest().authenticated(). and().formLogin().loginPage("/login").successForwardUrl("/toIndex").permitAll(); } @Override protected void configure(AuthenticationManagerBuilder auth) throws Exception { /* 在内存中创建用户 */ User.UserBuilder users = User.withDefaultPasswordEncoder(); auth.inMemoryAuthentication().withUser(users.username("admin").password("123").roles("ADMIN")); } }
该类主要是设置安全配置注意使用@EnableWebSecruity注解,我们可以在这里设置Http的安全配置和最基本的认证配置等,其中在该代码里设置静态资源 登录页 和登录成功需要跳转的页面不用认证,另外基于内存设置了用户admin
另外:loginPage()里的值即为跳转页面的路径又为处理登录验证的路径。当get请求时为前者而post请求时为后者
2.3、WebAppConfig
package com.bdqn.lyrk.security.study.app; import org.springframework.context.annotation.Bean; import org.springframework.context.annotation.ComponentScan; import org.springframework.context.annotation.Configuration; import org.springframework.context.annotation.PropertySource; import org.springframework.context.support.PropertySourcesPlaceholderConfigurer; /** * 主配置类 * * @author chen.nie * @date 2018/6/8 **/ @Configuration @ComponentScan @PropertySource("classpath:application.properties") public class WebAppConfig { @Bean public static PropertySourcesPlaceholderConfigurer propertySourcesPlaceholderConfigurer() { return new PropertySourcesPlaceholderConfigurer(); } }
三、实现WebMvc的配置
3.1、初始化DispatcherServlet配置
WebStartupInitializer:
package com.bdqn.lyrk.security.study.web; import com.bdqn.lyrk.security.study.app.WebAppConfig; import org.springframework.web.servlet.support.AbstractAnnotationConfigDispatcherServletInitializer; public class WebStartupInitializer extends AbstractAnnotationConfigDispatcherServletInitializer { @Override protected Class<?>[] getRootConfigClasses() { return new Class[]{WebAppConfig.class}; } @Override protected Class<?>[] getServletConfigClasses() { return new Class[]{WebMvcConfig.class}; } @Override protected String[] getServletMappings() { return new String[]{"/"}; } }
在这里注意配置RootConfigClass为WebAppConfig,ServletConfigClass为WebMvcConfig
3.2、创建WebMvcConfig
package com.bdqn.lyrk.security.study.web; import org.springframework.context.annotation.Bean; import org.springframework.context.annotation.ComponentScan; import org.springframework.context.annotation.Configuration; import org.springframework.web.servlet.ViewResolver; import org.springframework.web.servlet.config.annotation.EnableWebMvc; import org.springframework.web.servlet.config.annotation.ResourceHandlerRegistry; import org.springframework.web.servlet.config.annotation.WebMvcConfigurer; import org.springframework.web.servlet.view.InternalResourceViewResolver; import org.springframework.web.servlet.view.JstlView; @Configuration @ComponentScan @EnableWebMvc public class WebMvcConfig implements WebMvcConfigurer { /** * 创建视图解析器 * @return */ @Bean public ViewResolver viewResolver() { InternalResourceViewResolver viewResolver = new InternalResourceViewResolver(); viewResolver.setViewClass(JstlView.class); viewResolver.setPrefix("/WEB-INF/jsp/"); viewResolver.setSuffix(".jsp"); return viewResolver; } /** * 处理静态资源 * @param registry */ @Override public void addResourceHandlers(ResourceHandlerRegistry registry) { registry.addResourceHandler("/static/**").addResourceLocations("classpath:/static/").setCachePeriod(60 * 2); } }
3.3、创建Controller
package com.bdqn.lyrk.security.study.web.controller; import org.springframework.security.core.context.SecurityContextHolder; import org.springframework.security.core.userdetails.User; import org.springframework.stereotype.Controller; import org.springframework.ui.ModelMap; import org.springframework.web.bind.annotation.GetMapping; import org.springframework.web.bind.annotation.PostMapping; @Controller public class LoginController { @PostMapping("/toIndex") public String index(ModelMap modelMap) { User user = (User) SecurityContextHolder.getContext().getAuthentication().getPrincipal(); modelMap.put("user", user); return "main/index"; } @GetMapping("/login") public String login() { return "login"; } }
四、页面设置
4.1、登录页
login.jsp:
<%-- Created by IntelliJ IDEA. User: chen.nie Date: 2018/6/8 Time: 上午9:49 To change this template use File | Settings | File Templates. --%> <%@ page contentType="text/html;charset=UTF-8" language="java" %> <!doctype html> <html> <head> <meta charset="utf-8"> <meta http-equiv="X-UA-Compatible" content="IE=edge"> <title>Amaze UI Admin index Examples</title> <meta name="description" content="这是一个 index 页面"> <meta name="keywords" content="index"> <meta name="viewport" content="width=device-width, initial-scale=1"> <meta name="renderer" content="webkit"> <meta http-equiv="Cache-Control" content="no-siteapp" /> <link rel="icon" type="image/png" href="assets/i/favicon.png"> <link rel="apple-touch-icon-precomposed" href="assets/i/[email protected]"> <meta name="apple-mobile-web-app-title" content="Amaze UI" /> <link rel="stylesheet" href="${request.contextPath}/static/assets/css/amazeui.min.css" /> <link rel="stylesheet" href="${request.contextPath}/static/assets/css/admin.css"> <link rel="stylesheet" href="${request.contextPath}/static/assets/css/app.css"> </head> <body data-type="login"> <div class="am-g myapp-login"> <div class="myapp-login-logo-block tpl-login-max"> <div class="myapp-login-logo-text"> <div class="myapp-login-logo-text"> Amaze UI<span> Login</span> <i class="am-icon-skyatlas"></i> </div> </div> <div class="login-font"> <i>Log In </i> or <span> Sign Up</span> </div> <div class="am-u-sm-10 login-am-center"> <form class="am-form" action="/login" method="post"> <fieldset> <div class="am-form-group"> <input name="username" type="text" class="" id="doc-ipt-email-1" placeholder="输入登录名"> </div> <div class="am-form-group"> <input name="password" type="password" class="" id="doc-ipt-pwd-1" placeholder="设置个密码吧"> </div> <p><button type="submit" class="am-btn am-btn-default">登录</button></p> </fieldset> <input type="hidden" name="_csrf" value="${_csrf.token}" /> </form> </div> </div> </div> <script src="${request.contextPath}/static/assets/js/jquery.min.js"></script> <script src="${request.contextPath}/static/assets/js/amazeui.min.js"></script> <script src="${request.contextPath}/static/assets/js/app.js"></script> </body>
注意:1)表单属性action为httpSecurity的loginPage()配置地址
2)表单为post方式提交
3)input的name属性分别为username,password代表用户名,密码
4)必须设置隐藏表单_csrf 如果不设置请http.csrf().ignoringAntMatchers()方法进行排除
4.2、 登录成功页
<%-- Created by IntelliJ IDEA. User: chen.nie Date: 2018/6/8 Time: 上午9:56 To change this template use File | Settings | File Templates. --%> <%@ page contentType="text/html;charset=UTF-8" language="java" %> <html> <head> <title>Title</title> </head> <body> 欢迎:${user.username} </body> </html>
在成功页时打印出认证成功的用户.
随即当我们访问http://localhost:8080/toIndex时跳转至登录页:
登录成功时:
在实际应用中登录页可能要复杂的多,可能包括验证码或者其他业务。另外用户不可能都存在内存当中,关于更详细的验证问题,我们会在下篇讨论。