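Spring Security Basics: Session Authentication Based on Spring MVC
This builds on the earlier Spring MVC-based authentication project and modifies it.
Introduction
Spring Security is a security framework that provides a declarative access-control solution for Spring-based enterprise applications. Because it is part of the Spring ecosystem, it is corrected and upgraded along with the rest of that ecosystem. Adding Spring Security to a Spring Boot project is especially simple, and using it spares you from writing large amounts of repetitive security-control code for enterprise systems.
Creating the project
Start from an empty Maven project; the finished project structure is shown below.
First, configure Spring and Spring MVC.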
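// ApplicationConfig.java
import org.springframework.context.annotation.ComponentScan;
import org.springframework.context.annotation.Configuration;
import org.springframework.context.annotation.FilterType;
import org.springframework.stereotype.Controller;

@Configuration
@ComponentScan(basePackages = "com.mcs.security",
        excludeFilters = {
                @ComponentScan.Filter(type = FilterType.ANNOTATION, value = Controller.class)})
public class ApplicationConfig {
}

// WebConfig.java
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.ComponentScan;
import org.springframework.context.annotation.Configuration;
import org.springframework.context.annotation.FilterType;
import org.springframework.stereotype.Controller;
import org.springframework.web.servlet.config.annotation.EnableWebMvc;
import org.springframework.web.servlet.config.annotation.ViewControllerRegistry;
import org.springframework.web.servlet.config.annotation.WebMvcConfigurer;
import org.springframework.web.servlet.view.InternalResourceViewResolver;

@Configuration
@EnableWebMvc
@ComponentScan(basePackages = "com.mcs.security",
        includeFilters = {
                @ComponentScan.Filter(type = FilterType.ANNOTATION, value = Controller.class)})
public class WebConfig implements WebMvcConfigurer {

    // Configure the view resolver (must be a @Bean to be registered)
    @Bean
    public InternalResourceViewResolver viewResolver() {
        InternalResourceViewResolver internalResourceViewResolver = new InternalResourceViewResolver();
        internalResourceViewResolver.setPrefix("/WEB-INF/views/");
        internalResourceViewResolver.setSuffix(".jsp");
        return internalResourceViewResolver;
    }

    // Redirect the root URL to /login; that URL is provided by Spring Security
    @Override
    public void addViewControllers(ViewControllerRegistry registry) {
        registry.addViewController("/").setViewName("redirect:/login");
    }
}

// SpringApplicationInitializer.java
import org.springframework.web.servlet.support.AbstractAnnotationConfigDispatcherServletInitializer;

public class SpringApplicationInitializer extends AbstractAnnotationConfigDispatcherServletInitializer {

    // Root context: application beans plus the security configuration
    @Override
    protected Class<?>[] getRootConfigClasses() {
        return new Class[] {ApplicationConfig.class, WebSecurityConfig.class};
    }

    // Servlet context: Spring MVC configuration
    @Override
    protected Class<?>[] getServletConfigClasses() {
        return new Class[] {WebConfig.class};
    }

    @Override
    protected String[] getServletMappings() {
        return new String[] {"/"};
    }
}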
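On top of the Spring MVC configuration set up last time, add the following dependencies.
The version must be 5.1.4; otherwise an error occurs on the page you are forwarded to after a successful login.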
<dependency>
    <groupId>org.springframework.security</groupId>
    <artifactId>spring-security-config</artifactId>
    <version>5.1.4.RELEASE</version>
</dependency>
<dependency>
    <groupId>org.springframework.security</groupId>
    <artifactId>spring-security-web</artifactId>
    <version>5.1.4.RELEASE</version>
</dependency>
Initializing Spring Security
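import org.springframework.security.web.context.AbstractSecurityWebApplicationInitializer;

// Registers the springSecurityFilterChain filter with the servlet container
public class SpringSecurityApplicationInitializer extends AbstractSecurityWebApplicationInitializer {

    public SpringSecurityApplicationInitializer() {
        // Add this only if Spring is not otherwise being used
        //super(WebSecurityConfig.class);
    }
}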
Configuring Spring Security
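import org.springframework.context.annotation.Bean;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.core.userdetails.User;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.crypto.password.NoOpPasswordEncoder;
import org.springframework.security.crypto.password.PasswordEncoder;
import org.springframework.security.provisioning.InMemoryUserDetailsManager;

@EnableWebSecurity
public class WebSecurityConfig extends WebSecurityConfigurerAdapter {

    // Configure the user details service (two in-memory users)
    @Bean
    public UserDetailsService userDetailsService() {
        InMemoryUserDetailsManager manager = new InMemoryUserDetailsManager();
        manager.createUser(User.withUsername("zhangsan").password("123").authorities("p1").build());
        manager.createUser(User.withUsername("lisi").password("123").authorities("p2").build());
        return manager;
    }

    // Password encoder: NoOpPasswordEncoder stores and compares passwords as plaintext
    @Bean
    public PasswordEncoder passwordEncoder() {
        return NoOpPasswordEncoder.getInstance();
    }

    // Configure the security interception rules
    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http.authorizeRequests()
                .antMatchers("/r/r1").hasAuthority("p1")
                .antMatchers("/r/r2").hasAuthority("p2")
                .antMatchers("/r/**").authenticated() // intercept /r/** requests
                .anyRequest().permitAll() // let all other requests through
                .and()
                .formLogin().successForwardUrl("/login-success");
    }
}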
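The configuration above with the plaintext NoOpPasswordEncoder replaced by BCrypt, as an added example that is not part of the original post. It assumes the same Spring Security 5.1.4 dependencies; the class name HardenedWebSecurityConfig is hypothetical, while the users, authorities and URL rules are the post's own.

```java
import org.springframework.context.annotation.Bean;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.core.userdetails.User;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
import org.springframework.security.crypto.password.PasswordEncoder;
import org.springframework.security.provisioning.InMemoryUserDetailsManager;

// Hypothetical class name; an alternative to WebSecurityConfig above.
@EnableWebSecurity
public class HardenedWebSecurityConfig extends WebSecurityConfigurerAdapter {

    // BCrypt salts and hashes each password, so the stored value is never
    // the plaintext that NoOpPasswordEncoder keeps and compares.
    @Bean
    public PasswordEncoder passwordEncoder() {
        return new BCryptPasswordEncoder();
    }

    // Same two demo users; what is stored is now the BCrypt hash.
    // The literal "123" is the post's sample value, kept only for the demo.
    @Bean
    public UserDetailsService userDetailsService() {
        PasswordEncoder encoder = passwordEncoder();
        InMemoryUserDetailsManager manager = new InMemoryUserDetailsManager();
        manager.createUser(User.withUsername("zhangsan")
                .password(encoder.encode("123")).authorities("p1").build());
        manager.createUser(User.withUsername("lisi")
                .password(encoder.encode("123")).authorities("p2").build());
        return manager;
    }

    // Rules are matched top-down and the first match wins, so the specific
    // /r/r1 and /r/r2 rules must stay above the broader /r/** rule.
    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http.authorizeRequests()
                .antMatchers("/r/r1").hasAuthority("p1")
                .antMatchers("/r/r2").hasAuthority("p2")
                .antMatchers("/r/**").authenticated()
                .anyRequest().permitAll()
                .and()
                .formLogin().successForwardUrl("/login-success");
    }
}
```

To try it, use this class in place of WebSecurityConfig, including in getRootConfigClasses() of SpringApplicationInitializer.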
Controller configuration
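import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.RestController;

@RestController
public class loginController {

    // Target of the forward after a successful form login
    @RequestMapping(value = "/login-success", produces = {"text/plain;charset=utf-8"})
    public String loginSuccess() {
        return "登录成功";
    }

    // Resource r1: requires authority p1
    @RequestMapping(value = "/r/r1", produces = {"text/plain;charset=utf-8"})
    public String r1() {
        return "访问资源r1";
    }

    // Resource r2: requires authority p2
    @RequestMapping(value = "/r/r2", produces = {"text/plain;charset=utf-8"})
    public String r2() {
        return "访问资源r2";
    }
}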
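Summary
Compared with the earlier Spring MVC version, we removed our custom login page and use the login and success pages that Spring Security provides, and we replaced the Spring MVC interceptor with Spring Security for handling authorization and the session, which simplifies the code quite a bit.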