（转载）SpringBoot + Spring Security + Thymeleaf 实现权限管理登录

原文地址：https://liuyanzhao.com/7431.html

---

本文通过一个登录的例子介绍 SpringBoot + Spring Security + Thymeleaf 权限管理。

一、数据库

用户登录账号是 admin，saysky，lockeduser

密码都是 123456

1、表结构

user 表

authority 表

user_authority 表

2、数据

user 表

authority 表

user_authority 表

3、SQL 代码

SET NAMES utf8;
SET FOREIGN_KEY_CHECKS = 0;
-- ----------------------------
--  Table structure for `authority`
-- ----------------------------
DROP TABLE IF EXISTS `authority`;
CREATE TABLE `authority` (
  `id` bigint(20) NOT NULL AUTO_INCREMENT,
  `name` varchar(255) NOT NULL,
  PRIMARY KEY (`id`)
) ENGINE=InnoDB AUTO_INCREMENT=3 DEFAULT CHARSET=utf8;
-- ----------------------------
--  Records of `authority`
-- ----------------------------
BEGIN;
INSERT INTO `authority` VALUES ('1', 'ROLE_ADMIN'), ('2', 'ROLE_USER');
COMMIT;
-- ----------------------------
--  Table structure for `user`
-- ----------------------------
DROP TABLE IF EXISTS `user`;
CREATE TABLE `user` (
  `id` bigint(20) NOT NULL AUTO_INCREMENT,
  `username` varchar(20) NOT NULL,
  `password` varchar(100) NOT NULL,
  `name` varchar(20) NOT NULL,
  `email` varchar(50) NOT NULL,
  `avatar` varchar(200) DEFAULT NULL,
  `create_time` datetime DEFAULT NULL,
  `last_login_time` datetime DEFAULT NULL,
  `status` varchar(10) DEFAULT NULL,
  PRIMARY KEY (`id`),
  UNIQUE KEY `UK_ob8kqyqqgmefl0aco34akdtpe` (`email`),
  UNIQUE KEY `UK_sb8bbouer5wak8vyiiy4pf2bx` (`username`)
) ENGINE=InnoDB AUTO_INCREMENT=4 DEFAULT CHARSET=utf8;
-- ----------------------------
--  Records of `user`
-- ----------------------------
BEGIN;
INSERT INTO `user` VALUES ('1', 'admin', '$2a$10$N.zmdr9k7uOCQb376NoUnuTJ8iAt6Z5EHsM8lE9lBOsl7iKTVKIUi', '管理员', '[email protected]', null, null, null, 'normal'), ('2', 'saysky', '$2a$10$N.zmdr9k7uOCQb376NoUnuTJ8iAt6Z5EHsM8lE9lBOsl7iKTVKIUi', '言曌', '[email protected]', null, null, null, 'normal'), ('3', 'lockuser', '$2a$10$N.zmdr9k7uOCQb376NoUnuTJ8iAt6Z5EHsM8lE9lBOsl7iKTVKIUi', '锁定账号', '[email protected]', null, null, null, 'locked');
COMMIT;
-- ----------------------------
--  Table structure for `user_authority`
-- ----------------------------
DROP TABLE IF EXISTS `user_authority`;
CREATE TABLE `user_authority` (
  `user_id` bigint(20) NOT NULL,
  `authority_id` bigint(20) NOT NULL,
  KEY `FKgvxjs381k6f48d5d2yi11uh89` (`authority_id`),
  KEY `FKpqlsjpkybgos9w2svcri7j8xy` (`user_id`),
  CONSTRAINT `FKgvxjs381k6f48d5d2yi11uh89` FOREIGN KEY (`authority_id`) REFERENCES `authority` (`id`),
  CONSTRAINT `FKpqlsjpkybgos9w2svcri7j8xy` FOREIGN KEY (`user_id`) REFERENCES `user` (`id`)
) ENGINE=InnoDB DEFAULT CHARSET=utf8;
-- ----------------------------
--  Records of `user_authority`
-- ----------------------------
BEGIN;
INSERT INTO `user_authority` VALUES ('1', '1'), ('2', '2'), ('1', '2');
COMMIT;
SET FOREIGN_KEY_CHECKS = 1;

二、Maven 依赖

pom.xml

1. <?xml version=“1.0” encoding=“UTF-8”?>
2. <project xmlns=”http://maven.apache.org/POM/4.0.0” xmlns:xsi=”http://www.w3.org/2001/XMLSchema-instance”
3.          xsi:schemaLocation=”http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd”>
4.     <modelVersion>4.0.0</modelVersion>
6.     <groupId>com.liuyanzhao</groupId>
7.     <artifactId>chuyun</artifactId>
8.     <version>0.0.1-SNAPSHOT</version>
9.     <packaging>war</packaging>
11.     <name>chuyun</name>
12.     <description>Chuyun Blog for Spring Boot</description>
15.     <parent>
16.         <groupId>org.springframework.boot</groupId>
17.         <artifactId>spring-boot-starter-parent</artifactId>
18.         <version>1.5.9.RELEASE</version>
19.         <relativePath/> <!– lookup parent from repository –>
20.     </parent>
22.     <properties>
23.         <project.build.sourceEncoding>UTF-8</project.build.sourceEncoding>
24.         <project.reporting.outputEncoding>UTF-8</project.reporting.outputEncoding>
25.         <java.version>1.8</java.version>
26.         <thymeleaf.version>3.0.3.RELEASE</thymeleaf.version>
27.         <thymeleaf-layout-dialect.version>2.0.0</thymeleaf-layout-dialect.version>
28.         <elasticsearch.version>2.4.4</elasticsearch.version>
29.     </properties>
32.     <dependencies>
34.         <dependency>
35.             <groupId>org.springframework.boot</groupId>
36.             <artifactId>spring-boot-starter-web</artifactId>
37.         </dependency>
39.         <!–lombok–>
40.         <dependency>
41.             <groupId>org.projectlombok</groupId>
42.             <artifactId>lombok</artifactId>
43.             <optional>true</optional>
44.         </dependency>
46.         <dependency>
47.             <groupId>org.springframework.boot</groupId>
48.             <artifactId>spring-boot-starter-test</artifactId>
49.             <scope>test</scope>
50.         </dependency>
52.         <!– Thymeleaf –>
53.         <dependency>
54.             <groupId>org.springframework.boot</groupId>
55.             <artifactId>spring-boot-starter-thymeleaf</artifactId>
56.         </dependency>
58.         <!– Spring Data JPA–>
59.         <dependency>
60.             <groupId>org.springframework.boot</groupId>
61.             <artifactId>spring-boot-starter-data-jpa</artifactId>
62.         </dependency>
64.         <!– mysql–>
65.         <dependency>
66.             <groupId>mysql</groupId>
67.             <artifactId>mysql-connector-java</artifactId>
68.         </dependency>
70.         <!– 热部署 –>
71.         <dependency>
72.             <groupId>org.springframework.boot</groupId>
73.             <artifactId>spring-boot-devtools</artifactId>
74.             <optional>true</optional>
75.         </dependency>
77.         <!– Spring Boot Elasticsearch 依赖 –>
78.         <dependency>
79.             <groupId>org.springframework.boot</groupId>
80.             <artifactId>spring-boot-starter-data-elasticsearch</artifactId>
81.         </dependency>
82.         <dependency>
83.             <groupId>net.java.dev.jna</groupId>
84.             <artifactId>jna</artifactId>
85.             <version>4.3.0</version>
86.         </dependency>
88.         <!– Spring Security 依赖 –>
89.         <dependency>
90.             <groupId>org.springframework.boot</groupId>
91.             <artifactId>spring-boot-starter-security</artifactId>
92.         </dependency>
93.         <dependency>
94.             <groupId>org.thymeleaf.extras</groupId>
95.             <artifactId>thymeleaf-extras-springsecurity4</artifactId>
96.             <version>3.0.2.RELEASE</version>
97.         </dependency>
100.         <!–fasthson–>
101.         <dependency>
102.             <groupId>com.alibaba</groupId>
103.             <artifactId>fastjson</artifactId>
104.             <version>1.2.7</version>
105.         </dependency>
107.         <!–验证码kaptcha–>
108.         <dependency>
109.             <groupId>com.github.penggle</groupId>
110.             <artifactId>kaptcha</artifactId>
111.             <version>2.3.2</version>
112.         </dependency>
114.     </dependencies>
116.     <build>
117.         <plugins>
118.             <plugin>
119.                 <groupId>org.springframework.boot</groupId>
120.                 <artifactId>spring-boot-maven-plugin</artifactId>
121.                 <configuration>
122.                     <fork>true</fork>
123.                 </configuration>
124.             </plugin>
125.         </plugins>
127.     </build>
130. </project>

主要需要 SpringBoot、Thymeleaf、Spring Security 的依赖

三、实体类

User.java

1. package com.liuyanzhao.chuyun.entity;
4. import lombok.Data;
5. import org.hibernate.validator.constraints.Email;
6. import org.hibernate.validator.constraints.NotEmpty;
7. import org.springframework.security.core.GrantedAuthority;
8. import org.springframework.security.core.authority.SimpleGrantedAuthority;
9. import org.springframework.security.core.userdetails.UserDetails;
10. import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
11. import org.springframework.security.crypto.password.PasswordEncoder;
13. import javax.persistence.;
14. import javax.validation.constraints.Size;
15. import java.io.Serializable;
16. import java.util.ArrayList;
17. import java.util.Collection;
18. import java.util.Date;
19. import java.util.List;
21. /
22.   @author 言曌
23.   @date 2017/12/28 上午9:06
24.  /
26. @Entity // 实体
27. @Data
28. public class User implements UserDetails, Serializable {
30.     private static final long serialVersionUID = 1L;
32.     @Id // 主键
33.     @GeneratedValue(strategy = GenerationType.IDENTITY) // 自增长策略
34.     private Long id; // 用户的唯一标识
36.     @NotEmpty(message = “昵称不能为空”)
37.     @Size(min=2, max=20)
38.     @Column(nullable = false, length = 20) // 映射为字段，值不能为空
39.     private String name;
41.     @NotEmpty(message = “邮箱不能为空”)
42.     @Size(max=50)
43.     @Email(message= “邮箱格式不对” )
44.     @Column(nullable = false, length = 50, unique = true)
45.     private String email;
47.     @NotEmpty(message = “账号不能为空”)
48.     @Size(min=3, max=20)
49.     @Column(nullable = false, length = 20, unique = true)
50.     private String username; // 用户账号，用户登录时的唯一标识
52.     @NotEmpty(message = “密码不能为空”)
53.     @Size(max=100)
54.     @Column(length = 100)
55.     private String password; // 登录时密码
57.     @Column(length = 200)
58.     private String avatar; // 头像图片地址
60.     private Date createTime;
62.     private Date lastLoginTime;
64.     @Column(length = 10)
65.     private String status;
67.     @ManyToMany(cascade = CascadeType.DETACH, fetch = FetchType.EAGER)
68.     @JoinTable(name = “user_authority”, joinColumns = @JoinColumn(name = “user_id”, referencedColumnName = “id”),
69.             inverseJoinColumns = @JoinColumn(name = “authority_id”, referencedColumnName = “id”))
70.     private List<Authority> authorities;
72.     protected User() { // JPA 的规范要求无参构造函数；设为 protected 防止直接使用
73.     }
75.     public User(String name, String email,String username,String password) {
76.         this.name = name;
77.         this.email = email;
78.         this.username = username;
79.         this.password = password;
80.     }
84.     public Collection<? extends GrantedAuthority> getAuthorities() {
85.         //  需将 List<Authority> 转成 List<SimpleGrantedAuthority>，否则前端拿不到角色列表名称
86.         List<SimpleGrantedAuthority> simpleAuthorities = new ArrayList<>();
87.         for(GrantedAuthority authority : this.authorities){
88.             simpleAuthorities.add(new SimpleGrantedAuthority(authority.getAuthority()));
89.         }
90.         return simpleAuthorities;
91.     }
93.     public void setAuthorities(List<Authority> authorities) {
94.         this.authorities = authorities;
95.     }
98.     public void setEncodePassword(String password) {
99.         PasswordEncoder  encoder = new BCryptPasswordEncoder();
100.         String encodePasswd = encoder.encode(password);
101.         this.password = encodePasswd;
102.     }
104.     @Override
105.     public boolean isAccountNonExpired() {
106.         return true;
107.     }
109.     @Override
110.     public boolean isAccountNonLocked() {
111.         return true;
112.     }
114.     @Override
115.     public boolean isCredentialsNonExpired() {
116.         return true;
117.     }
119.     @Override
120.     public boolean isEnabled() {
121.         return true;
122.     }
125. }

Authority.java

1. package com.liuyanzhao.chuyun.entity;
3. import org.springframework.security.core.GrantedAuthority;
5. import javax.persistence.;
7. /
8.   权限
9.   @author 言曌
10.   @date 2018/1/26 下午2:05
11.  /
12. @Entity
13. public class Authority implements GrantedAuthority {
15.     private static final long serialVersionUID = 1L;
17.     @Id // 主键
18.     @GeneratedValue(strategy = GenerationType.IDENTITY) // 自增长策略
19.     private Long id; // 用户的唯一标识
21.     @Column(nullable = false) // 映射为字段，值不能为空
22.     private String name;
24.     public Long getId() {
25.         return id;
26.     }
28.     public void setId(Long id) {
29.         this.id = id;
30.     }
33.     @Override
34.     public String getAuthority() {
35.         return name;
36.     }
38.     public void setName(String name) {
39.         this.name = name;
40.     }
42. }

四、Dao 层

UserRepository.java

1. package com.liuyanzhao.chuyun.repository;
3. import com.liuyanzhao.chuyun.entity.User;
4. import org.springframework.data.jpa.repository.JpaRepository;
7. /
8.   用户repository
9.   @author 言曌
10.   @date 2017/12/27 0027 20:50
11.  /
13. public interface UserRepository extends JpaRepository<User, Long> {
15.     /
16.       根据用户名查找用户
17.       @param username
18.       @return
19.      /
20.     User findByUsername(String username);
22. }

五、Service 层

CustomUserService.java

1. package com.liuyanzhao.chuyun.service;
3. import com.liuyanzhao.chuyun.entity.User;
4. import com.liuyanzhao.chuyun.repository.UserRepository;
5. import org.springframework.beans.factory.annotation.Autowired;
6. import org.springframework.security.authentication.LockedException;
7. import org.springframework.security.core.userdetails.UserDetailsService;
8. import org.springframework.security.core.userdetails.UsernameNotFoundException;
9. import org.springframework.stereotype.Service;
11. /
12.   @author 言曌
13.   @date 2018/1/30 下午8:37
14.  /
16. @Service
17. public class CustomUserService implements UserDetailsService{
19.     @Autowired
20.     private UserRepository userRepository;
22.     @Override
23.     public User loadUserByUsername(String username) throws UsernameNotFoundException {
24.         User user = userRepository.findByUsername(username);
25.         if (user == null) {
26.             throw new UsernameNotFoundException(“用户名不存在”);
27.         } else if(“locked”.equals(user.getStatus())) { //被锁定，无法登录
28.             throw new LockedException(“用户被锁定”);
29.         }
30.         return user;
31.     }
32. }

六、Spring Security 配置

SecurityConfig.java

1. package com.liuyanzhao.chuyun.config;
4. import com.liuyanzhao.chuyun.service.CustomUserService;
5. import org.springframework.beans.factory.annotation.Autowired;
6. import org.springframework.context.annotation.Bean;
7. import org.springframework.security.authentication.AuthenticationProvider;
8. import org.springframework.security.authentication.dao.DaoAuthenticationProvider;
9. import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
10. import org.springframework.security.config.annotation.method.configuration.EnableGlobalMethodSecurity;
11. import org.springframework.security.config.annotation.web.builders.HttpSecurity;
12. import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
13. import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
14. import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
15. import org.springframework.security.crypto.password.PasswordEncoder;
18. /
19.   安全配置类
20.  
21.   @author 言曌
22.   @date 2018/1/23 上午11:37
23.  /
24. @EnableWebSecurity
25. @EnableGlobalMethodSecurity(prePostEnabled = true) // 启用方法安全设置
26. public class SecurityConfig extends WebSecurityConfigurerAdapter {
28.     private static final String KEY = “liuyanzhao.com”;
30.     @Autowired
31.     private PasswordEncoder passwordEncoder;
33.     @Bean
34.     CustomUserService customUserService() {
35.         return new CustomUserService();
36.     }
38.     @Bean
39.     public PasswordEncoder passwordEncoder() {
40.         return new BCryptPasswordEncoder();   // 使用 BCrypt 加密
41.     }
43.     @Bean
44.     public AuthenticationProvider authenticationProvider() {
45.         DaoAuthenticationProvider authenticationProvider = new DaoAuthenticationProvider();
46.         authenticationProvider.setUserDetailsService(customUserService());
47.         authenticationProvider.setPasswordEncoder(passwordEncoder); // 设置密码加密方式
48.         return authenticationProvider;
49.     }
51.     /
52.       自定义配置
53.      /
54.     @Override
55.     protected void configure(HttpSecurity http) throws Exception {
56.         http.authorizeRequests().antMatchers(“/”,“/css/”, “/js/”, “/fonts/”,“/users”).permitAll() // 都可以访问
57.                 .antMatchers(“/h2-console/”).permitAll() // 都可以访问
58.                 .antMatchers(“/admin/”).hasRole(“ADMIN”) // 需要相应的角色才能访问
59.                 .antMatchers(“/console/”).hasAnyRole(“ADMIN”,“USER”) // 需要相应的角色才能访问
60.                 .and()
61.                 .formLogin()   //基于 Form 表单登录验证
62.                 .loginPage(“/login”).failureUrl(“/login?error=true”) // 自定义登录界面
63.                 .and().rememberMe().key(KEY) // 启用 remember me
64.                 .and().exceptionHandling().accessDeniedPage(“/403”);  // 处理异常，拒绝访问就重定向到 403 页面
65.         http.csrf().ignoringAntMatchers(“/h2-console/”); // 禁用 H2 控制台的 CSRF 防护
66.         http.headers().frameOptions().sameOrigin(); // 允许来自同一来源的H2 控制台的请求
67.     }
69.     /*
70.       认证信息管理
71.      
72.       @param auth
73.       @throws Exception
74.      */
75.     @Autowired
76.     public void configureGlobal(AuthenticationManagerBuilder auth) throws Exception {
77.         //auth.userDetailsService(userDetailsService);
78.         auth.userDetailsService(customUserService());
79.         auth.authenticationProvider(authenticationProvider());
80.     }
82. }

七、HTML 页面

首页：http://localhost:8080

登录页面：http://localhost:8080/login

登录错误页面：http://localhost:8080/login?error=true

退出登录：http://localhost:8080/logout

index.html

1. <!DOCTYPE html>
2. <html xmlns=”http://www.w3.org/1999/xhtml”
3.       xmlns:th=”http://www.thymeleaf.org”
4.       xmlns:sec=”http://www.thymeleaf.org/thymeleaf-extras-springsecurity4”>
5. <head>
6.     <meta charset=“UTF-8”>
7.     <meta name=“viewport”
8.           content=“width=device-width, initial-scale=1.0, minimum-scale=1.0, maximum-scale=1.0, user-scalable=no”>
9. </head>
10. <body>
12. <!–匿名–>
13. <div sec:authorize=“isAnonymous()”>
14.     未登录，点击 <a th:href=“@{/login}”>登录</a>
15. </div>
17. <!–登录–>
18. <div sec:authorize=“isAuthenticated()”>
19.     <p>已登录</p>
20.     <p>登录名：<span sec:authentication=“name”></span></p>
21.     <p>角色：<span sec:authentication=“principal.authorities”></span></p>
22.     <p>Username：<span sec:authentication=“principal.username”></span></p>
23.     <p>Password：<span sec:authentication=“principal.password”></span></p>
24.     <p>Email ：<span sec:authentication=“principal.email”></span></p>
25.     <p>Name：<span sec:authentication=“principal.name”></span></p>
26.     <p>Status：<span sec:authentication=“principal.status”></span></p>
27.     <p>拥有的角色：
28.     <span sec:authorize=“hasRole(‘ROLE_ADMIN’)”>管理员</span>
29.     <span sec:authorize=“hasRole(‘ROLE_USER’)”>用户</span>
30.     </p>
31. </div>
32. </body>
33. </html>

login.html

1. <!DOCTYPE html>
2. <html xmlns=”http://www.w3.org/1999/xhtml”
3.       xmlns:th=”http://www.thymeleaf.org”>
4. <head>
5.     <meta http-equiv=“Content-Type” content=“text/html; charset=utf-8”/>
6.     <meta name=“viewport” content=“width=device-width, initial-scale=1, maximum-scale=1, user-scalable=no”>
7.     <title>登录页面</title>
8. <body>
10. <form th:action=“@{login}” method=“post” id=“loginForm”>
11.     <span th:if=“{param.error}"</span>&nbsp;<span class="attribute">th:text</span>=<span class="attribute-value">" $\text{{param.error}"</span>\&nbsp;<span class="attribute">th:text</span>=<span class="attribute-value">"}$${param.error}"</span>&nbsp;<span class="attribute">th:text</span>=<span class="attribute-value">"${session.SPRING_SECURITY_LAST_EXCEPTION.message}”></span>
12.     用户名：<input type=“text” name=“username” class=“username” id=“username” placeholder=“用户名” autocomplete=“off”/> <br>
13.     密　码：<input type=“password” name=“password” class=“password” id=“password” placeholder=“密码”
14.                 oncontextmenu=“return false”
15.                 onpaste=“return false”/> <br>
16.     <input type=“checkbox” name=“remember-me”/>记住我 <br>
17.     <input id=“submit” type=“submit” value=“登录”/>
18. </form>
20. </body>
21. </html>

八、运行效果

1、访问首页：http://localhost:8080