If not the official documentation, what would you read?
Although it does not specifically cover the integration of Spring Boot and Spring Security, it is still worth a look.
Hands-on
This walkthrough does not assume a separated front end and back end; get this working first, then consider the separated setup.
Import the Maven dependency
    <dependencies>
        ...
        <dependency>
            <groupId>org.springframework.boot</groupId>
            <artifactId>spring-boot-starter-security</artifactId>
        </dependency>
        ...
    </dependencies>
With nothing else configured the application starts directly: the account name is user, and an automatically generated password is printed on the console.
Custom configuration class
Create a Spring Security Java configuration. This configuration creates a Servlet filter, called springSecurityFilterChain, which is responsible for all security in the application (protecting the application URLs, verifying the submitted username and password, redirecting to the login form, etc.).
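    import org.springframework.context.annotation.Bean;
    import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
    import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
    import org.springframework.security.core.userdetails.User;
    import org.springframework.security.core.userdetails.UserDetailsService;
    import org.springframework.security.provisioning.InMemoryUserDetailsManager;

    @EnableWebSecurity
    public class WebSecurityConfig extends WebSecurityConfigurerAdapter {
        @Bean
        @Override
        public UserDetailsService userDetailsService() {
            InMemoryUserDetailsManager manager = new InMemoryUserDetailsManager();
            // Could custom logic be plugged in here?
            // After this configuration the login account and password become user / password, as you can see.
            // Note: Spring Security 5+ expects an encoding prefix such as {noop} on the
            // password, or a PasswordEncoder bean, for a plain-text password like this one.
            manager.createUser(User.withUsername("user").password("password").roles("USER").build());
            return manager;
        }
    }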
HttpSecurity
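    protected void configure(HttpSecurity http) throws Exception {
        http.formLogin()             // Defines the login page the user is sent to when login is required.
            .and()
            .authorizeRequests()     // Defines which URLs need protection and which do not.
            .anyRequest()            // Any request: accessible only after login.
            .authenticated();
    }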
Custom login page
From the official documentation:
    <%@ taglib prefix="c" uri="http://java.sun.com/jsp/jstl/core" %>
    <c:url value="/login" var="loginUrl"/>
    <form action="${loginUrl}" method="post">                   <%-- 1 --%>
        <c:if test="${param.error != null}">                    <%-- 2 --%>
            <p>
                Invalid username and password.
            </p>
        </c:if>
        <c:if test="${param.logout != null}">                   <%-- 3 --%>
            <p>
                You have been logged out.
            </p>
        </c:if>
        <p>
            <label for="username">Username</label>
            <input type="text" id="username" name="username"/>  <%-- 4 --%>
        </p>
        <p>
            <label for="password">Password</label>
            <input type="password" id="password" name="password"/>  <%-- 5 --%>
        </p>
        <input type="hidden"
               name="${_csrf.parameterName}"
               value="${_csrf.token}"/>                         <%-- 6 --%>
        <button type="submit" class="btn">Log in</button>
    </form>
1. A POST sent to the /login URL will try to authenticate the user
2. If the query parameter error exists, authentication was attempted and failed
3. If the query parameter logout exists, the user has successfully logged out
4. The username must appear as an HTTP parameter named username
5. The password must appear as an HTTP parameter named password
6. The CSRF token is included as a hidden field; refer to the cross-site request forgery (CSRF) section of the official documentation
Customizing access requirements per URL
    protected void configure(HttpSecurity http) throws Exception {
        http
            .authorizeRequests()
                .antMatchers("/resources/**", "/signup", "/about").permitAll()
                .antMatchers("/admin/**").hasRole("ADMIN")
                .antMatchers("/db/**").access("hasRole('ADMIN') and hasRole('DBA')")
                .anyRequest().authenticated()
                .and()
            // ...
            .formLogin();
    }
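One way to check that the rules above behave as intended (an added example, not from the original post or the official documentation): a MockMvc test that assumes the configure method above sits in WebSecurityConfig, that spring-boot-starter-test and spring-security-test are on the test classpath, and that no controllers are mapped. The class name AccessRulesTest and the request paths are hypothetical.

```java
import org.junit.jupiter.api.Test;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.boot.test.autoconfigure.web.servlet.AutoConfigureMockMvc;
import org.springframework.boot.test.context.SpringBootTest;
import org.springframework.security.test.context.support.WithMockUser;
import org.springframework.test.web.servlet.MockMvc;

import static org.springframework.test.web.servlet.request.MockMvcRequestBuilders.get;
import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.redirectedUrl;
import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.status;

// Hypothetical test class. No controllers are mapped (assumption), so a request
// that passes the security filter chain ends in 404 rather than 403 or a redirect.
@SpringBootTest
@AutoConfigureMockMvc
class AccessRulesTest {

    @Autowired
    private MockMvc mvc;

    @Test // permitAll(): reachable without logging in
    void publicPathNeedsNoLogin() throws Exception {
        mvc.perform(get("/about")).andExpect(status().isNotFound());
    }

    @Test // formLogin(): an anonymous request to a protected URL is sent to /login
    void anonymousIsRedirectedToLogin() throws Exception {
        mvc.perform(get("/admin/users")).andExpect(redirectedUrl("http://localhost/login"));
    }

    @Test // hasRole("ADMIN"): an authenticated USER is still rejected
    @WithMockUser(roles = "USER")
    void plainUserIsDeniedAdminArea() throws Exception {
        mvc.perform(get("/admin/users")).andExpect(status().isForbidden());
    }

    @Test // the /db/** expression needs both roles; ADMIN alone is not enough
    @WithMockUser(roles = "ADMIN")
    void adminAloneIsDeniedDbArea() throws Exception {
        mvc.perform(get("/db/tables")).andExpect(status().isForbidden());
    }

    @Test // both roles present: the request gets past the security filters
    @WithMockUser(roles = {"ADMIN", "DBA"})
    void adminWithDbaPassesTheFilterChain() throws Exception {
        mvc.perform(get("/db/tables")).andExpect(status().isNotFound());
    }
}
```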
And so on ... please see the official documentation.
You can follow along with this blogger, and I won't copy it over here.