Spring Boot and Spring Security: authorization verification and user login

Introduction to Spring Security

Spring Security is a security framework for Spring projects, and it is also the default technology choice for Spring Boot's underlying security module. It provides powerful web security control. For security control, we only need to bring in the spring-boot-starter-security module.

The main classes:

WebSecurityConfigurerAdapter: custom security policy
AuthenticationManagerBuilder: custom authentication policy
@EnableWebSecurity: turns on WebSecurity mode (an @EnableXXX annotation turns on a given feature)

Spring Security's two main goals are "authentication" and "authorization" (access control).
These concepts are general and apply beyond Spring Security.

Preparation: import dependencies

        <!-- Thymeleaf dependency -->
        <dependency>
            <groupId>org.springframework.boot</groupId>
            <artifactId>spring-boot-starter-thymeleaf</artifactId>
        </dependency>
        <!-- Spring Security dependency -->
        <dependency>
            <groupId>org.springframework.boot</groupId>
            <artifactId>spring-boot-starter-security</artifactId>
        </dependency>

[Figure: directory structure with a few simple pages]

[Figure: how the page looks]

Write your own config class

Spring Boot does most of the integration for us. We only need to write one class that extends WebSecurityConfigurerAdapter and annotate it with @EnableWebSecurity.

package com.jj.config;

import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;

@EnableWebSecurity
public class Securityconfig extends WebSecurityConfigurerAdapter {

    // Override the HTTP security configuration
    @Override
    protected void configure(HttpSecurity http) throws Exception {
        // The home page is accessible to everyone; each level requires its own role
        http.authorizeRequests()
                .antMatchers("/").permitAll()
                .antMatchers("/level1/**").hasRole("vip1")
                .antMatchers("/level2/**").hasRole("vip2")
                .antMatchers("/level3/**").hasRole("vip3");
        // Enable form login; users without permission are sent to the login page
        http.formLogin();
    }
}

As a result, when we click a link, we are returned to the login page because we have no permission. This is equivalent to Spring's AOP (aspect-oriented programming).

Set login accounts, passwords, and permissions

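    // Override to define the login accounts and passwords.
    // They could come from a database; I have not connected one, so in-memory users are used.
    // Needs: import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
    @Override
    protected void configure(AuthenticationManagerBuilder auth) throws Exception {
        auth.inMemoryAuthentication()
                // fjj can view vip2 and vip3
                .withUser("fengjiaojaio").password("123456").roles("vip2", "vip3")
                // 憨憨 can only view vip1
                .and().withUser("憨憨").password("285").roles("vip1");
    }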

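Depending on the version, this reports an error saying the password is insecure. Maybe it's for the sake of everyone's passwords, hahaha. Spring Security 5 expects a stored password in the form {id}encodedPassword and picks the PasswordEncoder from that id; a plain-text password has no id, which is what the exception below reports.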

java.lang.IllegalArgumentException: There is no PasswordEncoder mapped for the id "null"
	at org.springframework.security.crypto.password.DelegatingPasswordEncoder$UnmappedIdPasswordEncoder.matches(DelegatingPasswordEncoder.java:254) ~[spring-security-core-5.4.2.jar:5.4.2]
	at org.springframework.security.crypto.password.DelegatingPasswordEncoder.matches(DelegatingPasswordEncoder.java:202) ~[spring-security-core-5.4.2.jar:5.4.2]

Solution 1: If you don't want to set up password encoding, you can downgrade the version to 2.1.X
Solution 2: Add password encoding

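    // Override to define the login accounts and passwords.
    // They could come from a database; I have not connected one, so in-memory users are used.
    // Needs these imports in Securityconfig:
    //   org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder
    //   org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder
    @Override
    protected void configure(AuthenticationManagerBuilder auth) throws Exception {
        // One encoder both hashes the stored passwords and checks logins
        BCryptPasswordEncoder encoder = new BCryptPasswordEncoder();
        auth.inMemoryAuthentication().passwordEncoder(encoder)
                // fjj can view vip2 and vip3
                .withUser("fengjiaojaio").password(encoder.encode("123456")).roles("vip2", "vip3")
                // 憨憨 can only view vip1
                .and().withUser("憨憨").password(encoder.encode("285")).roles("vip1");
    }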
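
Why the plain-text version throws and the BCrypt version works, as an added example that is not part of the original post. It assumes spring-security-crypto 5.x is on the classpath (it is in any project using spring-boot-starter-security); the class name PasswordEncoderDemo and the helper tryMatch are made up for illustration.

```java
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
import org.springframework.security.crypto.factory.PasswordEncoderFactories;
import org.springframework.security.crypto.password.PasswordEncoder;

// Hypothetical demo class; needs spring-security-crypto 5.x on the classpath.
public class PasswordEncoderDemo {

    // Returns the failure message, or null when the stored value can be checked.
    static String tryMatch(PasswordEncoder encoder, String raw, String stored) {
        try {
            encoder.matches(raw, stored);
            return null;
        } catch (IllegalArgumentException e) {
            return e.getMessage();
        }
    }

    public static void main(String[] args) {
        // The encoder Spring Security 5 falls back to when none is configured.
        PasswordEncoder delegating = PasswordEncoderFactories.createDelegatingPasswordEncoder();
        BCryptPasswordEncoder bcrypt = new BCryptPasswordEncoder();

        // Case 1: plain text stored, as in the first configure(): no {id}, so it is rejected.
        System.out.println("plain text stored : " + tryMatch(delegating, "123456", "123456"));

        // Case 2: a bare BCrypt hash is rejected by the delegating encoder too;
        // it only works in Solution 2 because BCryptPasswordEncoder is set explicitly.
        String bare = bcrypt.encode("123456");
        System.out.println("bare hash, default: " + tryMatch(delegating, "123456", bare));
        System.out.println("bare hash, bcrypt : " + bcrypt.matches("123456", bare));

        // Case 3: the delegating encoder's own output carries the {bcrypt} prefix.
        String prefixed = delegating.encode("123456");
        System.out.println("prefixed value    : " + prefixed.substring(0, 8));
        System.out.println("prefixed, default : " + delegating.matches("123456", prefixed));
        System.out.println("wrong password    : " + delegating.matches("654321", prefixed));

        // BCrypt salts every hash, so encoding the same password twice differs.
        System.out.println("same hash twice?  : " + bare.equals(bcrypt.encode("123456")));
    }
}
```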

The effect: it will say that there is no permission!

If you connect to a database, the official documentation shows how; just inject the data source!

There will be cookies after login, so you need to enable logout by adding one line to the configuration [figure: the added line], and write a logout button on the home page [figure: the logout button].

This mapping is provided by Spring Security itself. Click through to download its source code, and you can see the comments.

Effect: there is a friendly prompt.

If you don't want to jump to the login page, you can also jump to a specified URL.
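
One way to write the logout step described above, as an added example that is not the author's code (the post shows its own line only as an image). The class name SecurityconfigWithLogout, the "/" success URL and the form markup are assumptions.

```java
package com.jj.config;

import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;

// Hypothetical class name; use it in place of Securityconfig, not alongside it.
@EnableWebSecurity
public class SecurityconfigWithLogout extends WebSecurityConfigurerAdapter {

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        // Same access rules as the post's Securityconfig
        http.authorizeRequests()
                .antMatchers("/").permitAll()
                .antMatchers("/level1/**").hasRole("vip1")
                .antMatchers("/level2/**").hasRole("vip2")
                .antMatchers("/level3/**").hasRole("vip3");
        http.formLogin();

        // Logout configuration. Spring Security maps /logout itself; no controller is needed.
        // CSRF protection is left on (the default), so /logout only accepts POST.
        http.logout()
                .logoutSuccessUrl("/")          // assumed target: home page instead of /login?logout
                .invalidateHttpSession(true)    // drop the server-side session (default behaviour)
                .deleteCookies("JSESSIONID");   // clear the servlet container's default session cookie
    }
}

/*
 Logout button for the Thymeleaf home page (constructed markup, not from the post).
 It must be a POST form: th:action makes Thymeleaf add the hidden _csrf field,
 so logout works without disabling CSRF protection.

 <form th:action="@{/logout}" method="post">
     <button type="submit">Logout</button>
 </form>
*/
```

A plain link to /logout sends a GET request, which this configuration does not treat as a logout; keeping the button a POST form means another site cannot log the user out with a crafted link.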

Origin blog.csdn.net/m0_46937429/article/details/111592205