A First Look at Spring Security

1. Introduction

Spring Security is a top-level project in the Spring community, and it is also the security framework officially recommended by Spring Boot. In addition to regular Authentication and Authorization, Spring Security provides advanced features such as ACLs, LDAP, JAAS and CAS to meet security requirements in complex scenarios.

2. Understanding

1. Starting from AAA

【Chinese name】:Authentication, authorization and billing

【English name】:Authentication, Authorization and Accounting

【Abbreviation】:AAA

2. What is Authentication?

There is no ROLE concept in the AAA model; a ROLE is either one special Authority or a group of related Authorities.
2. Role and Authority

Role = a certain principal (Principal) together with a set of permissions (Authority/Permission).

Coarse-grained design 1: A role is represented by an Authority,

For example: Authorities={ROLE_ADMIN},

represents the administrator role; Authorities={ROLE_USER} represents the ordinary user role;

Authorities={ROLE_USER, ROLE_ADMIN} represents a user holding both roles.

Coarse-grained design 2: A role is represented by an Authority carrying the role's own name plus the Authorities for its specific permissions. For example, Authorities={ROLE_ADMIN, OP_CreateUser, OP_Drop_User, OP_FrozenUser} represents the administrator role with three specific permissions, and Authorities={ROLE_USER, OP_ChangePassword, OP_List_Reports} represents the ordinary user role with two permissions.

3. Spring Security Authentication

 


 

3. Practical use

1. Dependency jar package:

<dependency>
			<groupId>org.springframework.boot</groupId>
			<artifactId>spring-boot-starter-security</artifactId>
		</dependency>

 2. Implement basic login

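/**
 * Minimal form-login setup.
 * <p>
 * Everything under {@code /admin/**} requires an authenticated user; no {@code anyRequest()} rule is
 * declared, so every other URL is reachable without logging in. The login page itself is open to
 * everyone. No user store is declared in this class.
 */
@Configuration
public class BasicSecurityConfig extends WebSecurityConfigurerAdapter {

	/**
	 * Declares the URL authorization rules and enables form login.
	 *
	 * @param http the builder for the HTTP security filter chain
	 * @throws Exception propagated from the builder
	 */
	@Override
	protected void configure(HttpSecurity http) throws Exception {
		http.authorizeRequests()
				.antMatchers("/admin/**").authenticated()
				.and().formLogin().permitAll();
	}

	/**
	 * Keeps static resources out of the security filter chain.
	 * <p>
	 * The original patterns began with {@code **} instead of {@code /}. Spring's Ant-style matcher only
	 * matches when pattern and path agree on the leading separator, and servlet paths always start with
	 * {@code /}, so those patterns never matched anything and every request still went through the
	 * filter chain. {@code web.ignoring()} removes <em>all</em> filters for a matching request, including
	 * the security-header filters, so list only genuinely public static content here; for anything else
	 * prefer {@code permitAll()} inside {@link #configure(HttpSecurity)}.
	 *
	 * @param web the builder for the top-level web security configuration
	 * @throws Exception propagated from the builder
	 */
	@Override
	public void configure(WebSecurity web) throws Exception {
		web.ignoring().antMatchers("/js/**", "/css/**", "/images/**", "/**/favicon.ico");
	}

}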

 3. JDBC login configuration

import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.SecureRandom;
import java.security.spec.InvalidKeySpecException;
import java.util.Arrays;
import java.util.Base64;

import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.PBEKeySpec;
import javax.sql.DataSource;

import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.method.configuration.EnableGlobalMethodSecurity;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.builders.WebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.crypto.password.PasswordEncoder;
import org.springframework.security.provisioning.JdbcUserDetailsManager;
import org.springframework.security.provisioning.UserDetailsManager;
import org.springframework.security.web.authentication.rememberme.JdbcTokenRepositoryImpl;

import leader.utils.PasswordHash;

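/**
 * JDBC-backed security configuration: users and authorities are read from the database, remember-me
 * tokens are persisted through JDBC, and passwords are verified with a salted PBKDF2 hash.
 * <p>
 * {@code prePostEnabled = true} turns on the method-level {@code @PreAuthorize}/{@code @PostAuthorize}
 * annotations in addition to the URL rules declared below.
 */
@EnableGlobalMethodSecurity(prePostEnabled = true)
@Configuration
public class JDBCSecurityConfig extends WebSecurityConfigurerAdapter {

	/** Remember-me cookie lifetime in seconds (365 days, unchanged from the original value). */
	private static final int REMEMBER_ME_VALIDITY_SECONDS = 31536000;

	@Autowired
	private DataSource datasource;

	/**
	 * Declares the URL authorization rules, form login, logout and remember-me.
	 * <p>
	 * {@code /manager/createuser} requires the {@code op_createuser} role and the rest of
	 * {@code /manager/**} requires the {@code manager} role; the more specific matcher is listed first
	 * because matchers are evaluated in declaration order. No {@code anyRequest()} rule is declared, so
	 * every URL outside {@code /manager/**} is open. Remember-me tokens go to the JDBC repository so
	 * they survive a restart.
	 * <p>
	 * NOTE(review): CSRF protection is disabled here, as in the original. Cookie-based form login plus a
	 * remember-me cookie is precisely the situation CSRF protection exists for, so this should only stay
	 * disabled when all callers are stateless/token-based; if it is re-enabled, every HTML form that
	 * POSTs (including logout) must carry the CSRF token.
	 *
	 * @param http the builder for the HTTP security filter chain
	 * @throws Exception propagated from the builder
	 */
	@Override
	protected void configure(HttpSecurity http) throws Exception {
		JdbcTokenRepositoryImpl repository = getTokenRepository();
		http.csrf().disable();
		http.authorizeRequests()
				.antMatchers("/manager/createuser").hasAnyRole("op_createuser")
				.antMatchers("/manager/**").hasAnyRole("manager")
				.and().formLogin().permitAll()
				.and().rememberMe().tokenRepository(repository).tokenValiditySeconds(REMEMBER_ME_VALIDITY_SECONDS)
				.and().logout().permitAll();
	}

	/**
	 * Creates the JDBC remember-me token repository (backed by the {@code persistent_logins} table).
	 * Called directly from {@link #configure(HttpSecurity)}; it is deliberately not a {@code @Bean}.
	 *
	 * @return a repository bound to the injected {@link DataSource}
	 */
	public JdbcTokenRepositoryImpl getTokenRepository() {
		JdbcTokenRepositoryImpl tokenRepository = new JdbcTokenRepositoryImpl();
		tokenRepository.setDataSource(datasource);
		return tokenRepository;
	}

	/**
	 * Keeps static resources out of the security filter chain.
	 * <p>
	 * The original patterns began with {@code **} instead of {@code /}. Spring's Ant-style matcher only
	 * matches when pattern and path agree on the leading separator, and servlet paths always start with
	 * {@code /}, so those patterns never matched anything and every request still went through the
	 * filter chain. {@code web.ignoring()} removes <em>all</em> filters for a matching request, including
	 * the security-header filters, so list only genuinely public static content here; for anything else
	 * prefer {@code permitAll()} inside {@link #configure(HttpSecurity)}.
	 *
	 * @param web the builder for the top-level web security configuration
	 * @throws Exception propagated from the builder
	 */
	@Override
	public void configure(WebSecurity web) throws Exception {
		web.ignoring().antMatchers("/js/**", "/css/**", "/images/**", "/**/favicon.ico");
	}

	/**
	 * Wires the JDBC user store and the password encoder into the authentication manager.
	 * <p>
	 * The original anonymous encoder stored and compared passwords in clear text and cast the
	 * {@code CharSequence} to {@code String} (a {@code ClassCastException} for any other implementation).
	 * It is replaced by {@link Pbkdf2PasswordEncoder}: the {@code users.password} column must hold a
	 * value produced by {@link PasswordEncoder#encode}, never the clear-text password. Rows that still
	 * contain clear text no longer authenticate and must be re-encoded.
	 *
	 * @param auth the authentication manager builder
	 * @throws Exception propagated from {@link #jdbcUserDetailsManager()}
	 */
	@Override
	public void configure(AuthenticationManagerBuilder auth) throws Exception {
		auth.userDetailsService(jdbcUserDetailsManager()).passwordEncoder(new Pbkdf2PasswordEncoder());
	}

	/**
	 * Creates the JDBC user store that reads the {@code users} and {@code authorities} tables.
	 * Authorities are stored without a prefix; {@code ROLE_} is prepended when they are loaded, so a
	 * stored authority {@code manager} satisfies {@code hasAnyRole("manager")}.
	 *
	 * @return a user store bound to the injected {@link DataSource}
	 * @throws Exception kept for signature compatibility with the original; nothing here throws
	 */
	public UserDetailsManager jdbcUserDetailsManager() throws Exception {
		JdbcUserDetailsManager userManager = new JdbcUserDetailsManager();
		userManager.setDataSource(datasource);
		userManager.setRolePrefix("ROLE_");
		return userManager;
	}

	/**
	 * Salted PBKDF2-HMAC-SHA256 password encoder built on the JDK only.
	 * <p>
	 * Encoded form: {@code iterations:base64(salt):base64(hash)}. Every password gets a fresh random salt,
	 * the iteration count travels with the hash so it can be raised later without invalidating stored
	 * entries, and verification compares in constant time via {@link MessageDigest#isEqual}. The class
	 * holds no mutable state and is safe to share between threads.
	 */
	private static final class Pbkdf2PasswordEncoder implements PasswordEncoder {

		private static final String ALGORITHM = "PBKDF2WithHmacSHA256";
		private static final int SALT_LENGTH_BYTES = 16;
		private static final int KEY_LENGTH_BITS = 256;
		/** Work factor for newly encoded passwords; raise it as hardware gets faster. */
		private static final int ITERATIONS = 600_000;
		private static final SecureRandom RANDOM = new SecureRandom();

		/**
		 * Encodes a password for storage.
		 *
		 * @param rawPassword the clear-text password; must not be null or empty
		 * @return {@code iterations:base64(salt):base64(hash)}
		 * @throws IllegalArgumentException if {@code rawPassword} is null or empty
		 */
		@Override
		public String encode(CharSequence rawPassword) {
			if (rawPassword == null || rawPassword.length() == 0) {
				throw new IllegalArgumentException("rawPassword must not be null or empty");
			}
			byte[] salt = new byte[SALT_LENGTH_BYTES];
			RANDOM.nextBytes(salt);
			byte[] hash = derive(rawPassword, salt, ITERATIONS);
			Base64.Encoder base64 = Base64.getEncoder();
			return ITERATIONS + ":" + base64.encodeToString(salt) + ":" + base64.encodeToString(hash);
		}

		/**
		 * Checks a presented password against a stored encoding.
		 *
		 * @param rawPassword the password entered at login
		 * @param encodedPassword the value stored in the database
		 * @return {@code true} only when {@code encodedPassword} was produced by {@link #encode} from
		 *     {@code rawPassword}; malformed or legacy clear-text stored values never match
		 */
		@Override
		public boolean matches(CharSequence rawPassword, String encodedPassword) {
			if (rawPassword == null || rawPassword.length() == 0 || encodedPassword == null) {
				return false;
			}
			String[] parts = encodedPassword.split(":");
			if (parts.length != 3) {
				return false; // not produced by encode(): e.g. a legacy clear-text row
			}
			int iterations;
			byte[] salt;
			byte[] expected;
			try {
				iterations = Integer.parseInt(parts[0]);
				salt = Base64.getDecoder().decode(parts[1]);
				expected = Base64.getDecoder().decode(parts[2]);
			} catch (IllegalArgumentException malformed) {
				// NumberFormatException and bad Base64 both extend IllegalArgumentException
				return false;
			}
			if (iterations <= 0) {
				return false;
			}
			byte[] actual = derive(rawPassword, salt, iterations);
			return MessageDigest.isEqual(expected, actual);
		}

		/** Runs PBKDF2 over a {@code char[]} copy of the password and wipes the copy afterwards. */
		private static byte[] derive(CharSequence rawPassword, byte[] salt, int iterations) {
			char[] chars = new char[rawPassword.length()];
			for (int i = 0; i < chars.length; i++) {
				chars[i] = rawPassword.charAt(i);
			}
			PBEKeySpec spec = new PBEKeySpec(chars, salt, iterations, KEY_LENGTH_BITS);
			try {
				return SecretKeyFactory.getInstance(ALGORITHM).generateSecret(spec).getEncoded();
			} catch (NoSuchAlgorithmException | InvalidKeySpecException e) {
				throw new IllegalStateException(ALGORITHM + " is not available", e);
			} finally {
				spec.clearPassword();
				Arrays.fill(chars, '\0');
			}
		}
	}
}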

 4. Create table structure

 

-- Schema for Spring Security's JDBC user store (users + authorities) and for the
-- JDBC remember-me token store (persistent_logins), as used by JDBCSecurityConfig.
DROP TABLE IF EXISTS  users ;

-- Read by JdbcUserDetailsManager: username, password, enabled.
-- NOTE(review): the password column must hold whatever the configured PasswordEncoder
-- produces; a clear-text value only works with a clear-text encoder and belongs in a
-- local demo at most. enabled defaults to NULL, which is not an enabled account.
CREATE TABLE users (
  username VARCHAR(20) NOT NULL,
  PASSWORD VARCHAR(150) NOT NULL,
  enabled TINYINT(1) DEFAULT NULL,
  PRIMARY KEY (username)
) ENGINE=INNODB DEFAULT CHARSET=utf8 ;

-- One row per (username, authority). JDBCSecurityConfig calls setRolePrefix("ROLE_"),
-- so store the bare name ('manager'), not 'ROLE_manager' -- verify against the config.
DROP TABLE IF EXISTS authorities;
CREATE TABLE authorities (
  id BIGINT(20) NOT NULL AUTO_INCREMENT,
  username VARCHAR(20) NOT NULL,
  authority VARCHAR(50) NOT NULL,
  PRIMARY KEY (id)
) ENGINE=INNODB DEFAULT CHARSET=utf8;

-- Remember-me tokens written by JdbcTokenRepositoryImpl.
-- NOTE(review): series is the lookup key and is meant to be unique (Spring's reference
-- schema makes it the primary key); a plain KEY here allows duplicates.
DROP TABLE IF EXISTS persistent_logins ;
CREATE TABLE persistent_logins (
  id INT(11) NOT NULL AUTO_INCREMENT COMMENT 'ID',
  username VARCHAR(50) DEFAULT '' COMMENT 'username',
  series VARCHAR(50) DEFAULT '' COMMENT 'series',
  token VARCHAR(64) DEFAULT '' COMMENT 'tokenValue',
  last_used DATETIME DEFAULT NULL COMMENT 'last_used',
  KEY id (id),
  KEY series (series)
) ENGINE=INNODB DEFAULT CHARSET=utf8;
-- user leader , password : 123456
-- NOTE(review): the only user inserted is 'leader', but the authorities row below is for
-- 'admin'; unless an 'admin' user is created elsewhere, 'leader' has no authority row and
-- cannot satisfy the hasAnyRole checks in JDBCSecurityConfig.
INSERT INTO users(username,PASSWORD,enabled)VALUES('leader' , '123456' , 1) ;
INSERT authorities(username,authority)VALUES('admin' , 'admin') ;

 

 
