This article Source: GitHub · Click here || GitEE · Click here
A, Security Introduction
1, the basic concept
Spring Security is able to provide a secure access control declarative security framework Spring-based solutions for enterprise applications. It provides a set of Bean can be configured in the Spring application context, full use of Spring's IOC, DI, AOP (Aspect Oriented Programming) function to provide secure access control declarative application system, reducing prepared for security control a lot of duplication of work code.
2, the core API reading
1)、SecurityContextHolder
The most basic object that holds the current session user authentication, permissions, authentication and other core data. SecurityContextHolder default ThreadLocal to store authentication information policies, strategies and thread-bound. When the user exits, automatically clears the authentication information for the current thread.
Initialization Source: Prominent use of ThreadLocal thread.
private static void initialize() {
if (!StringUtils.hasText(strategyName)) {
strategyName = "MODE_THREADLOCAL";
}
if (strategyName.equals("MODE_THREADLOCAL")) {
strategy = new ThreadLocalSecurityContextHolderStrategy();
} else if (strategyName.equals("MODE_INHERITABLETHREADLOCAL")) {
strategy = new InheritableThreadLocalSecurityContextHolderStrategy();
} else if (strategyName.equals("MODE_GLOBAL")) {
strategy = new GlobalSecurityContextHolderStrategy();
} else {
try {
Class<?> clazz = Class.forName(strategyName);
Constructor<?> customStrategy = clazz.getConstructor();
strategy = (SecurityContextHolderStrategy)customStrategy.newInstance();
} catch (Exception var2) {
ReflectionUtils.handleReflectionException(var2);
}
}
++initializeCount;
}2)、Authentication
Source
public interface Authentication extends Principal, Serializable {
Collection<? extends GrantedAuthority> getAuthorities();
Object getCredentials();
Object getDetails();
Object getPrincipal();
boolean isAuthenticated();
void setAuthenticated(boolean var1) throws IllegalArgumentException;
}Source code analysis
1)、getAuthorities,权限列表,通常是代表权限的字符串集合;
2)、getCredentials,密码,认证之后会移出,来保证安全性;
3)、getDetails,请求的细节参数;
4)、getPrincipal, 核心身份信息,一般返回UserDetails的实现类。3)、UserDetails
Encapsulate the details of user information.
public interface UserDetails extends Serializable {
Collection<? extends GrantedAuthority> getAuthorities();
String getPassword();
String getUsername();
boolean isAccountNonExpired();
boolean isAccountNonLocked();
boolean isCredentialsNonExpired();
boolean isEnabled();
}4)、UserDetailsService
Implement the interface, custom user authentication process, usually read the database, compared to the user's login information for authentication, authorization.
public interface UserDetailsService {
UserDetails loadUserByUsername(String var1) throws UsernameNotFoundException;
}5)、AuthenticationManager
Certification process top-level interface. Can implement an interface to customize your own AuthenticationManager authentication, Spring provides a default implementation, ProviderManager.
public interface AuthenticationManager {
Authentication authenticate(Authentication var1) throws AuthenticationException;
}Second, integration with SpringBoot2
1, process description
1)、三个页面分类,page1、page2、page3
2)、未登录授权都不可以访问
3)、登录后根据用户权限,访问指定页面
4)、对于未授权页面,访问返回403:资源不可用2, rely on the core
<dependency>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-security</artifactId>
</dependency>3, core configuration
/**
* EnableWebSecurity注解使得SpringMVC集成了Spring Security的web安全支持
*/
@EnableWebSecurity
public class SecurityConfig extends WebSecurityConfigurerAdapter {
/**
* 权限配置
*/
@Override
protected void configure(HttpSecurity http) throws Exception {
// 配置拦截规则
http.authorizeRequests().antMatchers("/").permitAll()
.antMatchers("/page1/**").hasRole("LEVEL1")
.antMatchers("/page2/**").hasRole("LEVEL2")
.antMatchers("/page3/**").hasRole("LEVEL3");
// 配置登录功能
http.formLogin().usernameParameter("user")
.passwordParameter("pwd")
.loginPage("/userLogin");
// 注销成功跳转首页
http.logout().logoutSuccessUrl("/");
//开启记住我功能
http.rememberMe().rememberMeParameter("remeber");
}
/**
* 自定义认证数据源
*/
@Override
protected void configure(AuthenticationManagerBuilder builder) throws Exception{
builder.userDetailsService(userDetailService())
.passwordEncoder(passwordEncoder());
}
@Bean
public UserDetailServiceImpl userDetailService (){
return new UserDetailServiceImpl () ;
}
/**
* 密码加密
*/
@Bean
public BCryptPasswordEncoder passwordEncoder(){
return new BCryptPasswordEncoder();
}
/*
* 硬编码几个用户
@Autowired
public void configureGlobal(AuthenticationManagerBuilder auth) throws Exception {
auth.inMemoryAuthentication()
.withUser("spring").password("123456").roles("LEVEL1","LEVEL2")
.and()
.withUser("summer").password("123456").roles("LEVEL2","LEVEL3")
.and()
.withUser("autumn").password("123456").roles("LEVEL1","LEVEL3");
}
*/
}4. The certification process
@Service
public class UserDetailServiceImpl implements UserDetailsService {
@Resource
private UserRoleMapper userRoleMapper ;
@Override
public UserDetails loadUserByUsername(String username) throws UsernameNotFoundException {
// 这里可以捕获异常,使用异常映射,抛出指定的提示信息
// 用户校验的操作
// 假设密码是数据库查询的 123
String password = "$2a$10$XcigeMfToGQ2bqRToFtUi.sG1V.HhrJV6RBjji1yncXReSNNIPl1K";
// 假设角色是数据库查询的
List<String> roleList = userRoleMapper.selectByUserName(username) ;
List<GrantedAuthority> grantedAuthorityList = new ArrayList<>() ;
/*
* Spring Boot 2.0 版本踩坑
* 必须要 ROLE_ 前缀, 因为 hasRole("LEVEL1")判断时会自动加上ROLE_前缀变成 ROLE_LEVEL1 ,
* 如果不加前缀一般就会出现403错误
* 在给用户赋权限时,数据库存储必须是完整的权限标识ROLE_LEVEL1
*/
if (roleList != null && roleList.size()>0){
for (String role : roleList){
grantedAuthorityList.add(new SimpleGrantedAuthority(role)) ;
}
}
return new User(username,password,grantedAuthorityList);
}
}5, test interface
@Controller
public class PageController {
/**
* 首页
*/
@RequestMapping("/")
public String index (){
return "home" ;
}
/**
* 登录页
*/
@RequestMapping("/userLogin")
public String loginPage (){
return "pages/login" ;
}
/**
* page1 下页面
*/
@PreAuthorize("hasAuthority('LEVEL1')")
@RequestMapping("/page1/{pageName}")
public String onePage (@PathVariable("pageName") String pageName){
return "pages/page1/"+pageName ;
}
/**
* page2 下页面
*/
@PreAuthorize("hasAuthority('LEVEL2')")
@RequestMapping("/page2/{pageName}")
public String twoPage (@PathVariable("pageName") String pageName){
return "pages/page2/"+pageName ;
}
/**
* page3 下页面
*/
@PreAuthorize("hasAuthority('LEVEL3')")
@RequestMapping("/page3/{pageName}")
public String threePage (@PathVariable("pageName") String pageName){
return "pages/page3/"+pageName ;
}
}6, the login screen
Here to Security and configuration files, respectively.
<div align="center">
<form th:action="@{/userLogin}" method="post">
用户名:<input name="user"/><br>
密 码:<input name="pwd"><br/>
<input type="checkbox" name="remeber"> 记住我<br/>
<input type="submit" value="Login">
</form>
</div>Third, the source address
GitHub·地址
https://github.com/cicadasmile/middle-ware-parent
GitEE·地址
https://gitee.com/cicadasmile/middle-ware-parent