SpringSecurity入坑

Posted Z.

tags:

篇首语:本文由小常识网(cha138.com)小编为大家整理,主要介绍了SpringSecurity入坑相关的知识,希望对你有一定的参考价值。

SpringSecurity入坑第一步:内存的权限验证与授权
构建依赖 pom.xml

<?xml version="1.0" encoding="UTF-8"?>
<project xmlns="http://maven.apache.org/POM/4.0.0"
         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
    <modelVersion>4.0.0</modelVersion>

    <groupId>com.shaojie.authority</groupId>
    <artifactId>authority</artifactId>
    <version>1.0-SNAPSHOT</version>

    <parent>
        <groupId>org.springframework.boot</groupId>
        <artifactId>spring-boot-starter-parent</artifactId>
        <version>2.2.0.RELEASE</version>
        <relativePath/>
    </parent>

    <properties>
        <java.version>1.8</java.version>
        <maven.compiler.source>${java.version}</maven.compiler.source>
        <maven.compiler.target>${java.version}</maven.compiler.target>
        <project.build.sourceEncoding>UTF-8</project.build.sourceEncoding>
        <project.reporting.outputEncoding>UTF-8</project.reporting.outputEncoding>
        <spring-cloud.version>Hoxton.RC1</spring-cloud.version>
    </properties>

    <!--管理依赖-->
    <dependencyManagement>
        <dependencies>
            <dependency>
                <groupId>org.springframework.cloud</groupId>
                <artifactId>spring-cloud-dependencies</artifactId>
                <version>Hoxton.RC1</version>
                <type>pom</type>
                <scope>import</scope>
            </dependency>
        </dependencies>
    </dependencyManagement>

    <dependencies>
        <!--lombok-->
        <dependency>
            <groupId>org.projectlombok</groupId>
            <artifactId>lombok</artifactId>
        </dependency>
        <dependency>
            <groupId>org.springframework.boot</groupId>
            <artifactId>spring-boot-starter-web</artifactId>
        </dependency>
        <dependency>
            <groupId>org.springframework.boot</groupId>
            <artifactId>spring-boot-starter-test</artifactId>
        </dependency>
        <dependency>
            <groupId>org.springframework.boot</groupId>
            <artifactId>spring-boot-starter-thymeleaf</artifactId>
        </dependency>

        <!-- Spring Security -->
        <dependency>
            <groupId>org.springframework.boot</groupId>
            <artifactId>spring-boot-starter-security</artifactId>
        </dependency>
        <!--spring-data-jpa-->
        <dependency>
            <groupId>org.springframework.boot</groupId>
            <artifactId>spring-boot-starter-data-jpa</artifactId>
        </dependency>
        <!--lombok-->
        <dependency>
            <groupId>org.projectlombok</groupId>
            <artifactId>lombok</artifactId>
        </dependency>
        <!-- mysql -->
        <dependency>
            <groupId>mysql</groupId>
            <artifactId>mysql-connector-java</artifactId>
        </dependency>
        <!-- druid 连接池 -->
        <dependency>
            <groupId>com.alibaba</groupId>
            <artifactId>druid</artifactId>
            <version>1.1.21</version>
        </dependency>
    </dependencies>

    <build>
        <plugins>
            <plugin>
                <groupId>org.springframework.boot</groupId>
                <artifactId>spring-boot-maven-plugin</artifactId>
            </plugin>
        </plugins>
    </build>

</project>

构建权限验证

package com.shaojie.authority.security;

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;

/**
 * @author ShaoJie
 * @Date 2019/10/25
 */
@Configuration
// 启动 SpringSecurity 的过滤器链
@EnableWebSecurity
public class SpringSecurityConfig extends WebSecurityConfigurerAdapter {

    @Bean
    public BCryptPasswordEncoder passwordEncoder() {
        return new BCryptPasswordEncoder();
    }

    /**
     * 授权
     *
     * @param auth
     * @throws Exception
     */
    // 代替配置文件 <security:authentication-manager></security:authentication-manager>
    @Override
    protected void configure(AuthenticationManagerBuilder auth) throws Exception {
        // 老版本的角色设置 在  springboot 2.0 以后 不能这样设置
//        auth.inMemoryAuthentication()
//                .withUser("shaojie").password("123456")
//                .authorities("PRODUCT_ADD");

        // inMemoryAuthentication 内存验证
        auth.inMemoryAuthentication()
                .passwordEncoder(passwordEncoder())
                .withUser("shaojie")
                .password(passwordEncoder().encode("123456"))
                // .roles("PRODUCT_ADD","PRODUCT_LIST");
                // authorities 和 roles 都是设置权限 这里使用 roles 不能访问 403
                .authorities("PRODUCT_ADD", "PRODUCT_LIST");

    }

    /**
     * 验证
     *
     * @param http
     * @throws Exception
     */
    // 代替配置文件 <security:http></security:http>
    @Override
    protected void configure(HttpSecurity http) throws Exception {

        http.authorizeRequests()
                // antMatchers 设置拦截的请求  hasAnyAuthority 设置所拥有的角色访问权限
                .antMatchers("/product/add").hasAnyAuthority("PRODUCT_ADD")
                .antMatchers("/product/update").hasAnyAuthority("PRODUCT_UPDATE")
                .antMatchers("/product/list").hasAnyAuthority("PRODUCT_LIST")
                .antMatchers("/product/delete").hasAnyAuthority("PRODUCT_DELETE")
                // permitAll 所有的权限都能访问
                .antMatchers("/login").permitAll()
                .antMatchers("/**")
                // fullyAuthenticated 不允许匿名用户查看
                .fullyAuthenticated()
                .and()
                // httpbasic 登录
                // .httpBasic();
                // 表单登录 登录请求的页面
                .formLogin().loginPage("/login")
                // 修改 spring 提供的 默认登陆参数
                // .usernameParameter("name")
                // .passwordParameter("password")
                .and()
                // 开启记住我功能
                .rememberMe()
                .and()
                // 开启登出
                .logout()
                .and()
                // 禁用跨域的保护
                .csrf().disable();
    }
}

构建错误页面配置
验证没有权限时跳转

package com.shaojie.authority.security;

import org.springframework.boot.web.server.ConfigurableWebServerFactory;
import org.springframework.boot.web.server.ErrorPage;
import org.springframework.boot.web.server.WebServerFactoryCustomizer;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.http.HttpStatus;

/**
 * @author ShaoJie
 * @Date 2019/10/25
 */
@Configuration
public class ErrorPageConfig {

    // 使用 WebServerFactoryCustomizer 接口替换 EmbeddedServletContainerCustomizer 组件完成对嵌入式Servlet容器的配置
    @Bean
    public WebServerFactoryCustomizer<ConfigurableWebServerFactory> webServerFactoryCustomizer(){
        return new WebServerFactoryCustomizer<ConfigurableWebServerFactory>() {
            @Override
            public void customize(ConfigurableWebServerFactory factory) {
                factory.addErrorPages(new ErrorPage(HttpStatus.FORBIDDEN,"/403"));
            }
        };
    }

}

login.html

<!DOCTYPE html>
<html lang="en" xmlns:th="http://www.thymeleaf.org">
<head>
    <meta charset="UTF-8">
    <title>Title</title>
</head>
<body>
    <h2>登录页面</h2>
    <form th:action="@{/userlogin}" method="post">
        账号:<input type="text" name="username"><br>
        密码:<input type="password" name="password"><br>
        <button type="submit">登录</button>
    </form>
</body>
</html>

值得注意一下这里的<input>的属性name

官方源码 写的很清楚 默认就是 username 和 password

* protected void configure(HttpSecurity http) throws Exception {
*         http.authorizeRequests().antMatchers(&quot;/**&quot;).hasRole(&quot;USER&quot;).and().formLogin()
     *                 .usernameParameter(&quot;username&quot;) // default is username
     *                 .passwordParameter(&quot;password&quot;) // default is password
     *                 .loginPage(&quot;/authentication/login&quot;) // default is /login with an HTTP get
     *                 .failureUrl(&quot;/authentication/login?failed&quot;) // default is /login?error
     *                 .loginProcessingUrl(&quot;/authentication/login/process&quot;); // default is /login
     *                                                                         // with an HTTP
     *                                                                         // post
     *     }

index.html

<!DOCTYPE html>
<html lang="en">
<head>
    <meta charset="UTF-8">
    <title>我的页面</title>
</head>
<body>
以下是网站的功能 <br>
    <a href="" th:href="@{product/add}">商品的添加</a><br>
    <a href="" th:href="@{product/update}">商品修改</a><br>
    <a href="" th:href="@{product/list}">商品的查询</a><br>
    <a href="" th:href="@{product/delete}">商品的删除</a>
</body>
</html>

403.html

<!DOCTYPE html>
<html lang="en">
<head>
    <meta charset="UTF-8">
    <title>错误页面</title>
</head>
<body>
    你没有权限访问
</body>
</html>

add.html

<!DOCTYPE html>
<html lang="en">
<head>
    <meta charset="UTF-8">
    <title>产品的增加</title>
</head>
<body>
    产品的增加
</body>
</html>

delete.html

<!DOCTYPE html>
<html lang="en">
<head>
    <meta charset="UTF-8">
    <title>产品的删除</title>
</head>
<body>
    产品的删除
</body>
</html>

list.html

<!DOCTYPE html>
<html lang="en">
<head>
    <meta charset="UTF-8">
    <title>产品的查询</title>
</head>
<body>
    产品的查询
</body>
</html>
update.html
<!DOCTYPE html>
<html lang="en">
<head>
    <meta charset="UTF-8">
    <title>产品的修改</title>
</head>
<body>
    产品的修改
</body>
</html>

整体使用内存做授权验证, 后续整理基于JDBC 做权限授权,整体一套下来的话,基本上对于springsecurity有一个基本的了解,入坑第一步建议以基础入手,大部分的配置建议查看官方源码 ,对于登出以及记住密码,细节在 源码HttpSecurity类中有详细说明,这里不做过多的说明。只提供基础的Demo示例

喜欢编程的,请关注我的博客https://www.lzmvlog.top/

以上是关于SpringSecurity入坑的主要内容,如果未能解决你的问题,请参考以下文章

Spring Security:无法让真正的用户使用显示过期的 SessionRegistry 登录

VUE 入坑系列 一 基础语法

入坑写代码2——C#解析xml文件续集

入坑写代码1——c#解析xml文件

Rust入坑指南:步步为营

初识Python-文件类型(入坑篇)