当前位置:
首页 >
前端技术
> javascript
>内容正文
javascript
Spring Security快速上手
生活随笔
收集整理的这篇文章主要介绍了
Spring Security快速上手
小编觉得挺不错的,现在分享给大家,帮大家做个参考.
Spring Security介绍
Spring Security是一个能够为基于Spring的企业应用系统提供声明式的安全访问控制解决方案的安全框架。
由于它是Spring生态系统中的一员,因此它伴随着整个Spring生态系统不断修正、升级,
在spring boot项目中加入spring security更是十分简单,
使用Spring Security 减少了为企业系统安全控制编写大量重复代码的工作。
创建工程
创建maven工程
创建maven工程 security-spring-security,工程结构如下:
Spring容器配置
package com.dym.security.springmvc.config;import org.springframework.context.annotation.ComponentScan; import org.springframework.context.annotation.Configuration; import org.springframework.context.annotation.FilterType; import org.springframework.stereotype.Controller;@Configuration //相当于applicationContext.xml @ComponentScan(basePackages = "com.dym.security.springmvc",excludeFilters = {@ComponentScan.Filter(type = FilterType.ANNOTATION,value = Controller.class)}) public class ApplicationConfig {//在此配置除了Controller的其它bean,比如:数据库链接池、事务管理器、业务bean等。}Servlet Context配置
package com.dym.security.springmvc.config;import org.springframework.context.annotation.Bean; import org.springframework.context.annotation.ComponentScan; import org.springframework.context.annotation.Configuration; import org.springframework.context.annotation.FilterType; import org.springframework.stereotype.Controller; import org.springframework.web.servlet.config.annotation.EnableWebMvc; import org.springframework.web.servlet.config.annotation.ViewControllerRegistry; import org.springframework.web.servlet.config.annotation.WebMvcConfigurer; import org.springframework.web.servlet.view.InternalResourceViewResolver;@Configuration//就相当于springmvc.xml文件 @EnableWebMvc @ComponentScan(basePackages = "com.dym.security.springmvc",includeFilters = {@ComponentScan.Filter(type = FilterType.ANNOTATION,value = Controller.class)}) public class WebConfig implements WebMvcConfigurer {//视图解析器@Beanpublic InternalResourceViewResolver viewResolver(){InternalResourceViewResolver viewResolver = new InternalResourceViewResolver();viewResolver.setPrefix("/WEB-INF/view/");viewResolver.setSuffix(".jsp");return viewResolver;}@Overridepublic void addViewControllers(ViewControllerRegistry registry) {registry.addViewController("/").setViewName("redirect:/login");}}加载 Spring容器
在init包下定义Spring容器初始化类SpringApplicationInitializer,
此类实现WebApplicationInitializer接口,
Spring容器启动时加载WebApplicationInitializer接口的所有实现类。
认证 —— 认证页面
springSecurity默认提供认证页面,不需要额外开发
安全配置
spring security提供了用户名密码登录、退出、会话管理等认证功能,只需要配置即可使用。
1) 在config包下定义WebSecurityConfig,安全配置的内容包括:用户信息、密码编码器、安全拦截机制
在userDetailsService()方法中,
返回了一个UserDetailsService类型的对象给spring容器,
Spring Security会使用它来获取用户信息。
暂时使用 InMemoryUserDetailsManager实现类,
并在其中分别创建了zhangsan、lisi两个用户,并设置密码和权限。
而在configure()中,我们通过HttpSecurity设置了安全拦截规则,其中包含了以下内容:
(1)url匹配/r/**的资源,经过认证后才能访问。
(2)其他url完全开放。
(3)支持form表单认证,认证成功后转向/login-success。
2) 加载 WebSecurityConfig
修改SpringApplicationInitializer的getRootConfigClasses()方法,添加WebSecurityConfig.class:
Spring Security初始化
Spring Security初始化,这里有两种情况
1. 若当前环境没有使用Spring或Spring MVC,
则需要将 WebSecurityConfig(Spring Security配置类) 传入超类,以确保获取配置,并创建spring context。
在init包下定义SpringSecurityApplicationInitializer:
package com.dym.security.springmvc.init;import org.springframework.security.web.context.AbstractSecurityWebApplicationInitializer;public class SpringSecurityApplicationInitializerextends AbstractSecurityWebApplicationInitializer {public SpringSecurityApplicationInitializer() {super(WebSecurityConfig.class);} }2. 若当前环境已经使用spring,
我们应该在现有的springContext中注册Spring Security(上一步已经做将WebSecurityConfig加载至rootcontext),此方法可以什么都不做。
默认根路径请求
在WebConfig.java中添加默认请求根路径跳转到/login,此url为spring security提供:
@Overridepublic void addViewControllers(ViewControllerRegistry registry) {registry.addViewController("/").setViewName("redirect:/login");}spring security默认提供的登录页面。
认证成功页面
在安全配置中,认证成功将跳转到/login-success,代码如下:
//安全拦截机制(最重要)@Overrideprotected void configure(HttpSecurity http) throws Exception {http.authorizeRequests().antMatchers("/r/r1").hasAuthority("p1").antMatchers("/r/r2").hasAuthority("p2").antMatchers("/r/**").authenticated()//所有/r/**的请求必须认证通过.anyRequest().permitAll()//除了/r/**,其它的请求可以访问.and().formLogin()//允许表单登录.successForwardUrl("/login-success");//自定义登录成功的页面地址}spring security支持form表单认证,认证成功后转向/login-success。
在LoginController中定义/login-success:
测试
(1)启动项目,访问 http://localhost:8080/security-spring-security/ 路径地址
页面会根据WebConfig中addViewControllers配置规则,跳转至/login,/login是pring Security提供的登录页面。
(2)登录
1、输入错误的用户名、密码
2、输入正确的用户名、密码,登录成功
(3)退出
1、请求/logout退出
2、退出 后再访问资源自动跳转到登录页面
授权
实现授权需要对用户的访问进行拦截校验,校验用户的权限是否可以操作指定的资源,
Spring Security默认提供授权实现方法。
在LoginController添加/r/r1或/r/r2
在安全配置类WebSecurityConfig.java中配置授权规则:
测试:
1、登录成功
2、访问/r/r1和/r/r2,有权限时则正常访问,否则返回403(拒绝访问)
ApplicationConfig.java
package com.dym.security.springmvc.config;import org.springframework.context.annotation.ComponentScan; import org.springframework.context.annotation.Configuration; import org.springframework.context.annotation.FilterType; import org.springframework.stereotype.Controller;@Configuration //相当于applicationContext.xml @ComponentScan(basePackages = "com.dym.security.springmvc",excludeFilters = {@ComponentScan.Filter(type = FilterType.ANNOTATION,value = Controller.class)}) public class ApplicationConfig {//在此配置除了Controller的其它bean,比如:数据库链接池、事务管理器、业务bean等。}WebConfig.java
package com.dym.security.springmvc.config;import org.springframework.context.annotation.Bean; import org.springframework.context.annotation.ComponentScan; import org.springframework.context.annotation.Configuration; import org.springframework.context.annotation.FilterType; import org.springframework.stereotype.Controller; import org.springframework.web.servlet.config.annotation.EnableWebMvc; import org.springframework.web.servlet.config.annotation.ViewControllerRegistry; import org.springframework.web.servlet.config.annotation.WebMvcConfigurer; import org.springframework.web.servlet.view.InternalResourceViewResolver;@Configuration//就相当于springmvc.xml文件 @EnableWebMvc @ComponentScan(basePackages = "com.dym.security.springmvc",includeFilters = {@ComponentScan.Filter(type = FilterType.ANNOTATION,value = Controller.class)}) public class WebConfig implements WebMvcConfigurer {//视图解析器@Beanpublic InternalResourceViewResolver viewResolver(){InternalResourceViewResolver viewResolver = new InternalResourceViewResolver();viewResolver.setPrefix("/WEB-INF/view/");viewResolver.setSuffix(".jsp");return viewResolver;}@Overridepublic void addViewControllers(ViewControllerRegistry registry) {registry.addViewController("/").setViewName("redirect:/login");}}WebSecurityConfig.java
package com.dym.security.springmvc.config;import org.springframework.context.annotation.Bean; import org.springframework.security.config.annotation.web.builders.HttpSecurity; import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity; import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter; import org.springframework.security.core.userdetails.User; import org.springframework.security.core.userdetails.UserDetailsService; import org.springframework.security.crypto.password.NoOpPasswordEncoder; import org.springframework.security.crypto.password.PasswordEncoder; import org.springframework.security.provisioning.InMemoryUserDetailsManager;@EnableWebSecurity public class WebSecurityConfig extends WebSecurityConfigurerAdapter {//定义用户信息服务(查询用户信息)@Beanpublic UserDetailsService userDetailsService(){InMemoryUserDetailsManager manager = new InMemoryUserDetailsManager();manager.createUser(User.withUsername("zhangsan").password("123").authorities("p1").build());manager.createUser(User.withUsername("lisi").password("456").authorities("p2").build());return manager;}//密码编码器@Beanpublic PasswordEncoder passwordEncoder(){return NoOpPasswordEncoder.getInstance();}//安全拦截机制(最重要)@Overrideprotected void configure(HttpSecurity http) throws Exception {http.authorizeRequests().antMatchers("/r/r1").hasAuthority("p1").antMatchers("/r/r2").hasAuthority("p2").antMatchers("/r/**").authenticated()//所有/r/**的请求必须认证通过.anyRequest().permitAll()//除了/r/**,其它的请求可以访问.and().formLogin()//允许表单登录.successForwardUrl("/login-success");//自定义登录成功的页面地址} }SpringApplicationInitializer.java
package com.dym.security.springmvc.init;import com.dym.security.springmvc.config.ApplicationConfig; import com.dym.security.springmvc.config.WebConfig; import com.dym.security.springmvc.config.WebSecurityConfig; import org.springframework.web.servlet.support.AbstractAnnotationConfigDispatcherServletInitializer;public class SpringApplicationInitializer extends AbstractAnnotationConfigDispatcherServletInitializer {//spring容器,相当于加载 applicationContext.xml@Overrideprotected Class<?>[] getRootConfigClasses() {return new Class[]{ApplicationConfig.class, WebSecurityConfig.class};}//servletContext,相当于加载springmvc.xml@Overrideprotected Class<?>[] getServletConfigClasses() {return new Class[]{WebConfig.class};}//url-mapping@Overrideprotected String[] getServletMappings() {return new String[]{"/"};} }SpringSecurityApplicationInitializer.java
package com.dym.security.springmvc.init;import org.springframework.security.web.context.AbstractSecurityWebApplicationInitializer;public class SpringSecurityApplicationInitializerextends AbstractSecurityWebApplicationInitializer {public SpringSecurityApplicationInitializer() {//super(WebSecurityConfig.class);} }LoginController.java
package com.dym.security.springmvc.controller;import org.springframework.web.bind.annotation.GetMapping; import org.springframework.web.bind.annotation.RequestMapping; import org.springframework.web.bind.annotation.RestController;@RestController public class LoginController {@RequestMapping(value = "/login-success",produces = {"text/plain;charset=UTF-8"})public String loginSuccess(){return " 登录成功";}/*** 测试资源1* @return*/@GetMapping(value = "/r/r1",produces = {"text/plain;charset=UTF-8"})public String r1(){return " 访问资源1";}/*** 测试资源2* @return*/@GetMapping(value = "/r/r2",produces = {"text/plain;charset=UTF-8"})public String r2(){return " 访问资源2";} }
总结
以上是生活随笔为你收集整理的Spring Security快速上手的全部内容,希望文章能够帮你解决所遇到的问题。
- 上一篇: shiro 实现登录验证功能
- 下一篇: Spring Security 应用详解