第一步:加入security启动器依赖:
<dependency>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-security</artifactId>
</dependency>
第二步:创建security的配置类:
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
//aop:横切,不需要修改源代码,相同的还有拦截器等
@EnableWebSecurity //spring托管
public class SecurityConfig extends WebSecurityConfigurerAdapter {
//链式编程
@Override
protected void configure(HttpSecurity http) throws Exception {
http.authorizeRequests()
.antMatchers("/").permitAll() //所有人可以访问
.antMatchers("/level1/**").hasRole("vip1")//"vip1"角色才能访问
.antMatchers("/level2/**").hasRole("vip2")
.antMatchers("/level3/**").hasRole("vip3");
//没有权限则默认会到登录页面 为什么会进入login页面 --看源码>约定大于配置
http.formLogin();
http.logout().logoutSuccessUrl("/");//logoutSuccessUrl()设置注销成功跳转的页面;
}
//认证,
//密码编译,否则会报500,服务器异常错误
//加入加密编码
@Override
protected void configure(AuthenticationManagerBuilder auth) throws Exception {
auth.inMemoryAuthentication() //内存中认证,数据库认证则为jdbcAuthentication()
.passwordEncoder(new BCryptPasswordEncoder())
.withUser("min").password(new BCryptPasswordEncoder().encode("123456")).roles("vip1","vip2") //添加用户权限,用户名为min,密码为123456,身份角色有vip1/2
.and()
.withUser("root").password(new BCryptPasswordEncoder().encode("123456")).roles("vip1","vip2","vip3")
.and()
.withUser("person").password(new BCryptPasswordEncoder().encode("123456")).roles("vip1");
}
}
特别说明:
- 继承的WebSecurityConfigurerAdapter不要导错包了,否则会缺失方法
- 关于security配置中的方法都是链式编程的思想(简单上手)
- 使用到了AOP的知识,不需要修改源代码,相同的还有拦截器等
- configure(HttpSecurity http)该重写方法是依靠url地址来识别的
- 500服务器异常:在给用户密码的时候记得使用加密编码,否则高一点的Security会报500异常,这也是为了安全着想,否则反编译过来看到源码就危险了!
- 403权限不够异常
http.formLogin()中体现了spring的约定大于配置,如,没有角色认证的用户在请求到权限网页时会自动跳转到login页面.看源码,有说明!
- 登录与注销的跳转页面应为:/toLogin与/logout,在
http.logout()中的源码有说明
/**
* Provides logout support. This is automatically applied when using
* {@link WebSecurityConfigurerAdapter}. The default is that accessing the URL
* "/logout" will log the user out by invalidating the HTTP Session, cleaning up any
* {@link #rememberMe()} authentication that was configured, clearing the
* {@link SecurityContextHolder}, and then redirect to "/login?success".
*
* <h2>Example Custom Configuration</h2>
*
* The following customization to log out when the URL "/custom-logout" is invoked.
* Log out will remove the cookie named "remove", not invalidate the HttpSession,
* clear the SecurityContextHolder, and upon completion redirect to "/logout-success".
*
* <pre>
* @Configuration
* @EnableWebSecurity
* public class LogoutSecurityConfig extends WebSecurityConfigurerAdapter {
*
* @Override
* protected void configure(HttpSecurity http) throws Exception {
* http.authorizeRequests().antMatchers("/**").hasRole("USER").and().formLogin()
* .and()
* // sample logout customization
* .logout().deleteCookies("remove").invalidateHttpSession(false)
* .logoutUrl("/custom-logout").logoutSuccessUrl("/logout-success");
* }
*
* @Override
* protected void configure(AuthenticationManagerBuilder auth) throws Exception {
* auth.inMemoryAuthentication().withUser("user").password("password").roles("USER");
* }
* }
* </pre>
* @return the {@link LogoutConfigurer} for further customizations
* @throws Exception
*/
public LogoutConfigurer<HttpSecurity> logout() throws Exception {
return getOrApply(new LogoutConfigurer<>());
}