【SpringBoot】整合SpringSecurity框架

一、整合Springsecurity

引入依赖

<dependency>
    <groupId>org.springframework.security</groupId>
    <artifactId>spring-security-test</artifactId>
    <scope>test</scope>
</dependency>

重启项目

会自动跳转到SpringSecurity提供的登陆页面

登陆的用户名是：user

登陆的密码在启动项目的过程中，已经在日志中输出

二、自定义登录验证信息

2.1 自定义登陆页面

新建自定义的登录html

<!DOCTYPE html>
<html lang="en">
<head>
    <meta charset="UTF-8">
    <title>登录</title>
</head>
<body>
<h2>自定义登录页面</h2>
<form action="/login.do" method="post">
    <table>
        <tr>
            <td>用户名:</td>
            <td><input type="text" name="username"></td>
        </tr>
        <tr>
            <td>密码:</td>
            <td><input type="password" name="password"></td>
        </tr>
        <tr>
            <td colspan="2">
                <button type="submit">登录</button>
            </td>
        </tr>
    </table>
</form>
</body>
</html>

创建SpringSecurity的配置类

package com.example.config;

import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;

/**
 * SpringSecurity的配置类
 */
@Configuration
@EnableWebSecurity//放开SpringSecurity
public class SpringSecurityConfig  extends WebSecurityConfigurerAdapter {

    /**
     *  http请求的配置,自定义登录页面
     * @param http
     * @throws Exception
     */
    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http.formLogin()
                .loginPage("/login.html") // 指定自定义的登录界面
                .loginProcessingUrl("/login.do") // 必须和登录表单的 action一致
                .and()
                .authorizeRequests() // 定义哪些资源被保护
                .antMatchers("/login.html")
                .permitAll() // login.html可以匿名访问
                .anyRequest()
                .authenticated(); //出来登录页面其他都需要认证
        http.csrf().disable();// 禁用跨越攻击
    }
}

注意点
1. 表单的登录action必须和配置类中的loginProcessingUrl一致
2. 此时的账号密码还是系统生成的

2.2 自定义登录认证

修改配置类

package com.example.config;

import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;

/**
 * SpringSecurity的配置类
 */
@Configuration
@EnableWebSecurity//放开SpringSecurity
public class SpringSecurityConfig  extends WebSecurityConfigurerAdapter {

    @Autowired
    private UserDetailsService userDetailsService;

    /**
     * 认证的配置
     * @param auth
     * @throws Exception
     */
    @Override
    protected void configure(AuthenticationManagerBuilder auth) throws Exception {
        // 配置自定义的账号密码
        // auth.inMemoryAuthentication()
        //         .withUser("zhang")
        //         .password("{noop}123")//加{noop}代表不使用密码验证
        //         .roles("USER");// 用户具有的角色
        //获得BCryptPasswordEncoder加密编码
        BCryptPasswordEncoder encoder = new BCryptPasswordEncoder();
        //加密操作
        //encoder.encode("123");
        //对密码不加密的话，在自定义的配置类中加上{noop}
        //auth.userDetailsService(userDetailsService);
        auth.userDetailsService(userDetailsService).passwordEncoder(encoder);
    }

    /**
     *  http请求的配置,自定义登录页面
     * @param http
     * @throws Exception
     */
    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http.formLogin()
                .loginPage("/login.html") // 指定自定义的登录界面
                .loginProcessingUrl("/login.do") // 必须和登录表单的 action一致
                .and()
                .authorizeRequests() // 定义哪些资源被保护
                .antMatchers("/login.html")
                .permitAll() // login.html可以匿名访问
                .anyRequest()
                .authenticated(); //出来登录页面其他都需要认证
        http.csrf().disable();// 禁用跨越攻击
    }
}

取得UserDetailService对象

自定义接口，实现UserDetailService接口

package com.example.service;

import org.springframework.security.core.userdetails.UserDetailsService;

public interface IUserDetailService extends UserDetailsService {

}

自定义接口实现类

package com.example.service.impl;

import org.springframework.security.core.userdetails.User;
import com.example.service.IUserDetailService;
import org.springframework.security.core.authority.SimpleGrantedAuthority;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.security.core.userdetails.UsernameNotFoundException;

import java.util.ArrayList;
import java.util.List;

public class UserDetailServiceImpl implements IUserDetailService {

    /**
     * 假设实现数据库连接操作
     * @param username 登陆页面传过来的用户名
     * @return
     * @throws UsernameNotFoundException
     */
    @Override
    public UserDetails loadUserByUsername(String username) throws UsernameNotFoundException {
        // 模拟数据库操作 根据账号查询
        String password = "456";
        // 假设查询出来的用户的角色
        List<SimpleGrantedAuthority> list = new ArrayList<>();
        list.add(new SimpleGrantedAuthority("USER1"));
        /**
         * 第一个参数：用户名
         * 第二个参数：密码，不需要使用密码验证的时候，加上{noop}，需要的时候去掉
         * 第三个参数：拥有的权限
         */
        UserDetails userDetails = new User(username,password,list);
        return userDetails;
    }
}