springboot整合springsecurity

最新推荐文章于 2025-05-30 17:12:28 发布

原创最新推荐文章于 2025-05-30 17:12:28 发布 · 284 阅读

0 ·

CC 4.0 BY-SA版权

springbootcloud 专栏收录该内容

46 篇文章

订阅专栏

本文详细介绍了如何在Spring Boot项目中使用Spring Security进行权限管理，包括配置依赖、自定义认证和授权过程、处理登录失败与成功、从数据库加载用户信息及权限、以及使用Thymeleaf模板引擎整合Spring Security。

1.引入springsecurity的启动依赖

<dependency>
            <groupId>org.springframework.boot</groupId>
            <artifactId>spring-boot-starter-security</artifactId>
</dependency>

2.增加配置类

@Configuration
@EnableWebSecurity
public class DemoSecurity extends WebSecurityConfigurerAdapter {
    @Autowired
    private UserService userService;

    @Override
    protected void configure(AuthenticationManagerBuilder auth) throws Exception {
        //配置用户数据从数据库中读取,密码使用NoOpPasswordEncoder类加密处理(明文密码)，
        //如果数据库里的密码字段使用了md5等加密，这里就要用相应的加密类处理
        auth.userDetailsService(userService).passwordEncoder(NoOpPasswordEncoder.getInstance());
    }

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http.authorizeRequests()
                .antMatchers("/css/**").permitAll()//配置不进行权限校验的url
                .antMatchers("/tologin").permitAll()
                .antMatchers("/mylogin").permitAll()
                .antMatchers("/**").authenticated()//配置拦截校验所有请求(这里会自动放开前面配置的不进行校验的url)
                .and().formLogin()//登录相关配置
                    .loginPage("/tologin")//登录页面
                    .loginProcessingUrl("/mylogin")//登录表单提交的url,这里配置什么值，表单的action中就填写这个url
                    .usernameParameter("myusername")//登录表单提交的用户名参数名称
                    .passwordParameter("mypassword")//登录表单提交的密码参数名称
                    .successHandler(authenticationSuccessHandler())//登录成功后，跳转的主页
                    .failureHandler(authenticationFailureHandler())//登录失败处理
                .and().logout()//登出相关配置
                    .logoutRequestMatcher(new AntPathRequestMatcher("/mylogout", "GET")).logoutSuccessUrl("/tologin")
                .and().exceptionHandling()//校验异常相关配置
                    .accessDeniedPage("/mycontroller/401");//登录成功后访问没有权限的资源
    }

    public AuthenticationFailureHandler authenticationFailureHandler() {
        return new AuthenticationFailureHandler() {
            @Override
            public void onAuthenticationFailure(HttpServletRequest request, HttpServletResponse response, AuthenticationException exception) throws IOException, ServletException {
                request.setAttribute("msg","用户名或密码错误！");//返回错误信息
                request.getRequestDispatcher("/tologin").forward(request,response);//转发的到登录界面
            }
        };
    }

    public AuthenticationSuccessHandler authenticationSuccessHandler() {
      return   new AuthenticationSuccessHandler() {
            @Override
            public void onAuthenticationSuccess(HttpServletRequest request, HttpServletResponse response, Authentication authentication) throws IOException, ServletException {
                request.getRequestDispatcher("/mycontroller/test?msg=1234").forward(request,response);//登录成功后转发至首页
            }
        };
    }
}

3.从数据库获取权限信息，userservice要实现org.springframework.security.core.userdetails.UserDetailsService接口

@Service
public class UserService implements UserDetailsService {
    @Autowired
    private UserDao userDao;

    @Override
    public UserDetails loadUserByUsername(String username) throws UsernameNotFoundException {
        User user = userDao.selectUserAndRoles(username);
        if (user == null) {
            return new User();
        }
        return  user;
    }
}

4.User实体要实现org.springframework.security.core.userdetails.UserDetails接口

public class User implements Serializable, UserDetails {
    private Integer id;

    private Integer age;

    private String password;

    private String username;

    private Integer ctryId;
    private List<Role> roles;

   //用户权限数据
    @Override
    public Collection<? extends GrantedAuthority> getAuthorities() {
        return roles;
    }

    //账号没有过期
    @Override
    public boolean isAccountNonExpired() {
        return true;
    }

    //账号没有锁定
    @Override
    public boolean isAccountNonLocked() { return true; }

    //证书没有过期
    @Override
    public boolean isCredentialsNonExpired() { return true; }

    //客户有效
    @Override
    public boolean isEnabled() {
        return true;
    }
}

5.Role实体要实现org.springframework.security.core.GrantedAuthority接口

public class Role implements GrantedAuthority {
    private int id;
    private String roleName;
    
    //角色名称
    @Override
    public String getAuthority() {
        return this.roleName;
    }
}

6.thmeleaf中使用springsecurity的标签

引入依赖

 <dependency>
       <groupId>org.thymeleaf.extras</groupId>
       <artifactId>thymeleaf-extras-springsecurity4</artifactId>
       <version>3.0.2.RELEASE</version>
 </dependency>

页面添加命名空间

<html lang="en" xmlns:th="http://www.thymeleaf.org"
                xmlns:sec="http://www.thymeleaf.org/thymeleaf-extras-springsecurity4">

注意：在使用hasRole判断权限时，例如hasRole（'admin'） ,数据库中的角色名称必须是ROLE_admin。因为springsecurity在实现hasRole方法时，会自动在admin前增加ROLE_前缀