本文介绍了如何使用SpringBoot结合SpringSecurity开发权限管理应用。首先创建了一个maven工程并引入了相关依赖,然后配置了SpringBoot的启动类和应用属性。接着,在安全配置中定义了用户信息服务和安全拦截机制,设置了不同角色访问不同资源的规则。最后,通过Controller展示了登录和资源访问的示例。文章结尾提到后续将讲解工作原理并完善功能,如数据库查询用户、会话管理和退出功能。
如何通过Spring Boot开发Spring Security应用,Spring Boot提供spring-boot-starter-security用于开发Spring Security应用。
创建maven工程
创建maven工程 security-spring-boot,工程结构如下:
引入以下依赖:
<?xml version="1.0" encoding="UTF-8"?>
<project xmlns="http://maven.apache.org/POM/4.0.0"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
<modelVersion>4.0.0</modelVersion>
<groupId>org.cyj</groupId>
<artifactId>security-spring-boot</artifactId>
<version>1.0-SNAPSHOT</version>
<parent>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-parent</artifactId>
<version>2.1.3.RELEASE</version>
</parent>
<properties>
<project.build.sourceEncoding>UTF-8</project.build.sourceEncoding>
<maven.compiler.source>1.8</maven.compiler.source>
<maven.compiler.target>1.8</maven.compiler.target>
</properties>
<dependencies>
<!--spring boot web 依赖-->
<dependency>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-web</artifactId>
</dependency>
<!--spring security依赖-->
<dependency>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-security</artifactId>
</dependency>
<!--lombok 依赖-->
<dependency>
<groupId>org.projectlombok</groupId>
<artifactId>lombok</artifactId>
<version>1.18.0</version>
</dependency>
<!--spring boot test 依赖-->
<dependency>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-test</artifactId>
<scope>test</scope>
</dependency>
</dependencies>
<build>
<finalName>security-spring-boot</finalName>
<pluginManagement>
<plugins>
<plugin>
<groupId>org.apache.tomcat.maven</groupId>
<artifactId>tomcat7-maven-plugin</artifactId>
<version>2.2</version>
</plugin>
<plugin>
<groupId>org.apache.maven.plugins</groupId>
<artifactId>maven-compiler-plugin</artifactId>
<configuration>
<source>1.8</source>
<target>1.8</target>
</configuration>
</plugin>
<plugin>
<artifactId>maven-resources-plugin</artifactId>
<configuration>
<encoding>utf-8</encoding>
<useDefaultDelimiters>true</useDefaultDelimiters>
<resources>
<resource>
<directory>src/main/resources</directory>
<filtering>true</filtering>
<includes>
<include>**/*</include>
</includes>
</resource>
<resource>
<directory>src/main/java</directory>
<includes>
<include>**/*.xml</include>
</includes>
</resource>
</resources>
</configuration>
</plugin>
</plugins>
</pluginManagement>
</build>
</project>
spring 容器配置
SpringBoot工程启动会自动扫描启动类所在包下的所有Bean,加载到spring容器。
(一)Spring Boot配置文件
在resources下添加application.properties,内容如下:
server.port=8080
server.servlet.context‐path=/security‐spring-boot
spring.application.name = security‐spring-boot
(二)Spring Boot 启动类
package com.cyj.security.springboot;
import org.springframework.boot.SpringApplication;
import org.springframework.boot.autoconfigure.SpringBootApplication;
/**
* @program: Spring-Security-OAuth2
* @Description:
* @Author C_Y_J
* @create: 2021-01-28 20:11
**/
@SpringBootApplication
public class SecuritySpringBootApp {
public static void main(String[] args) {
SpringApplication.run(SecuritySpringBootApp.class, args);
}
}
安全配置
由于Spring boot starter自动装配机制,这里无需使用@EnableWebSecurity,WebSecurityConfig内容如下
package com.cyj.security.springboot.config;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.core.userdetails.User;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.crypto.password.NoOpPasswordEncoder;
import org.springframework.security.crypto.password.PasswordEncoder;
import org.springframework.security.provisioning.InMemoryUserDetailsManager;
/**
* @program: Spring-Security-OAuth2
* @Description:
* @Author C_Y_J
* @create: 2021-01-28 20:27
**/
@Configuration
public class WebSecurityConfig extends WebSecurityConfigurerAdapter {
/**
* 定义用户信息服务(查询用户信息)
*
* @return
*/
@Bean
@Override
public UserDetailsService userDetailsService() {
//暂时使用内存查询
InMemoryUserDetailsManager manager = new InMemoryUserDetailsManager();
manager.createUser(User.withUsername("zhangsan").password("123").authorities("p1").build());
manager.createUser(User.withUsername("lisi").password("456").authorities("p2").build());
return manager;
}
/**
* 密码编码器
*
* @return
*/
@Bean
public PasswordEncoder passwordEncoder() {
return NoOpPasswordEncoder.getInstance();
}
/**
* 安全拦截机制(最重要)
*
* @param http
* @throws Exception
*/
@Override
protected void configure(HttpSecurity http) throws Exception {
http
.authorizeRequests()
.antMatchers("/r/r1").hasAuthority("p1")
.antMatchers("/r/r2").hasAuthority("p2")
//所有/r/**的请求必须认证通过
.antMatchers("/r/**").authenticated()
//除了/r/**,其它的请求可以访问
.anyRequest().permitAll();
http
//允许表单登录
.formLogin()
//自定义登录成功的页面地址
.successForwardUrl("/login-success");
}
}
controller
package com.cyj.security.springboot.controller;
import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.RestController;
/**
* @program: Spring-Security-OAuth2
* @Description:
* @Author C_Y_J
* @create: 2021-01-28 20:41
**/
@RestController
public class LoginController {
@RequestMapping(value = "/login-success", produces = {"text/plain;charset=utf-8"})
public String loginSuccess() {
return " 登录成功";
}
@GetMapping(value = "/r/r1", produces = {"text/plain;charset=UTF-8"})
public String r1() {
return " 访问资源1";
}
@GetMapping(value = "/r/r2", produces = {"text/plain;charset=UTF-8"})
public String r2() {
return " 访问资源2";
}
}
测试
访问 http://localhost:8080/security-spring-boot/login
输入正确的账号和密码,登录成功
访问/r/r1和/r/r2,有权限时则正常访问,否则返回403(拒绝访问)
后续文章是讲解工作原理
讲完工作原理后,我将在目前的工程基础上完善:数据库查询用户,讲解会话,会话控制,退出功能
扫一扫
被折叠的 条评论
为什么被折叠?
到【灌水乐园】发言
