Integrating Thymeleaf with Spring Security using simple in-memory authentication
1. Create the project and import the Maven dependencies
<dependency>
    <groupId>org.springframework.boot</groupId>
    <artifactId>spring-boot-starter-security</artifactId>
</dependency>
<dependency>
    <groupId>org.springframework.boot</groupId>
    <artifactId>spring-boot-starter-thymeleaf</artifactId>
</dependency>
<dependency>
    <groupId>org.springframework.boot</groupId>
    <artifactId>spring-boot-starter-web</artifactId>
</dependency>
<dependency>
    <groupId>org.thymeleaf.extras</groupId>
    <artifactId>thymeleaf-extras-springsecurity5</artifactId>
    <version>3.0.4.RELEASE</version>
</dependency>
2. Create the controller
package com.example.redpack.controller;

import org.springframework.stereotype.Controller;
import org.springframework.web.bind.annotation.RequestMapping;

// Maps each URL to the Thymeleaf template of the same name.
@Controller
public class RouteController {

    // Public landing page
    @RequestMapping({"/", "index"})
    public String index() {
        return "index";
    }

    // Pages restricted by role in SecurityConfig
    @RequestMapping("level1/1")
    public String level1() {
        return "level1/1";
    }

    @RequestMapping("level2/1")
    public String level2() {
        return "level2/1";
    }

    @RequestMapping("level3/1")
    public String level3() {
        return "level3/1";
    }
}
3. Create SecurityConfig
package com.example.redpack.config;

import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;

@EnableWebSecurity
public class SecurityConfig extends WebSecurityConfigurerAdapter {

    // Authentication
    @Override
    protected void configure(AuthenticationManagerBuilder auth) throws Exception {
        // super.configure(auth);
        // One encoder instance both hashes the demo passwords and verifies logins
        BCryptPasswordEncoder encoder = new BCryptPasswordEncoder();
        auth.inMemoryAuthentication().passwordEncoder(encoder)
                .withUser("test").password(encoder.encode("test")).roles("level1", "level2", "level3")
                .and()
                .withUser("guest").password(encoder.encode("guest")).roles("level1");
    }

    // Authorization
    @Override
    protected void configure(HttpSecurity http) throws Exception {
        // super.configure(http);
        // Only users with the matching role may access these paths
        http.authorizeRequests()
                .antMatchers("/", "/index").permitAll()
                .antMatchers("/level1/**").hasRole("level1")
                .antMatchers("/level2/**").hasRole("level2")
                .antMatchers("/level3/**").hasRole("level3");
        // Disable CSRF; with it enabled, logout cannot be requested with GET.
        // Note: this also removes CSRF protection from every other state-changing request.
        http.csrf().disable();
        // Enable form login; required, otherwise authentication cannot be used
        http.formLogin();
        // Set the form's username and password parameter names, for use with a custom form
        http.formLogin().usernameParameter("username").passwordParameter("password");
        // Enable remember-me cookie login
        http.rememberMe();
    }
}
4. Create the HTML pages
//index.html
<!DOCTYPE html>
<html lang="en" xmlns:th="http://www.thymeleaf.org"
      xmlns:sec="http://www.thymeleaf.org/extras/spring-security">
<head>
    <meta charset="UTF-8">
    <title>Title</title>
</head>
<body>
<h2>index</h2>
fds
<ul>
    <!-- Authenticated users: show the user name and a logout link
         (a GET to /logout only works because CSRF is disabled in SecurityConfig) -->
    <div sec:authorize="isAuthenticated()">
        <div sec:authentication="name"></div>
        <a href="/logout">退出</a>
    </div>
    <!-- Anonymous users: show a login link -->
    <div sec:authorize="isAnonymous()">
        <a href="/login">登录</a>
    </div>
    <!-- Each menu item is rendered only if the user has the matching role -->
    <li sec:authorize="hasRole('level1')"><a href="/level1/1">level1</a></li>
    <li sec:authorize="hasRole('level2')"><a href="/level2/1">level2</a></li>
    <li sec:authorize="hasRole('level3')"><a href="/level3/1">level3</a></li>
</ul>
</body>
</html>
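The content of the other pages is omitted; they only serve to test whether access control works.
5. Result
When the guest user logs in, the level2 and level3 menu items are not shown. When the test user logs in, all menu items are shown.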
6. Notes
Pay attention to the Maven dependency version and to the XML namespace paths in index.html, especially xmlns:sec.
For the sec tags, see: https://github.com/thymeleaf/thymeleaf-extras-springsecurity