前言
看到公司的2012年项目(祖传代码,业务涉及全国,大项目)使用Spring Security作为安全框架;在此基于现在的Spring 5写下这篇SpringBoot整合Spring Security的文章,学习得一步一步来,技术栈:
SpringBoot+springsecurity
所用框架均为2019年11月16日 14:39:51最新版本
这里使用Semantic UI前端框架,元素丰富,觉得很好用
<!-- Load the Semantic UI stylesheet and script (version 2.4.1) from a third-party CDN. -->
<!-- NOTE(review): neither tag sets integrity/crossorigin, so the browser executes whatever the CDN host returns.
     Pin both files with Subresource Integrity, e.g. integrity="sha384-<HASH_PLACEHOLDER>" crossorigin="anonymous",
     or serve the files from the application's own static resources. -->
<link href="https://cdn.bootcss.com/semantic-ui/2.4.1/semantic.min.css" rel="stylesheet">
<script src="https://cdn.bootcss.com/semantic-ui/2.4.1/semantic.min.js"></script>
一、搭建项目
搭建个项目名为springsecurity:
image.png
为了减少不必要的框架使用,这里只选择springboot的web、thymeleaf、security
Maven如下:
<?xml version="1.0" encoding="UTF-8"?>
<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 https://maven.apache.org/xsd/maven-4.0.0.xsd">
<modelVersion>4.0.0</modelVersion>
<!-- The Spring Boot parent supplies the versions of the starters declared below without a version element. -->
<!-- NOTE(review): 2.2.1.RELEASE was current when the article was written (November 2019);
     before reusing this POM, move to a release line that still receives security fixes. -->
<parent>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-parent</artifactId>
<version>2.2.1.RELEASE</version>
<relativePath/> <!-- lookup parent from repository -->
</parent>
<groupId>com.lingkang</groupId>
<artifactId>springsecurity</artifactId>
<version>0.0.1-SNAPSHOT</version>
<name>springsecurity</name>
<description>Demo project for Spring Boot</description>
<properties>
<java.version>1.8</java.version>
</properties>
<dependencies>
<!-- Spring Security: authentication, URL authorization, CSRF protection, remember-me. -->
<dependency>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-security</artifactId>
</dependency>
<!-- Thymeleaf server-side templates (the views returned by the controller). -->
<dependency>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-thymeleaf</artifactId>
</dependency>
<!-- Enables the sec: tags in HTML pages; this artifact targets Spring Security 5. -->
<!-- NOTE(review): the version is set explicitly here; presumably the Spring Boot parent already
     manages this artifact, in which case the override can be dropped. Confirm before removing. -->
<dependency>
<groupId>org.thymeleaf.extras</groupId>
<artifactId>thymeleaf-extras-springsecurity5</artifactId>
<version>3.0.4.RELEASE</version>
</dependency>
<dependency>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-web</artifactId>
</dependency>
<!-- Development-time tooling; optional=true keeps it from being passed on to modules that depend on this one. -->
<dependency>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-devtools</artifactId>
<optional>true</optional>
</dependency>
<!-- Test-scope only: Spring Boot test support with the JUnit vintage engine excluded. -->
<dependency>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-test</artifactId>
<scope>test</scope>
<exclusions>
<exclusion>
<groupId>org.junit.vintage</groupId>
<artifactId>junit-vintage-engine</artifactId>
</exclusion>
</exclusions>
</dependency>
<!-- Test-scope only: Spring Security test helpers. -->
<dependency>
<groupId>org.springframework.security</groupId>
<artifactId>spring-security-test</artifactId>
<scope>test</scope>
</dependency>
</dependencies>
<build>
<plugins>
<plugin>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-maven-plugin</artifactId>
</plugin>
</plugins>
</build>
</project>
二、配置security
package com.lingkang.springsecurity.config;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
import org.springframework.security.web.util.matcher.AntPathRequestMatcher;
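/**
 * Spring Security configuration for the demo application: role checks on the
 * {@code /vip1}, {@code /vip2} and {@code /vip3} URL trees, a custom form-login
 * page, logout, remember-me, and three in-memory demo users.
 *
 * @author linke
 * @date 2019-11-16 15:10
 */
@EnableWebSecurity
@Configuration
public class SecurityConfig extends WebSecurityConfigurerAdapter {

    /**
     * Configures authorization rules, form login, logout and remember-me.
     *
     * @param http the builder for the web security filter chain
     * @throws Exception if the builder rejects the configuration
     */
    @Override
    protected void configure(HttpSecurity http) throws Exception {
        // Each /vipN/** tree requires the matching role; roles("vipN") below grants
        // the ROLE_vipN authority that hasRole("vipN") checks for.
        // NOTE(review): every other URL is public (default-allow). That suits a demo whose
        // only other pages are the index and the login form; an application with more
        // endpoints should list its public paths and end with anyRequest().authenticated().
        http.authorizeRequests()
                .antMatchers("/vip1/**").hasRole("vip1")
                .antMatchers("/vip2/**").hasRole("vip2")
                .antMatchers("/vip3/**").hasRole("vip3")
                .anyRequest().permitAll();

        // Custom login page served at /toLogin; the form posts its credentials to /login.
        http.formLogin().loginPage("/toLogin").loginProcessingUrl("/login");

        // CSRF protection stays enabled. The original listing called csrf().disable() only
        // so that a plain GET link could log the user out, which removed CSRF checks from
        // every state-changing request, the login POST included. The explicit matcher
        // below keeps the GET logout link working with CSRF left on.
        // NOTE(review): a GET logout can still be triggered by a cross-site request; prefer a
        // POST form for logout. With CSRF on, every POST form must carry the token;
        // presumably the templates use th:action, which adds it automatically. Confirm.
        http.logout()
                .logoutRequestMatcher(new AntPathRequestMatcher("/logout"))
                .logoutSuccessUrl("/");

        // Remember-me is switched on by the form parameter named "remember".
        http.rememberMe().rememberMeParameter("remember");
    }

    /**
     * Registers the demo accounts in memory with BCrypt-hashed passwords.
     *
     * @param auth the builder for the authentication manager
     * @throws Exception if the builder rejects the configuration
     */
    @Override
    protected void configure(AuthenticationManagerBuilder auth) throws Exception {
        // Spring Security 5 requires an explicit password encoder; one BCrypt instance
        // is used both to hash the stored passwords and to verify logins.
        BCryptPasswordEncoder encoder = new BCryptPasswordEncoder();

        // Demo accounts only: the passwords are hard-coded in source and trivially
        // guessable. Real deployments load users from a protected store.
        auth.inMemoryAuthentication().passwordEncoder(encoder)
                .withUser("123")
                .password(encoder.encode("123")).roles("vip1")
                .and().withUser("user")
                .password(encoder.encode("123")).roles("vip2", "vip3")
                .and().withUser("root")
                .password(encoder.encode("123")).roles("vip1", "vip2", "vip3");
    }
}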
controller
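/**
 * MVC controller for the demo pages: the index page, the login form, and the
 * role-protected pages under {@code /vip1}, {@code /vip2} and {@code /vip3}.
 */
@Controller
public class WebController {

    /** Serves the index view for {@code /} and {@code /index}. */
    @GetMapping(path = {"/", "/index"})
    public String index() {
        return "index";
    }

    /** Serves the custom login form. */
    @GetMapping("toLogin")
    public String toLogin() {
        return "login";
    }

    /**
     * Serves a page from the vip1 area.
     *
     * @param id the page name taken from the URL
     * @return the view name {@code vip1/<id>}
     */
    @GetMapping("/vip1/{id}")
    public String vip1(@PathVariable("id") String id) {
        return viewFor("vip1", id);
    }

    /**
     * Serves a page from the vip2 area.
     *
     * @param id the page name taken from the URL
     * @return the view name {@code vip2/<id>}
     */
    @GetMapping("/vip2/{id}")
    public String vip2(@PathVariable("id") String id) {
        return viewFor("vip2", id);
    }

    /**
     * Serves a page from the vip3 area.
     *
     * @param id the page name taken from the URL
     * @return the view name {@code vip3/<id>}
     */
    @GetMapping("/vip3/{id}")
    public String vip3(@PathVariable("id") String id) {
        return viewFor("vip3", id);
    }

    /**
     * Builds a view name from a fixed section and a request-supplied page id.
     *
     * <p>The id comes straight from the URL and ends up in the view name handed to the
     * template engine, where a view name can carry more than a plain file path. Only
     * short names made of letters, digits, underscore and hyphen are accepted;
     * anything else is answered with 404 instead of being resolved as a view.
     * NOTE(review): widen the pattern only if real template file names need it.
     *
     * @param section the fixed template directory, e.g. {@code vip1}
     * @param id the page name taken from the URL
     * @return {@code section + "/" + id}
     */
    private static String viewFor(String section, String id) {
        if (id == null || !id.matches("[A-Za-z0-9_-]{1,64}")) {
            // Fully qualified so this listing needs no extra import lines.
            throw new org.springframework.web.server.ResponseStatusException(
                    org.springframework.http.HttpStatus.NOT_FOUND);
        }
        return section + "/" + id;
    }
}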
image.png
三、运行效果:
使用到thymeleaf的布局和thymeleaf-security5
image.png
项目源码:
https://github.com/xcocean/springsecurity