Spring Security是一個安全框架,因為現在對于我們開發來講安全是十分重要的,
在java領域我們主要用的兩個安全框架,一個是Shiro,一個是Spring Security,Shiro因為它的一個輕量級的特性我們用的比較多,Spring Security相比于Shiro屬于重量級的一個框架,但是它的功能要比Shiro強大很多,同時它的權限控制也更加細化,Spring Security是Spring家族的一個產品,可以跟我們的Spring應用很好的整合到一塊,就不需要去欄位外的整合了,
安全框架其實就是對客戶端訪問的一個權限控制,
我們之前寫的如果我們要訪問一個首頁,訪問首頁用戶必須得先登錄,它得是一個登錄狀態,我們之前是怎么判斷的呢(我們之前是加了一個過濾器),然后對請求進行了攔截,攔截完成之后判斷session是否存在,如果存在就讓它繼續往后走,如果不存在就直接給它回傳到登錄頁面,這個實際上就是一個權限控制,
Spring Security就是自動幫我們完成這個權限控制的,(用了這個框架以后我們就不需要自己去寫過濾器了,它會自動幫我們進行各種各樣的驗證),
<dependency>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-security</artifactId>
</dependency>
<?xml version="1.0" encoding="UTF-8"?>
<project xmlns="http://maven.apache.org/POM/4.0.0"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
<modelVersion>4.0.0</modelVersion>
<groupId>com.southwind</groupId>
<artifactId>springbootspringsecurity22</artifactId>
<version>1.0-SNAPSHOT</version>
<parent>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-parent</artifactId>
<version>2.3.3.RELEASE</version>
<relativePath/> <!-- lookup parent from repository -->
</parent>
<dependencies>
<dependency>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-web</artifactId>
</dependency>
<dependency>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-thymeleaf</artifactId>
</dependency>
<dependency>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-security</artifactId>
</dependency>
</dependencies>
</project>
2.創建Handler
package com.southwind.controller;
import org.springframework.stereotype.Controller;
import org.springframework.web.bind.annotation.GetMapping;
@Controller
public class HelloHandler {
@GetMapping("/index")
public String index(){
return "index";
}
}
3.創建html
<!DOCTYPE html>
<html lang="en">
<head>
<meta charset="UTF-8">
<title>Title</title>
</head>
<body>
<h1>世界你好</h1>
</body>
</html>
4.創建組態檔applicatiom.yml
spring:
thymeleaf:
prefix: classpath:/templates/
suffix: .html
5.創建啟動類
package com.southwind.controller;
import org.springframework.boot.SpringApplication;
import org.springframework.boot.autoconfigure.SpringBootApplication;
@SpringBootApplication
public class Application {
public static void main(String[] args) {
SpringApplication.run(Application.class,args);
}
}
默認的用戶名是user
spring:
thymeleaf:
prefix: classpath:/templates/
suffix: .html
security:
user:
name: admin
password: 123123
接下來我們來看它最核心的東西:權限管理
在實際開發中我們一般不會直接將權限和用戶系結,(實際開發中我們會將權限賦給角色,角色賦給用戶)
定義兩個HTML資源:index.html,admin.html,同時定義兩個角色ADMIN(管理員兩個都可以訪問)和USER(用戶只可以訪問index.html)
7.創建SecurityConfig類,
package com.southwind.config;
import org.springframework.security.crypto.password.PasswordEncoder;
public class MyPasswordEncoder implements PasswordEncoder {
@Override
public String encode(CharSequence charSequence) {
return charSequence.toString();
}
@Override
public boolean matches(CharSequence charSequence, String s) {
return s.equals(charSequence.toString());
}
}
package com.southwind.config;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
@Configuration //表示它是配置的一個類
@EnableWebSecurity //讓WebSecurity生效
public class SecurityConfig extends WebSecurityConfigurerAdapter {
//用來添加賬戶和角色
@Override
protected void configure(AuthenticationManagerBuilder auth) throws Exception {
auth.inMemoryAuthentication().passwordEncoder(new MyPasswordEncoder())
.withUser("user").password(new MyPasswordEncoder().encode("000")).roles("USER")
.and()
.withUser("admin").password(new MyPasswordEncoder().encode("123")).roles("ADMIN","USER");
}
//用來設定角色和權限的關系
@Override
protected void configure(HttpSecurity http) throws Exception {
http.authorizeRequests().antMatchers("/admin").hasRole("ADMIN")
.antMatchers("/index").access("hasRole('ADMIN') or hasRole('USER')")
.anyRequest().authenticated()
.and()
.formLogin()
.loginPage("/login")
.permitAll()
.and()
.logout()
.permitAll()
.and()
.csrf()
.disable();
}
}
8.修改Handler
package com.southwind.controller;
import org.springframework.stereotype.Controller;
import org.springframework.web.bind.annotation.GetMapping;
@Controller
public class HelloHandler {
//用來訪問資源
@GetMapping("/index")
public String index(){
return "index";
}
//用來訪問資源
@GetMapping("/admin")
public String admin(){
return "admin";
}
//用來做登錄的
@GetMapping("/login")
public String login(){
return "login";
}
}
9.login.html
<!DOCTYPE html>
<html lang="en" xmlns:th="http://www.thymleaf.org">
<head>
<meta charset="UTF-8">
<title>Title</title>
</head>
<body>
<form th:action="@{/login}" method="post"></form>
用戶名:<input type="text" name="username"><br/>
密碼:<input type="text" name="password"><br/>
<input type="submit" value="登錄">
</body>
</html>
10.index.html
<!DOCTYPE html>
<html lang="en">
<head>
<meta charset="UTF-8">
<title>Title</title>
</head>
<body>
<h1>世界你好</h1>
<form action="/logout" method="post">
<input type="submit" value="退出">
</form>
</body>
</html>
11.admin.html
<!DOCTYPE html>
<html lang="en">
<head>
<meta charset="UTF-8">
<title>Title</title>
</head>
<body>
<h1>后臺管理系統</h1>
<form action="/logout" method="post">
<input type="submit" value="退出">
</form>
</body>
</html>
舉例當我訪問index時候會先跳轉到login,然后通過controller跳轉到自己寫的login.html,然后點擊表單把資料提交到Spring Securiry的login,然后才會到達index.html
轉載請註明出處,本文鏈接:https://www.uj5u.com/qita/100714.html
標籤:其他