當前位置:
首頁 >
前端技术
> javascript
>内容正文
javascript
Spring Security快速上手
生活随笔
收集整理的這篇文章主要介紹了
Spring Security快速上手
小編覺得挺不錯的,現在分享給大家,幫大家做個參考.
Spring Security介紹
Spring Security是一個能夠為基于Spring的企業應用系統提供聲明式的安全訪問控制解決方案的安全框架。
由于它是Spring生態系統中的一員,因此它伴隨著整個Spring生態系統不斷修正、升級,
在spring boot項目中加入spring security更是十分簡單,
使用Spring Security 減少了為企業系統安全控制編寫大量重復代碼的工作。
創建工程
創建maven工程
創建maven工程 security-spring-security,工程結構如下:
Spring容器配置
package com.dym.security.springmvc.config;import org.springframework.context.annotation.ComponentScan; import org.springframework.context.annotation.Configuration; import org.springframework.context.annotation.FilterType; import org.springframework.stereotype.Controller;@Configuration //相當于applicationContext.xml @ComponentScan(basePackages = "com.dym.security.springmvc",excludeFilters = {@ComponentScan.Filter(type = FilterType.ANNOTATION,value = Controller.class)}) public class ApplicationConfig {//在此配置除了Controller的其它bean,比如:數據庫鏈接池、事務管理器、業務bean等。}Servlet Context配置
package com.dym.security.springmvc.config;import org.springframework.context.annotation.Bean; import org.springframework.context.annotation.ComponentScan; import org.springframework.context.annotation.Configuration; import org.springframework.context.annotation.FilterType; import org.springframework.stereotype.Controller; import org.springframework.web.servlet.config.annotation.EnableWebMvc; import org.springframework.web.servlet.config.annotation.ViewControllerRegistry; import org.springframework.web.servlet.config.annotation.WebMvcConfigurer; import org.springframework.web.servlet.view.InternalResourceViewResolver;@Configuration//就相當于springmvc.xml文件 @EnableWebMvc @ComponentScan(basePackages = "com.dym.security.springmvc",includeFilters = {@ComponentScan.Filter(type = FilterType.ANNOTATION,value = Controller.class)}) public class WebConfig implements WebMvcConfigurer {//視圖解析器@Beanpublic InternalResourceViewResolver viewResolver(){InternalResourceViewResolver viewResolver = new InternalResourceViewResolver();viewResolver.setPrefix("/WEB-INF/view/");viewResolver.setSuffix(".jsp");return viewResolver;}@Overridepublic void addViewControllers(ViewControllerRegistry registry) {registry.addViewController("/").setViewName("redirect:/login");}}加載 Spring容器
在init包下定義Spring容器初始化類SpringApplicationInitializer,
此類實現WebApplicationInitializer接口,
Spring容器啟動時加載WebApplicationInitializer接口的所有實現類。
認證 —— 認證頁面
springSecurity默認提供認證頁面,不需要額外開發
安全配置
spring security提供了用戶名密碼登錄、退出、會話管理等認證功能,只需要配置即可使用。
1) 在config包下定義WebSecurityConfig,安全配置的內容包括:用戶信息、密碼編碼器、安全攔截機制
在userDetailsService()方法中,
返回了一個UserDetailsService類型的對象給spring容器,
Spring Security會使用它來獲取用戶信息。
暫時使用 InMemoryUserDetailsManager實現類,
并在其中分別創建了zhangsan、lisi兩個用戶,并設置密碼和權限。
而在configure()中,我們通過HttpSecurity設置了安全攔截規則,其中包含了以下內容:
(1)url匹配/r/**的資源,經過認證后才能訪問。
(2)其他url完全開放。
(3)支持form表單認證,認證成功后轉向/login-success。
?
2) 加載 WebSecurityConfig
修改SpringApplicationInitializer的getRootConfigClasses()方法,添加WebSecurityConfig.class:
Spring Security初始化
Spring Security初始化,這里有兩種情況
1. 若當前環境沒有使用Spring或Spring MVC,
??? 則需要將 WebSecurityConfig(Spring Security配置類) 傳入超類,以確保獲取配置,并創建spring context。
??? 在init包下定義SpringSecurityApplicationInitializer:
package com.dym.security.springmvc.init;import org.springframework.security.web.context.AbstractSecurityWebApplicationInitializer;public class SpringSecurityApplicationInitializerextends AbstractSecurityWebApplicationInitializer {public SpringSecurityApplicationInitializer() {super(WebSecurityConfig.class);} }2. 若當前環境已經使用spring,
??? 我們應該在現有的springContext中注冊Spring Security(上一步已經做將WebSecurityConfig加載至rootcontext),此方法可以什么都不做。
??
默認根路徑請求
在WebConfig.java中添加默認請求根路徑跳轉到/login,此url為spring security提供:
@Overridepublic void addViewControllers(ViewControllerRegistry registry) {registry.addViewController("/").setViewName("redirect:/login");}spring security默認提供的登錄頁面。
認證成功頁面
在安全配置中,認證成功將跳轉到/login-success,代碼如下:
//安全攔截機制(最重要)@Overrideprotected void configure(HttpSecurity http) throws Exception {http.authorizeRequests().antMatchers("/r/r1").hasAuthority("p1").antMatchers("/r/r2").hasAuthority("p2").antMatchers("/r/**").authenticated()//所有/r/**的請求必須認證通過.anyRequest().permitAll()//除了/r/**,其它的請求可以訪問.and().formLogin()//允許表單登錄.successForwardUrl("/login-success");//自定義登錄成功的頁面地址}spring security支持form表單認證,認證成功后轉向/login-success。
在LoginController中定義/login-success:
測試
(1)啟動項目,訪問 http://localhost:8080/security-spring-security/ 路徑地址
頁面會根據WebConfig中addViewControllers配置規則,跳轉至/login,/login是pring Security提供的登錄頁面。
(2)登錄
1、輸入錯誤的用戶名、密碼
2、輸入正確的用戶名、密碼,登錄成功
(3)退出
1、請求/logout退出
2、退出 后再訪問資源自動跳轉到登錄頁面
授權
實現授權需要對用戶的訪問進行攔截校驗,校驗用戶的權限是否可以操作指定的資源,
Spring Security默認提供授權實現方法。
在LoginController添加/r/r1或/r/r2
在安全配置類WebSecurityConfig.java中配置授權規則:
測試:
1、登錄成功
2、訪問/r/r1和/r/r2,有權限時則正常訪問,否則返回403(拒絕訪問)
ApplicationConfig.java
package com.dym.security.springmvc.config;import org.springframework.context.annotation.ComponentScan; import org.springframework.context.annotation.Configuration; import org.springframework.context.annotation.FilterType; import org.springframework.stereotype.Controller;@Configuration //相當于applicationContext.xml @ComponentScan(basePackages = "com.dym.security.springmvc",excludeFilters = {@ComponentScan.Filter(type = FilterType.ANNOTATION,value = Controller.class)}) public class ApplicationConfig {//在此配置除了Controller的其它bean,比如:數據庫鏈接池、事務管理器、業務bean等。}WebConfig.java
package com.dym.security.springmvc.config;import org.springframework.context.annotation.Bean; import org.springframework.context.annotation.ComponentScan; import org.springframework.context.annotation.Configuration; import org.springframework.context.annotation.FilterType; import org.springframework.stereotype.Controller; import org.springframework.web.servlet.config.annotation.EnableWebMvc; import org.springframework.web.servlet.config.annotation.ViewControllerRegistry; import org.springframework.web.servlet.config.annotation.WebMvcConfigurer; import org.springframework.web.servlet.view.InternalResourceViewResolver;@Configuration//就相當于springmvc.xml文件 @EnableWebMvc @ComponentScan(basePackages = "com.dym.security.springmvc",includeFilters = {@ComponentScan.Filter(type = FilterType.ANNOTATION,value = Controller.class)}) public class WebConfig implements WebMvcConfigurer {//視圖解析器@Beanpublic InternalResourceViewResolver viewResolver(){InternalResourceViewResolver viewResolver = new InternalResourceViewResolver();viewResolver.setPrefix("/WEB-INF/view/");viewResolver.setSuffix(".jsp");return viewResolver;}@Overridepublic void addViewControllers(ViewControllerRegistry registry) {registry.addViewController("/").setViewName("redirect:/login");}}WebSecurityConfig.java
package com.dym.security.springmvc.config;import org.springframework.context.annotation.Bean; import org.springframework.security.config.annotation.web.builders.HttpSecurity; import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity; import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter; import org.springframework.security.core.userdetails.User; import org.springframework.security.core.userdetails.UserDetailsService; import org.springframework.security.crypto.password.NoOpPasswordEncoder; import org.springframework.security.crypto.password.PasswordEncoder; import org.springframework.security.provisioning.InMemoryUserDetailsManager;@EnableWebSecurity public class WebSecurityConfig extends WebSecurityConfigurerAdapter {//定義用戶信息服務(查詢用戶信息)@Beanpublic UserDetailsService userDetailsService(){InMemoryUserDetailsManager manager = new InMemoryUserDetailsManager();manager.createUser(User.withUsername("zhangsan").password("123").authorities("p1").build());manager.createUser(User.withUsername("lisi").password("456").authorities("p2").build());return manager;}//密碼編碼器@Beanpublic PasswordEncoder passwordEncoder(){return NoOpPasswordEncoder.getInstance();}//安全攔截機制(最重要)@Overrideprotected void configure(HttpSecurity http) throws Exception {http.authorizeRequests().antMatchers("/r/r1").hasAuthority("p1").antMatchers("/r/r2").hasAuthority("p2").antMatchers("/r/**").authenticated()//所有/r/**的請求必須認證通過.anyRequest().permitAll()//除了/r/**,其它的請求可以訪問.and().formLogin()//允許表單登錄.successForwardUrl("/login-success");//自定義登錄成功的頁面地址} }SpringApplicationInitializer.java
package com.dym.security.springmvc.init;import com.dym.security.springmvc.config.ApplicationConfig; import com.dym.security.springmvc.config.WebConfig; import com.dym.security.springmvc.config.WebSecurityConfig; import org.springframework.web.servlet.support.AbstractAnnotationConfigDispatcherServletInitializer;public class SpringApplicationInitializer extends AbstractAnnotationConfigDispatcherServletInitializer {//spring容器,相當于加載 applicationContext.xml@Overrideprotected Class<?>[] getRootConfigClasses() {return new Class[]{ApplicationConfig.class, WebSecurityConfig.class};}//servletContext,相當于加載springmvc.xml@Overrideprotected Class<?>[] getServletConfigClasses() {return new Class[]{WebConfig.class};}//url-mapping@Overrideprotected String[] getServletMappings() {return new String[]{"/"};} }SpringSecurityApplicationInitializer.java
package com.dym.security.springmvc.init;import org.springframework.security.web.context.AbstractSecurityWebApplicationInitializer;public class SpringSecurityApplicationInitializerextends AbstractSecurityWebApplicationInitializer {public SpringSecurityApplicationInitializer() {//super(WebSecurityConfig.class);} }LoginController.java
package com.dym.security.springmvc.controller;import org.springframework.web.bind.annotation.GetMapping; import org.springframework.web.bind.annotation.RequestMapping; import org.springframework.web.bind.annotation.RestController;@RestController public class LoginController {@RequestMapping(value = "/login-success",produces = {"text/plain;charset=UTF-8"})public String loginSuccess(){return " 登錄成功";}/*** 測試資源1* @return*/@GetMapping(value = "/r/r1",produces = {"text/plain;charset=UTF-8"})public String r1(){return " 訪問資源1";}/*** 測試資源2* @return*/@GetMapping(value = "/r/r2",produces = {"text/plain;charset=UTF-8"})public String r2(){return " 訪問資源2";} }?
?
總結
以上是生活随笔為你收集整理的Spring Security快速上手的全部內容,希望文章能夠幫你解決所遇到的問題。
- 上一篇: shiro 实现登录验证功能
- 下一篇: Spring Security 应用详解