Spring Security快速上手、SpringBoot整合Spring Security
一、Spring Security介绍
Spring Security是一个能够为基于Spring的企业应用系统提供声明式的安全访问控制解决方案的安全框架。由于它是Spring生态系统中的一员,因此它伴随着整个Spring生态系统不断修正、升级,在spring boot项目中加入spring security更是十分简单,使用Spring Security 减少了为企业系统安全控制编写大量重复代码的工作。
1、工程搭建
使用的是springmvc + web3.0的方式构建Spring Security, 所以没有.xml文件, 取而代之的是配置类;
2、Pom文件引入
<?xml version="1.0" encoding="UTF-8"?><project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd"><modelVersion>4.0.0</modelVersion><groupId>com.zy</groupId><artifactId>spring-security</artifactId><version>1.0-SNAPSHOT</version><packaging>war</packaging><properties><project.build.sourceEncoding>UTF-8</project.build.sourceEncoding><maven.compiler.source>1.8</maven.compiler.source><maven.compiler.target>1.8</maven.compiler.target></properties><dependencies><dependency><groupId>org.springframework.security</groupId><artifactId>spring-security-web</artifactId><version>5.1.4.RELEASE</version></dependency><dependency><groupId>org.springframework.security</groupId><artifactId>spring-security-config</artifactId><version>5.1.4.RELEASE</version></dependency><dependency><groupId>org.springframework</groupId><artifactId>spring-webmvc</artifactId><version>5.1.5.RELEASE</version></dependency><dependency><groupId>javax.servlet</groupId><artifactId>javax.servlet-api</artifactId><version>3.0.1</version><scope>provided</scope></dependency><dependency><groupId>org.projectlombok</groupId><artifactId>lombok</artifactId><version>1.18.8</version></dependency></dependencies><build><finalName>security-springmvc</finalName><pluginManagement><plugins><plugin><groupId>org.apache.tomcat.maven</groupId><artifactId>tomcat7-maven-plugin</artifactId><version>2.2</version></plugin><plugin><groupId>org.apache.maven.plugins</groupId><artifactId>maven-compiler-plugin</artifactId><configuration><source>1.8</source><target>1.8</target></configuration></plugin><plugin><artifactId>maven-resources-plugin</artifactId><configuration><encoding>utf-8</encoding><useDefaultDelimiters>true</useDefaultDelimiters><resources><resource><directory>src/main/resources</directory><filtering>true</filtering><includes><include>**/*</include></includes></resource><resource><directory>src/main/java</directory><includes><include>**/*.xml</include></includes></resource></resources></configuration></plugin></plugins></pluginManagement></build></project>
3、Spring容器配置
相当于applicationContext.xml文件
@Configuration // 相当于applicationContext.xml@ComponentScan(basePackages = "com.zy",// 排除对Controller的扫描excludeFilters = { @ComponentScan.Filter(type = FilterType.ANNOTATION, value = Controller.class)})public class ApplicationConfig {}
4、Servlet Context配置 WebConfig implements WebMvcConfigurer
相当于springmvc.xml
@Configuration // 相当于springmvc.xml@EnableWebMvc@ComponentScan(basePackages = "com.zy", includeFilters = { @ComponentScan.Filter(type = FilterType.ANNOTATION, value = Controller.class)})public class WebConfig implements WebMvcConfigurer {// 视频解析器@Beanpublic InternalResourceViewResolver viewResolver() {InternalResourceViewResolver viewResolver = new InternalResourceViewResolver();viewResolver.setPrefix("/WEB-INF/view/");viewResolver.setSuffix(".jsp");return viewResolver;}// 配置映射到jsp页面@Overridepublic void addViewControllers(ViewControllerRegistry registry) {registry.addViewController("/").setViewName("login");}}
5、加载Spring容器
在init包下定义Spring容器初始化类SpringApplicationInitializer,此类实现WebApplicationInitializer接口, Spring容器启动时加载WebApplicationInitializer接口的所有实现类。
// 相当于加载了web.xml文件public class SpringApplicationInitializer extends AbstractAnnotationConfigDispatcherServletInitializer {//spring容器,相当于加载 applicationContext.xml@Overrideprotected Class<?>[] getRootConfigClasses() {return new Class[]{ ApplicationConfig.class};}//servletContext,相当于加载springmvc.xml@Overrideprotected Class<?>[] getServletConfigClasses() {return new Class[]{ WebConfig.class};}//url-mapping@Overrideprotected String[] getServletMappings() {return new String[]{ "/"};}}
二、认证
SpringSecurity默认提供认证页面,不需要额外开发。
1、安全配置
spring security提供了用户名密码登录、退出、会话管理等认证功能,只需要配置即可使用。
在
config包下定义WebSecurityConfig,安全配置的内容包括:用户信息、密码编码器、安全拦截机制。@EnableWebSecurity
public class WebSecurityConfig extends WebSecurityConfigurerAdapter {// 配置用户信息服务@Beanpublic UserDetailsService userDetailsService() {InMemoryUserDetailsManager manager = new InMemoryUserDetailsManager();manager.createUser(User.withUsername("zhangsan").password("123").authorities("p1").build());manager.createUser(User.withUsername("lisi").password("456").authorities("p2").build());return manager;}// 对密码进行编码, 使用不加密的对比@Beanpublic PasswordEncoder passwordEncoder() {return NoOpPasswordEncoder.getInstance();}// 配置安全拦截机制@Overrideprotected void configure(HttpSecurity http) throws Exception {http.authorizeRequests().antMatchers("/r/**").authenticated() // 对所有/r/**请求必须认证通过,才可以访问.anyRequest().permitAll() // 除了/r/**, 其他请求都可以访问.and().formLogin().successForwardUrl("/login-success"); // 登录成功跳转到/login-success}
}
在
userDetailsService()方法中,我们返回了一个UserDetailsService给Spring容器,Spring Security会使用它来获取用户信息。我们暂时使用InMemoryUserDetailsManager实现类,并在其中分别创建了zhangsan、lisi两个用户,并设置密码和权限。- 而在
configure()中,我们通过HttpSecurity设置了安全拦截规则,其中包含了以下内容:
加载
WebSecurityConfig@Override
protected Class<?>[] getRootConfigClasses() {return new Class[]{ ApplicationConfig.class, WebSecurityConfig.class};
}
2、Spring Security初始化
Spring Security初始化,这里有两种情况
- 若当前环境没有使用Spring或Spring MVC,则需要将 WebSecurityConfig(Spring Security配置类) 传入超类,以确保获取配置,并创建spring context。
相反,若
当前环境已经使用spring,我们应该在现有的springContext中注册Spring Security(上一步已经做将 WebSecurityConfig加载至rootcontext),此方法可以什么都不做。 在init包下定义SpringSecurityApplicationInitializer:// 初始化Spring Security
public class SpringSecurityApplicationInitializerextends AbstractSecurityWebApplicationInitializer {public SpringSecurityApplicationInitializer() {//super(WebSecurityConfig.class);}
}
3、默认根路径请求
在WebConfig.java中添加默认请求根路径跳转到/login,此url为spring security提供
@Overridepublic void addViewControllers(ViewControllerRegistry registry) {registry.addViewController("/").setViewName("redirect:/login");}
spring security默认提供的登录页面。
4、认证成功页面
在安全配置中,认证成功将跳转到/login-success,代码如下:
spring security支持form表单认证,认证成功后转向/login-success。
在LoginController中定义/login-success:
@RestControllerpublic class LoginController {@RequestMapping(value = "/login-success",produces = { "text/plain;charset=UTF-8"})public String loginSuccess(){return " 登录成功";}}
5、测试
三、授权
实现授权需要对用户的访问进行拦截校验,校验用户的权限是否可以操作指定的资源,Spring Security默认提供授权实现方法。
在LoginController添加/r/r1或/r/r2
@RestController
public class LoginController {@RequestMapping(value = "/login-success",produces = { "text/plain;charset=UTF-8"})public String loginSuccess(){return " 登录成功";}/** * 测试资源1 * @return */@GetMapping(value = "/r/r1",produces = { "text/plain;charset=UTF-8"})public String r1(){return " 访问资源1";}/** * 测试资源2 * @return */@GetMapping(value = "/r/r2",produces = { "text/plain;charset=UTF-8"})public String r2(){return " 访问资源2";}
}
在安全配置类WebSecurityConfig.java中配置授权规则:
//安全拦截机制(最重要)@Overrideprotected void configure(HttpSecurity http) throws Exception {http.authorizeRequests().antMatchers("/r/r1").hasAuthority("p1").antMatchers("/r/r2").hasAuthority("p2").antMatchers("/r/**").authenticated()//所有/r/**的请求必须认证通过.anyRequest().permitAll()//除了/r/**,其它的请求可以访问.and().formLogin()//允许表单登录.successForwardUrl("/login-success");//自定义登录成功的页面地址}
四、小结
通过快速上手,使用Spring Security实现了认证和授权,Spring Security提供了基于账号和密码的认证方式, 通过安全配置即可实现请求拦截,授权功能,Spring Security能完成的不仅仅是这些。
五、SpringBoot整合Spring Security
- 在上面的基础上改良为SpringBoot整合Spring Security
导入相关security的starter(场景启动器)
application.propertiesserver.port=8080
server.servlet.context‐path=/security‐springboot
spring.application.name=security‐springboot
spring.mvc.view.prefix=/WEB‐INF/views/
spring.mvc.view.suffix=.jspSpringBootApplication@SpringBootApplication(exclude = { DataSourceAutoConfiguration.class})
public class SpringBootApp {public static void main(String[] args) {SpringApplication.run(SpringBootApp.class, args);}
}
WebConfig
和springmvc来构建security不同, 因为在 @SpringBootApplication注解会自动将组件都添加到Spring容器中@Configuration // 相当于springmvc.xml
public class WebConfig implements WebMvcConfigurer {// 配置映射到jsp页面@Overridepublic void addViewControllers(ViewControllerRegistry registry) {registry.addViewController("/").setViewName("redirect:/login");}
}
WebSecurityConfig@Configuration
public class WebSecurityConfig extends WebSecurityConfigurerAdapter {// 配置用户信息服务@Beanpublic UserDetailsService userDetailsService() {InMemoryUserDetailsManager manager = new InMemoryUserDetailsManager();manager.createUser(User.withUsername("zhangsan").password("123").authorities("p1").build());manager.createUser(User.withUsername("lisi").password("456").authorities("p2").build());return manager;}// 对密码进行编码, 使用不加密的对比@Beanpublic PasswordEncoder passwordEncoder() {return NoOpPasswordEncoder.getInstance();}// 配置安全拦截机制
//安全拦截机制(最重要)@Overrideprotected void configure(HttpSecurity http) throws Exception {http.authorizeRequests().antMatchers("/r/r1").hasAuthority("p1").antMatchers("/r/r2").hasAuthority("p2").antMatchers("/r/**").authenticated()//所有/r/**的请求必须认证通过.anyRequest().permitAll()//除了/r/**,其它的请求可以访问.and().formLogin()//允许表单登录.successForwardUrl("/login-success");//自定义登录成功的页面地址}}
LoginController
@RestController
public class LoginController {@RequestMapping(value = "/login-success",produces = { "text/plain;charset=UTF-8"})public String loginSuccess(){return " 登录成功";}/** * 测试资源1 * @return */@GetMapping(value = "/r/r1",produces = { "text/plain;charset=UTF-8"})public String r1(){return " 访问资源1";}/** * 测试资源2 * @return */@GetMapping(value = "/r/r2",produces = { "text/plain;charset=UTF-8"})public String r2(){return " 访问资源2";}
}
测试同上
向右看齐
桃扇骨
分手后的思念是犯贱
朱雀
小灰灰
爱被打了一巴掌
还没有评论,来说两句吧...