1. 创建一个 Spring Boot 项目:使用 IDEA 创建一个普通的 Spring Boot 项目即可。这里我使用的是 war 包的打包方式,并添加了 security 和 web 两个依赖。项目创建好之后第一次启动会报错,需要把 pom 文件中自动添加的 tomcat 依赖去掉,并先把 security 依赖注释掉才能正常访问(注意:注释掉 security 依赖后应用是完全不设防的,只适合本地验证项目能启动,下一步会重新打开它)。随后会讲怎么使用。
2. 创建 security 配置类:2.1 将上面注释掉的 security 依赖重新打开。2.2 新建一个 Java 配置类(继承 WebSecurityConfigurerAdapter),里面存放 Spring Security 的相关配置。
package com.budongfeng.securitylearn;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.builders.WebSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfiguration;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
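/**
 * Spring Security web configuration for the securitylearn demo.
 *
 * <p>Anonymous access is limited to {@code /} and the static-resource paths listed in
 * {@link #configure(WebSecurity)}; every other request must be authenticated through the
 * default form login. CSRF protection is deliberately left at Spring Security's default
 * (enabled): this is a session-cookie, form-login application, exactly the kind of
 * application a cross-site request forgery targets, and the generated login form already
 * carries the token.
 *
 * @program: springlearn
 * @description: security web config
 * @author: canghaihongxin
 * @create: 2018-04-08 11:15
 */
@Configuration
@EnableWebSecurity
public class SpringSecurityWebConfig extends WebSecurityConfigurerAdapter {

    /**
     * HTTP request interception: decides which requests are intercepted and how they are handled.
     *
     * @param http the builder for this security filter chain
     * @throws Exception propagated from the {@link HttpSecurity} builder
     */
    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http.authorizeRequests()
                .antMatchers("/").permitAll()   // "/" is open to every request
                .anyRequest().authenticated()   // everything else requires a login
                .and()
            .logout().permitAll()               // the logout endpoint is open to everyone
                .and()
            .formLogin();                       // default login form; the login page is open to everyone

        // Review fix: the original ended with http.csrf().disable(). That line is gone on purpose.
        // With session-cookie form login, CSRF protection is what stops another origin from
        // replaying a logged-in user's session against state-changing endpoints. The login page
        // Spring generates already includes the token, so login keeps working; logout, however,
        // has to be a POST carrying the token rather than a bare GET of /logout from the
        // address bar or curl.
    }

    /**
     * Filter-level configuration, e.g. skipping static resources entirely.
     *
     * <p>Paths listed here bypass the security filter chain altogether, so they get no
     * security headers and no SecurityContext. Keep this list to genuinely static content;
     * anything served by application code should be opened with {@code permitAll()} in
     * {@link #configure(HttpSecurity)} instead, so the rest of the chain still applies.
     *
     * @param web the builder for the security filter chain
     * @throws Exception propagated from the {@link WebSecurity} builder
     */
    @Override
    public void configure(WebSecurity web) throws Exception {
        web.ignoring().antMatchers("/js/**", "/css/**", "/images/**");
    }

}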
创建一个 controller 接口,用来验证 security 是否拦截成功。
这里直接在自动生成的启动类上添加了两个注解 @RestController 和 @EnableAutoConfiguration。在浏览器实测:访问 / 可以直接看到返回内容,而访问 /hello 会被拦截并跳转到登录页面。
@EnableAutoConfiguration:表示当项目添加了某个依赖时,Spring Boot 会根据类路径自动创建该依赖相关的配置;当然也可以通过显式给这个注解添加 exclude 参数,不让 Spring Boot 创建某个自动配置。
@SpringBootApplication:这个注解本身已经包含了 @EnableAutoConfiguration、包扫描注解 @ComponentScan 以及 @Configuration 等常用注解,所以上面再单独加 @EnableAutoConfiguration 其实是多余的。
package com.budongfeng.securitylearn;
import org.springframework.boot.SpringApplication;
import org.springframework.boot.autoconfigure.EnableAutoConfiguration;
import org.springframework.boot.autoconfigure.SpringBootApplication;
import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.RestController;
/**
 * Boot entry point that doubles as a tiny REST controller used to check that the
 * security configuration intercepts requests: {@code /} is opened to everyone by
 * SpringSecurityWebConfig, while {@code /hello} sends an unauthenticated caller to
 * the login page.
 *
 * <p>{@code @EnableAutoConfiguration} is already implied by {@code @SpringBootApplication};
 * it is kept here only because the tutorial text explains it explicitly.
 */
@SpringBootApplication
@RestController
@EnableAutoConfiguration
public class SecuritylearnApplication {

    /** Response body of the publicly reachable root path. */
    private static final String HOME_BODY = "hello spring security";

    /** Response body of the login-protected /hello path. */
    private static final String HELLO_BODY = "hello world";

    public static void main(String[] args) {
        SpringApplication.run(SecuritylearnApplication.class, args);
    }

    /** GET / — reachable without logging in (permitAll in SpringSecurityWebConfig). */
    @GetMapping("/")
    public String home() {
        return HOME_BODY;
    }

    /** GET /hello — requires an authenticated session (anyRequest().authenticated()). */
    @GetMapping("/hello")
    public String hello() {
        return HELLO_BODY;
    }

}
3. 简单用户登录实现:对上面的 java config 文件进行修改,相当于在内存中添加用户并设置用户角色和密码(这一步先添加了一个 admin 用户,4.2 再添加第二个)。注意:如果为了消除 "There is no PasswordEncoder mapped for the id null" 这个错误而注册一个 NoOpPasswordEncoder bean,那等于全局关闭密码编码、以明文比较密码,不要这样做;正确做法是保留默认的 DelegatingPasswordEncoder,并给存储的密码加上 {noop}(仅用于演示)或 {bcrypt} 这样的编码器 id 前缀。
package com.budongfeng.securitylearn;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.builders.WebSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfiguration;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.crypto.password.NoOpPasswordEncoder;
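/**
 * Spring Security web configuration for the securitylearn demo, now with an in-memory user.
 *
 * <p>Anonymous access is limited to {@code /} and the static-resource paths listed in
 * {@link #configure(WebSecurity)}; every other request must be authenticated through the
 * default form login. CSRF protection stays at Spring Security's default (enabled), and
 * password encoding stays at the default DelegatingPasswordEncoder — see
 * {@link #configure(AuthenticationManagerBuilder)} for why no NoOpPasswordEncoder bean is
 * registered here.
 *
 * @program: springlearn
 * @description: security web config
 * @author: canghaihongxin
 * @create: 2018-04-08 11:15
 */
@Configuration
@EnableWebSecurity
public class SpringSecurityWebConfig extends WebSecurityConfigurerAdapter {

    /**
     * In-memory user store for the demo.
     *
     * <p>Review fix: the original registered a {@code NoOpPasswordEncoder} bean to silence
     * "There is no PasswordEncoder mapped for the id "null"". That error is Spring Security 5
     * insisting that every stored password states how it is encoded; answering it by switching
     * encoding off for the whole application (NoOpPasswordEncoder is deprecated for exactly this
     * reason) is the wrong fix. With no PasswordEncoder bean at all, the default
     * DelegatingPasswordEncoder is used and the stored value only needs an {@code {id}} prefix,
     * so the bean is gone and the password carries {@code {noop}} instead.
     *
     * <p>{@code {noop}} still means a plaintext password in source, which is acceptable for a
     * local demo user only. For anything real, store a {@code {bcrypt}} hash (for example one
     * produced by {@code new BCryptPasswordEncoder().encode(raw)}) and keep credentials out of
     * source control.
     *
     * @param auth the authentication builder
     * @throws Exception propagated from the builder
     */
    @Override
    protected void configure(AuthenticationManagerBuilder auth) throws Exception {
        // Demo login: admin / abcd. The original stored the literal "{abcd}" (so, under
        // NoOpPasswordEncoder, the password typed had to be "{abcd}"), which reads like a
        // mistyped {id} prefix; "abcd" behind an explicit {noop} prefix is assumed to be intent.
        auth.inMemoryAuthentication()
                .withUser("admin").password("{noop}abcd").roles("ADMIN");
    }

    /**
     * HTTP request interception: decides which requests are intercepted and how they are handled.
     *
     * @param http the builder for this security filter chain
     * @throws Exception propagated from the {@link HttpSecurity} builder
     */
    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http.authorizeRequests()
                .antMatchers("/").permitAll()   // "/" is open to every request
                .anyRequest().authenticated()   // everything else requires a login
                .and()
            .logout().permitAll()               // the logout endpoint is open to everyone
                .and()
            .formLogin();                       // default login form; the login page is open to everyone

        // Review fix: the original ended with http.csrf().disable(). That line is gone on purpose.
        // With session-cookie form login, CSRF protection is what stops another origin from
        // replaying a logged-in user's session against state-changing endpoints. The login page
        // Spring generates already includes the token, so login keeps working; logout, however,
        // has to be a POST carrying the token rather than a bare GET of /logout from the
        // address bar or curl.
    }

    /**
     * Filter-level configuration, e.g. skipping static resources entirely.
     *
     * <p>Paths listed here bypass the security filter chain altogether, so they get no
     * security headers and no SecurityContext. Keep this list to genuinely static content;
     * anything served by application code should be opened with {@code permitAll()} in
     * {@link #configure(HttpSecurity)} instead, so the rest of the chain still applies.
     *
     * @param web the builder for the security filter chain
     * @throws Exception propagated from the {@link WebSecurity} builder
     */
    @Override
    public void configure(WebSecurity web) throws Exception {
        web.ignoring().antMatchers("/js/**", "/css/**", "/images/**");
    }

}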
4. 简单的角色限制:4.1 修改启动类(主访问路径所在的类),添加两个注解。
@EnableGlobalMethodSecurity(prePostEnabled = true):开启全局的方法级安全控制,并启用 @PreAuthorize/@PostAuthorize 这类在方法执行前/后进行校验的注解。
@PreAuthorize("hasRole('ADMIN')"):在方法执行前校验当前用户是否具有 ADMIN 角色(即权限 ROLE_ADMIN,对应 roles("ADMIN");角色名区分大小写)。已登录但角色不符的用户通常会得到 403。
package com.budongfeng.securitylearn;
import org.springframework.boot.SpringApplication;
import org.springframework.boot.autoconfigure.EnableAutoConfiguration;
import org.springframework.boot.autoconfigure.SpringBootApplication;
import org.springframework.security.access.prepost.PreAuthorize;
import org.springframework.security.config.annotation.method.configuration.EnableGlobalMethodSecurity;
import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.RestController;
/**
 * Boot entry point that doubles as a tiny REST controller for exercising the security
 * configuration: {@code /} is open to everyone, {@code /hello} needs a login, and
 * {@code /roleAuth} additionally needs the ADMIN role.
 *
 * <p>{@code @EnableGlobalMethodSecurity(prePostEnabled = true)} switches on method-level
 * security so that {@code @PreAuthorize} below is actually enforced; without it the
 * annotation is silently ignored. {@code @EnableAutoConfiguration} is already implied by
 * {@code @SpringBootApplication} and is kept only because the tutorial text explains it.
 */
@SpringBootApplication
@RestController
@EnableAutoConfiguration
@EnableGlobalMethodSecurity(prePostEnabled = true)
public class SecuritylearnApplication {

    /** Response body of the publicly reachable root path. */
    private static final String HOME_BODY = "hello spring security";

    /** Response body of the login-protected /hello path. */
    private static final String HELLO_BODY = "hello world";

    /** Response body of the ADMIN-only /roleAuth path. */
    private static final String ROLE_BODY = "admin auth";

    public static void main(String[] args) {
        SpringApplication.run(SecuritylearnApplication.class, args);
    }

    /** GET / — reachable without logging in (permitAll in SpringSecurityWebConfig). */
    @GetMapping("/")
    public String home() {
        return HOME_BODY;
    }

    /** GET /hello — requires an authenticated session (anyRequest().authenticated()). */
    @GetMapping("/hello")
    public String hello() {
        return HELLO_BODY;
    }

    /**
     * GET /roleAuth — requires an authenticated session AND the ADMIN role.
     * hasRole('ADMIN') matches the authority ROLE_ADMIN granted by roles("ADMIN"),
     * and the comparison is case-sensitive.
     */
    @PreAuthorize("hasRole('ADMIN')")
    @GetMapping("/roleAuth")
    public String role() {
        return ROLE_BODY;
    }

}
4.2 修改 security 配置类,再添加一个用户(demo)及其角色。
package com.budongfeng.securitylearn;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.method.configuration.EnableGlobalMethodSecurity;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.builders.WebSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfiguration;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.crypto.password.NoOpPasswordEncoder;
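/**
 * Spring Security web configuration for the securitylearn demo, with two in-memory users.
 *
 * <p>Anonymous access is limited to {@code /} and the static-resource paths listed in
 * {@link #configure(WebSecurity)}; every other request must be authenticated through the
 * default form login. CSRF protection stays at Spring Security's default (enabled), and
 * password encoding stays at the default DelegatingPasswordEncoder — see
 * {@link #configure(AuthenticationManagerBuilder)} for why no NoOpPasswordEncoder bean is
 * registered here.
 *
 * @program: springlearn
 * @description: security web config
 * @author: canghaihongxin
 * @create: 2018-04-08 11:15
 */
@Configuration
@EnableWebSecurity
public class SpringSecurityWebConfig extends WebSecurityConfigurerAdapter {

    /**
     * In-memory user store for the demo.
     *
     * <p>Review fix: the original registered a {@code NoOpPasswordEncoder} bean to silence
     * "There is no PasswordEncoder mapped for the id "null"". That error is Spring Security 5
     * insisting that every stored password states how it is encoded; answering it by switching
     * encoding off for the whole application (NoOpPasswordEncoder is deprecated for exactly this
     * reason) is the wrong fix. With no PasswordEncoder bean at all, the default
     * DelegatingPasswordEncoder is used and the stored value only needs an {@code {id}} prefix,
     * so the bean is gone and the passwords carry {@code {noop}} instead.
     *
     * <p>{@code {noop}} still means a plaintext password in source, which is acceptable for
     * local demo users only. For anything real, store {@code {bcrypt}} hashes (for example ones
     * produced by {@code new BCryptPasswordEncoder().encode(raw)}) and keep credentials out of
     * source control.
     *
     * @param auth the authentication builder
     * @throws Exception propagated from the builder
     */
    @Override
    protected void configure(AuthenticationManagerBuilder auth) throws Exception {
        // Demo logins: admin / 1 (ROLE_ADMIN) and demo / 1 (ROLE_USER). Both users go into ONE
        // in-memory store; the original called auth.inMemoryAuthentication() twice, which
        // registers two separate providers each holding a single user.
        // roles() prepends "ROLE_" and hasRole() compares case-sensitively, so the second role
        // is upper-cased to match the ADMIN convention: the original roles("user") produced
        // ROLE_user, which a hasRole('USER') check would never match.
        auth.inMemoryAuthentication()
                .withUser("admin").password("{noop}1").roles("ADMIN")
                .and()
                .withUser("demo").password("{noop}1").roles("USER");
    }

    /**
     * HTTP request interception: decides which requests are intercepted and how they are handled.
     *
     * @param http the builder for this security filter chain
     * @throws Exception propagated from the {@link HttpSecurity} builder
     */
    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http.authorizeRequests()
                .antMatchers("/").permitAll()   // "/" is open to every request
                .anyRequest().authenticated()   // everything else requires a login
                .and()
            .logout().permitAll()               // the logout endpoint is open to everyone
                .and()
            .formLogin();                       // default login form; the login page is open to everyone

        // Review fix: the original ended with http.csrf().disable(). That line is gone on purpose.
        // With session-cookie form login, CSRF protection is what stops another origin from
        // replaying a logged-in user's session against state-changing endpoints. The login page
        // Spring generates already includes the token, so login keeps working; logout, however,
        // has to be a POST carrying the token rather than a bare GET of /logout from the
        // address bar or curl.
    }

    /**
     * Filter-level configuration, e.g. skipping static resources entirely.
     *
     * <p>Paths listed here bypass the security filter chain altogether, so they get no
     * security headers and no SecurityContext. Keep this list to genuinely static content;
     * anything served by application code should be opened with {@code permitAll()} in
     * {@link #configure(HttpSecurity)} instead, so the rest of the chain still applies.
     *
     * @param web the builder for the security filter chain
     * @throws Exception propagated from the {@link WebSecurity} builder
     */
    @Override
    public void configure(WebSecurity web) throws Exception {
        web.ignoring().antMatchers("/js/**", "/css/**", "/images/**");
    }

}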