# 内存中的默认用户账户
security.user.name=user
# 用户密码
security.user.password=
# 用户角色,默认是 USER
security.user.role=USER
# 是否需要 SSL 支持,默认不需要
security.require-ssl=false
# 是否开启“跨站请求伪造” 支持。默认关闭
security.enable-csrf=false
security.basic.enabled=true
# /**
security.basic.path=
security.basic.authorize-mode=
security.filter-order=0
security.headers.xss=false
security.headers.cache=false
security.headers.frame=false
security.headers.content-type=false
security.headers.hsts=all
security.sessions=stateless
# 用逗号隔开无需拦截的路径
security.ignored=
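/**
 * Registers two in-memory demo accounts ("ts" and "demo") with the authentication manager.
 *
 * @param auth the builder Spring Security hands to this configurer
 * @throws Exception propagated from the builder
 */
@Override
protected void configure(AuthenticationManagerBuilder auth) throws Exception {
    // roles() prepends "ROLE_" itself, so the names are given without the prefix;
    // passing "ROLE_ADMIN" here is rejected by the builder.
    // The passwords are used as written; once a PasswordEncoder is configured
    // (required from Spring Security 5 on) they have to be supplied encoded.
    auth.inMemoryAuthentication()
        .withUser("ts").password("ts").roles("ADMIN")
        .and()
        .withUser("demo").password("demo").roles("USER");
}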
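/** Database connection used for the JDBC user lookup; injected from the context. */
@Autowired
DataSource dataSource;

/**
 * Authenticates against the database behind {@code dataSource} using Spring Security's
 * built-in JDBC lookup (default users / authorities table layout).
 *
 * @param auth the builder Spring Security hands to this configurer
 * @throws Exception propagated from the builder
 */
@Override
protected void configure(AuthenticationManagerBuilder auth) throws Exception {
    // No PasswordEncoder is set here, so the stored password is compared to the
    // submitted one as-is — TODO confirm how the passwords in this DB are stored.
    auth.jdbcAuthentication().dataSource(dataSource);
}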
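/**
 * Looks users up in {@code repository} and adapts them to Spring Security's
 * {@link UserDetails}.
 */
public class CustomUserService implements UserDetailsService {

    @Autowired
    customRepository repository;

    /**
     * Loads the user with the given login name.
     *
     * @param username the login name entered by the client
     * @return the matching user wrapped as a Spring Security {@code User}
     * @throws UsernameNotFoundException if no user with that name exists
     */
    @Override
    public UserDetails loadUserByUsername(String username) throws UsernameNotFoundException {
        customUser user = repository.findByUserName(username);
        if (user == null) {
            // Report the miss explicitly instead of failing with a NullPointerException below.
            throw new UsernameNotFoundException("no user named " + username);
        }
        List<GrantedAuthority> auth = new ArrayList<>();
        // NOTE(review): every existing user is granted ROLE_ADMIN here regardless of
        // what is stored for them; a real service should derive authorities from the user.
        auth.add(new SimpleGrantedAuthority("ROLE_ADMIN"));
        return new User(user.getUsername(), user.getPassword(), auth);
    }
}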
/** Exposes the custom user lookup as a bean so the container manages (and injects into) it. */
@Bean
UserDetailsService customUserService() {
    return new CustomUserService();
}

/**
 * Points the authentication manager at the custom user lookup.
 *
 * @param auth the builder Spring Security hands to this configurer
 * @throws Exception propagated from the builder
 */
@Override
protected void configure(AuthenticationManagerBuilder auth) throws Exception {
    UserDetailsService lookup = customUserService();
    auth.userDetailsService(lookup);
}
方法 | 作用 |
---|---|
access(String) | Spring EL 表达式结果为 true 时可访问 |
anonymous() | 匿名可访问 |
denyAll() | 用户不能访问 |
fullyAuthenticated() | 用户完全认证可访问(非 remember 下自动登录) |
hasAnyAuthority(String…) | 如果用户有参数,则其中任一权限可访问 |
hasAnyRole(String…) | 如果用户有参数,则其中任一角色可访问 |
hasAuthority(String) | 如果用户有参数,则其权限可访问 |
hasIpAddress(String) | 如果用户来自参数中的 IP 可访问 |
hasRole(String) | 用户若有参数中的角色可以访问 |
permitAll() | 用户可以任意访问 |
rememberMe() | 允许通过 remember-me 登录的用户访问 |
authenticated() | 用户登录后可访问 |
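/**
 * URL authorization rules: /admin/** only for admins, /user/** for admins and users,
 * everything else for any authenticated user.
 *
 * @param http the security builder supplied by Spring Security
 * @throws Exception propagated from the builder
 */
@Override
protected void configure(HttpSecurity http) throws Exception {
    // hasRole()/hasAnyRole() prepend "ROLE_" themselves, so the names are given
    // without the prefix; "ROLE_ADMIN" here is rejected by the builder.
    http.authorizeRequests()
        .antMatchers("/admin/**").hasRole("ADMIN")
        .antMatchers("/user/**").hasAnyRole("ADMIN", "USER")
        // every remaining URL still needs a logged-in user
        .anyRequest().authenticated();
}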
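/**
 * Form login, remember-me cookie and logout configuration.
 *
 * @param http the security builder supplied by Spring Security
 * @throws Exception propagated from the builder
 */
@Override
protected void configure(HttpSecurity http) throws Exception {
    http
        .formLogin()
            .loginPage("/login")            // custom login page
            .defaultSuccessUrl("/index")    // target after a successful login
            .failureUrl("/login?error")     // target after a failed login
            .permitAll()
        .and()
        .rememberMe()
            // cookie lifetime: 1209600 s = two weeks
            .tokenValiditySeconds(1209600)
            // secret that signs the remember-me token: whoever knows it can mint
            // tokens, so take it from external configuration as a long random
            // value rather than a literal like this demo one
            .key("myKey")
        .and()
        .logout()
            // with CSRF protection enabled this URL only accepts POST
            .logoutUrl("/custom-logout")
            .logoutSuccessUrl("/logout-success")
            .permitAll();
}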
<dependency>
    <groupId>com.oracle</groupId>
    <artifactId>ojdbc6</artifactId>
    <version>11.2.0.2.0</version>
</dependency>
<dependency>
    <groupId>org.thymeleaf.extras</groupId>
    <artifactId>thymeleaf-extras-springsecurity4</artifactId>
</dependency>
spring.datasource.driver-class-name=oracle.jdbc.OracleDriver
spring.datasource.url=jdbc\:oracle\:thin\:@localhost\:1521\:xe
spring.datasource.username=boot
spring.datasource.password=boot
logging.file=log.log
logging.level.org.springframework.security=INFO
spring.thymeleaf.cache=false
spring.jpa.hibernate.ddl-auto=update
spring.jpa.show-sql=true
package com.pyc.mysecurity.domain;

import javax.persistence.Entity;
import javax.persistence.GeneratedValue;
import javax.persistence.Id;

/**
 * A security role: a generated id plus the role name that is later handed to
 * Spring Security as a granted authority.
 */
@Entity
public class SysRole {

    @Id
    @GeneratedValue
    private Long id;

    private String name;

    /** @return the primary key */
    public Long getId() {
        return this.id;
    }

    /** @param id the primary key to assign */
    public void setId(Long id) {
        this.id = id;
    }

    /** @return the role name, e.g. "ROLE_ADMIN" */
    public String getName() {
        return this.name;
    }

    /** @param name the role name */
    public void setName(String name) {
        this.name = name;
    }
}
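package com.pyc.mysecurity.domain;

import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.authority.SimpleGrantedAuthority;
import org.springframework.security.core.userdetails.UserDetails;

import javax.persistence.*;
import java.util.ArrayList;
import java.util.Collection;
import java.util.List;

/**
 * User entity that also implements {@link UserDetails}, so the persisted user is the
 * object Spring Security authenticates against.
 */
@Entity
public class SysUser implements UserDetails {

    // Must be a primitive long: a boxed Long named serialVersionUID is ignored by serialization.
    private static final long serialVersionUID = 1L;

    @Id
    @GeneratedValue
    private Long id;

    private String username;

    // Returned verbatim by getPassword(), i.e. whatever is stored here is what the
    // authentication provider compares; it must be encoded on save when a
    // PasswordEncoder is in use.
    private String password;

    // Many-to-many user/role relation, fetched eagerly.
    @ManyToMany(cascade = {CascadeType.REFRESH}, fetch = FetchType.EAGER)
    private List<SysRole> roles;

    /**
     * Maps each role name to a granted authority. Names are used verbatim, so
     * hasRole("ADMIN") matches only when the stored name is "ROLE_ADMIN".
     *
     * @return the authorities; empty when no roles are set
     */
    @Override
    public Collection<? extends GrantedAuthority> getAuthorities() {
        List<GrantedAuthority> authorities = new ArrayList<>();
        List<SysRole> assigned = getRoles();
        if (assigned == null) {
            // unsaved or role-less user: no authorities rather than a NullPointerException
            return authorities;
        }
        for (SysRole role : assigned) {
            authorities.add(new SimpleGrantedAuthority(role.getName()));
        }
        return authorities;
    }

    // Account-state flags: this model never expires, locks or disables an account.
    @Override
    public boolean isAccountNonExpired() {
        return true;
    }

    @Override
    public boolean isAccountNonLocked() {
        return true;
    }

    @Override
    public boolean isCredentialsNonExpired() {
        return true;
    }

    @Override
    public boolean isEnabled() {
        return true;
    }

    public Long getId() {
        return id;
    }

    public void setId(Long id) {
        this.id = id;
    }

    @Override
    public String getPassword() {
        return password;
    }

    public void setPassword(String password) {
        this.password = password;
    }

    @Override
    public String getUsername() {
        return username;
    }

    public void setUsername(String username) {
        this.username = username;
    }

    public List<SysRole> getRoles() {
        return roles;
    }

    public void setRoles(List<SysRole> roles) {
        this.roles = roles;
    }
}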
-- Demo seed data. The passwords are inserted as plain text ('pyc', 'ycy'): with no
-- PasswordEncoder configured they are compared as-is, and with one configured they
-- would have to be stored in encoded form instead.
insert into SYS_USER(id, username, password) values (1, 'pyc', 'pyc');
insert into SYS_USER(id, username, password) values (2, 'ycy', 'ycy');
-- Role names carry the ROLE_ prefix, which is what hasRole("ADMIN") / hasRole("USER") match.
insert into SYS_ROLE(id, name) values (1, 'ROLE_ADMIN');
insert into SYS_ROLE(id, name) values (2, 'ROLE_USER');
-- Join table: user 1 -> ROLE_ADMIN, user 2 -> ROLE_USER.
insert into SYS_USER_ROLES(SYS_USER_ID, ROLES_ID) values (1, 1);
insert into SYS_USER_ROLES(SYS_USER_ID, ROLES_ID) values (2,2);
package com.pyc.mysecurity.domain;public class Msg { private String title; private String content; private String etraInfo; public Msg(String title, String content, String etraInfo){ super(); this.content=content; this.title=title; this.etraInfo=etraInfo; } public void setTitle(String title) { this.title = title; } public String getTitle() { return title; } public void setContent(String content) { this.content = content; } public String getContent() { return content; } public void setEtraInfo(String etraInfo) { this.etraInfo = etraInfo; } public String getEtraInfo() { return etraInfo; }}
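package com.pyc.mysecurity.dao;

import com.pyc.mysecurity.domain.SysUser;
import org.springframework.data.jpa.repository.JpaRepository;

/**
 * Spring Data repository for {@link SysUser}. The type arguments (entity, id type)
 * must be given; a raw {@code JpaRepository} leaves Spring Data without the id type.
 */
public interface SysUserRepository extends JpaRepository<SysUser, Long> {

    /**
     * Derived query on the {@code username} column.
     *
     * @param username the login name to look up
     * @return the matching user, or null when there is none
     */
    SysUser findByUsername(String username);
}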
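package com.pyc.mysecurity.service;

import com.pyc.mysecurity.dao.SysUserRepository;
import com.pyc.mysecurity.domain.SysUser;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.core.userdetails.UsernameNotFoundException;
import org.springframework.stereotype.Service;

/**
 * User lookup for Spring Security backed by {@link SysUserRepository}.
 * The {@code @Service} annotation needs its import, which was missing.
 */
@Service
public class CustomUserService implements UserDetailsService {

    @Autowired
    SysUserRepository userRepository;

    /**
     * Loads the persisted user; {@link SysUser} implements {@link UserDetails} itself.
     *
     * @param username the login name entered by the client
     * @return the matching user
     * @throws UsernameNotFoundException when no such user exists (by default Spring
     *     Security reports this to the client as a generic bad-credentials failure)
     */
    @Override
    public UserDetails loadUserByUsername(String username) {
        SysUser user = userRepository.findByUsername(username);
        if (user == null) {
            throw new UsernameNotFoundException("用户名不存在");
        }
        return user;
    }
}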
package com.pyc.mysecurity.config;

import org.springframework.context.annotation.Configuration;
import org.springframework.web.servlet.config.annotation.ViewControllerRegistry;
import org.springframework.web.servlet.config.annotation.WebMvcConfigurerAdapter;

/** MVC configuration: maps the login URL directly onto the login view, no controller needed. */
@Configuration
public class WebMvcConfig extends WebMvcConfigurerAdapter {

    private static final String LOGIN_PATH = "/login";
    private static final String LOGIN_VIEW = "login";

    /**
     * Registers a view-only mapping so {@code /login} renders the "login" view.
     *
     * @param registry the registry the mapping is added to
     */
    @Override
    public void addViewControllers(ViewControllerRegistry registry) {
        registry.addViewController(LOGIN_PATH).setViewName(LOGIN_VIEW);
    }
}
package com.pyc.mysecurity.config;

import com.pyc.mysecurity.service.CustomUserService;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.core.userdetails.UserDetailsService;

/**
 * Application security: custom user lookup, form login on /login, and authentication
 * required for every other request.
 */
@Configuration
public class WebSecurityConfig extends WebSecurityConfigurerAdapter {

    private static final String LOGIN_PAGE = "/login";
    private static final String LOGIN_FAILURE = "/login?error";

    /** The user lookup, registered as a bean so the container can wire its dependencies. */
    @Bean
    UserDetailsService customUserService() {
        return new CustomUserService();
    }

    /**
     * Authenticates through {@link #customUserService()}. No PasswordEncoder is registered,
     * so on the Spring Security 4 line this demo targets the stored password is compared to
     * the submitted one in the clear; Spring Security 5 requires an encoder.
     *
     * @param auth the builder Spring Security hands to this configurer
     * @throws Exception propagated from the builder
     */
    @Override
    protected void configure(AuthenticationManagerBuilder auth) throws Exception {
        UserDetailsService lookup = customUserService();
        auth.userDetailsService(lookup);
    }

    /**
     * Every URL needs an authenticated user; the login page, its failure redirect and
     * logout are open to everyone.
     *
     * @param http the security builder supplied by Spring Security
     * @throws Exception propagated from the builder
     */
    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http.authorizeRequests().anyRequest().authenticated();
        http.formLogin()
            .loginPage(LOGIN_PAGE)
            .failureUrl(LOGIN_FAILURE)
            .permitAll();
        http.logout().permitAll();
    }
}
登录 Successfully logout
An error occurred, please try again
Login by account and password
Not too much message to display
package com.pyc.mysecurity.web;

import com.pyc.mysecurity.domain.Msg;
import org.springframework.stereotype.Controller;
import org.springframework.ui.Model;
import org.springframework.web.bind.annotation.RequestMapping;

/** Serves the home page with a fixed demo message. */
@Controller
public class WebController {

    private static final String HOME_VIEW = "home";

    /**
     * Handles "/" by placing a demo {@link Msg} in the model under the key "msg".
     *
     * @param model the view model to populate
     * @return the name of the home view
     */
    @RequestMapping("/")
    public String index(Model model) {
        // The extra info is put in the model for every caller; whether non-admins see it
        // depends on the view template, which is not part of this class — verify there.
        model.addAttribute("msg", demoMessage());
        return HOME_VIEW;
    }

    /** Builds the sample message displayed on the home page. */
    private static Msg demoMessage() {
        return new Msg("Demo Title", "Demo Content", "additional msg, only admin can see");
    }
}
转载地址:http://flqgn.baihongyu.com/