簡介
springSecurity是針對spring項目的安全框架,也是springBoot底層安全模塊的技術選型,它可以實現強大的web安全控制。對於安全控制,我們僅需要引入spring-boot-starter-security模塊,進行少量的配置,即可實現強大的安全管理.
首先我們需要記住這幾個類:
- WebSecurityConfigurerAdapter:自定義security策略
- AuthenticationManagerBuilder:自定義認證策略
- @EnableWebSecurity:開啓WebSecurity模式, @Enablexxxx就是開啓某個功能
Spring Security的兩個主要的目標是"認證"和"授權"(訪問控制):
- 認證(Authentication)
- 授權(Authorization)
這兩個概念是通用的,不僅僅只在springsecurity中存在
package com.qiu.config;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
@EnableWebSecurity
public class SecurityConfig extends WebSecurityConfigurerAdapter {

    /**
     * Bare skeleton of a Spring Security configuration.
     *
     * <p>Nothing is customised yet: the call to {@code super.configure(http)}
     * keeps whatever defaults the adapter applies, so this class is only the
     * scaffold that the later examples fill in.
     *
     * @param http the builder for the web security rules
     * @throws Exception propagated from the adapter's default configuration
     */
    @Override
    protected void configure(HttpSecurity http) throws Exception {
        // Delegate to the adapter defaults; no rules of our own yet.
        super.configure(http);
    }
}
這是一個固定的架子
添加權限代碼:
// Fragment of configure(HttpSecurity): the root path is open to everyone,
// and each /levelN/** subtree requires the matching "vipN" role.
// No anyRequest() rule is declared here, so paths outside these patterns are
// not governed by this chain — confirm that is intended for the application.
http.authorizeRequests().antMatchers("/")
.permitAll()
.antMatchers("/level1/**").hasRole("vip1")
.antMatchers("/level2/**").hasRole("vip2")
.antMatchers("/level3/**").hasRole("vip3");
這樣就實現了只有具備相應等級(角色)的用戶才可以訪問對應的地址
如以下代碼:
package com.qiu.config;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
import org.springframework.security.crypto.password.PasswordEncoder;
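@EnableWebSecurity
public class SecurityConfig extends WebSecurityConfigurerAdapter {

    /**
     * Authorization: maps URL patterns to the role required to reach them.
     *
     * <p>The root path is open to everyone; each {@code /levelN/**} subtree
     * requires the corresponding {@code vipN} role. Anything that is not
     * matched by these patterns is not covered by this chain — no
     * {@code anyRequest()} rule is declared — so confirm that is intended.
     * Unauthenticated access to a protected path is redirected to the default
     * form-login page.
     *
     * @param http the builder for the web security rules
     * @throws Exception propagated from the HttpSecurity builder
     */
    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http.authorizeRequests()
                .antMatchers("/").permitAll()
                .antMatchers("/level1/**").hasRole("vip1")
                .antMatchers("/level2/**").hasRole("vip2")
                .antMatchers("/level3/**").hasRole("vip3");
        // Enable the default login form so a denied request has somewhere to go.
        http.formLogin();
    }

    /**
     * Authentication: an in-memory user store used for the demonstration.
     *
     * <p>A single {@link PasswordEncoder} instance is shared between hashing the
     * demo passwords and verifying them at login, instead of constructing a new
     * BCrypt encoder for every call. In a real application these users would be
     * loaded from a database, and the passwords would not be literals in code.
     *
     * @param auth the builder for the authentication manager
     * @throws Exception propagated from the AuthenticationManagerBuilder
     */
    @Override
    protected void configure(AuthenticationManagerBuilder auth) throws Exception {
        PasswordEncoder encoder = new BCryptPasswordEncoder();
        auth.inMemoryAuthentication().passwordEncoder(encoder)
                .withUser("qiuzhikang").password(encoder.encode("123456")).roles("vip2", "vip3")
                .and()
                .withUser("root").password(encoder.encode("123456")).roles("vip1", "vip2", "vip3")
                .and()
                .withUser("guest").password(encoder.encode("123456")).roles("vip1");
    }
}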
如果需要連接數據庫,可以從官方文檔中獲取到對應的示例代碼
附上完整代碼:
package com.qiu.config;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
import org.springframework.security.crypto.password.PasswordEncoder;
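@EnableWebSecurity
public class SecurityConfig extends WebSecurityConfigurerAdapter {

    /**
     * Authorization plus login, logout and remember-me handling.
     *
     * <p>The root path is open to everyone; each {@code /levelN/**} subtree
     * requires the corresponding {@code vipN} role. No {@code anyRequest()}
     * rule is declared, so paths outside these patterns are not governed by
     * this chain — confirm that is intended. A custom login page is served
     * at {@code /toLogin}; logging out returns to {@code /}.
     *
     * @param http the builder for the web security rules
     * @throws Exception propagated from the HttpSecurity builder
     */
    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http.authorizeRequests()
                .antMatchers("/").permitAll()
                .antMatchers("/level1/**").hasRole("vip1")
                .antMatchers("/level2/**").hasRole("vip2")
                .antMatchers("/level3/**").hasRole("vip3");
        // Denied requests are sent to the application's own login page.
        http.formLogin().loginPage("/toLogin");
        // CSRF protection is switched off here. The original note says this was
        // done because logout failed: with CSRF enabled, Spring Security only
        // accepts logout via POST, so a plain GET link to /logout is rejected.
        // Disabling CSRF removes that protection for every state-changing
        // request in the application; the safer fix is to keep it enabled and
        // submit logout as a POST form that carries the CSRF token.
        http.csrf().disable();
        http.logout().logoutSuccessUrl("/");
        // Remember-me via cookie; "remember" is the request parameter name the
        // login form must use. No key() is configured, so the token key is
        // whatever this Spring Security version generates by default —
        // NOTE(review): confirm whether remember-me cookies are expected to
        // survive an application restart.
        http.rememberMe().rememberMeParameter("remember");
    }

    /**
     * Authentication: an in-memory user store used for the demonstration.
     *
     * <p>A single {@link PasswordEncoder} instance is shared between hashing the
     * demo passwords and verifying them at login, instead of constructing a new
     * BCrypt encoder for every call. In a real application these users would be
     * loaded from a database, and the passwords would not be literals in code.
     *
     * @param auth the builder for the authentication manager
     * @throws Exception propagated from the AuthenticationManagerBuilder
     */
    @Override
    protected void configure(AuthenticationManagerBuilder auth) throws Exception {
        PasswordEncoder encoder = new BCryptPasswordEncoder();
        auth.inMemoryAuthentication().passwordEncoder(encoder)
                .withUser("qiuzhikang").password(encoder.encode("123456")).roles("vip2", "vip3")
                .and()
                .withUser("root").password(encoder.encode("123456")).roles("vip1", "vip2", "vip3")
                .and()
                .withUser("guest").password(encoder.encode("123456")).roles("vip1");
    }
}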