Spring Boot安全管理—Spring Security基本配置

Spring Security的基本配置

1. 基本用法

1.1 创建项目，添加依赖

创建一个Spring Boot Web 项目，然后添加spring-boot-starter-security依赖。

<!-- security       --><dependency><groupId>org.springframework.boot</groupId><artifactId>spring-boot-starter-security</artifactId></dependency>

1.2 添加hello接口

在项目中添加一个简单的/hello接口，内容如下：

@RestControllerpublicclassHelloController{@GetMapping("/hello")publicStringhello(){return"Hello";}}

1.3 启动项目测试

访问/hello接口会自动跳转到登录页面，这个页面有Spring Security提供的。

默认的用户名是user，默认的登录密码在每次启动项目随机生成，查看项目日志：

2. 配置用户名和密码

在application。properties中配置默认的用户名、密码以及用户角色。

spring.security.user.name=chen
spring.security.user.password=123456
spring.security.user.roles=admin

3. 基于内存的认证

开发者可以自定义类继承WebSecurityConfigurerAdapter，进而实现对Spring Security更多的自定义配置。例如基于内存的认证。

@ConfigurationpublicclassMyWebSecurityConfigextendsWebSecurityConfigurerAdapter{@BeanPasswordEncoderpasswordEncoder(){returnNoOpPasswordEncoder.getInstance();}@Overrideprotectedvoidconfigure(AuthenticationManagerBuilder auth)throwsException{
        auth.inMemoryAuthentication().withUser("admin").password("123456").roles("ADMIN","USER").and().withUser("chen").password("123456").roles("USER");}}

代码解释：

• 自定义MyWebSecurityConfig继承WebSecurityConfigurerAdapter，并重写configure(AuthenticationManagerBuilder auth)方法，在该方法中配直两个用户，一个用户名是adnin ，密码123456 ，具备两个角色 ADMIN 和 USER；另一个用户名是chen ，密码是123456 ，具备一个角色 USER。

4. HttpSecurity

虽然现在可以实现认证功能，但是受保护的资源都是默认的，而且不能根据实际情况进行角色管理。如果要实现这些功能，就需要重写WebSecurityConfigurerAdapter中的另一个方法，代码如下：

@ConfigurationpublicclassMyWebSecurityConfigextendsWebSecurityConfigurerAdapter{@BeanPasswordEncoderpasswordEncoder(){returnNoOpPasswordEncoder.getInstance();}@Overrideprotectedvoidconfigure(AuthenticationManagerBuilder auth)throwsException{
        auth.inMemoryAuthentication().withUser("admin").password("123456").roles("ADMIN","USER").and().withUser("chen").password("123456").roles("USER");}@Overrideprotectedvoidconfigure(HttpSecurity http)throwsException{
        http.authorizeRequests().antMatchers("/admin/**").hasRole("ADMIN").antMatchers("/user/**").access("hasAnyRole('ADMIN','USER')").antMatchers("/db/**").access("hasRole('admin') and hasRole('DBA')").anyRequest().authenticated().and().formLogin().loginProcessingUrl("/login").permitAll().and().csrf().disable();}}

配置完成后，接下来在Controller中添加如下接口进行测试：

@RestControllerpublicclassHelloController{@GetMapping("/admin/hello")publicStringadmin(){return"hello admin";}@GetMapping("/user/hello")publicStringuser(){return"hello user";}@GetMapping("db/hello")publicStringdba(){return"hello dba";}@GetMapping("/hello")publicStringhello(){return"hello";}}

"admin/hello"接口root和admin用户具有访问权限，“/user/hello”接口admin和chen用户具有访问权限，“/db/hello”只有root用户具有访问权限。

5. 登录表单详细配置

在前后端分离的开发方式中，前后端的数据交互通过JSON进行，要实现这些功能，需要继续完成上文配置。

@ConfigurationpublicclassMyWebSecurityConfigextendsWebSecurityConfigurerAdapter{@BeanPasswordEncoderpasswordEncoder(){returnNoOpPasswordEncoder.getInstance();}@Overrideprotectedvoidconfigure(AuthenticationManagerBuilder auth)throwsException{
        auth.inMemoryAuthentication().withUser("admin").password("123456").roles("ADMIN","USER").and().withUser("chen").password("123456").roles("USER");}@Overrideprotectedvoidconfigure(HttpSecurity http)throwsException{
        http.authorizeRequests().antMatchers("/admin/**").hasRole("ADMIN").antMatchers("/user/**").access("hasAnyRole('ADMIN','USER')").antMatchers("/db/**").access("hasRole('admin') and hasRole('DBA')").anyRequest().authenticated().and().formLogin().loginPage("/login_page").loginProcessingUrl("/login").usernameParameter("name").passwordParameter("passwd").successHandler(newAuthenticationSuccessHandler(){@OverridepublicvoidonAuthenticationSuccess(HttpServletRequest request,HttpServletResponse response,Authentication authentication)throwsIOException,ServletException{Object principal = authentication.getPrincipal();
                        response.setContentType("application/json;charset=utf-8");PrintWriter out = response.getWriter();
                        response.setStatus(200);HashMap<String,Object> map =newHashMap<>();
                        map.put("status",200);
                        map.put("msg",principal);ObjectMapper om =newObjectMapper();
                        out.write(om.writeValueAsString(map));
                        out.flush();
                        out.close();}}).failureHandler(newAuthenticationFailureHandler(){@OverridepublicvoidonAuthenticationFailure(HttpServletRequest request,HttpServletResponse response,AuthenticationException e)throwsIOException,ServletException{
                        response.setContentType("application/json;charset=utf-8");PrintWriter out = response.getWriter();
                        response.setStatus(401);HashMap<String,Object> map =newHashMap<>();
                        map.put("status",401);if(e instanceofLockedException){
                            map.put("msg","账户被锁定，登录失败");}elseif(e instanceofBadCredentialsException){
                            map.put("msg","账户或密码输入错误，登录失败");}elseif(e instanceofDisabledException){
                            map.put("msg","账户被禁用，登录失败");}elseif(e instanceofAccountExpiredException){
                            map.put("msg","账户过期，登录失败");}elseif(e instanceofCredentialsExpiredException){
                            map.put("msg","密码过期，登录失败");}else{
                            map.put("msg","登录失败");}ObjectMapper om=newObjectMapper();
                        out.write(om.writeValueAsString(map));
                        out.flush();
                        out.close();}}).permitAll().and();}}

6. 注销登录

如果想要注销登录，也只需提供简单的配置即可。

.and().logout().logoutUrl("/logout").clearAuthentication(true).addLogoutHandler(newLogoutHandler(){@Overridepublicvoidlogout(HttpServletRequest request,HttpServletResponse response,Authentication authentication){}}).logoutSuccessHandler(newLogoutSuccessHandler(){@OverridepublicvoidonLogoutSuccess(HttpServletRequest request,HttpServletResponse response,Authentication authentication)throwsIOException,ServletException{
                        response.sendRedirect("/login_page");}}).and();