Springboot 集成Spring Security教程 (二)
本文我们继续 Springboot 集成 Security, 在本文中我们将实现自定义登录验证信息
上篇教程 (一): http://www.izuul.com/index.php/2019/04/05/springboot-security1/
我的博客: http://www.izuul.com
在上篇基础上新建 config 包, 并且新建 SecurityConfig 配置类
一. 在内存中创建登录用户
以下代码做了基本配置, 通过AuthenticationManagerBuilder在内存中创建一个用户izuul,密码也是 izuul,角色是 USER.
这个过程主要要添加PasswordEncoder(编码器), 否则报错
package com.izuul.springsecurity.config;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
import org.springframework.security.crypto.password.*;
@Configuration
@EnableWebSecurity
public class SecurityConfig extends WebSecurityConfigurerAdapter {
@Bean
public PasswordEncoder passwordEncoder() {
return new BCryptPasswordEncoder();
}
@Autowired
public void config(AuthenticationManagerBuilder auth) throws Exception {
auth.inMemoryAuthentication()
.passwordEncoder(passwordEncoder())
.withUser("izuul")
.password(passwordEncoder().encode("izuul"))
.roles("USER");
}
}
启动项目访问: <http://localhost:8080/ 并输入账号(izuul) 密码(izuul), 登录
项目登录成功就会进入主页
二. 配置 HttpSecurity 资源控制
在上文中 SecurityConfig 配置类中复写 configure 方法
@Override
protected void configure(HttpSecurity http) throws Exception {
http.authorizeRequests()
.antMatchers("/").permitAll()
.antMatchers("/users/**").hasRole("USER")
.and()
.formLogin().loginPage("/login").failureUrl("/login-error")
.and()
.logout().logoutUrl("/logout");
}
这段代码中进行了如下配置:
- 根路径 “/” 允许全部访问请求
- 路径 “/users/**” 只允许角色是 USER 的访问, hasRole() 方法也可以用多参数方法 hasAnyRole()
- 登录路径设置为 /login
- 登录失败跳转到 /login-error
- 注销路径 /login
HttpSecurity 配置好了下面开始写 controller 路径
新建 controller 包并且新建 SecurityController 类
SecurityController 中很简单就使用默认请求方式吧
package com.izuul.springsecurity.controller;
import org.springframework.stereotype.Controller;
import org.springframework.ui.Model;
import org.springframework.web.bind.annotation.RequestMapping;
@Controller
public class SecurityController {
@RequestMapping("/")
public String index() {
return "index";
}
@RequestMapping("/login")
public String login() {
return "login";
}
@RequestMapping("/login-error")
public String loginError(Model model) {
model.addAttribute("error", true);
model.addAttribute("msg", "登录失败");
return "login";
}
@RequestMapping("/logout")
public String logout() {
return "logout";
}
@RequestMapping("/users")
public String users() {
return "user";
}
}
创建对应的 4 个 html 页面
index.html
<!DOCTYPE html>
<html lang="en"
xmlns:th="http://www.thymeleaf.org">
<head>
<meta charset="UTF-8">
<title>Title</title>
</head>
<body>
izuul 主页
<br>
<a th:href="@{/login}">登录</a>
<br>
<a th:href="@{/users}">users</a>
</body>
</html>
login.html
<!DOCTYPE html>
<html lang="en"
xmlns:th="http://www.thymeleaf.org">
<head>
<meta charset="UTF-8">
<title>Title</title>
</head>
<body>
<div>
<form th:action="@{/login}" method="post">
<span th:if="${error}" th:text="${msg}" style="color: red"></span>
<br>
<label>
用户名:
<input name="username" type="text">
</label>
<br>
<label>
密码:
<input name="password" type="password">
</label>
<br>
<button>提交</button>
</form>
</div>
</body>
</html>
logout.html
<!DOCTYPE html>
<html lang="en"
xmlns:th="http://www.thymeleaf.org">
<head>
<meta charset="UTF-8">
<title>Title</title>
</head>
<body>
注销成功
</body>
</html>
user.html
<!DOCTYPE html>
<html lang="en"
xmlns:th="http://www.thymeleaf.org">
<head>
<meta charset="UTF-8">
<title>user</title>
</head>
<body>
user页面
<br>
<a th:href="@{/logout}">注销</a>
</body>
</html>
访问进行测试:
输入一个错误的密码
登录成功
下一篇教程会将用户登录信息存入数据库