SpringSecurity(安全)
在web开发中,安全第一位!过滤器,拦截器~
功能性需求:否
做网站:安全应该在什么时候考虑?设计之初!
漏洞,隐私泄露~
架构一旦确定~
shiro、SpringSecurity:很像~除了类不一样,名字不一样;
认证,授权(vip1,vip2,vip3)
功能权限
访问权限
菜单权限
…拦截器,过滤器:大量的原生代码~兄余
MVC-Spring—SpringBoot—框架思想
Aop:做一个配置类
简介
Spring Security是针对Spring项目的安全框架,也是Spring Boot底层安全模块默认的技术选型,他可以实现强大的Web安全控制,对于安全控制,我们仅需要引入spring-boot-starter-security模块,进行少量的配置,即可实现强大的安全管理!
记住几个类:
- WebSecurityConfigurerAdapter:自定义Security策略
- AuthenticationManagerBuilder:自定义认证策略
- @EnableWebSecurity:开启WebSecurity模式
Spring Security的两个主要目标是“认证”和“授权”(访问控制)。
“认证”(Authentication)
“授权”(Authorization)
这个概念是通用的,而不是只在Spring Security中存在。
搭建环境
创建一个有web功能的springboot项目
关闭缓存
spring.thymeleaf.cache=false
导入素材
导入依赖
<!--thymeleaf模板--><dependency><groupId>org.thymeleaf</groupId><artifactId>thymeleaf-spring5</artifactId></dependency><dependency><groupId>org.thymeleaf.extras</groupId><artifactId>thymeleaf-extras-java8time</artifactId></dependency>
配置路由跳转控制
@Controllerpublic class RouterController {@RequestMapping({"/","/index"})public String index() {return "index";}@RequestMapping("/toLogin")public String toLogin() {return "views/login";}@RequestMapping("/level1/{id}")public String level1(@PathVariable("id") int id) {return "views/level1/"+id;}@RequestMapping("/level2/{id}")public String level2(@PathVariable("id") int id) {return "views/level2/"+id;}@RequestMapping("/level3/{id}")public String level3(@PathVariable("id") int id) {return "views/level3/ "+id;}}
构建Security
导入依赖
<!--security--><dependency><groupId>org.springframework.boot</groupId><artifactId>spring-boot-starter-security</artifactId></dependency>
完善拦截器功能
//Aop: 拦截器@EnableWebSecuritypublic class SecurityConfig extends WebSecurityConfigurerAdapter {//授权//链式编程@Overrideprotected void configure(HttpSecurity http) throws Exception {//主页所有人可以访问,功能页只有对应有权限的人才访问//请求授权的规则http.authorizeRequests().antMatchers("/").permitAll().antMatchers("/level1/**").hasRole("vip1").antMatchers("/level2/**").hasRole("vip2").antMatchers("/level3/**").hasRole("vip3");//没有权限默认会到登录页面http.formLogin();}//认证,springboot 2.1.X可以直接使用~//密码编码:PasswordEncoder//在Spring Secutiry 5.0+ 新增了很多的加密方法@Overrideprotected void configure(AuthenticationManagerBuilder auth) throws Exception {//这些数据正常应该从数据库中读auth.inMemoryAuthentication().passwordEncoder(new BCryptPasswordEncoder()).withUser("root").password(new BCryptPasswordEncoder().encode("123456")).roles("vip1","vip2","vip3").and().withUser("6b92d6").password(new BCryptPasswordEncoder().encode("123456")).roles("vip1","vip2").and().withUser("dafran").password(new BCryptPasswordEncoder().encode("123456")).roles("vip3");}}
权限控制和注销
导入依赖
<!--security-thymeleaf整合包--><dependency><groupId>org.thymeleaf.extras</groupId><artifactId>thymeleaf-extras-springsecurity4</artifactId><version>3.0.4.RELEASE</version></dependency>
降低SpringBoot版本为:2.0.9.RELEASE
增加注销及关闭csrf功能
//防止网站工具:get,posthttp.csrf().disable(); //关闭csrf功能,登录失败可能存在的原因//注销,开启注销功能,跳转到首页http.logout().logoutSuccessUrl("/");
前端修改
<!--如果未登录--><div sec:authorize="!isAuthenticated()"><a class="item" th:href="@{/toLogin}"><i class="address card icon"></i> 登录</a></div><!--如果登录: 用户名、角色、注销--><div sec:authorize="isAuthenticated()"><a class="item">用户名:<span sec:authentication="name"></span><!-- 角色:<span sec:authentication="principal.getAuthorities()"></span>--></a></div><div sec:authorize="isAuthenticated()"><!--注销--><a class="item" th:href="@{/logout}"><i class="sign-out icon"></i> 注销</a></div>
<div class="column" sec:authorize="hasRole('vip1')"><div class="ui raised segment"><div class="ui"><div class="content"><h5 class="content">Level 1</h5><hr><div><a th:href="@{/level1/1}"><i class="bullhorn icon"></i> Level-1-1</a></div><div><a th:href="@{/level1/2}"><i class="bullhorn icon"></i> Level-1-2</a></div><div><a th:href="@{/level1/3}"><i class="bullhorn icon"></i> Level-1-3</a></div></div></div></div></div><div class="column" sec:authorize="hasRole('vip2')"><div class="ui raised segment"><div class="ui"><div class="content"><h5 class="content">Level 2</h5><hr><div><a th:href="@{/level2/1}"><i class="bullhorn icon"></i> Level-2-1</a></div><div><a th:href="@{/level2/2}"><i class="bullhorn icon"></i> Level-2-2</a></div><div><a th:href="@{/level2/3}"><i class="bullhorn icon"></i> Level-2-3</a></div></div></div></div></div><div class="column" sec:authorize="hasRole('vip3')"><div class="ui raised segment"><div class="ui"><div class="content"><h5 class="content">Level 3</h5><hr><div><a th:href="@{/level3/1}"><i class="bullhorn icon"></i> Level-3-1</a></div><div><a th:href="@{/level3/2}"><i class="bullhorn icon"></i> Level-3-2</a></div><div><a th:href="@{/level3/3}"><i class="bullhorn icon"></i> Level-3-3</a></div></div></div></div></div>
记住我和首页定制
增加配置
//开启记住我功能 cookie,默认保存两周http.rememberMe().rememberMeParameter("remember");//没有权限默认会到登录页面,定制登录页http.formLogin().loginPage("/toLogin").usernameParameter("user").passwordParameter("pwd").loginProcessingUrl("/login");
同时修改html
<div class="ui form"><form th:action="@{/login}" method="post"><div class="field"><label>Username</label><div class="ui left icon input"><input type="text" placeholder="Username" name="user"><i class="user icon"></i></div></div><div class="field"><label>Password</label><div class="ui left icon input"><input type="password" name="pwd"><i class="lock icon"></i></div></div><div class="field"><input type="checkbox" name="remember">记住我</div><input type="submit" class="ui blue submit button"/></form></div>
其中`th:action="@{/login}"`与`.loginPage("/login")`对应;或者增加`.loginPage("/toLogin").loginProcessingUrl("/login")``.usernameParameter("user").passwordParameter("pwd")`与`input`的name属性相同
若有收获,就点个赞吧
0 人点赞
