-
springsecurity学习笔记-未完
目录
前言
记录一下学习springsecurity的过程
开发环境:IDEA,springsecurity6
一、概念
1.什么是springsecurity
spring提供的安全管理框架,核心功能是认证,授权
认证:验证当前用户是不是本系统注册的用户,识别具体是哪个用户
授权:通过认证的用户,需要判断是否具有权限进行某个操作
2.对比shiro
springsecurity功能更强大,shiro更容易上手应用
3.执行过程
初学阶段,从我的角度来说,最重要的是先用起来,底层逻辑在一开始我并不重视,但要知道的是整个执行过程是一组过滤器链,核心过滤器有三个
UsernamePasswordAuthenticationFilter:用户名密码认证过滤器,处理登录请求
ExceptionTranslationFilter:异常转换过滤器
FilterSecurityInterceptor:权限过滤器
二、开始项目
1.建立一个空项目,建立module,引入相关依赖
new Project->Empty Project
File->new module->Spring Initializr->Maven->选择需要加入的功能->生成项目,等待依赖导入
必须选择的包括springsecurity,springweb,注意右上角选择自己想要的springboot版本,springboot版本与jdk版本要匹配,否则可能会导致其他依赖的版本混乱
附上依赖pom
- "1.0" encoding="UTF-8"?>
"http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" - xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 https://maven.apache.org/xsd/maven-4.0.0.xsd">
4.0.0 org.springframework.boot spring-boot-starter-parent 3.1.2 com.example demo 0.0.1-SNAPSHOT crm Demo project for Spring Boot 17 org.springframework.boot spring-boot-starter-security org.springframework.boot spring-boot-starter-thymeleaf org.springframework.boot spring-boot-starter-web org.thymeleaf.extras thymeleaf-extras-springsecurity6 org.springframework.boot spring-boot-devtools runtime true org.projectlombok lombok true org.springframework.boot spring-boot-starter-test test org.springframework.security spring-security-test test org.springframework.boot spring-boot-maven-plugin org.projectlombok lombok
2.启动项目,访问项目
控制台输出如下,意思是自动生成了密码,如果你要在生产环境使用,应该修改配置
- Using generated security password: 7bc86ae1-30a1-435c-bc59-6d894a7ae0b6
- This generated password is for development use only. Your security configuration must be updated before running your application in production.
访问项目localhost:8080,以往我们访问本地项目,直接会进入首页,但这次弹出了一个登录页面
这是springsecurity自带的过滤器,验证当前用户没有登陆,自动跳转到登录页面
这个页面是通过网络下载的bootstrap页面,如果下载的有问题,那么页面展示效果可能会不太好,可以忽略
输入账号密码登录,默认账号为user,密码为刚刚控制台输出的
登陆后跳转到error页面,这并不是登录失败了,只是没有识别到登陆成功后应该跳转到哪
我们可以自己写一个接口访问,比如http://localhost:8080/index,页面输出hello world!
- @RestController
- public class IndexController {
- @GetMapping("/index")
- public String index() {
- return "hello world!";
- }
- }
3.自定义密码
如果我们不想使用默认生成的密码,可以自己配置密码application.yml
- spring:
- security:
- user:
- name: admin
- password: 1234
那么刚才我们没有配置密码的时候,默认密码是怎么生成的呢,security的User类给name和password提供了默认值
- private String name = "user";
- private String password = UUID.randomUUID().toString();
4.自定义登陆页面
显然我们不可能使用security提供的登陆页面
如何让springsecurity能够跳转到我们自定义的登陆页面并验证呢
1.编写页面
注意:
1.这里@{/login},@{/logout}指的是springsecurity提供的认证和退出接口,不是我们自己手写的访问接口2.这里使用了thymeleaf模板引擎,页面存放在templates目录下,如果不用引擎,应当作为静态页面存放在static下,或者通过spring.web.resources.static-locations配置
3.@{/login}的入参必须是username,password,切记不能自由发挥
- login.html
- html>
- <html lang="en" xmlns:th="https://www.thymeleaf.org">
- <head>
- <meta charset="UTF-8">
- <title>登录title>
- head>
- <body>
- <h1>你好h1>
- <form th:action="@{/login}" method="post">
- 用户名:<input type="text" name="username">
- 密码:<input type="password" name="password">
- <input type="submit" value="登录">
- form>
- body>
- html>
- index.html
- html>
- <html lang="en" xmlns:th="https://www.thymeleaf.org">
- <head>
- <meta charset="UTF-8">
- <title>首页title>
- head>
- <body>
- hello world!
- <form th:action="@{/logout}" method="post">
- <input type="submit" value="退出">
- form>
- body>
- html>
2.编写跳转页面的接口
注意:
1.login.html也可写作login2.使用@Controller,而不是@RestController,当然也不可以使用@ResponseBody,因为这样会使返回值成为一个字符串,而不是页面
- @Controller
- public class LoginController {
- /**
- * 登录页
- *
- * @return
- */
- @RequestMapping("/login")
- public String login() {
- return "login.html";
- }
- /**
- * 首页
- *
- * @return
- */
- @RequestMapping("/index")
- public String index() {
- return "index.html";
- }
- }
3.配置springsecurity
- import org.springframework.context.annotation.Bean;
- import org.springframework.context.annotation.Configuration;
- import org.springframework.security.config.Customizer;
- import org.springframework.security.config.annotation.web.builders.HttpSecurity;
- import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
- import org.springframework.security.web.SecurityFilterChain;
- @Configuration
- @EnableWebSecurity //开启springsecurity,自动引入过滤器链SecurityFilterChain
- public class SecurityConfig {
- @Bean
- public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
- /*
- security6
- authorizeHttpRequests():针对http请求的授权配置
- requestMatchers:匹配http请求url,此处指定为/login
- permitAll:给与所有权限,即允许匿名访问(不登陆直接访问)
- anyRequest:其它的所有的请求
- authenticated:需要认证
- */
- http.authorizeHttpRequests(authorizationManagerRequestMatcherRegistry ->
- authorizationManagerRequestMatcherRegistry
- .requestMatchers("/login")
- .permitAll()
- .anyRequest()
- .authenticated()
- );
- /*
- loginPage:登陆页面
- loginProcessingUrl:登录接口
- defaultSuccessUrl:登陆成功跳转
- */
- http.formLogin(httpSecurityFormLoginConfigurer ->
- httpSecurityFormLoginConfigurer
- .loginPage("/login").permitAll()
- .loginProcessingUrl("/login")
- .defaultSuccessUrl("/index")
- );
- //关闭跨域漏洞防御
- http.csrf(Customizer.withDefaults());
- //退出
- http.logout(httpSecurityLogoutConfigurer -> httpSecurityLogoutConfigurer.invalidateHttpSession(true));
- //security5,已经被标记为过时,不建议
- // http.authorizeHttpRequests()
- // .requestMatchers("/public/**")
- // .permitAll()
- // .anyRequest()
- // .hasRole("USER")
- // .and()
- // .formLogin()
- // .permitAll();
- return http.build();
- }
- }
5.前后端分离登录配置
此处不讨论前端页面,只关注security配置
与前后端不分的区别:去掉了登录页面和默认跳转页面,相当于入口由前端项目控制,前端页面拿到登录成功的返回值后,通过路由控制跳转首页
- import org.springframework.context.annotation.Bean;
- import org.springframework.context.annotation.Configuration;
- import org.springframework.security.config.Customizer;
- import org.springframework.security.config.annotation.web.builders.HttpSecurity;
- import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
- import org.springframework.security.web.SecurityFilterChain;
- @Configuration
- @EnableWebSecurity //开启springsecurity,自动引入过滤器链SecurityFilterChain
- public class SecurityConfig {
- @Bean
- public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
- /*
- security6
- authorizeHttpRequests():针对http请求的授权配置
- requestMatchers:匹配http请求url,此处指定为/login
- permitAll:给与所有权限,即允许匿名访问(不登陆直接访问)
- anyRequest:其它的所有的请求
- authenticated:需要认证
- */
- http.authorizeHttpRequests(authorizationManagerRequestMatcherRegistry ->
- authorizationManagerRequestMatcherRegistry
- .requestMatchers("/login")
- .permitAll()
- .anyRequest()
- .authenticated()
- );
- /*
- loginProcessingUrl:指定登录接口,即前端点击登陆时需要调用的接口名,默认值为/login
- successHandler:成功处理
- failureHandler:失败处理
- */
- http.formLogin(httpSecurityFormLoginConfigurer ->
- httpSecurityFormLoginConfigurer
- .loginProcessingUrl("/login")
- .successHandler(new LoginSuccessHandler())
- .failureHandler(new LoginFailureHandler())
- );
- //关闭跨域漏洞防御,跨域拦截
- http.csrf(Customizer.withDefaults()).cors(Customizer.withDefaults());
- //退出
- http.logout(httpSecurityLogoutConfigurer -> httpSecurityLogoutConfigurer.invalidateHttpSession(true));
- //security5,已经被标记为过时,不建议
- // http.authorizeHttpRequests()
- // .requestMatchers("/public/**")
- // .permitAll()
- // .anyRequest()
- // .hasRole("USER")
- // .and()
- // .formLogin()
- // .permitAll();
- return http.build();
- }
- }
- import jakarta.servlet.ServletException;
- import jakarta.servlet.http.HttpServletRequest;
- import jakarta.servlet.http.HttpServletResponse;
- import org.springframework.security.core.AuthenticationException;
- import org.springframework.security.web.authentication.AuthenticationFailureHandler;
- import java.io.IOException;
- public class LoginFailureHandler implements AuthenticationFailureHandler {
- @Override
- public void onAuthenticationFailure(HttpServletRequest request, HttpServletResponse response, AuthenticationException exception) throws IOException, ServletException {
- response.setContentType("text/html;charset=UFT-8");
- response.getWriter().write("loginNo");
- exception.printStackTrace();
- }
- }
- import jakarta.servlet.ServletException;
- import jakarta.servlet.http.HttpServletRequest;
- import jakarta.servlet.http.HttpServletResponse;
- import org.springframework.security.core.Authentication;
- import org.springframework.security.web.authentication.AuthenticationSuccessHandler;
- import java.io.IOException;
- public class LoginSuccessHandler implements AuthenticationSuccessHandler {
- @Override
- public void onAuthenticationSuccess(HttpServletRequest request, HttpServletResponse response, Authentication authentication) throws IOException, ServletException {
- response.setContentType("text/html;charset=UFT-8");
- response.getWriter().write("loginYes");
- authentication.getPrincipal();
- authentication.getAuthorities();
- authentication.getCredentials();
- }
- }
三、权限
在实际应用中,通常使用角色控制菜单的访问,通过权限控制接口的访问(即功能的访问)
看一下增加了权限的SecurityConfig文件
authorizeHttpRequests:增加角色,权限配置
InMemoryUserDetailsManager:在内存中配置几个用户,后续可以改为读取数据库
PasswordEncoder:密码编码器,给密码加密
- package com.example.crm.config.login;
- import org.springframework.boot.autoconfigure.security.SecurityProperties;
- import org.springframework.context.annotation.Bean;
- import org.springframework.context.annotation.Configuration;
- import org.springframework.security.config.Customizer;
- import org.springframework.security.config.annotation.web.builders.HttpSecurity;
- import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
- import org.springframework.security.core.userdetails.User;
- import org.springframework.security.core.userdetails.UserDetails;
- import org.springframework.security.crypto.password.NoOpPasswordEncoder;
- import org.springframework.security.crypto.password.PasswordEncoder;
- import org.springframework.security.provisioning.InMemoryUserDetailsManager;
- import org.springframework.security.web.SecurityFilterChain;
- @Configuration
- @EnableWebSecurity //开启springsecurity,自动引入过滤器链SecurityFilterChain
- public class SecurityConfig {
- @Bean
- public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
- /*
- security6
- authorizeHttpRequests():针对http请求的授权配置
- requestMatchers:匹配http请求url,此处指定为/login
- permitAll:允许匿名访问(不登陆直接访问)
- hasRole,hasAnyRole:指定访问角色
- hasAuthority,hasAnyAuthority:指定权限
- anyRequest:其它的所有的请求
- authenticated:需要认证
- */
- http.authorizeHttpRequests(authorizationManagerRequestMatcherRegistry ->
- authorizationManagerRequestMatcherRegistry
- .requestMatchers("/login").permitAll()
- // .requestMatchers("admin/*").hasRole("admin")
- // .requestMatchers("user/*").hasAnyRole("admin", "user")
- .requestMatchers("admin/*").hasAuthority("admin:get")
- .requestMatchers("user/*").hasAnyAuthority("admin:get", "user:get")
- .anyRequest().authenticated()
- );
- /*
- formLogin:针对登录的配置
- loginProcessingUrl:指定登录接口,即前端点击登陆时需要调用的接口名,默认值为/login
- successHandler:成功处理
- failureHandler:失败处理
- */
- http.formLogin(httpSecurityFormLoginConfigurer ->
- httpSecurityFormLoginConfigurer
- .loginProcessingUrl("/login")
- .successHandler(new LoginSuccessHandler())
- .failureHandler(new LoginFailureHandler())
- );
- /*
- * 异常处理
- */
- http.exceptionHandling(httpSecurityExceptionHandlingConfigurer -> httpSecurityExceptionHandlingConfigurer.accessDeniedPage("/exception"));
- //关闭跨域漏洞防御,跨域拦截
- http.csrf(Customizer.withDefaults()).cors(Customizer.withDefaults());
- //退出
- http.logout(httpSecurityLogoutConfigurer -> httpSecurityLogoutConfigurer.invalidateHttpSession(true));
- return http.build();
- }
- //用户
- @Bean
- public InMemoryUserDetailsManager inMemoryUserDetailsManager() {
- UserDetails admin = User
- .withUsername("admin").password("1234")
- // .roles("admin", "user")
- .authorities("admin:get", "user:get")
- .build();
- UserDetails user = User.withUsername("user").password("1234").roles("user").build();
- return new InMemoryUserDetailsManager(admin, user);
- }
- //密码编码器
- @Bean
- public PasswordEncoder passwordEncoder() {
- return NoOpPasswordEncoder.getInstance();
- }
- }
-
相关阅读:
【机器学习】04. 神经网络模型 MLPClassifier分类算法与MLPRegressor回归算法(代码注释,思路推导)
酷开科技夯实流量基础,构建智慧生活新风尚!
数据库基本操作:如何查询数据库和创建表,以及查看表,复制表,删除表,添加主键,修改主键,删除主键
[附源码]计算机毕业设计基于Springboot学生社团信息管理系统
Vuex的简介以及入门案例
【光学】基于matlab GUI双孔干涉【含Matlab源码 2119期】
Flink开发语言使用Java还是Scala合适?
触发迅雷下载
Spring Cloud Netflix
leetcode《图解数据结构》刷题日志【第五周】(2022/11/21-2022/11/28)
- 原文地址:https://blog.csdn.net/qq_41358151/article/details/134057924
