一、 Spring-security 介绍
Spring-security核心功能:
- 认证 (你是谁)
- 授权 (可以干什么)
- 攻击防护 (防止伪造身份)
二、结合springboot 项目使用
1.导入依赖
<!-- spring security-->
<dependency>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-security</artifactId>
</dependency>
<dependency>
<groupId>org.thymeleaf.extras</groupId>
<artifactId>thymeleaf-extras-springsecurity5</artifactId>
<version>3.0.4.RELEASE</version>
</dependency>
<dependency>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-thymeleaf</artifactId>
</dependency>
2. 构建配置类：在 config 目录下创建 SecurityConfig
类上需要两个关键注解（@Configuration 和 @EnableWebSecurity）:
package com.janson.config;
import com.janson.service.impl.UserServiceImpl;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
import org.springframework.security.crypto.password.PasswordEncoder;
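@Configuration
@EnableWebSecurity
public class SecurityConfig extends WebSecurityConfigurerAdapter {

    /** Database-backed user lookup; also serves as the UserDetailsService below. */
    @Autowired
    UserServiceImpl userService;

    /**
     * Request authorization, form login, response headers, CSRF, logout and
     * remember-me configuration.
     *
     * @param http the HttpSecurity builder supplied by Spring Security
     * @throws Exception propagated from the builder
     */
    @Override
    protected void configure(HttpSecurity http) throws Exception {
        // Access rules. Matchers are evaluated in order, so the public paths must be
        // listed before the catch-all. Possible outcomes for a matcher:
        //   .denyAll()       - reject the request
        //   .authenticated() - require a logged-in user
        //   .permitAll()     - allow unconditionally
        http.authorizeRequests()
                .antMatchers("/", "/index").permitAll()
                .antMatchers("/register", "/login", "/toLogin").permitAll()
                .antMatchers("/swagger-ui.html", "/v2/**", "/swagger-resources/**").permitAll()
                // Fail closed: everything else requires authentication. The previous
                // pattern "/*" only matches a single path segment, so any request with
                // two or more segments matched no rule at all and was reachable without
                // logging in. Public static resources, if any, must be added as
                // permitAll() matchers above this line.
                .anyRequest().authenticated();

        // Form login
        http.formLogin()
                .usernameParameter("username")
                .passwordParameter("password")
                .loginPage("/toLogin")
                .loginProcessingUrl("/login")   // the login form POSTs here
                .defaultSuccessUrl("/index");   // landing page after a successful login

        // Security response headers.
        // NOTE(review): both calls remove browser-side protections that Spring Security
        // enables by default. Dropping X-Content-Type-Options lets browsers MIME-sniff
        // responses; dropping X-Frame-Options lets any site embed this application in a
        // frame (clickjacking). The original note attributed the frameOptions change to
        // image cross-origin problems, but X-Frame-Options does not govern image loading -
        // confirm these are actually required before keeping them.
        http.headers().contentTypeOptions().disable();
        http.headers().frameOptions().disable();

        // CSRF.
        // NOTE(review): with CSRF protection off, any third-party page can submit
        // state-changing requests that ride on the logged-in user's session cookie. The
        // original comment notes it was disabled because logout only accepts POST when
        // CSRF is on; the safer alternative is to keep CSRF enabled and submit logout as
        // a POST form that carries the CSRF token.
        http.csrf().disable();

        // Logout
        http.logout().logoutSuccessUrl("/");

        // Remember-me: name of the checkbox parameter on the login form
        http.rememberMe().rememberMeParameter("remember");
    }

    /**
     * Wires the database-backed UserDetailsService and the BCrypt encoder into the
     * authentication manager.
     *
     * @param auth the AuthenticationManagerBuilder
     * @throws Exception propagated from the builder
     */
    @Override
    protected void configure(AuthenticationManagerBuilder auth) throws Exception {
        auth.userDetailsService(userService).passwordEncoder(passwordEncoder());
    }

    /**
     * Password hashing used to verify logins.
     *
     * @return a BCrypt encoder; passwords stored in the database must therefore be
     *         BCrypt hashes, otherwise authentication never succeeds
     */
    @Bean
    public PasswordEncoder passwordEncoder() {
        return new BCryptPasswordEncoder();
    }
}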
package com.janson.service.impl;
import com.baomidou.mybatisplus.core.conditions.query.QueryWrapper;
import com.janson.entity.User;
import com.janson.entity.UserRole;
import com.janson.mapper.UserMapper;
import com.janson.service.UserRoleService;
import com.janson.service.UserService;
import com.baomidou.mybatisplus.extension.service.impl.ServiceImpl;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.authority.SimpleGrantedAuthority;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.core.userdetails.UsernameNotFoundException;
import org.springframework.stereotype.Service;
import javax.servlet.http.HttpSession;
import java.util.ArrayList;
import java.util.Collection;
import java.util.List;
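/**
 * User service: MyBatis-Plus CRUD for {@link User} plus the Spring Security
 * {@link UserDetailsService} that form login authenticates against.
 *
 * @author janson
 * @since 2022-03-29
 */
@Service
public class UserServiceImpl extends ServiceImpl<UserMapper, User> implements UserService, UserDetailsService {

    // NOTE(review): this bean is injected into itself (UserServiceImpl is the
    // UserService); the inherited ServiceImpl#getOne would serve the same lookup.
    @Autowired
    UserService userService;

    @Autowired
    UserRoleService roleService;

    @Autowired
    HttpSession session;

    /**
     * Resolves the {@link UserDetails} that Spring Security compares the submitted
     * credentials against.
     *
     * @param s the username submitted on the login form
     * @return an enabled, non-expired, non-locked UserDetails carrying the stored
     *         password hash and the user's role authority
     * @throws UsernameNotFoundException if no user with that username exists
     */
    @Override
    public UserDetails loadUserByUsername(String s) throws UsernameNotFoundException {
        User user = userService.getOne(new QueryWrapper<User>().eq("username", s));
        if (user == null) {
            // The UserDetailsService contract requires an exception here. Returning
            // null (the previous behaviour) makes DaoAuthenticationProvider fail with an
            // internal error instead of the normal "bad credentials" outcome.
            throw new UsernameNotFoundException("user not found: " + s);
        }

        // NOTE(review): this runs before the password is verified, so the entity
        // (including its password hash) is stored in the session for any login attempt
        // that merely names an existing username. Setting it from an
        // AuthenticationSuccessHandler instead would limit it to successful logins.
        session.setAttribute("loginUser", user);

        // The stored password must already be a BCrypt hash; the encoder configured in
        // SecurityConfig matches the submitted plaintext against it.
        String password = user.getPassword();
        Collection<GrantedAuthority> authorities = getAuthorities(user);
        return new org.springframework.security.core.userdetails.User(s, password,
                true,   // enabled
                true,   // accountNonExpired
                true,   // credentialsNonExpired
                true,   // accountNonLocked
                authorities);
    }

    /**
     * Builds the authority list for a user from its single role.
     *
     * @param user the user whose roleId is resolved
     * @return a list holding one {@code ROLE_<name>} authority, or an empty list when
     *         the role id does not resolve to a role
     */
    private Collection<GrantedAuthority> getAuthorities(User user) {
        List<GrantedAuthority> authList = new ArrayList<GrantedAuthority>();
        UserRole role = roleService.getById(user.getRoleId());
        // Guard against an unknown role id: the previous code dereferenced the lookup
        // result unconditionally and turned a missing role into a NullPointerException
        // during login.
        if (role != null) {
            // Spring Security's role checks expect the ROLE_ prefix; without it they
            // never match.
            authList.add(new SimpleGrantedAuthority("ROLE_" + role.getName()));
        }
        return authList;
    }
}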