- SSM + Shiro
- Spring Boot/Spring Cloud + Spring Security
项目创建
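<!-- Spring Security starter for Spring Boot. No <version> is declared here; presumably the
     Spring Boot parent/BOM manages it (confirm against the project's pom.xml). -->
<dependency>
    <groupId>org.springframework.boot</groupId>
    <artifactId>spring-boot-starter-security</artifactId>
</dependency>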
初次体验
/**
 * Minimal REST controller used to try out the security configuration.
 *
 * <p>It exposes a single GET endpoint, {@code /hello}, which returns a fixed string.
 */
@RestController
public class HelloController {

    /** Body returned by {@link #hello()}. */
    private static final String GREETING = "hello";

    /**
     * Handles {@code GET /hello}.
     *
     * @return the fixed greeting text
     */
    @GetMapping("/hello")
    public String hello() {
        return GREETING;
    }
}
- 可以通过 form 表单来认证
- 可以通过 HttpBasic 来认证
用户名配置
- 在 application.properties 中进行配置
- 通过 Java 代码配置在内存中
- 通过 Java 从数据库中加载
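# Demo-only static login. The password is kept in plain text in this file, so real
# credentials should come from outside committed configuration.
spring.security.user.name=javaboy
spring.security.user.password=123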
/**
 * Security configuration that registers two users in memory.
 *
 * <p>The stored passwords are BCrypt hashes (the {@code $2a$10$} prefix carries the BCrypt
 * version and a cost factor of 10), so the {@link PasswordEncoder} bean declared here has to be
 * a BCrypt encoder for a submitted password to verify against them.
 */
@Configuration
public class SecurityConfig extends WebSecurityConfigurerAdapter {

    /**
     * Supplies the encoder used to check submitted passwords against the stored hashes.
     *
     * @return a BCrypt password encoder
     */
    @Bean
    PasswordEncoder passwordEncoder() {
        return new BCryptPasswordEncoder();
    }

    /**
     * Registers the in-memory users.
     *
     * @param auth builder the users are added to
     * @throws Exception if the in-memory authentication setup fails
     */
    @Override
    protected void configure(AuthenticationManagerBuilder auth) throws Exception {
        // Two users live only in memory: "javaboy" with role "admin" and "lisi" with role "user".
        auth.inMemoryAuthentication()
            .withUser("javaboy")
                .password("$2a$10$OR3VSksVAmCzc.7WeaRPR.t0wyCsIj24k0Bne8iKWV1o.V9wsP8Xe")
                .roles("admin")
            .and()
            .withUser("lisi")
                .password("$2a$10$p1H8iWa8I4.CA.7Z8bwLjes91ZpY.rYREGHQEInNtAp4NzL6PLKxi")
                .roles("user");
    }
}
登录配置
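/**
 * Web security rules for the demo: URL authorization, form login, logout and HTTP Basic.
 *
 * <p>The success, failure and logout handlers all answer with a short fixed body instead of a
 * redirect. They share {@link #writeBody(HttpServletResponse, String)}.
 */
@Configuration
public class SecurityConfig extends WebSecurityConfigurerAdapter {

    /** Custom filter placed ahead of the username/password filter; its logic is not shown here. */
    @Autowired
    VerifyCodeFilter verifyCodeFilter;

    /**
     * Builds the HTTP security rules.
     *
     * @param http the security builder to configure
     * @throws Exception if the configuration cannot be applied
     */
    @Override
    protected void configure(HttpSecurity http) throws Exception {
        // The custom filter runs before submitted credentials are processed.
        http.addFilterBefore(verifyCodeFilter, UsernamePasswordAuthenticationFilter.class);
        http
            // URL authorization rules start here.
            .authorizeRequests()
            // /hello requires the "admin" role. mvcMatchers applies Spring MVC's own path
            // matching, so the rule covers every URL form MVC routes to this handler; a plain
            // Ant pattern matches only the literal path and would leave the other forms to the
            // weaker "authenticated" rule below.
            .mvcMatchers("/hello").hasRole("admin")
            // Every remaining endpoint is reachable by any logged-in user.
            .anyRequest().authenticated()
            .and()
            .formLogin()
            // Login page; an unauthenticated request to a protected endpoint is sent here.
            .loginPage("/login_p")
            // Endpoint that processes the submitted credentials.
            .loginProcessingUrl("/doLogin")
            // Request parameter carrying the user name (default: username).
            .usernameParameter("uname")
            // Request parameter carrying the password (default: password).
            .passwordParameter("passwd")
            // Handler invoked after a successful login.
            .successHandler(new AuthenticationSuccessHandler() {
                @Override
                public void onAuthenticationSuccess(HttpServletRequest req, HttpServletResponse resp,
                        Authentication authentication) throws IOException, ServletException {
                    writeBody(resp, "success");
                }
            })
            // Handler invoked after a failed login.
            .failureHandler(new AuthenticationFailureHandler() {
                @Override
                public void onAuthenticationFailure(HttpServletRequest req, HttpServletResponse resp,
                        AuthenticationException exception) throws IOException, ServletException {
                    writeBody(resp, "fail");
                }
            })
            // Everything belonging to form login is open to unauthenticated callers.
            .permitAll()
            .and()
            .logout()
            .logoutUrl("/logout")
            .logoutSuccessHandler(new LogoutSuccessHandler() {
                @Override
                public void onLogoutSuccess(HttpServletRequest req, HttpServletResponse resp,
                        Authentication authentication) throws IOException, ServletException {
                    writeBody(resp, "logout success");
                }
            })
            .permitAll()
            .and()
            .httpBasic()
            .and()
            // NOTE(review): CSRF protection is switched off while form login stays enabled.
            // If the login is session-cookie based (presumably it is; confirm), state-changing
            // requests are no longer checked for a CSRF token. Keep this only when clients
            // authenticate every request some other way.
            .csrf().disable();
    }

    /**
     * Writes a fixed text body to the response and flushes it.
     *
     * @param resp response to write to
     * @param body text sent to the client
     * @throws IOException if the response writer cannot be obtained
     */
    private static void writeBody(HttpServletResponse resp, String body) throws IOException {
        resp.setContentType("application/json;charset=utf-8");
        PrintWriter out = resp.getWriter();
        out.write(body);
        out.flush();
    }
}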
忽略拦截
- 设置该地址匿名访问
- 直接过滤掉该地址,即该地址不走 Spring Security 过滤器链
/**
 * Security configuration that takes one path out of the Spring Security filter chain.
 *
 * <p>A request to an ignored path never passes through the chain, so none of the chain's filters
 * act on it. The other option named on this page, allowing anonymous access, keeps the request
 * inside the chain.
 */
@Configuration
public class SecurityConfig extends WebSecurityConfigurerAdapter {

    /** Path that bypasses the filter chain. */
    private static final String IGNORED_PATH = "/vercode";

    /**
     * Registers the ignored path.
     *
     * @param web the web security builder
     * @throws Exception if the configuration cannot be applied
     */
    @Override
    public void configure(WebSecurity web) throws Exception {
        web.ignoring().antMatchers(IGNORED_PATH);
    }
}