Spring Security (the Spring security framework) study notes (1): introduction, custom login page, permitting static resources
Spring Security (the Spring security framework) study notes (2): login endpoint, login parameters, login callbacks, logout
Spring Security (the Spring security framework) study notes (3): returning JSON, for front-end/back-end separated applications
Spring Security (the Spring security framework) study notes (4): authorization and permission inheritance
Spring Security (the Spring security framework) study notes (5): integrating a MySQL database
I. Introduction to Spring Security
- Overview: provides comprehensive security services for J2EE-based enterprise applications.
- History: Acegi Security -> Spring Security. Its configuration used to be verbose with a steep learning curve; Spring Boot's auto-configuration simplifies it.
- Core functions:
- Authentication (login: establishing who the caller is)
- Authorization (permission checking: deciding what the caller may do)
Spring Security currently integrates with the following authentication technologies:
HTTP BASIC authentication headers (an IETF RFC-based standard)
HTTP Digest authentication headers (an IETF RFC-based standard)
HTTP X.509 client certificate exchange (an IETF RFC-based standard)
LDAP (a very common cross-platform authentication requirement, especially in large environments)
Form-based authentication (for simple user-interface needs)
OpenID authentication
Computer Associates Siteminder
JA-SIG Central Authentication Service (CAS, a popular open-source single sign-on system)
Transparent authentication context propagation for Remote Method Invocation and HttpInvoker (a Spring remoting protocol)
II. The first Spring Security program
- Create a Maven project and add the dependencies (spring-boot-starter-jdbc and mysql-connector-java are only needed from part 5 on, when users move to MySQL)
<?xml version="1.0" encoding="UTF-8"?>
<project xmlns="http://maven.apache.org/POM/4.0.0"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 https://maven.apache.org/xsd/maven-4.0.0.xsd">
<modelVersion>4.0.0</modelVersion>
<parent>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-parent</artifactId>
<version>2.3.0.RELEASE</version>
<relativePath /> <!-- lookup parent from repository -->
</parent>
<groupId>com.hx</groupId>
<artifactId>springSecurity_03</artifactId>
<version>0.0.1-SNAPSHOT</version>
<name>springSecurity_01</name>
<description>springSecurity_03</description>
<properties>
<java.version>1.8</java.version>
</properties>
<dependencies>
<dependency>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-security</artifactId>
</dependency>
<dependency>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-web</artifactId>
</dependency>
<dependency>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-jdbc</artifactId>
</dependency>
<dependency>
<groupId>mysql</groupId>
<artifactId>mysql-connector-java</artifactId>
</dependency>
<dependency>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-test</artifactId>
<scope>test</scope>
<exclusions>
<exclusion>
<groupId>org.junit.vintage</groupId>
<artifactId>junit-vintage-engine</artifactId>
</exclusion>
</exclusions>
</dependency>
<dependency>
<groupId>org.springframework.security</groupId>
<artifactId>spring-security-test</artifactId>
<scope>test</scope>
</dependency>
</dependencies>
<build>
<plugins>
<plugin>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-maven-plugin</artifactId>
</plugin>
</plugins>
</build>
</project>
- Create the controller layer
package com.hx.security;
import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.RestController;
@RestController
public class HelloController {
@GetMapping("/hello")
public String hello() {
return "<h1>HELLO</h1>";
}
}
- Run the project and open http://127.0.0.1:8080/hello. The request is redirected to http://127.0.0.1:8080/login; log in with the username user and the random password the console prints after "Using generated security password:", and /hello becomes accessible. The account can also be configured by hand (spring.security.user.name and spring.security.user.password in application.properties), as shown below.
- Directory structure and account/password configuration:
Spring Security password encoding scheme, and configuring the username and password in a configuration class. (With the Spring Boot 2.3 parent in the pom the configuration extends WebSecurityConfigurerAdapter; that class is deprecated from Spring Security 5.7 / Spring Boot 2.7 in favour of a SecurityFilterChain bean, so newer projects look different.)
package com.hx.security;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.crypto.password.NoOpPasswordEncoder;
import org.springframework.security.crypto.password.PasswordEncoder;
@Configuration
public class SecurityConfig extends WebSecurityConfigurerAdapter {
    @Bean // password encoder instance
    PasswordEncoder passwordEncoder() {
        // NoOpPasswordEncoder stores and compares passwords in plaintext. It is deprecated and
        // meant for demos and legacy migration only; use BCryptPasswordEncoder for anything real.
        return NoOpPasswordEncoder.getInstance(); // no encoding
    }

    @Override
    protected void configure(AuthenticationManagerBuilder auth) throws Exception { // configure usernames and passwords
        // users configured here take precedence over the account configured in application.properties
        auth.inMemoryAuthentication().withUser("whx").password("a").roles("admin")
            .and().withUser("hx").password("a").roles("user"); // chain several users with and(); a single user needs no and()
    }
}
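The NoOpPasswordEncoder above keeps the demo short but leaves every password in plaintext. As an added example (not code from the original notes), here is the same configuration class with the encoder Spring Security recommends: the DelegatingPasswordEncoder from PasswordEncoderFactories, which hashes new passwords with BCrypt and prefixes each stored value with its algorithm id (for example {bcrypt}) so the scheme can be rotated later. The usernames, passwords and roles are the ones from the page; calling encode() at startup only keeps the example self-contained, a real deployment stores pre-computed hashes.

```java
package com.hx.security;

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.crypto.factory.PasswordEncoderFactories;
import org.springframework.security.crypto.password.PasswordEncoder;

@Configuration
public class SecurityConfig extends WebSecurityConfigurerAdapter {

    // Replacement for NoOpPasswordEncoder: a DelegatingPasswordEncoder that encodes new passwords
    // with BCrypt (random salt, tunable work factor) and stores them as "{bcrypt}$2a$10$...".
    // matches() reads the "{id}" prefix, so hashes produced by other supported encoders still
    // verify, which is what makes a later algorithm upgrade possible without a forced reset.
    @Bean
    PasswordEncoder passwordEncoder() {
        return PasswordEncoderFactories.createDelegatingPasswordEncoder();
    }

    @Override
    protected void configure(AuthenticationManagerBuilder auth) throws Exception {
        PasswordEncoder encoder = passwordEncoder();
        // Same users as the page; each stored value is now a salted hash, not the plaintext "a".
        // Two encode("a") calls yield different strings because of the random salt, yet both match.
        // (Encoding at startup is for a self-contained demo only; store pre-computed hashes instead.)
        auth.inMemoryAuthentication()
            .passwordEncoder(encoder) // explicit, although the PasswordEncoder bean is picked up by default
            .withUser("whx").password(encoder.encode("a")).roles("admin")
            .and()
            .withUser("hx").password(encoder.encode("a")).roles("user");
    }
}
```

Logging in works exactly as before. The one visible change is that a stored password without an "{id}" prefix now fails at login with IllegalArgumentException: There is no PasswordEncoder mapped for the id "null", which is the error to expect when NoOp-era credentials meet this encoder.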
III. Custom login page, and permitting static resources that need no protection
- Add the following to SecurityConfig
package com.hx.security;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.builders.WebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.crypto.password.NoOpPasswordEncoder;
import org.springframework.security.crypto.password.PasswordEncoder;
@Configuration
public class SecurityConfig extends WebSecurityConfigurerAdapter {
    @Bean // password encoder instance
    PasswordEncoder passwordEncoder() {
        return NoOpPasswordEncoder.getInstance(); // no encoding: plaintext passwords, deprecated, demo only
    }

    @Override
    protected void configure(AuthenticationManagerBuilder auth) throws Exception { // configure usernames and passwords
        // users configured here take precedence over the account configured in application.properties
        auth.inMemoryAuthentication().withUser("whx").password("a").roles("admin")
            .and().withUser("hx").password("a").roles("user"); // chain several users with and(); a single user needs no and()
    }

    @Override
    public void configure(WebSecurity web) throws Exception {
        // Skip the security filter chain entirely for the js, css and image folders; otherwise the
        // login page's stylesheet is itself redirected to the login page and the CSS never applies.
        // Patterns must start with "/": "images/**" never matches the request path "/images/logo.png".
        // Ignored paths also receive no security headers, so keep this list to static files only.
        web.ignoring().antMatchers("/js/**", "/css/**", "/images/**");
    }

    @Override
    protected void configure(HttpSecurity http) throws Exception { // HTTP security configuration
        http.authorizeRequests()              // start the request authorization rules
                .anyRequest().authenticated() // every request must be authenticated
                .and()
            .formLogin()                      // form login
                .loginPage("/login.html")     // custom login page; it also becomes the login processing URL the form POSTs to
                .permitAll()                  // login page, processing URL and failure URL are reachable without logging in
                .and()
            .csrf().disable();                // disabled only because the static login.html cannot render a CSRF token;
                                              // a session-based form login in a real application should keep CSRF enabled
    }
}
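Two choices in the chain above are fine for a demo but weaken a real application: web.ignoring() removes the static paths from the security filter chain entirely (no security headers, no authentication, and anything else mapped under those paths is exposed), and csrf().disable() drops the protection a cookie-based form login relies on. The configuration below is an added example, not code from the original notes. It keeps the page's login page and users but permits static resources inside the chain with antMatchers(...).permitAll(), posts the form to a separate processing URL /doLogin (an assumed name), and keeps CSRF enabled by issuing the token in a readable XSRF-TOKEN cookie that the static login.html can copy into a hidden _csrf field. passwordEncoder() and the users are configured as in section II and omitted here.

```java
package com.hx.security;

import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.web.csrf.CookieCsrfTokenRepository;

@Configuration
public class SecurityConfig extends WebSecurityConfigurerAdapter {

    // passwordEncoder() and configure(AuthenticationManagerBuilder) as in section II (omitted).

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            .authorizeRequests()
                // Public assets that still pass through the filter chain: security headers are added,
                // the session filter runs, and nothing else mapped under these paths is exposed.
                .antMatchers("/css/**", "/js/**", "/images/**").permitAll()
                .anyRequest().authenticated()
                .and()
            .formLogin()
                .loginPage("/login.html")        // GET: the static page (permitted by permitAll() below)
                .loginProcessingUrl("/doLogin")  // POST: consumed by UsernamePasswordAuthenticationFilter (assumed name)
                .usernameParameter("username")   // the defaults, stated so the form field names are explicit
                .passwordParameter("password")
                .defaultSuccessUrl("/hello")
                .failureUrl("/login.html?error")
                .permitAll()                     // permits loginPage, loginProcessingUrl and failureUrl
                .and()
            .csrf()
                // CSRF stays enabled. The token is issued as a non-HttpOnly XSRF-TOKEN cookie (readable by
                // same-origin JavaScript) and must be sent back as the _csrf form field or the
                // X-XSRF-TOKEN header on every state-changing request, the POST to /doLogin included.
                .csrfTokenRepository(CookieCsrfTokenRepository.withHttpOnlyFalse());
    }
}
```

With this in place the page's form posts to /doLogin instead of /login.html and gains a hidden input named _csrf whose value a short script copies from the XSRF-TOKEN cookie before submit; a POST without a valid token is rejected with 403 by CsrfFilter, which is the behaviour that csrf().disable() had switched off.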
- Login page code (placed under src/main/resources/static so Spring Boot serves it at /login.html)
<!DOCTYPE html>
<html>
<head>
<meta charset="UTF-8">
<title>Insert title here</title>
</head>
<body>
<form action="/login.html" method="post"> <!-- must be a POST to /login.html: with loginPage("/login.html") and no explicit loginProcessingUrl, the login page URL is also the URL the filter processes -->
Username: <input name="username"> <br> <!-- the field must be named username, Spring Security's default parameter name -->
Password: <input name="password" type="password"> <br> <!-- the field must be named password, the default parameter name -->
<button type="submit">Submit</button>
</form>
</body>
</html>