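In a web application you may need to restrict what users can access according to their role, or restrict access at the level of individual methods. Spring Security is a ready-made framework that provides authentication and authorization. To get a first look at Spring Security, this post integrates it with Spring Boot. The steps:

1. Create a Maven project and add the Maven dependencies. Only two are added here: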

<dependencies>
    <dependency>
        <groupId>org.springframework.boot</groupId>
        <artifactId>spring-boot-starter-web</artifactId>
        <version>2.3.5.RELEASE</version>
    </dependency>

    <dependency>
        <groupId>org.springframework.boot</groupId>
        <artifactId>spring-boot-starter-security</artifactId>
        <version>2.1.5.RELEASE</version>
    </dependency>
</dependencies>

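2. Implement UserDetailsService. UserDetailsService is just an interface with a single method and no implementation of its own; an implementing class has to supply the actual logic. For its role, see https://blog.csdn.net/qq_39329616/article/details/89978773. The figure below is also taken from that author.

Here is the UserDetailsService implementation class: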

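import java.util.ArrayList;
import java.util.List;

import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.authority.SimpleGrantedAuthority;
import org.springframework.security.core.userdetails.User;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.core.userdetails.UsernameNotFoundException;
import org.springframework.security.crypto.password.PasswordEncoder;
import org.springframework.stereotype.Service;

@Service
public class UserDetailServiceImpl implements UserDetailsService {
    @Autowired
    private PasswordEncoder passwordEncoder;

    @Override
    public UserDetails loadUserByUsername(String username) throws UsernameNotFoundException {
        List<GrantedAuthority> grantedAuthorities = new ArrayList<GrantedAuthority>();
        // The user could be looked up in a database here and then checked
        if ("employee".equals(username)) {
            Employee employee = new Employee();
            employee.setUsername("employee");
            employee.setPassword("123456");
            GrantedAuthority grantedAuthority = new SimpleGrantedAuthority("ROLE_EMPLOYEE");
            grantedAuthorities.add(grantedAuthority);
            return new User(employee.getUsername(),
                    passwordEncoder.encode(employee.getPassword()),
                    grantedAuthorities);
        }
        if ("admin".equals(username)) {
            Admin admin = new Admin();
            admin.setUsername("admin");
            admin.setPassword("123456");
            GrantedAuthority grantedAuthority = new SimpleGrantedAuthority("ROLE_ADMIN");
            grantedAuthorities.add(grantedAuthority);
            return new User(admin.getUsername(),
                    passwordEncoder.encode(admin.getPassword()),
                    grantedAuthorities);
        }
        // The interface contract forbids returning null for an unknown user
        throw new UsernameNotFoundException("User not found: " + username);
    }
}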
Two classes are referenced above, Admin and Employee. They are defined as follows:

public class Admin {
    private String username, password;

    public String getUsername() {
        return username;
    }

    public void setUsername(String username) {
        this.username = username;
    }

    public String getPassword() {
        return password;
    }

    public void setPassword(String password) {
        this.password = password;
    }
}

The Employee class is the same as above, so its definition is omitted.

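3. Define the configuration class. The configuration class needs to extend WebSecurityConfigurerAdapter. There is a source-level walkthrough of that class at https://blog.csdn.net/u012702547/article/details/107655180; the author really is an expert, hats off....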

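import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.builders.WebSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
import org.springframework.security.crypto.password.PasswordEncoder;

@Configuration
@EnableWebSecurity
public class SecurityConfiguration extends WebSecurityConfigurerAdapter {

    // Inject the custom UserDetailServiceImpl
    @Autowired
    private UserDetailsService userDetailsService;

    @Bean
    public PasswordEncoder passwordEncoder() {
        return new BCryptPasswordEncoder();
    }

    @Override
    protected void configure(AuthenticationManagerBuilder auth) throws Exception {
        auth.userDetailsService(userDetailsService)
            .passwordEncoder(passwordEncoder());
    }

    @Override
    public void configure(WebSecurity web) throws Exception {
        super.configure(web);
    }

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http.csrf().disable() // CSRF protection is disabled
            .authorizeRequests() // configure authorization rules for requests
            // Rules are checked in order and the first match wins, so the
            // /employee/login rule has to come before the /employee/* rule
            .antMatchers("/employee/login").permitAll() // /employee/login is not restricted
            .antMatchers("/decision/**", "/govern/**", "/employee/*").hasAnyRole("EMPLOYEE", "ADMIN") // these endpoints require the EMPLOYEE or ADMIN role
            .antMatchers("/admin/**").hasRole("ADMIN") // endpoints under /admin require the ADMIN role
            .antMatchers("/oauth/**").permitAll() // do not intercept the open oauth resources
            .anyRequest().permitAll() // any other request with no rule is allowed
            .and().anonymous() // allow anonymous access for requests with no configured permission
            .and().formLogin() // use Spring Security's default login page
            .and().httpBasic(); // enable HTTP Basic authentication
    }
}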

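4. Define a controller class. The controller for Admin is defined as follows:

import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.RestController;

@RestController
@RequestMapping("/admin")
public class AdminController {

    @GetMapping("/greeting")
    public String greeting() {
        return "Hello,World!";
    }

    @GetMapping("/login")
    public String login() {
        return "login sucess";
    }
}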

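OK, everything is now defined. Only the backend is defined here, so it can be exercised with Postman. The Postman results are as follows:

The user above is admin, who accessed both the admin and the employee resources, and both requests returned normally. Accessing as employee gives the following:

As the figures above show, the employee user can access the employee resources but cannot access the admin resources, which achieves the access control we wanted. There is more of Spring Security still to learn. Most of the content above is based on https://www.jianshu.com/p/6a7dcef02bd5; a lot of people online are really helpful...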
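The checks made by hand in Postman can also be written as an automated test. The following is an added example, not code from the original post: the class name AccessControlTest is hypothetical, and it assumes spring-boot-starter-test and spring-security-test are available as test dependencies and that the project has a @SpringBootApplication class, none of which is shown above.

```java
import static org.springframework.security.test.web.servlet.request.SecurityMockMvcRequestPostProcessors.httpBasic;
import static org.springframework.test.web.servlet.request.MockMvcRequestBuilders.get;
import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.content;
import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.status;

import org.junit.jupiter.api.Test;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.boot.test.autoconfigure.web.servlet.AutoConfigureMockMvc;
import org.springframework.boot.test.context.SpringBootTest;
import org.springframework.test.web.servlet.MockMvc;

// Added example (hypothetical class name). Assumes spring-boot-starter-test and
// spring-security-test as test dependencies and a @SpringBootApplication class.
@SpringBootTest
@AutoConfigureMockMvc
class AccessControlTest {

    @Autowired
    private MockMvc mockMvc;

    @Test
    void adminCanReachAdminResource() throws Exception {
        // admin carries ROLE_ADMIN, which satisfies hasRole("ADMIN") on /admin/**
        mockMvc.perform(get("/admin/greeting").with(httpBasic("admin", "123456")))
               .andExpect(status().isOk())
               .andExpect(content().string("Hello,World!"));
    }

    @Test
    void employeeIsForbiddenOnAdminResource() throws Exception {
        // Authenticated, but ROLE_EMPLOYEE does not satisfy hasRole("ADMIN"): 403
        mockMvc.perform(get("/admin/greeting").with(httpBasic("employee", "123456")))
               .andExpect(status().isForbidden());
    }

    @Test
    void wrongPasswordIsRejected() throws Exception {
        // HTTP Basic authentication itself fails, so the response is 401
        mockMvc.perform(get("/admin/greeting").with(httpBasic("admin", "wrong-password")))
               .andExpect(status().isUnauthorized());
    }
}
```

The distinction between 401 (authentication failed) and 403 (authenticated but lacking the role) is what separates the wrong-password case from the employee case.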

 

posted on 2021-09-05 18:28  Judy518