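spring-boot (7): web security
The previous posts covered most of the basic environment. From here on, various frameworks are integrated on top of that environment. The first one is, naturally, an authorization framework, and the choice here is Spring Security from the Spring family.
- Add the Maven dependency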
    <dependency>
        <groupId>org.springframework.boot</groupId>
        <artifactId>spring-boot-starter-security</artifactId>
    </dependency>
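- Write the Spring Security configuration code
Readers who already know Spring Security will notice, on a close look at the code below, that it is much the same as configuring Spring Security through a configuration file.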
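    import org.springframework.beans.factory.annotation.Autowired;
    import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
    import org.springframework.security.config.annotation.web.builders.HttpSecurity;
    import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
    import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;

    @EnableWebSecurity
    public class WebSecurityConfig extends WebSecurityConfigurerAdapter {

        @Autowired
        private SimpleUserDetailService userDetailService;

        // Authenticate users through the custom UserDetailsService
        @Override
        protected void configure(AuthenticationManagerBuilder auth) throws Exception {
            auth.userDetailsService(userDetailService);
        }

        @Override
        protected void configure(HttpSecurity http) throws Exception {
            http.authorizeRequests()
                    // "/" and "/login" are public; everything else requires login
                    .antMatchers("/", "/login").permitAll()
                    .anyRequest().authenticated()
                    .and()
                .formLogin()
                    .loginPage("/login")
                    .permitAll()
                    .and()
                .logout()
                    .permitAll()
                    .and()
                // This has to be added; otherwise submitting the login form, which is a POST request, fails with an error
                .csrf().disable();
        }
    }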
For why CSRF is disabled here, see http://blog.csdn.net/u012373815/article/details/55047285.
Because I did not use a hard-coded username and password, I implemented the corresponding logic instead:
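    import org.springframework.security.core.userdetails.UserDetails;
    import org.springframework.security.core.userdetails.UserDetailsService;
    import org.springframework.security.core.userdetails.UsernameNotFoundException;
    import org.springframework.stereotype.Service;

    @Service
    public class SimpleUserDetailService implements UserDetailsService {

        // Called by Spring Security with the username submitted in the login form
        @Override
        public UserDetails loadUserByUsername(String s) throws UsernameNotFoundException {
            return new User("root", "root");
        }
    }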
UserDetails also has to be implemented:
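    import java.util.Collection;
    import java.util.HashSet;
    import java.util.Set;

    import org.springframework.security.core.GrantedAuthority;
    import org.springframework.security.core.authority.SimpleGrantedAuthority;
    import org.springframework.security.core.userdetails.UserDetails;

    public class User implements UserDetails {

        private String username;
        private String password;

        public User() {}

        public User(String username, String password) {
            this.username = username;
            this.password = password;
        }

        // Every user is granted the single authority ROLE_LOGIN
        @Override
        public Collection<? extends GrantedAuthority> getAuthorities() {
            Set<GrantedAuthority> set = new HashSet<GrantedAuthority>();
            set.add(new SimpleGrantedAuthority("ROLE_LOGIN"));
            return set;
        }

        @Override
        public String getPassword() {
            return password;
        }

        @Override
        public String getUsername() {
            return username;
        }

        // The account is always treated as valid: not expired, not locked, enabled
        @Override
        public boolean isAccountNonExpired() {
            return true;
        }

        @Override
        public boolean isAccountNonLocked() {
            return true;
        }

        @Override
        public boolean isCredentialsNonExpired() {
            return true;
        }

        @Override
        public boolean isEnabled() {
            return true;
        }
    }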
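- Provide the login page
The login page builds on the FreeMarker setup from the earlier post: first add a method to the controller, then provide the dynamic .ftl page.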
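    import java.util.Map;

    import org.springframework.stereotype.Controller;
    import org.springframework.web.bind.annotation.GetMapping;
    import org.springframework.web.bind.annotation.RequestMapping;

    @Controller
    public class PageController {

        // Protected page: requires an authenticated user
        @RequestMapping("/good")
        public String good(Map<String, Object> attribute) {
            attribute.put("username", "hello freemarker");
            return "good";
        }

        // Renders the login.ftl template
        @GetMapping("/login")
        public String login() {
            return "login";
        }
    }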
The page code is as follows:
    <!DOCTYPE html>
    <html lang="en">
    <head>
        <meta charset="UTF-8">
        <title>Title</title>
    </head>
    <body>
    <form action="/login" method="post">
        <div>
            <span>用户名</span>
            <input type="text" name="username" value="root" />
        </div>
        <div>
            <span>密码</span>
            <input type="password" name="password" value="root" />
        </div>
        <div>
            <input type="submit" name="submit" value="submit" />
        </div>
    </form>
    </body>
    </html>
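The configuration above switches CSRF protection off so that the login POST is accepted. As an added example (not the article's own code), the same setup can keep CSRF enabled by rendering the token into the login form. The class names CsrfEnabledSecurityConfig and CsrfLoginPageController and the model keys csrfParameterName and csrfToken are assumptions; the controller stands in for the login() method of PageController, and SimpleUserDetailService is assumed to be in the same package.

```java
import java.util.Map;
import javax.servlet.http.HttpServletRequest;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.web.csrf.CsrfToken;
import org.springframework.stereotype.Controller;
import org.springframework.web.bind.annotation.GetMapping;

// Assumed name; same rules as the article's WebSecurityConfig, without csrf().disable().
@EnableWebSecurity
class CsrfEnabledSecurityConfig extends WebSecurityConfigurerAdapter {
    @Autowired
    private SimpleUserDetailService userDetailService; // the article's service

    @Override
    protected void configure(AuthenticationManagerBuilder auth) throws Exception {
        auth.userDetailsService(userDetailService);
    }

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http.authorizeRequests()
                .antMatchers("/", "/login").permitAll()
                .anyRequest().authenticated()
                .and()
            .formLogin().loginPage("/login").permitAll()
                .and()
            .logout().permitAll();
        // CSRF protection is left at its default, which is enabled.
    }
}

// Assumed name; replaces PageController.login() so the template can see the token.
@Controller
class CsrfLoginPageController {
    @GetMapping("/login")
    public String login(HttpServletRequest request, Map<String, Object> model) {
        // CsrfFilter stores the current token as a request attribute under this name.
        CsrfToken token = (CsrfToken) request.getAttribute(CsrfToken.class.getName());
        model.put("csrfParameterName", token.getParameterName()); // assumed model key
        model.put("csrfToken", token.getToken());                 // assumed model key
        return "login";
    }
}
// login.ftl then carries the token inside the <form>:
// <input type="hidden" name="${csrfParameterName}" value="${csrfToken}" />
```

With CSRF enabled, Spring Security's default /logout endpoint only accepts POST, so a logout form needs the same hidden field.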
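- Test
First visit http://ip:port/good; the page redirects to the login page. Enter the username and password and click the submit button. Then visit http://ip:port/good again, and this time the request succeeds.
- Additional notes
This article only covers how to integrate Spring Security into Spring Boot; it does not cover Spring Security itself. For that, see http://docs.spring.io/spring-security/site/docs/5.0.0.BUILD-SNAPSHOT/reference/htmlsingle/#jc-method
- References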
https://docs.spring.io/spring-boot/docs/current-SNAPSHOT/reference/htmlsingle/#boot-features-security
http://blog.csdn.net/u012373815/article/details/55047285
