Spring Security
简介
Spring Security 是 Spring Resource 下的一个安全组件,易于应用于 Spring Boot 中,也易于集成到 Spring Cloud 中。
依赖
<dependency> <groupId>org.springframework.boot</groupId> <artifactId>spring-boot-starter-security</artifactId> </dependency>
配置
1.配置WebSecurityConfigurerAdapter
package com.forezp.config; import org.springframework.beans.factory.annotation.Autowired; import org.springframework.context.annotation.Bean; import org.springframework.context.annotation.Configuration; import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder; import org.springframework.security.config.annotation.method.configuration.EnableGlobalMethodSecurity; import org.springframework.security.config.annotation.web.builders.HttpSecurity; import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity; import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter; import org.springframework.security.core.userdetails.User; import org.springframework.security.core.userdetails.UserDetailsService; import org.springframework.security.provisioning.InMemoryUserDetailsManager; @EnableWebSecurity @Configuration
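public class SecurityConfig extends WebSecurityConfigurerAdapter {

    // NOTE(review): WebSecurityConfigurerAdapter is deprecated since Spring Security 5.7 and
    // removed in 6.0; this listing applies to the older adapter-based configuration style.

    /**
     * Source of user records consulted during authentication.
     *
     * <p>The listing passes {@code userDetailsService} to the builder without declaring it, so
     * it is injected here to make the class self-contained. Assumes a
     * {@link UserDetailsService} bean is defined elsewhere in the application (TODO confirm).
     */
    @Autowired
    private UserDetailsService userDetailsService;

    /**
     * Registers the user store that the authentication manager checks credentials against.
     *
     * <ol>
     *   <li>The class extends {@code WebSecurityConfigurerAdapter}.</li>
     *   <li>{@code @EnableWebSecurity} switches on web authentication and authorization.</li>
     *   <li>Spring injects the {@code AuthenticationManagerBuilder} bean into this method.</li>
     *   <li>This method is only responsible for verifying user information; it does not
     *       define URL access rules.</li>
     * </ol>
     *
     * @param auth builder for the application's authentication manager
     * @throws Exception if the builder rejects the configuration
     */
    @Autowired
    public void configureGlobal(AuthenticationManagerBuilder auth) throws Exception {
        // In-memory alternative kept from the tutorial, for demos only: it hard-codes a
        // plaintext password. Spring Security 5+ expects stored passwords to be encoded and a
        // PasswordEncoder to be available; an unencoded literal like the one below is rejected
        // at login unless it is explicitly marked (e.g. the "{noop}" prefix).
        // auth
        //     .inMemoryAuthentication()
        //     .withUser("forezp").password("123456").roles("USER");
        //
        // Variant that calls a userDetailsService() factory method on this class:
        // auth.userDetailsService(userDetailsService());

        // Active configuration: delegate user lookup to the injected service. Its stored
        // passwords should be hashed with an adaptive encoder (e.g. bcrypt), never kept in clear.
        auth.userDetailsService(userDetailsService);
    }
}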
2.配置httpSecurity
package com.forezp.config;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.method.configuration.EnableGlobalMethodSecurity;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.core.userdetails.User;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.provisioning.InMemoryUserDetailsManager;
@Configuration
@EnableGlobalMethodSecurity(prePostEnabled = true)
public class SecurityConfig extends WebSecurityConfigurerAdapter {

    // @formatter:off
    /**
     * Declares which resources require authentication, whether every user must be
     * authenticated, and which requests go through form-based login.
     *
     * <p>NOTE(review): the rules below carry no catch-all {@code anyRequest()} entry, so any
     * path not listed here is left unrestricted by this chain as far as the listing shows.
     * A deny-by-default setup would end the rule list with {@code anyRequest().authenticated()}
     * after explicitly permitting the login, login-error and access-denied pages. Confirm
     * which other endpoints the application exposes before relying on this configuration.
     *
     * @param http the HTTP security builder to configure
     * @throws Exception if any configurer rejects the settings
     */
    @Override
    protected void configure(HttpSecurity http) throws Exception {
        // URL authorization. hasRole("USER") matches the granted authority "ROLE_USER".
        http.authorizeRequests()
                .antMatchers("/css/**", "/index").permitAll()
                .antMatchers("/user/**").hasRole("USER")
                .antMatchers("/blogs/**").hasRole("USER");

        // Form login with a custom login page and a dedicated failure target.
        http.formLogin()
                .loginPage("/login")
                .failureUrl("/login-error");

        // Authenticated users lacking the required role are sent to this page.
        http.exceptionHandling()
                .accessDeniedPage("/401");

        // After logout the browser is redirected to the site root.
        http.logout()
                .logoutSuccessUrl("/");
    }
    // @formatter:on
}
3.配置方法级别上的保护
@EnableGlobalMethodSecurity注解可以开启方法级别上的保护
- prePostEnabled:@PreAuthorize 与 @PostAuthorize 是否可用
- securedEnabled:@Secured 是否可用
- jsr250Enabled:JSR-250 注解是否可用