SpringSecurity-学习1
下面是我的依赖:
(依赖)
<dependencies>
    <!-- Swagger/OpenAPI test UI (knife4j). It serves interactive API documentation,
         so restrict or disable it outside development environments. -->
    <dependency>
        <groupId>com.github.xiaoymin</groupId>
        <artifactId>knife4j-openapi3-jakarta-spring-boot-starter</artifactId>
        <version>4.1.0</version>
    </dependency>
    <!-- MySQL JDBC driver -->
    <dependency>
        <groupId>mysql</groupId>
        <artifactId>mysql-connector-java</artifactId>
        <version>8.0.33</version>
    </dependency>
    <!-- MyBatis-Plus; its transitive mybatis-spring is excluded and pinned explicitly below -->
    <dependency>
        <groupId>com.baomidou</groupId>
        <artifactId>mybatis-plus-boot-starter</artifactId>
        <version>3.5.5</version>
        <exclusions>
            <exclusion>
                <groupId>org.mybatis</groupId>
                <artifactId>mybatis-spring</artifactId>
            </exclusion>
        </exclusions>
    </dependency>
    <!-- Explicit mybatis-spring version replacing the excluded transitive one -->
    <dependency>
        <groupId>org.mybatis</groupId>
        <artifactId>mybatis-spring</artifactId>
        <version>3.0.3</version>
    </dependency>
    <!-- Dependencies without a version element presumably take their version from
         the Spring Boot parent/BOM, which is not shown in this fragment. -->
    <dependency>
        <groupId>org.projectlombok</groupId>
        <artifactId>lombok</artifactId>
    </dependency>
    <!-- Spring Security: authentication, authorization and the servlet filter chain -->
    <dependency>
        <groupId>org.springframework.boot</groupId>
        <artifactId>spring-boot-starter-security</artifactId>
    </dependency>
    <dependency>
        <groupId>org.springframework.boot</groupId>
        <artifactId>spring-boot-starter-thymeleaf</artifactId>
    </dependency>
    <dependency>
        <groupId>org.springframework.boot</groupId>
        <artifactId>spring-boot-starter-web</artifactId>
    </dependency>
    <!-- Thymeleaf integration for Spring Security 6 -->
    <dependency>
        <groupId>org.thymeleaf.extras</groupId>
        <artifactId>thymeleaf-extras-springsecurity6</artifactId>
    </dependency>
    <!-- Test-scoped dependencies -->
    <dependency>
        <groupId>org.springframework.boot</groupId>
        <artifactId>spring-boot-starter-test</artifactId>
        <scope>test</scope>
    </dependency>
    <dependency>
        <groupId>org.springframework.security</groupId>
        <artifactId>spring-security-test</artifactId>
        <scope>test</scope>
    </dependency>
可以直接用IDEA快速构建一个JavaWeb项目
接下来开始配置SpringSecurity的配置类
创建一个config文件夹,然后在里面创建一个名为WebSecurityConfig的配置类
一、首先是基于内存校验
@Configuration //开启SpringSecurity的自定义配置 @EnableWebSecurity public class WebSecurityConfig { /** * 内存校验 * @return */ @Bean public UserDetailsService userDetailsService() { //创建基于内存的用户信息管理器 InMemoryUserDetailsManager manager = new InMemoryUserDetailsManager(); //使用manager管理UserDetail对象 manager.createUser( //创建UserDetail对象,用于管理用户名用户密码和角色权限 User.withDefaultPasswordEncoder().username("user").password("password").roles("USER").build() ); return manager; } }
二、SpringSecurity的默认配置
//默认配置 @Bean public SecurityFilterChain filterChain(HttpSecurity http) throws Exception { //authorizeRequests():开启授权保护 //anyRequest():对所有请求开启授权保护 //authenticated():已认证请求会自动被授权 http .authorizeRequests(authorize -> authorize //对所有请求开启授权保护 .anyRequest() //已认证的请求会自动授权 .authenticated() ) .formLogin(from -> { //表单授权方式 from.loginPage("/login").permitAll() //permitAll表示无需授权可访问 .usernameParameter("username").passwordParameter("password") //自定义用户名密码的参数名 .failureUrl("/login?error") ; //自定义校验错误后的URL值 }); // .httpBasic(withDefaults());//基本授权方式 //关闭csrf防御 http.csrf((csrf) -> { csrf.disable(); }); return http.build(); }
三、下面这是根据数据库校验:
1.创建实体类,并在数据库中创建对应的表
/**
 * Persistent user record mapped to the database table of the same shape.
 * Accessors are generated by Lombok's {@code @Data}.
 */
@Data
public class User {
    @TableId(type = IdType.AUTO) // auto-increment primary key
    private Integer id;
    // Login name; looked up by loadUserByUsername via the "username" column.
    private String username;
    // Password string exactly as stored. On this page the service encodes it before
    // saving, so this holds the encoder output rather than the clear text.
    // NOTE(review): this entity is also used as a request/response body, so the
    // stored value is serialised unless the endpoint blanks it out first.
    private String password;
    // Account enabled flag; nullable because it is a boxed Boolean.
    private Boolean enabled;
}
配置文件配置数据库信息:
# MySQL datasource
# NOTE(review): root / 123456 are sample credentials written in plain text; outside a
# local demo, supply them from the environment or a secret store and use a
# least-privilege database account instead of root.
spring.datasource.driver-class-name=com.mysql.cj.jdbc.Driver
spring.datasource.url=jdbc:mysql://localhost:3306/security-demo
spring.datasource.username=root
spring.datasource.password=123456
# MyBatis-Plus SQL logging
# NOTE(review): StdOutImpl prints executed SQL and its bound parameters to stdout,
# which includes the stored password value on user inserts; development only.
mybatis-plus.configuration.log-impl=org.apache.ibatis.logging.stdout.StdOutImpl
创建UserMapper,我这里用的是mybatis-plus
/**
 * MyBatis-Plus mapper for {@code User} rows; it declares no methods of its own and
 * relies on what {@code BaseMapper} provides.
 */
@Mapper
public interface UserMapper extends BaseMapper<User> {
}
2.创建数据库认证用户配置类DBUserDetailsManager
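/**
 * Database-backed user store for Spring Security, playing the role that
 * {@code InMemoryUserDetailsManager} plays in the in-memory example.
 *
 * <p>Only {@link #createUser} and {@link #loadUserByUsername} are implemented;
 * the remaining {@link UserDetailsManager} operations are tutorial stubs.
 */
@Component // registered by component scanning, so no @Bean method is needed in the configuration class
public class DBUserDetailsManager implements UserDetailsManager, UserDetailsPasswordService {

    @Resource
    UserMapper userMapper;

    /**
     * Stub: the new password is not persisted yet.
     *
     * @param user        the user whose password should change
     * @param newPassword the already-encoded replacement password
     * @return the unchanged {@code user}; never {@code null}, because Spring Security's
     *         DAO authentication provider keeps using the returned object after a
     *         password-encoding upgrade
     */
    @Override
    public UserDetails updatePassword(UserDetails user, String newPassword) {
        return user;
    }

    /**
     * Inserts a new, enabled user row.
     *
     * @param userDetails user name and password to store; the password is written
     *                    as given, so the caller must pass it already encoded
     */
    @Override
    public void createUser(UserDetails userDetails) {
        User user = new User();
        user.setUsername(userDetails.getUsername());
        user.setPassword(userDetails.getPassword());
        user.setEnabled(true);
        userMapper.insert(user);
    }

    /** Stub: not implemented. */
    @Override
    public void updateUser(UserDetails user) {
    }

    /** Stub: not implemented. */
    @Override
    public void deleteUser(String username) {
    }

    /** Stub: not implemented. */
    @Override
    public void changePassword(String oldPassword, String newPassword) {
    }

    /**
     * Stub: always reports that the user does not exist.
     * NOTE(review): callers cannot use this to prevent duplicate user names.
     */
    @Override
    public boolean userExists(String username) {
        return false;
    }

    /**
     * Loads the user row with the given user name and converts it to Spring
     * Security's {@code UserDetails}.
     *
     * @param username the login name to look up
     * @return the matching user, with an empty authority list
     * @throws UsernameNotFoundException if no row has this user name
     */
    @Override
    public UserDetails loadUserByUsername(String username) throws UsernameNotFoundException {
        // The wrapper binds the value as a query parameter, not as SQL text.
        // NOTE(review): selectOne expects at most one match, so the username column
        // presumably needs a unique constraint; confirm against the schema.
        QueryWrapper<User> userQueryWrapper = new QueryWrapper<>();
        userQueryWrapper.eq("username", username);
        User user = userMapper.selectOne(userQueryWrapper);
        if (user == null) {
            throw new UsernameNotFoundException(username);
        }

        // No roles or authorities are stored yet, so every user gets an empty list.
        Collection<GrantedAuthority> authorities = new ArrayList<>();

        // A NULL enabled column counts as disabled (fail closed) instead of
        // failing with a NullPointerException on unboxing.
        boolean enabled = Boolean.TRUE.equals(user.getEnabled());

        return new org.springframework.security.core.userdetails.User(
                user.getUsername(),
                user.getPassword(),
                enabled,
                true, // accountNonExpired
                true, // credentialsNonExpired
                true, // accountNonLocked
                authorities);
    }
}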
3.写一个接口测试一下用户的添加和查询,创建一个UserController
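/**
 * REST endpoints under {@code /user} for listing users and adding a user.
 */
@RestController
@RequestMapping("/user")
public class UserController {

    // Not used by the endpoints shown here.
    @Resource
    DBUserDetailsManager dbUserDetailsManager;

    @Resource
    private UserService userService;

    /**
     * Lists all users.
     *
     * @return every stored user, with the password field blanked out
     */
    @GetMapping("/list")
    public List<User> getUsers() {
        List<User> users = userService.list();
        // The entity doubles as the response body; clear the stored password value
        // so credential hashes are never serialised to API clients.
        users.forEach(u -> u.setPassword(null));
        return users;
    }

    /**
     * Adds a user whose password is encoded by the service before it is stored.
     *
     * @param user request body; only its user name and password are used by
     *             {@code saveSecurityUser} as shown on this page
     */
    @PostMapping("/addUser")
    public void addUser(@RequestBody User user) {
        userService.saveSecurityUser(user);
    }
}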
UserService
/**
 * User service: the generic CRUD operations of {@code IService} plus creation of
 * a user for Spring Security.
 */
public interface UserService extends IService<User> {
    /**
     * Stores {@code user} as a Spring Security user.
     *
     * @param user the user name and raw password to store
     * @return a result flag; NOTE(review): the caller on this page ignores it, so
     *         do not unbox it without a null check
     */
    Boolean saveSecurityUser(User user);
}
UserServiceImpl
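/**
 * MyBatis-Plus based implementation of {@link UserService}.
 */
@Service
public class UserServiceImpl extends ServiceImpl<UserMapper, User> implements UserService {

    /**
     * Spring Security's delegating encoder, the same one that
     * {@code User.withDefaultPasswordEncoder()} applies internally. Using it through
     * {@code User.builder()} keeps the stored format unchanged without calling the
     * deprecated demo-only helper.
     */
    private static final org.springframework.security.crypto.password.PasswordEncoder PASSWORD_ENCODER =
            org.springframework.security.crypto.factory.PasswordEncoderFactories.createDelegatingPasswordEncoder();

    @Resource
    private DBUserDetailsManager dbUserDetailsManager;

    /**
     * Encodes the user's raw password and stores the user through
     * {@link DBUserDetailsManager#createUser}.
     *
     * @param user carries the user name and the raw password
     * @return {@code Boolean.TRUE} once the user has been handed to the manager;
     *         never {@code null}
     */
    @Override
    public Boolean saveSecurityUser(User user) {
        // The builder applies the encoder in build(), so only the encoded password
        // reaches the database layer.
        UserDetails userDetails = org.springframework.security.core.userdetails.User
                .builder()
                .passwordEncoder(PASSWORD_ENCODER::encode)
                .username(user.getUsername())
                .password(user.getPassword())
                .build();
        dbUserDetailsManager.createUser(userDetails);
        return Boolean.TRUE;
    }
}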
可以去Swagger里面去测试一下添加和查询,删除修改功能和上面类似。
注意:测试时记得关闭csrf防御,不然Swagger测试时会报错。关闭csrf仅用于本地测试;使用表单登录和会话的应用在正式环境中应保持csrf防御开启。
难产难产难产
