SpringSecurity菜鳥教程

一：簡(jiǎn)單配置權(quán)限管理

SecurityConfg的配置

package com.example.demo11.config;import org.springframework.context.annotation.Bean; import org.springframework.context.annotation.Configuration; import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder; import org.springframework.security.config.annotation.web.builders.HttpSecurity; import org.springframework.security.config.annotation.web.builders.WebSecurity; import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter; import org.springframework.security.crypto.password.PasswordEncoder;import java.util.Objects;@Configuration public class SecurityConfig extends WebSecurityConfigurerAdapter {@Beanpublic PasswordEncoder passwordEncoder() {return new PasswordEncoder() {@Overridepublic String encode(CharSequence charSequence) {return charSequence.toString();}@Overridepublic boolean matches(CharSequence charSequence, String s) {return Objects.equals(charSequence.toString(), s);}};}@Overrideprotected void configure(AuthenticationManagerBuilder auth) throws Exception {auth.inMemoryAuthentication().withUser("用戶").password("123").roles("vip1").and().withUser("管理員").password("123").roles("vip2").and().withUser("超級(jí)管理員").password("123").roles("vip1", "vip2");}//配置忽略掉的 URL 地址,一般用于js,css,圖片等靜態(tài)資源@Overridepublic void configure(WebSecurity web) throws Exception {//web.ignoring() 用來(lái)配置忽略掉的 URL 地址，一般用于靜態(tài)文件web.ignoring().antMatchers("/js/**", "/css/**", "/fonts/**", "/images/**", "/lib/**");}@Overrideprotected void configure(HttpSecurity http) throws Exception {http.authorizeRequests().antMatchers("/css/**", "/js/**", "/images/**").permitAll();//開啟運(yùn)行iframe嵌套頁(yè)面http.headers().frameOptions().disable();http.authorizeRequests().antMatchers("/level1/vip1").hasRole("vip1").antMatchers("/level2/vip2").hasRole("vip2");//沒(méi)有權(quán)限會(huì)到默認(rèn)的登錄頁(yè)面http.formLogin();} }

IndexController的代碼

package com.example.demo11.controller;import org.springframework.stereotype.Controller; import org.springframework.web.bind.annotation.GetMapping;@Controller public class IndexController {@GetMapping("/index")public String index(){return "index";}@GetMapping("/level1/vip1")public String level1Vip1(){return "level1/vip1";}@GetMapping("/level2/vip2")public String level2Vip1(){return "level2/vip2";} }

由于沒(méi)有設(shè)置springsecurity全部攔截，主頁(yè)可以允許所有人訪問(wèn)

二：自定義登錄頁(yè)面，記住密碼

1自定義登陸頁(yè)面
改變SecurityConfig中的配置
這個(gè)需要自己寫一個(gè)登錄的接口

@Overrideprotected void configure(HttpSecurity http) throws Exception {http.authorizeRequests().antMatchers("/css/**", "/js/**", "/images/**").permitAll();//開啟運(yùn)行iframe嵌套頁(yè)面http.headers().frameOptions().disable();http.authorizeRequests().antMatchers("/level1/vip1").hasRole("vip1").antMatchers("/level2/vip2").hasRole("vip2");//任何請(qǐng)求都必須經(jīng)過(guò)身份認(rèn)證http.authorizeRequests().anyRequest().authenticated();//沒(méi)有權(quán)限會(huì)到默認(rèn)的登錄頁(yè)面http.formLogin()//登錄的頁(yè)面.loginPage("/login").usernameParameter("username")//自定義表單的用戶名的name,默認(rèn)為username.passwordParameter("password")//自定義表單的密碼的name,默認(rèn)為password.loginProcessingUrl("/dologin")//表單請(qǐng)求的地址，一般與form的action屬性一致，注意：不用自己寫doLogin接口，只要與form的action屬性一致即可.successForwardUrl("/index")//登錄成功后跳轉(zhuǎn)的頁(yè)面（重定向）.failureForwardUrl("/login")//登錄失敗后跳轉(zhuǎn)的頁(yè)面（重定向）.and().logout() //開啟注銷功能.logoutSuccessUrl("/login") //注銷后跳轉(zhuǎn)到哪一個(gè)頁(yè)面.clearAuthentication(true)// 配置注銷登錄請(qǐng)求URL為"/logout"（默認(rèn)也就是 /logout）.clearAuthentication(true) // 清除身份認(rèn)證信息.invalidateHttpSession(true) //使Http會(huì)話無(wú)效.permitAll().and().csrf().disable();} login.html文件

2.記住密碼和注銷功能

//開啟記住我功能,cookie接收，默認(rèn)保存兩周，自定義接收其前端http.rememberMe().rememberMeParameter("remember");

注銷功能：

三：基于數(shù)據(jù)庫(kù)自定義的表單驗(yàn)證

1.數(shù)據(jù)庫(kù)表
這里的登錄認(rèn)證只涉及到三張表：用戶表（user）、角色表(role)、用戶角色中間表(user_role)。

/*Navicat Premium Data TransferSource Server : test3Source Server Type : MySQLSource Server Version : 80015Source Host : localhost:3306Source Schema : test2Target Server Type : MySQLTarget Server Version : 80015File Encoding : 65001Date: 31/05/2020 22:01:56 */SET NAMES utf8mb4; SET FOREIGN_KEY_CHECKS = 0;-- ---------------------------- -- Table structure for role -- ---------------------------- DROP TABLE IF EXISTS `role`; CREATE TABLE `role` (`id` int(11) NOT NULL AUTO_INCREMENT,`name` varchar(32) CHARACTER SET utf8 COLLATE utf8_general_ci NULL DEFAULT NULL,PRIMARY KEY (`id`) USING BTREE ) ENGINE = InnoDB AUTO_INCREMENT = 4 CHARACTER SET = utf8 COLLATE = utf8_general_ci ROW_FORMAT = Dynamic;-- ---------------------------- -- Records of role -- ---------------------------- INSERT INTO `role` VALUES (1, 'ROLE_vip0'); INSERT INTO `role` VALUES (2, 'ROLE_vip1'); INSERT INTO `role` VALUES (3, 'ROLE_vip2'); INSERT INTO `role` VALUES (4, 'ROLE_vip3');-- ---------------------------- -- Table structure for user -- ---------------------------- DROP TABLE IF EXISTS `user`; CREATE TABLE `user` (`id` int(11) NOT NULL AUTO_INCREMENT,`username` varchar(32) CHARACTER SET utf8 COLLATE utf8_general_ci NULL DEFAULT NULL,`password` varchar(255) CHARACTER SET utf8 COLLATE utf8_general_ci NULL DEFAULT NULL,PRIMARY KEY (`id`) USING BTREE ) ENGINE = InnoDB AUTO_INCREMENT = 4 CHARACTER SET = utf8 COLLATE = utf8_general_ci ROW_FORMAT = Dynamic;-- ---------------------------- -- Records of user -- ---------------------------- INSERT INTO `user` VALUES (1, 'root', '$2a$10$RMuFXGQ5AtH4wOvkUqyvuecpqUSeoxZYqilXzbz50dceRsga.WYiq'); INSERT INTO `user` VALUES (3, '灰太狼', '$2a$10$RMuFXGQ5AtH4wOvkUqyvuecpqUSeoxZYqilXzbz50dceRsga.WYiq'); INSERT INTO `user` VALUES (4, '喜羊羊', '$2a$10$RMuFXGQ5AtH4wOvkUqyvuecpqUSeoxZYqilXzbz50dceRsga.WYiq'); INSERT INTO `user` VALUES (5, '懶羊羊', '$2a$10$RMuFXGQ5AtH4wOvkUqyvuecpqUSeoxZYqilXzbz50dceRsga.WYiq'); INSERT INTO `user` VALUES (6, '小灰灰', '$2a$10$RMuFXGQ5AtH4wOvkUqyvuecpqUSeoxZYqilXzbz50dceRsga.WYiq');-- ---------------------------- -- Table structure for user_role -- ---------------------------- DROP TABLE IF EXISTS `user_role`; CREATE TABLE `user_role` (`id` int(11) NOT NULL AUTO_INCREMENT,`uid` int(11) NULL DEFAULT NULL,`rid` int(11) NULL DEFAULT NULL,PRIMARY KEY (`id`) USING BTREE ) ENGINE = InnoDB AUTO_INCREMENT = 5 CHARACTER SET = utf8 COLLATE = utf8_general_ci ROW_FORMAT = Dynamic;-- ---------------------------- -- Records of user_role -- ---------------------------- INSERT INTO `user_role` VALUES (1, 1, 1); INSERT INTO `user_role` VALUES (2, 1, 2); INSERT INTO `user_role` VALUES (3, 1, 3); INSERT INTO `user_role` VALUES (4, 1, 4); INSERT INTO `user_role` VALUES (5, 3, 2); INSERT INTO `user_role` VALUES (6, 4, 3); INSERT INTO `user_role` VALUES (7, 6, 4); INSERT INTO `user_role` VALUES (8, 5, 1);SET FOREIGN_KEY_CHECKS = 1;

注意：這里的role跟上面的例子相比多加了ROLE_前綴。這是因?yàn)橹暗膔ole都是通過(guò)springsecurity的api賦值過(guò)去的，他會(huì)自行幫我們加上這個(gè)前綴。但是現(xiàn)在我們使用的是自己的數(shù)據(jù)庫(kù)里面讀取出來(lái)的權(quán)限，然后封裝到自己的實(shí)體類中。所以這時(shí)候需要我們自己手動(dòng)添加這個(gè)ROLE_前綴。經(jīng)過(guò)測(cè)試如果不加ROLE_前綴的話，可以做數(shù)據(jù)庫(kù)的認(rèn)證，但無(wú)法做授權(quán)

2.建實(shí)體類User，注意User需要實(shí)現(xiàn)UserDetails接口，并且實(shí)現(xiàn)該接口下的7個(gè)接口

package com.example.demo11.pojo;import lombok.AllArgsConstructor; import lombok.Data; import lombok.NoArgsConstructor; import org.springframework.security.core.GrantedAuthority; import org.springframework.security.core.authority.SimpleGrantedAuthority; import org.springframework.security.core.userdetails.UserDetails;import java.util.ArrayList; import java.util.Collection; import java.util.List;@Data @AllArgsConstructor @NoArgsConstructor public class User implements UserDetails {private Integer id;private String userName;private String passWord;private List<Role> roles;//該用戶對(duì)應(yīng)的角色/*** 返回用戶的權(quán)限集合。* @return*/@Overridepublic Collection<? extends GrantedAuthority> getAuthorities() {List<SimpleGrantedAuthority> authorities = new ArrayList<>();for (Role role : roles){authorities.add(new SimpleGrantedAuthority(role.getName()));System.out.println(authorities);}return authorities;}/*** 返回賬號(hào)的密碼* @return*/@Overridepublic String getPassword() {return passWord;}/*** 返回賬號(hào)的用戶名* @return*/@Overridepublic String getUsername() {return userName;}/*** 賬號(hào)是否失效，true:賬號(hào)有效，false賬號(hào)失效。* @return*/@Overridepublic boolean isAccountNonExpired() {return true;}/*** 賬號(hào)是否被鎖，true:賬號(hào)沒(méi)被鎖，可用；false：賬號(hào)被鎖，不可用* @return*/@Overridepublic boolean isAccountNonLocked() {return true;}/*** 賬號(hào)認(rèn)證是否過(guò)期，true:沒(méi)過(guò)期，可用；false：過(guò)期，不可用* @return*/@Overridepublic boolean isCredentialsNonExpired() {return true;}/*** 賬號(hào)是否可用，true:可用，false:不可用* @return*/@Overridepublic boolean isEnabled() {return true;} }

角色表實(shí)體類Role,這個(gè)類不用實(shí)現(xiàn)上述接口

package com.zsc.po;import lombok.AllArgsConstructor; import lombok.Data; import lombok.NoArgsConstructor;@Data @NoArgsConstructor @AllArgsConstructor public class Role {private Integer id;private String name;//角色的名字 }

接下來(lái)做數(shù)據(jù)庫(kù)的查詢，創(chuàng)建持久層接口（UserMapper和RoleMapper）

package com.example.demo.mapper;import com.example.demo.pojo.Role; import org.apache.ibatis.annotations.Mapper; import org.springframework.stereotype.Repository;import java.util.List;@Mapper @Repository public interface RoleMapper {/*** 通過(guò)用戶id獲取用戶角色集合** @param userId 用戶id* @return List<Role> 角色集合*/List<Role> getRolesByUserId(Integer userId);} package com.example.demo.mapper;import com.example.demo.pojo.User; import org.apache.ibatis.annotations.Mapper; import org.springframework.stereotype.Repository;import java.util.List;@Mapper @Repository public interface UserMapper {/*** 通過(guò)用戶名獲取用戶信息** @param username 用戶名* @return User 用戶信息*/List<User> getUserByUsername(String username);}

持久層接口對(duì)應(yīng)配置文件（UserMapper.xml和RoleMapper.xml）

<?xml version="1.0" encoding="UTF-8" ?> <!DOCTYPE mapperPUBLIC "-//mybatis.org//DTD Mapper 3.0//EN""http://mybatis.org/dtd/mybatis-3-mapper.dtd"><mapper namespace="com.example.demo.mapper.RoleMapper"><resultMap id="roleMap" type="com.example.demo.pojo.Role"><id column="id" property="id"></id><result column="name" property="name"></result></resultMap><select id="getRolesByUserId" resultMap="roleMap">select * from role r,user_role ur where r.id = ur.rid and ur.uid = #{userId}</select></mapper> <?xml version="1.0" encoding="UTF-8" ?> <!DOCTYPE mapperPUBLIC "-//mybatis.org//DTD Mapper 3.0//EN""http://mybatis.org/dtd/mybatis-3-mapper.dtd"><mapper namespace="com.example.demo.mapper.UserMapper"><resultMap id="userMap" type="com.example.demo.pojo.User"><id column="id" property="id"></id><result column="username" property="userName"></result><result column="password" property="passWord"></result><collection property="roles" ofType="com.example.demo.pojo.Role"><id property="id" column="rid"></id><result column="rname" property="name"></result></collection></resultMap><select id="getUserByUsername" resultMap="userMap">select * from user where username = #{username}</select> </mapper>

源碼地址：SpringSecurity

總結(jié)

以上是生活随笔為你收集整理的SpringSecurity简单教程(源码开源免费提供）的全部?jī)?nèi)容，希望文章能夠幫你解決所遇到的問(wèn)題。

如果覺得生活随笔網(wǎng)站內(nèi)容還不錯(cuò)，歡迎將生活随笔推薦給好友。