springsecurity实战

springsecurity是一种安全性框架,主要用于进行权限验证,下面是其基本使用方法:

• pom.xml

<dependency>
      <groupId>org.springframework.security</groupId>
      <artifactId>spring-security-core</artifactId>
      <version>RELEASE</version>
    </dependency>
    <dependency>
      <groupId>org.springframework.security</groupId>
      <artifactId>spring-security-config</artifactId>
      <version>RELEASE</version>
    </dependency>
    <dependency>
      <groupId>org.springframework.security</groupId>
      <artifactId>spring-security-web</artifactId>
      <version>RELEASE</version>
    </dependency>
    <dependency>
      <groupId>org.springframework.security</groupId>
      <artifactId>spring-security-taglibs</artifactId>
      <version>RELEASE</version>
    </dependency>
    <dependency>
      <groupId>com.alibaba</groupId>
      <artifactId>druid</artifactId>
      <version>1.0.11</version>
    </dependency>
    <dependency>
      <groupId>org.thymeleaf.extras</groupId>
      <artifactId>thymeleaf-extras-springsecurity4</artifactId>
      <version>2.1.2.RELEASE</version>
    </dependency>

• 设置filterproxy

  filterproxy是一个特殊的拦截器,用于拦截请求.在springsecurity中,我们需要注册DelegatingFilterProxy.只需要一个继承了
  AbstractSecurityWebApplicationInitializer的类即可,spring会自动找到它,并且在web容器注册

/**
 * 开启springsecurity
 */
public class SecurityWebInitializer extends AbstractSecurityWebApplicationInitializer{

}

• 编写安全性配置

  我们需要安全性配置来配置对应的安全属性.注意,该配置类应该在继承AbstractSecurityWebApplicationInitializer的类
  的子包下.

全部的安全配置见下:

@Configuration
@EnableWebSecurity
public class SecurityConfig extends WebSecurityConfigurerAdapter{

    @Autowired
    DataSource dataSource;
    @Autowired
    UserRepository userRepository;

    @Bean
    public SaltSource saltSource() {
        //设置盐为hlhdidi
        return new SaltSource() {
            @Override
            public Object getSalt(UserDetails userDetails) {
                return "hlhdidi";
            }
        };
    }

    // 设置盐,用户服务service和md5编码
    @Bean
    public AuthenticationProvider authenticationProvider(){
        DaoAuthenticationProvider provider = new DaoAuthenticationProvider();
        provider.setUserDetailsService(new UserInfoService(userRepository));
        provider.setPasswordEncoder(new Md5PasswordEncoder());
        provider.setSaltSource(saltSource());
        return provider;
    }

    @Override
    protected void configure(AuthenticationManagerBuilder auth) throws Exception {
        auth.authenticationProvider(authenticationProvider());
    }



    @Override
    protected void configure(HttpSecurity http) throws Exception {
        // 对/user进行认证,对于其他请求允许通过
        http.authorizeRequests().antMatchers("/user").authenticated()
                .antMatchers("/item/**").authenticated()
                .antMatchers("/item/**").hasAuthority("ADMIN") //item/**的请求需要权限验证.
                .anyRequest().permitAll(); // 其他请求允许通过
       // loginPage是调用/login返回的接口,登出成功访问的url为/home,开通rememberMe.
        http.formLogin().loginPage("/login").and().logout().logoutSuccessUrl("/home")
                .and().rememberMe()
                .tokenValiditySeconds((2419200)).key("userKey");//设置token时间和私钥名称.
        // 关闭csrf,否则logout会有问题
        http.csrf().disable();
    }

}

• rememberMe

  上面的安全配置开启了rememberMe,这里我们需要的就是提供rememberMe的选项,可以看看login.html页面,它提供了rememberMe的
  checkbox,它在Login.html页面里.

  <!--springsecurity会自动识别这个Login..-->
     <form name="f" th:action="@{/login}" method="post">
         username : <input type="text" name="username" /><br/>
         password : <input type="password" name="password"/> <br/>
         <input type="submit" value="LOGIN"/>
         <!--checkbox会被识别-->
         remember me :<input id="remember_me" name="remember-me" type="checkbox"/>
     </form>

• 自定义的用户服务

  即UserDetailService.如下:

public class UserInfoService  implements UserDetailsService {

    UserRepository userRepository;

    public UserInfoService(UserRepository userRepository) {
        this.userRepository = userRepository;
    }

    @Override
    public UserDetails loadUserByUsername(String username)
            throws UsernameNotFoundException {
        UserInfo user = userRepository.findUserByUsername(username);

        if(user != null) {
            List<GrantedAuthority> authorities = new ArrayList<>();
            // 设置用户的权限.
            authorities.add(new SimpleGrantedAuthority("ROLE_USER"));
            return new User(user.getUsername(),user.getPassword(),authorities);
        }
        // 抛出异常不会打印在日志里面,会调回登录页面
        throw new UsernameNotFoundException("can not found username !");
    }


}

• 保护视图

  采用thymeleaf的一些标签可以去保证某些连接不被没权限的用户访问,如下所示:

  首先需要引入thymeleaf对应的springsecurity标签库

<html lang="en" xmlns = "http://www.w3.org/1999/xhtml"
      xmlns:th = "http://www.thymeleaf.org"
      xmlns:sec = "http://www.thymeleaf.org/thymeleaf-extras-springsecurity4">

接着使用标签:

<span sec:authorize-url="/item/detail">
            <td align="center" width="150px"><a th:href="@{'/item/detail/' + ${i.id}}">详情</a></td>
</span>

• 配置错误页面

需要注意的是springsecurity如果没有权限访问会跳转到一个默认的错误页面.因此我们需要配置错误页面,只需在web.xml里面
声明即可.

<error-page>
		<error-code>403</error-code>
		<location>/WEB-INF/templates/error/error_403.html</location>
	</error-page>