使用 Spring Security 对接口进行访问权限控制
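<!-- Add the Spring Security starter. No <version> is given here, so it is
     presumably managed by the Spring Boot parent/BOM (confirm in the project POM). -->
<dependency>
    <groupId>org.springframework.boot</groupId>
    <artifactId>spring-boot-starter-security</artifactId>
</dependency>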
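package com.example.demo.api.rest.api.config;

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.core.userdetails.User;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.crypto.factory.PasswordEncoderFactories;
import org.springframework.security.provisioning.InMemoryUserDetailsManager;
import org.springframework.security.web.SecurityFilterChain;

/**
 * Security configuration for the demo REST API: one in-memory account
 * authenticated with HTTP Basic, and per-path authorization rules.
 */
@Configuration
// NOTE(review): suppressing every warning also hides deprecation warnings from the
// security DSL used below; consider narrowing or removing this annotation.
@SuppressWarnings("all")
public class WebSecurityConfig {

    /** Authority given to the demo account and required by every protected path. */
    private static final String ACCOUNT_CLIENT_AUTHORITY = "admin";

    /**
     * Registers the single in-memory account used for HTTP Basic authentication.
     *
     * <p>Demo only: the username and password are hard-coded in source. In a real
     * deployment, load them from external configuration or a secret store and keep
     * them out of version control.
     *
     * @return a user store containing the one demo account
     */
    @Bean
    UserDetailsService userDetailsService() {
        InMemoryUserDetailsManager users = new InMemoryUserDetailsManager();
        users.createUser(User.withUsername("aaa")
                // The password is stored in encoded form, not as plain text.
                .password(PasswordEncoderFactories.createDelegatingPasswordEncoder().encode("bbb"))
                .authorities(ACCOUNT_CLIENT_AUTHORITY).build());
        return users;
    }

    /**
     * Configures which endpoints are public and which require the demo authority.
     *
     * <p>Rules are listed most-specific first: {@code /api/BasicAuth-no} is open to
     * everyone, and every other path requires {@link #ACCOUNT_CLIENT_AUTHORITY}.
     *
     * <p>HTTP Basic sends the credentials with every request, merely Base64-encoded,
     * so these endpoints should only be served over HTTPS.
     *
     * @param http the security builder supplied by Spring
     * @return the filter chain built from the rules below
     * @throws Exception if the chain cannot be built
     */
    @Bean
    SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
        // NOTE(review): authorizeRequests()/antMatchers() belong to the older DSL; newer
        // Spring Security releases replace them with authorizeHttpRequests()/requestMatchers().
        // Check against the version in use.
        return http
                .authorizeRequests().antMatchers("/api/BasicAuth-no").permitAll()
                // "/**" already covers every remaining path, so the trailing
                // anyRequest().authenticated() rule is never the one that decides.
                .antMatchers("/**").hasAuthority(ACCOUNT_CLIENT_AUTHORITY).anyRequest().authenticated()
                .and()
                .httpBasic()
                .and()
                // CSRF protection is switched off. That is only appropriate while no browser
                // client uses these endpoints: a browser re-sends cached Basic credentials
                // automatically, so a browser-facing API would still need CSRF protection.
                .csrf()
                .disable()
                .build();
    }
}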
然后写两个接口
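package com.example.demo.api.rest.api.controller;

import org.springframework.web.bind.annotation.RequestBody;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.RestController;

/**
 * Two demo endpoints under {@code /api}, used to show one public and one protected path.
 *
 * <p>Neither mapping restricts the HTTP method, so every method is accepted.
 * Access control is not done here. It depends entirely on the path rules in the
 * security configuration, so the paths below must stay in sync with those rules.
 */
@RestController
@SuppressWarnings("all")
@RequestMapping("api")
public class ApiController {

    /**
     * Public endpoint: http://localhost:8080/api/BasicAuth-no
     *
     * @param body raw request body; {@code @RequestBody} makes it required, so a
     *             request without a body is rejected before this method runs
     * @return a fixed message saying that no access permission is needed
     */
    @RequestMapping("BasicAuth-no")
    public String BasicAuth_no(@RequestBody String body){
        // NOTE(review): this path is reachable without authentication, and the body is
        // echoed to stdout unmodified. Outside a demo, log through a logger, cap the
        // size, and neutralise CR/LF so callers cannot forge or flood log entries.
        System.out.println(body);
        return "不需要访问权限";
    }

    /**
     * Protected endpoint: http://localhost:8080/api/BasicAuth-yes
     *
     * @param body raw request body; required
     * @return a fixed message saying that access permission is needed
     */
    @RequestMapping("BasicAuth-yes")
    public String BasicAuth_yes(@RequestBody String body){
        // NOTE(review): request bodies may contain sensitive data; avoid printing them
        // verbatim outside a demo.
        System.out.println(body);
        return "需要访问权限";
    }
}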
测试1,访问:BasicAuth-no(不需要访问权限)
测试2,访问:BasicAuth-yes(需要访问权限)
一、未提供账号密码时,接口返回 401(Unauthorized)
二、使用账号密码,访问通过
原创文章,转载请说明出处,谢谢合作