springboot + springsecurity6.x的配置securityConfig.java
登录页面的DIY
/**
 * Builds the single security filter chain for the application.
 *
 * <p>Only {@code /login} is reachable without a session; every other request must be
 * authenticated. Form login is served by the application's own {@code /login} route and the
 * login POST is handled on the same path; a successful login is redirected to {@code /index}.
 * CSRF protection is left at Spring Security's defaults (enabled) and logout invalidates the
 * HTTP session.
 *
 * @param http the {@link HttpSecurity} builder supplied by Spring Security
 * @return the built {@link SecurityFilterChain}
 * @throws Exception if the underlying builder fails
 */
@Bean
public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
    return http
            // Authorization rules: login page open, everything else needs an authenticated session.
            .authorizeHttpRequests(requests -> requests
                    .requestMatchers("/login").permitAll()
                    .anyRequest().authenticated())
            // Login page rendered by our own route; the processing URL can be changed independently.
            .formLogin(form -> form
                    .loginPage("/login").permitAll()
                    .loginProcessingUrl("/login")
                    .defaultSuccessUrl("/index"))
            // Keep the framework's default CSRF protection in place.
            .csrf(Customizer.withDefaults())
            // Logout drops the server-side session.
            .logout(logout -> logout.invalidateHttpSession(true))
            .build();
}
认证和授权
/**
 * Spring Security configuration using fine-grained authorities.
 *
 * <p>Declares one filter chain with per-URL authority checks, form login, default CSRF
 * protection and session-invalidating logout, plus two in-memory users and the
 * {@link PasswordEncoder} used to hash their passwords. The users are demo data held in
 * memory; a real deployment would load users from a persistent store.
 */
@Configuration
@EnableWebSecurity
public class SecurityConfig {

    /**
     * Builds the application's security filter chain.
     *
     * <p>Authorization: {@code /admin/api} requires the {@code admin:api} authority,
     * {@code /user/api} accepts either {@code admin:api} or {@code user:api}, {@code /app/api}
     * and {@code /login} are open, and any other request needs an authenticated session.
     * The matchers are exact paths (no wildcard), so sub-paths fall through to the
     * {@code anyRequest()} rule. An authenticated but unauthorized request is sent to
     * {@code /noAuth/api}.
     *
     * @param http the {@link HttpSecurity} builder supplied by Spring Security
     * @return the built {@link SecurityFilterChain}
     * @throws Exception if the underlying builder fails
     */
    @Bean
    public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
        return http
                // Authority-based access rules, most specific first.
                .authorizeHttpRequests(requests -> requests
                        .requestMatchers("/admin/api").hasAuthority("admin:api")
                        .requestMatchers("/user/api").hasAnyAuthority("admin:api", "user:api")
                        .requestMatchers("/app/api").permitAll()
                        .requestMatchers("/login").permitAll()
                        .anyRequest().authenticated())
                // Where an authenticated user lands when an authority check fails.
                .exceptionHandling(handling -> handling.accessDeniedPage("/noAuth/api"))
                // Form login served by our own /login route; success redirects to /index.
                .formLogin(form -> form
                        .loginPage("/login").permitAll()
                        .loginProcessingUrl("/login")
                        .defaultSuccessUrl("/index"))
                // Framework default CSRF protection stays enabled.
                .csrf(Customizer.withDefaults())
                // Logout invalidates the HTTP session.
                .logout(logout -> logout.invalidateHttpSession(true))
                .build();
    }

    /**
     * Authentication source: two in-memory users whose passwords are stored as BCrypt hashes.
     *
     * <p>{@code admin} holds both {@code admin:api} and {@code user:api}; {@code user} holds
     * only {@code user:api}.
     *
     * @return the in-memory user store
     */
    @Bean
    public InMemoryUserDetailsManager inMemoryUserDetailsManager() {
        // Hash the stored passwords the same way the login filter will hash submitted ones.
        PasswordEncoder encoder = passwordEncoder();
        UserDetails adminUser = User.withUsername("admin")
                .password(encoder.encode("root"))
                .authorities("admin:api", "user:api")
                .build();
        UserDetails plainUser = User.withUsername("user")
                .password(encoder.encode("root"))
                .authorities("user:api")
                .build();
        return new InMemoryUserDetailsManager(adminUser, plainUser);
    }

    /**
     * Password hashing used both when storing passwords and when comparing a submitted
     * password against the stored hash.
     *
     * @return a BCrypt encoder
     */
    @Bean
    PasswordEncoder passwordEncoder() {
        return new BCryptPasswordEncoder();
    }
}
/**
 * Spring Security configuration using roles instead of individual authorities.
 *
 * <p>Declares one filter chain with per-URL role checks, form login, default CSRF
 * protection and session-invalidating logout, plus two in-memory users and the
 * {@link PasswordEncoder} used to hash their passwords. The users are demo data held in
 * memory; a real deployment would load users from a persistent store.
 */
@Configuration
@EnableWebSecurity
public class SecurityConfig {

    /**
     * Builds the application's security filter chain.
     *
     * <p>Authorization: {@code /admin/api} requires role {@code admin}, {@code /user/api}
     * accepts role {@code user} or {@code admin}, {@code /app/api} and {@code /login} are open,
     * and any other request needs an authenticated session. The matchers are exact paths (no
     * wildcard), so sub-paths fall through to the {@code anyRequest()} rule. An authenticated
     * but unauthorized request is sent to {@code /noAuth/api}.
     *
     * @param http the {@link HttpSecurity} builder supplied by Spring Security
     * @return the built {@link SecurityFilterChain}
     * @throws Exception if the underlying builder fails
     */
    @Bean
    public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
        return http
                // Role-based access rules; hasRole/hasAnyRole add the ROLE_ prefix themselves.
                .authorizeHttpRequests(requests -> requests
                        .requestMatchers("/admin/api").hasRole("admin")
                        .requestMatchers("/user/api").hasAnyRole("user", "admin")
                        .requestMatchers("/app/api").permitAll()
                        .requestMatchers("/login").permitAll()
                        .anyRequest().authenticated())
                // Access-denied page for authenticated users lacking the required role.
                .exceptionHandling(handling -> handling.accessDeniedPage("/noAuth/api"))
                // Form login served by our own /login route; success redirects to /index.
                .formLogin(form -> form
                        .loginPage("/login").permitAll()
                        .loginProcessingUrl("/login")
                        .defaultSuccessUrl("/index"))
                // Framework default CSRF protection stays enabled.
                .csrf(Customizer.withDefaults())
                // Logout endpoint: invalidates the HTTP session.
                .logout(logout -> logout.invalidateHttpSession(true))
                .build();
    }

    /**
     * Authentication source: two in-memory users whose passwords are stored as BCrypt hashes,
     * mirroring what a database would hold (ciphertext, never the plain password).
     *
     * <p>{@code admin} has roles {@code admin} and {@code user}; {@code user} has only
     * {@code user}. {@code roles(...)} stores each as a {@code ROLE_}-prefixed authority.
     *
     * @return the in-memory user store
     */
    @Bean
    public InMemoryUserDetailsManager inMemoryUserDetailsManager() {
        // Same encoder as the login filter, so stored hashes match submitted passwords.
        PasswordEncoder encoder = passwordEncoder();
        UserDetails adminUser = User.withUsername("admin")
                .password(encoder.encode("root"))
                .roles("admin", "user")
                .build();
        UserDetails plainUser = User.withUsername("user")
                .password(encoder.encode("root"))
                .roles("user")
                .build();
        return new InMemoryUserDetailsManager(adminUser, plainUser);
    }

    /**
     * Hashes the password submitted from the login form before it is compared against the
     * stored hash; the same encoder produces the stored hashes.
     *
     * @return a BCrypt encoder
     */
    @Bean
    PasswordEncoder passwordEncoder() {
        return new BCryptPasswordEncoder();
    }
}
ant匹配模式(略)
? 表示匹配单个字符
* 表示匹配0到任意个字符
** 表示匹配到任意个目录