springsecurity 6.x

springboot + springsecurity6.x的配置securityConfig.java

登录页面的DIY

@Bean
    public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
        http.authorizeHttpRequests(author ->
                    author.requestMatchers("/login").permitAll()
                    .anyRequest().authenticated()
        );
        //登录页面和登录接口的设置
        http.formLogin(login->
            login.loginPage("/login").permitAll()  // 登录页面,走自己的路由
                    .loginProcessingUrl("/login") // 登录接口,也可以DIY
                    .defaultSuccessUrl("/index")
        );

        http.csrf(Customizer.withDefaults()); //csrf漏洞防御
        http.logout(logout-> logout.invalidateHttpSession(true));// logout设置
        return http.build();
    }

认证和授权

  • 权限管理
@Configuration
@EnableWebSecurity
public class SecurityConfig {
    @Bean
    public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
        http.authorizeHttpRequests(author ->
              // 权限
            author
                    .requestMatchers("/admin/api").hasAuthority("admin:api")
                    .requestMatchers("/user/api").hasAnyAuthority("admin:api","user:api")
                    .requestMatchers("/app/api").permitAll()
                    .requestMatchers("/login").permitAll()
                    .anyRequest().authenticated()
        );
        http.exceptionHandling(e -> e.accessDeniedPage("/noAuth/api"));
        http.formLogin(login->
            login.loginPage("/login").permitAll()
                    .loginProcessingUrl("/login")
                    .defaultSuccessUrl("/index")
        );
        http.csrf(Customizer.withDefaults());
        http.logout(logout-> logout.invalidateHttpSession(true));
        return http.build();
    }

    @Bean // 认证
    public InMemoryUserDetailsManager inMemoryUserDetailsManager() {
        UserDetails admin = User.withUsername("admin").password(passwordEncoder().encode("root"))
                .authorities("admin:api","user:api").build();
        UserDetails user = User.withUsername("user").password(passwordEncoder().encode("root"))
                .authorities("user:api").build();
        return new InMemoryUserDetailsManager(admin,user);
    }

    @Bean
    PasswordEncoder passwordEncoder(){
        return new BCryptPasswordEncoder();
    }
}
  • 角色管理
@Configuration
@EnableWebSecurity
public class SecurityConfig {
    @Bean
    public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
        http.authorizeHttpRequests(author ->
                // 配置角色,进行权接口权限的分配
            author
                    .requestMatchers("/admin/api").hasRole("admin")
                    .requestMatchers("/user/api").hasAnyRole("user","admin")
                    .requestMatchers("/app/api").permitAll()
                    .requestMatchers("/login").permitAll()
                    .anyRequest().authenticated()
        );
		// 没有权限异常处理页面跳转
        http.exceptionHandling(e -> e.accessDeniedPage("/noAuth/api"));

        http.formLogin(login->
            login.loginPage("/login").permitAll()
                    .loginProcessingUrl("/login")
                    .defaultSuccessUrl("/index")
        );
        http.csrf(Customizer.withDefaults());
		
		// logout接口
        http.logout(logout-> logout.invalidateHttpSession(true));
        return http.build();
    }

    @Bean
    public InMemoryUserDetailsManager inMemoryUserDetailsManager() {
	//注意这里也要加密,相当与数据库中的密码存储的应该是密文
        UserDetails admin = User.withUsername("admin").password(passwordEncoder().encode("root")).roles("admin","user").build();
        UserDetails user = User.withUsername("user").password(passwordEncoder().encode("root")).roles("user").build();
        return new InMemoryUserDetailsManager(admin,user);
    }
	// 这个是明文加密,前端输入的密码,加密后与数据库中的比较
    @Bean
    PasswordEncoder passwordEncoder(){
        return new BCryptPasswordEncoder();
    }
}

ant匹配模式(略)

? 表示匹配单个字符
* 表示匹配0到任意个字符
** 表示匹配到任意个目录
posted @ 2023-09-25 10:13  MaoShine  阅读(268)  评论(0编辑  收藏  举报