application.yml
server:
port: 80
spring:
thymeleaf:
cache: false #关闭Thymeleaf缓存
mengxuegu:
security:
authentication:
loginPage: /login/page #响应认证(登录)页面URL
loginProcessingUrl: /login/form #登录表单提交处理URL
usernameParameter: name # 登录表单用户名的属性名
passwordParameter: pwd # 登录表单密码的属性名
staticPaths: # 静态资源 "/dist/**", "/modules/**", "/plugins/**"
- /dist/**
- /modules/**
- /plugins/**
创建AuthenticationProperties类
package com.mengxuegu.security.properties;
import lombok.Data;
@Data
public class AuthenticationProperties {
// application.yml 没配置取默认值
private String loginPage = "/login/page";
private String loginProcessingUrl = "/login/form";
private String usernameParameter = "name";
private String passwordParameter = "pwd";
private String[] staticPaths = {"/dist/**", "/modules/**", "/plugins/**"};
}
创建SecurityProperties类
package com.mengxuegu.security.properties;
import org.springframework.boot.context.properties.ConfigurationProperties;
import org.springframework.stereotype.Component;
@Component // 不要少了
@ConfigurationProperties( prefix = "mengxuegu.security")
public class SecurityProperties {
// 将application.yml 中的 mengxuegu.security.authentication 下面的值绑定到此对象中
private AuthenticationProperties authentication;
public AuthenticationProperties getAuthentication() {
return authentication;
}
public void setAuthentication(AuthenticationProperties authentication) {
this.authentication = authentication;
}
}
在SpringSecurityConfig中应用
package com.mengxuegu.security.config;
import com.mengxuegu.security.properties.SecurityProperties;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.context.annotation.Bean;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.builders.WebSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
import org.springframework.security.crypto.password.PasswordEncoder;
/**
* alt+/ 导包
* ctrl+o 覆盖
* @Auther: 梦学谷 www.mengxuegu.com
*/
@EnableWebSecurity // 开启springsecurity过滤链 filter
public class SpringSecurityConfig extends WebSecurityConfigurerAdapter {
Logger logger = LoggerFactory.getLogger(getClass());
@Autowired
private SecurityProperties securityProperties;
@Bean
public PasswordEncoder passwordEncoder(){
// 明文+随机盐值-》加密存储
return new BCryptPasswordEncoder();
}
/**
* 认证管理器:
* 1. 认证信息(用户名,密码)
* @param auth
* @throws Exception
*/
@Override
protected void configure(AuthenticationManagerBuilder auth) throws Exception {
String password = passwordEncoder().encode("123456");
logger.info("加密之后存储的密码:"+password);
auth.inMemoryAuthentication().withUser("root").password(password).authorities("ADMIN");
}
/**
* 资源权限配置:
* 1. 被拦截的资源
* @param http
* @throws Exception
*/
@Override
protected void configure(HttpSecurity http) throws Exception {
System.out.println("用户认证");
// http.httpBasic() // 采用 httpBasic认证方式
http.formLogin() // 表单登录方式
.loginPage(securityProperties.getAuthentication().getLoginPage()) //配置登录页面
.loginProcessingUrl(securityProperties.getAuthentication().getLoginProcessingUrl()) //登录表单提交处理url,默认是/login
.usernameParameter(securityProperties.getAuthentication().getUsernameParameter())
.passwordParameter(securityProperties.getAuthentication().getPasswordParameter())
.and()
.authorizeRequests() // 认证请求
.antMatchers(securityProperties.getAuthentication().getLoginPage()).permitAll()
.anyRequest().authenticated() //所有访问该应用的http请求都要通过身份认证才可以访问
; // 注意不要少了分号
}
/**
* 一般针对静态资源放行
* @param web
*/
@Override
public void configure(WebSecurity web) {
web.ignoring().antMatchers(securityProperties.getAuthentication().getStaticPaths());
}
}
