Spring Boot Security(一)

Spring Security 配置

参考 https://docs.spring.io/spring-security/site/docs/5.4.1/guides/#hello-world

1、首先在 pom.xml 文件中添加 Spring Security

<!-- Spring Security starter for Spring Boot. No <version> element is given here,
     so the version is presumably managed by the project's Spring Boot parent/BOM (confirm). -->
<dependency>
     <groupId>org.springframework.boot</groupId>
     <artifactId>spring-boot-starter-security</artifactId>
</dependency>

2、编写配置文件

package com.wkw.bms.test.config;

import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.context.annotation.Bean;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.crypto.password.PasswordEncoder;

/**
 * @author : Administrator
 * @project : BMS
 * @date : 2020/10/20 21:37
 **/

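/**
 * Web security configuration: URL authorization rules, form login, remember-me,
 * logout, and a single in-memory demo account.
 */
@EnableWebSecurity
public class SecurityConfig extends WebSecurityConfigurerAdapter
{
    /**
     * Request-parameter names of the username and password inputs in the login form.
     */
    private static final String USER_NAME_ATTRIBUTE = "username";
    private static final String USER_PASSWORD_ATTRIBUTE = "password";
    /**
     * Role names. hasRole(...) and roles(...) add the "ROLE_" prefix themselves.
     */
    private static final String USER_ROLE = "USER";
    private static final String ADMIN_ROLE = "ADMIN";

    /**
     * Defines the authorization rules, the form login, remember-me and logout.
     *
     * @param http the security builder to configure
     * @throws Exception if the configuration cannot be applied
     */
    @Override
    protected void configure (HttpSecurity http)
    throws Exception
    {
        // Authorization rules. Matchers are evaluated in declaration order and the
        // first match wins, so specific patterns must come before "/**".
        http.authorizeRequests()
                // The login page and the listed public pages need no authentication
                .antMatchers("/login","/error","/about").permitAll()
                // Static resources are public.
                // NOTE(review): "/data/**" is served without authentication; confirm it holds nothing sensitive.
                .antMatchers("/css/**","/data/**","/fonts/**","/icons-reference/**","/img/**","/js/**","/vendor/**").permitAll()
                // System administration pages require the ADMIN role. This rule has to
                // precede "/**": placed after it, it is never reached and any USER
                // could open /sys/**.
                .antMatchers("/sys/**").hasRole(ADMIN_ROLE)
                // Every other page requires a logged-in USER.
                // NOTE(review): "/register" is not in the permitAll list, so the /register
                // mapping in BaseController is reachable only after login (confirm intended).
                .antMatchers("/**").hasRole(USER_ROLE)
                // Fail-closed fallback; "/**" above already covers every path.
                .anyRequest()
                .authenticated();
        // Login configuration
        http.formLogin()
                // Custom login page
                .loginPage("/login")
                // URL that processes the login request; it must equal the action of the form
                // in login.html. Spring Security performs the authentication itself and, on
                // success, forwards the request to successForwardUrl.
                .loginProcessingUrl("/login-check")
                .usernameParameter(USER_NAME_ATTRIBUTE)
                .passwordParameter(USER_PASSWORD_ATTRIBUTE)
                // The handler behind successForwardUrl must accept POST requests
                .successForwardUrl("/login-check")
                .permitAll()
                .and()
                // Remember-me with default settings.
                // NOTE(review): no explicit key is set, so one is generated per application
                // start; review cookie lifetime and token storage before production use.
                .rememberMe();


        // Logout configuration
        http.logout()
                .logoutUrl("/logout")
                .invalidateHttpSession(true)
                .logoutSuccessUrl("/login")
                .permitAll()
                .and()
                // SECURITY: CSRF protection is switched off. State-changing requests
                // (the login POST, /logout, any form handler) are then not protected
                // against cross-site request forgery, and /logout is accepted for any
                // HTTP method. Prefer leaving CSRF enabled and sending the CSRF token
                // from the forms; kept disabled here because the page's templates are
                // not shown.
                .csrf()
                .disable();

    }

    /**
     * Defines the authentication source: one in-memory account.
     *
     * @param auth the authentication manager builder to configure
     * @throws Exception if the configuration cannot be applied
     */
    @Override
    protected void configure (AuthenticationManagerBuilder auth)
    throws Exception
    {
        // SECURITY: demo-only account. The credential is hard-coded, the password equals
        // the user name, and the account holds both USER and ADMIN. Replace it with a
        // real user store and externally provisioned secrets before any deployment.
        auth.inMemoryAuthentication()
                .withUser("zolmk").password("zolmk").roles(USER_ROLE,ADMIN_ROLE);
    }

    /**
     * Exposes the password encoder used to verify submitted passwords.
     *
     * @return the custom encoder from this package
     */
    @Bean
    public PasswordEncoder passwordEncoder()
    {
        // SECURITY: the custom encoder shown on this page returns the raw password from
        // encode(), so passwords are stored and compared as plaintext. Use an adaptive hash
        // (for example BCryptPasswordEncoder) outside of demos.
        return new com.wkw.bms.test.config.PasswordEncoder();
    }
}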

3、对应的 Controller

package com.wkw.bms.controller;

import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.stereotype.Controller;
import org.springframework.web.bind.annotation.PathVariable;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.RequestMethod;

import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import java.io.IOException;

/**
 * @author : Administrator
 * @project : BMS
 * @date : 2020/10/25 19:02
 **/

/**
 * Serves the application's pages. Every handler returns a view name or a
 * redirect; access control for these paths is defined in SecurityConfig.
 */
@Controller
@RequestMapping("/")
public class BaseController {

    /** Renders the login page. */
    @RequestMapping(
            value = {"/login", "/login.html"},
            method = RequestMethod.GET)
    public String login() {
        return "login";
    }

    /**
     * Target of the forward that SecurityConfig issues after a successful form
     * login (successForwardUrl), hence the POST mapping.
     *
     * @param request  the forwarded login request (currently unused)
     * @param response the response (currently unused)
     * @return a redirect to the index page
     */
    @RequestMapping(
            value = {"/login-check"},
            method = RequestMethod.POST)
    public String loginCheck(HttpServletRequest request, HttpServletResponse response) {
        // Place to pass some information along after login
        return "redirect:index.html";
    }

    /** Renders the index page. */
    @RequestMapping(
            value = {"/index", "/index.html", "/main.html", "/"},
            method = RequestMethod.GET)
    public String index() {
        return "index";
    }

    /** Renders the charts page. */
    @RequestMapping(
            value = {"/charts", "/charts.html"},
            method = RequestMethod.GET)
    public String charts() {
        return "charts";
    }

    /** Renders the forms page. */
    @RequestMapping(
            value = {"/forms", "/forms.html"},
            method = RequestMethod.GET)
    public String forms() {
        return "forms";
    }

    /** Renders the registration page. */
    @RequestMapping(
            value = {"/register", "/register.html"},
            method = RequestMethod.GET)
    public String register() {
        return "register";
    }

    /** Renders the tables page. */
    @RequestMapping(
            value = {"/tables", "/tables.html"},
            method = RequestMethod.GET)
    public String tables() {
        return "tables";
    }
}

4、对应的 PasswordEncoder(自己定制)。注意:该实现不做任何哈希,密码以明文保存和比较,仅适合本地演示;正式环境应使用 BCryptPasswordEncoder 等自适应哈希编码器。

package com.wkw.bms.test.config;

/**
 * @author : Administrator
 * @project : BMS
 * @date : 2020/10/24 22:04
 **/

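/**
 * Pass-through password encoder: the "encoded" form is the raw password itself.
 *
 * SECURITY: passwords handled by this class are stored and compared as plaintext,
 * so anyone who can read the user store reads every password. Use it for local demos
 * only; for real accounts use an adaptive hash such as BCryptPasswordEncoder.
 */
public class PasswordEncoder implements org.springframework.security.crypto.password.PasswordEncoder
{

    /**
     * Returns the raw password unchanged (no hashing, no salt).
     *
     * @param rawPassword the password as entered; must not be null
     * @return the same characters as a String
     * @throws NullPointerException if rawPassword is null
     */
    @Override
    public String encode (CharSequence rawPassword)
    {
        return java.util.Objects.requireNonNull(rawPassword, "rawPassword").toString();
    }

    /**
     * Compares the submitted password with the stored value character by character.
     *
     * @param rawPassword     the password submitted at login
     * @param encodedPassword the stored value (plaintext with this encoder)
     * @return true only when both are present, the stored value is non-empty, and they are equal
     */
    @Override
    public boolean matches (CharSequence rawPassword, String encodedPassword)
    {
        // Fail closed instead of throwing: a missing or empty stored password must
        // never authenticate anyone.
        if (rawPassword == null || encodedPassword == null || encodedPassword.isEmpty())
        {
            return false;
        }
        return rawPassword.toString().equals(encodedPassword);
    }
}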
