第十三章-SpringBoot 与安全
安全框架
- shiro
- Spring Security
认证 Authentication 建立用户,证明 授权 Authorization 访问权限
登录&认证&授权依赖
org.springframework.boot
spring-boot-starter-security
org.springframework.boot
spring-boot-starter-web
控制器
package com.example.demo.controller;
import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.RestController;
@RestController
public class HelloController {
@GetMapping("/hello")
public String hello() {
return "hello";
}
}
访问http://localhost:8080/hello 没有登录会跳转到 /login
用户名:user
密码:控制台 Using generated security password
自定义用户名密码
application.properties
#自定义用户名和密码
spring.security.user.name=user
spring.security.user.password=1234567
配置认证和授权
package com.example.demo.config;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.builders.WebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.AuthenticationException;
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
import org.springframework.security.crypto.password.PasswordEncoder;
import org.springframework.security.web.authentication.AuthenticationFailureHandler;
import org.springframework.security.web.authentication.AuthenticationSuccessHandler;
import org.springframework.security.web.authentication.logout.LogoutSuccessHandler;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import java.io.IOException;
import java.io.PrintWriter;
@Configuration
public class SecurityConfig extends WebSecurityConfigurerAdapter {
@Override
protected void configure(AuthenticationManagerBuilder auth) throws Exception {
//下面这两行配置表示在内存中配置了两个用户
auth.inMemoryAuthentication()
.withUser("admin").roles("admin").password("$2a$10$7yOhpFTiwfkZaLRaArPJDu.Si4oWwQKmPIcnzPOOgBwstxoEh4gaK")
.and()
.withUser("user").roles("user").password("$2a$10$YjknRoz.3BfTOVQZbcxgN.v5w.yLrOGY8glV.IvqSBUVy29C..vU6");
}
@Bean
PasswordEncoder passwordEncoder() {
return new BCryptPasswordEncoder();
}
@Override
protected void configure(HttpSecurity http) throws Exception {
http.authorizeRequests()//开启登录配置
.antMatchers("/hello").hasRole("admin")//表示访问 /hello 这个接口,需要具备 admin 这个角色
.anyRequest().authenticated()//表示剩余的其他接口,登录之后就能访问
.and()
.formLogin()
//定义登录页面,未登录时,访问一个需要登录之后才能访问的接口,会自动跳转到该页面
.loginPage("/login")
// 登录处理接口
.loginProcessingUrl("/doLogin")
// 定义登录时,用户名的 key,默认为 username
.usernameParameter("username")
// 定义登录时,用户密码的 key,默认为 password
.passwordParameter("password")
//登录成功的处理器
.successHandler(new AuthenticationSuccessHandler() {
@Override
public void onAuthenticationSuccess(HttpServletRequest req, HttpServletResponse resp, Authentication authentication) throws IOException, ServletException {
resp.setContentType("application/json;charset=utf-8");
PrintWriter out = resp.getWriter();
out.write("success");
out.flush();
}
})
.failureHandler(new AuthenticationFailureHandler() {
@Override
public void onAuthenticationFailure(HttpServletRequest req, HttpServletResponse resp, AuthenticationException exception) throws IOException, ServletException {
resp.setContentType("application/json;charset=utf-8");
PrintWriter out = resp.getWriter();
out.write("fail");
out.flush();
}
})
.permitAll()//和表单登录相关的接口统统都直接通过
.and()
.logout()
.logoutUrl("/logout")
.logoutSuccessHandler(new LogoutSuccessHandler() {
@Override
public void onLogoutSuccess(HttpServletRequest req, HttpServletResponse resp, Authentication authentication) throws IOException, ServletException {
resp.setContentType("application/json;charset=utf-8");
PrintWriter out = resp.getWriter();
out.write("logout success");
out.flush();
}
})
.permitAll()
.and()
.httpBasic()
.and()
.csrf().disable();
}
// 忽略拦截
@Override
public void configure(WebSecurity web) throws Exception {
web.ignoring().antMatchers("/vercode");
}
}
Bcrypt 密码验证测试
package com.example.demo;
import org.junit.jupiter.api.Test;
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
class SecurityDemoApplicationTests {
@Test
void contextLoads() {
String rawPassword = "123456";
// 加密
BCryptPasswordEncoder encoder = new BCryptPasswordEncoder();
String password = encoder.encode(rawPassword);
System.out.println(password);
// 比对
String encodePassword = "$2a$10$7yOhpFTiwfkZaLRaArPJDu.Si4oWwQKmPIcnzPOOgBwstxoEh4gaK";
boolean ret = encoder.matches(rawPassword, encodePassword);
System.out.println(ret);
}
}
常用配置
// 定制请求的授权规则
http.authorizeRequests()
.antMatchers("/").permitAll()
.antMatchers("/vip1/**").hasRole("VIP1")
.antMatchers("/vip2/**").hasRole("VIP2")
.antMatchers("/vip3/**").hasRole("VIP3");
// 开启登录功能 /login GET 去登录页,POST 提交登录数据
http.formLogin()
// 自定义登录页
http.formLogin().loginPage("/user-login");
// 自定义登录请求参数
http.formLogin()
.usernameParameter("username")
.passwordParameter("password")
.loginPage("/user-login");
// 开启注销功能
http.logout().logoutSuccessUrl("/")
// 记住我,将用户信息保存在cookie中
http.remenberMe();
