Official site: Spring Security Chinese documentation and reference manual (Chinese edition)
1. Spring Security basics
The veteran permission-management framework in the Java world is Shiro. Shiro has many strengths, such as being lightweight, simple and easy to integrate. Of course Shiro also has weaknesses: its OAuth2 support is limited, and it cannot fully show its advantages alongside Spring Boot. Especially with the current popularity of Spring Boot and Spring Cloud, Spring Security is moving to center stage.
For a permission-management framework, whether Shiro or Spring Security, the core functionality comes down to two things: authentication and authorization.
Put simply, authentication is what we usually call login, and authorization is permission checking: deciding whether a request holds the permission it needs.
Spring Security supports URL-based request authorization (as in the 微人事 project), method-level authorization and domain-object authorization.
Security is a topic that never runs out of things to say. A simple registration-and-login page is easy to build, but once you account for the various attacks (XSS, CSRF and so on), even a simple registration-and-login can become quite complex.
Fortunately, even if you are not very familiar with these attacks, simply using Spring Security already avoids many of them, because Spring Security does a lot of the protection for us automatically.
2. Spring Boot + Security + MySQL
2.1 Project UI screenshot
2.2 Create the database
```sql
SET NAMES utf8mb4;
SET FOREIGN_KEY_CHECKS = 0;

-- ----------------------------
-- Table structure for role
-- ----------------------------
DROP TABLE IF EXISTS `role`;
CREATE TABLE `role` (
  `id` int NOT NULL AUTO_INCREMENT,
  `name` varchar(255) CHARACTER SET utf8 COLLATE utf8_general_ci NULL DEFAULT NULL,
  PRIMARY KEY (`id`) USING BTREE
) ENGINE = InnoDB AUTO_INCREMENT = 3 CHARACTER SET = utf8 COLLATE = utf8_general_ci ROW_FORMAT = DYNAMIC;

-- ----------------------------
-- Records of role
-- ----------------------------
INSERT INTO `role` VALUES (1, 'admin');
INSERT INTO `role` VALUES (2, 'user');

-- ----------------------------
-- Table structure for user
-- ----------------------------
DROP TABLE IF EXISTS `user`;
CREATE TABLE `user` (
  `id` int NOT NULL AUTO_INCREMENT,
  `username` varchar(255) CHARACTER SET utf8 COLLATE utf8_general_ci NULL DEFAULT NULL,
  `password` varchar(255) CHARACTER SET utf8 COLLATE utf8_general_ci NULL DEFAULT NULL,
  PRIMARY KEY (`id`) USING BTREE
) ENGINE = InnoDB AUTO_INCREMENT = 4 CHARACTER SET = utf8 COLLATE = utf8_general_ci ROW_FORMAT = DYNAMIC;

-- ----------------------------
-- Records of user
-- passwords are BCrypt hashes ($2a$10$ prefix); admin and zhangsan both use the password 123 (see section 4)
-- ----------------------------
INSERT INTO `user` VALUES (1, 'admin', '$2a$10$BR05R/2KEZasiHovU.5Seuq0vllT5SCRCDn5xmXEe8hF/4BO9OyrO');
INSERT INTO `user` VALUES (2, 'zhangsan', '$2a$10$BR05R/2KEZasiHovU.5Seuq0vllT5SCRCDn5xmXEe8hF/4BO9OyrO');
INSERT INTO `user` VALUES (3, 'zhaosi', '$2a$10$f/FUkz92i6xpHS/9sB7ZmO1gmm/0E748FzBC6FEfDqOmmHTcapMD2');

-- ----------------------------
-- Table structure for userrole
-- ----------------------------
DROP TABLE IF EXISTS `userrole`;
CREATE TABLE `userrole` (
  `id` int NOT NULL AUTO_INCREMENT,
  `uid` int NULL DEFAULT NULL,
  `rid` int NULL DEFAULT NULL,
  PRIMARY KEY (`id`) USING BTREE
) ENGINE = InnoDB AUTO_INCREMENT = 4 CHARACTER SET = utf8 COLLATE = utf8_general_ci ROW_FORMAT = DYNAMIC;

-- ----------------------------
-- Records of userrole
-- ----------------------------
INSERT INTO `userrole` VALUES (1, 1, 1);
INSERT INTO `userrole` VALUES (2, 1, 2);
INSERT INTO `userrole` VALUES (3, 2, 2);
SET FOREIGN_KEY_CHECKS = 1;
```
3. Create the Spring Boot project
3.1 pom.xml dependencies
```xml
<?xml version="1.0" encoding="UTF-8"?>
<project xmlns="http://maven.apache.org/POM/4.0.0"
         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 https://maven.apache.org/xsd/maven-4.0.0.xsd">
    <modelVersion>4.0.0</modelVersion>
    <parent>
        <groupId>org.springframework.boot</groupId>
        <artifactId>spring-boot-starter-parent</artifactId>
        <version>2.6.2</version>
        <relativePath/>
    </parent>
    <groupId>com.xmx</groupId>
    <artifactId>springsecurity_j9_demo1</artifactId>
    <version>0.0.1-SNAPSHOT</version>
    <packaging>war</packaging>
    <name>springsecurity_j9_demo1</name>
    <description>Demo project for Spring Boot</description>
    <properties>
        <java.version>1.8</java.version>
    </properties>
    <dependencies>
        <dependency>
            <groupId>org.springframework.boot</groupId>
            <artifactId>spring-boot-starter-security</artifactId>
        </dependency>
        <dependency>
            <groupId>org.springframework.boot</groupId>
            <artifactId>spring-boot-starter-thymeleaf</artifactId>
        </dependency>
        <dependency>
            <groupId>org.springframework.boot</groupId>
            <artifactId>spring-boot-starter-web</artifactId>
        </dependency>
        <dependency>
            <groupId>org.thymeleaf.extras</groupId>
            <artifactId>thymeleaf-extras-springsecurity5</artifactId>
        </dependency>
        <dependency>
            <groupId>org.springframework.boot</groupId>
            <artifactId>spring-boot-starter-tomcat</artifactId>
            <scope>provided</scope>
        </dependency>
        <dependency>
            <groupId>org.springframework.boot</groupId>
            <artifactId>spring-boot-starter-test</artifactId>
            <scope>test</scope>
        </dependency>
        <dependency>
            <groupId>org.springframework.security</groupId>
            <artifactId>spring-security-test</artifactId>
            <scope>test</scope>
        </dependency>
        <dependency>
            <groupId>org.mybatis.spring.boot</groupId>
            <artifactId>mybatis-spring-boot-starter</artifactId>
            <version>2.2.0</version>
        </dependency>
        <dependency>
            <groupId>mysql</groupId>
            <artifactId>mysql-connector-java</artifactId>
            <version>8.0.25</version>
            <scope>runtime</scope>
        </dependency>
    </dependencies>
    <build>
        <plugins>
            <plugin>
                <groupId>org.springframework.boot</groupId>
                <artifactId>spring-boot-maven-plugin</artifactId>
            </plugin>
        </plugins>
    </build>
</project>
```
3.2 application.properties configuration
```properties
# view resolver
spring.mvc.view.prefix=/
spring.mvc.view.suffix=.html
# mysql
spring.datasource.driver-class-name=com.mysql.cj.jdbc.Driver
spring.datasource.url=jdbc:mysql://127.0.0.1:3306/security?characterEncoding=utf-8
spring.datasource.username=root
spring.datasource.password=root
# dao
# must match the package directory layout
mybatis.type-aliases-package=com.xmx.springsecurity_j9_demo1.entity
mybatis.mapper-locations=classpath:mapping
```
Security configuration class (the listing on this page starts in the middle of the class and is cut off inside the authorizeRequests() chain; the class name SecurityConfig, its package, and the access rules after the first antMatchers() call are assumptions reconstructed from the behaviour described in section 4 and are marked as such in the comments)
```java
package com.xmx.springsecurity_j9_demo1.config;   // package assumed, not shown on the page

import com.xmx.springsecurity_j9_demo1.service.UserService;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
import org.springframework.security.crypto.password.PasswordEncoder;

@Configuration
@EnableWebSecurity
public class SecurityConfig extends WebSecurityConfigurerAdapter {

    @Autowired
    UserService userService;

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http.exceptionHandling().accessDeniedPage("/error.html");
        http.authorizeRequests()
                .antMatchers("/", "/userlogin")
                .permitAll()
                // add access rules per URL. The page's listing is cut off after this point; the rules
                // below are assumed from section 4: the admin backend needs ROLE_admin, the user backend ROLE_user
                .antMatchers("/admin/**").hasRole("admin")
                .antMatchers("/user/**").hasRole("user")
                .and()
                // custom login page served by UserController at /userlogin (assumed from the run results)
                .formLogin().loginPage("/userlogin").permitAll()
                .and()
                .logout().permitAll();
    }

    @Override
    protected void configure(AuthenticationManagerBuilder auth) throws Exception {
        // prints a BCrypt hash of "123" at startup; the author used it to seed the user table
        System.out.println(passwordEncoder().encode("123"));
        // load the user from the database together with its roles
        auth.userDetailsService(userService).passwordEncoder(passwordEncoder());
    }

    // password hashing algorithm
    @Bean
    public PasswordEncoder passwordEncoder() {
        return new BCryptPasswordEncoder();
    }
}
```
3.6 Controller layer
AdminController
```java
package com.xmx.springsecurity_j9_demo1.controller;

import org.springframework.stereotype.Controller;
import org.springframework.web.bind.annotation.RequestMapping;

@Controller
public class AdminController {

    @RequestMapping("/admin/list")
    public String list() {
        return "admin/adminIndex";
    }
}
```
UserController
```java
package com.xmx.springsecurity_j9_demo1.controller;

import org.springframework.stereotype.Controller;
import org.springframework.web.bind.annotation.RequestMapping;

@Controller
public class UserController {

    @RequestMapping("/userlogin")
    public String login() {
        System.out.println("-------login---------");
        return "login";
    }

    @RequestMapping("/index")
    public String index() {
        System.out.println("-------index---------");
        return "index";
    }

    @RequestMapping("/user/list")
    public String list() {
        return "user/userIndex";
    }
}
```
3.7 Dao layer
RoleDao
```java
package com.xmx.springsecurity_j9_demo1.dao;

import com.xmx.springsecurity_j9_demo1.entity.Role;
import org.apache.ibatis.annotations.Mapper;

import java.util.List;

@Mapper
public interface RoleDao {
    // all roles of the user with the given id
    List<Role> getRoles(int uid);
}
```
UserDao
```java
package com.xmx.springsecurity_j9_demo1.dao;

import com.xmx.springsecurity_j9_demo1.entity.User;
import org.apache.ibatis.annotations.Mapper;

@Mapper
public interface UserDao {
    // look a user up by username (the mapped statement must also fill the role list)
    User userLogin(String name);
}
```
3.8 Entity layer
Role
```java
package com.xmx.springsecurity_j9_demo1.entity;

public class Role {
    private int id;
    private String name;

    public int getId() {
        return id;
    }

    public void setId(int id) {
        this.id = id;
    }

    public String getName() {
        return name;
    }

    public void setName(String name) {
        this.name = name;
    }
}
```
User
```java
package com.xmx.springsecurity_j9_demo1.entity;

import java.util.List;

public class User {
    private int id;
    private String username;
    private String password;
    // role handling: one user object holds several role objects
    private List<Role> role;

    public int getId() {
        return id;
    }

    public void setId(int id) {
        this.id = id;
    }

    public String getUsername() {
        return username;
    }

    public void setUsername(String username) {
        this.username = username;
    }

    public String getPassword() {
        return password;
    }

    public void setPassword(String password) {
        this.password = password;
    }

    public List<Role> getRole() {
        return role;
    }

    public void setRole(List<Role> role) {
        this.role = role;
    }
}
```
3.9 Service layer
UserServiceImpl
```java
package com.xmx.springsecurity_j9_demo1.service.impl;

import com.xmx.springsecurity_j9_demo1.dao.UserDao;
import com.xmx.springsecurity_j9_demo1.entity.Role;
import com.xmx.springsecurity_j9_demo1.entity.User;
import com.xmx.springsecurity_j9_demo1.service.UserService;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.authority.SimpleGrantedAuthority;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.security.core.userdetails.UsernameNotFoundException;
import org.springframework.stereotype.Service;

import java.util.ArrayList;
import java.util.List;

@Service
public class UserServiceImpl implements UserService {

    @Autowired
    UserDao userDao;

    @Override
    public User userLogin(String name) {
        // delegate to the DAO instead of returning null
        return userDao.userLogin(name);
    }

    @Override
    public UserDetails loadUserByUsername(String username) throws UsernameNotFoundException {
        User user = userDao.userLogin(username);
        if (user == null) {
            throw new UsernameNotFoundException("User " + username + " does not exist!");
        }
        // build the authority list: the resources the user may access (its roles).
        // Note: hasRole() expects authorities that start with "ROLE_"
        List<GrantedAuthority> list = new ArrayList<>();
        for (Role role : user.getRole()) {
            list.add(new SimpleGrantedAuthority("ROLE_" + role.getName()));
        }
        // create the principal object that Spring Security understands
        org.springframework.security.core.userdetails.User userdetails =
                new org.springframework.security.core.userdetails.User(username, user.getPassword(), list);
        return userdetails;
    }
}
```
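loadUserByUsername above only works if userDao.userLogin returns the user with its role list already filled in. The page points mybatis.mapper-locations at classpath:mapping but does not show the mapper XML. The two DAO interfaces below are an added example, not the project's own mapping: they use annotation-based MyBatis mappings (no XML needed) and load the roles of a user through the userrole link table with a nested select. Entity, package and method names are those of the page; the SQL statements are mine. Note that classpath:mapping names a directory; if you keep XML mappers instead, the usual setting is a file pattern such as classpath:mapping/*.xml.

```java
// File 1 (assumed path): src/main/java/com/xmx/springsecurity_j9_demo1/dao/RoleDao.java
package com.xmx.springsecurity_j9_demo1.dao;

import java.util.List;
import org.apache.ibatis.annotations.Mapper;
import org.apache.ibatis.annotations.Param;
import org.apache.ibatis.annotations.Select;
import com.xmx.springsecurity_j9_demo1.entity.Role;

@Mapper
public interface RoleDao {
    // Roles of one user, resolved through the userrole link table (role.id = userrole.rid, userrole.uid = user.id).
    // #{uid} is bound as a prepared-statement parameter; it is never concatenated into the SQL text.
    @Select("SELECT r.id, r.name FROM role r "
          + "INNER JOIN userrole ur ON ur.rid = r.id "
          + "WHERE ur.uid = #{uid}")
    List<Role> getRoles(@Param("uid") int uid);
}

// File 2 (assumed path): src/main/java/com/xmx/springsecurity_j9_demo1/dao/UserDao.java
package com.xmx.springsecurity_j9_demo1.dao;

import java.util.List;
import org.apache.ibatis.annotations.Many;
import org.apache.ibatis.annotations.Mapper;
import org.apache.ibatis.annotations.Param;
import org.apache.ibatis.annotations.Result;
import org.apache.ibatis.annotations.Results;
import org.apache.ibatis.annotations.Select;
import com.xmx.springsecurity_j9_demo1.entity.User;

@Mapper
public interface UserDao {
    // Loads the user row, then fills User.role by a nested select into RoleDao.getRoles
    // using this row's id, so UserServiceImpl.loadUserByUsername sees the complete role list.
    @Select("SELECT id, username, password FROM `user` WHERE username = #{name}")
    @Results({
        @Result(property = "id", column = "id", id = true),
        @Result(property = "username", column = "username"),
        @Result(property = "password", column = "password"),
        @Result(property = "role", column = "id", javaType = List.class,
                many = @Many(select = "com.xmx.springsecurity_j9_demo1.dao.RoleDao.getRoles"))
    })
    User userLogin(@Param("name") String name);
}
```

The #{...} placeholders are what keep the username lookup safe: the value typed into the login form travels as a JDBC parameter, so a username such as `admin' OR '1'='1` is compared literally and simply finds no row, which loadUserByUsername turns into a UsernameNotFoundException.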
UserService
```java
package com.xmx.springsecurity_j9_demo1.service;

import com.xmx.springsecurity_j9_demo1.entity.User;
import org.springframework.security.core.userdetails.UserDetailsService;

public interface UserService extends UserDetailsService {
    // user login
    User userLogin(String name);
}
```
4. Run results
4.1 Administrator login
Click Login and enter the username admin and password 123.
Result of logging in as admin:
Click "Admin backend".
Click Back, then click "User backend".
4.2 User login
After clicking Back, click "Secure logout" and enter the username zhangsan and password 123.
Only the ordinary user backend is visible, not the admin backend. This is the access control at work.
Click "User backend".
Log out securely, then log in with a wrong username or password; result:
4.3 Without logging in, try to enter the user backend directly by typing http://localhost:8080/user/list into the address bar. You are still redirected to the login page.
Result:
4.4 After logging in as an ordinary user, try to enter the admin backend directly by typing http://localhost:8080/admin/list into the address bar.
Result:
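The four manual runs above can be turned into an automated check with spring-security-test, which is already in the pom.xml. The test below is an added example, not code from the original post. It assumes the security configuration class is com.xmx.springsecurity_j9_demo1.config.SecurityConfig, that it autowires UserService and configures accessDeniedPage("/error.html") and loginPage("/userlogin"), and that the Thymeleaf templates for the two backends exist so the views render. @WebMvcTest loads only the controllers and the security filter chain, so it runs without MySQL or MyBatis.

```java
package com.xmx.springsecurity_j9_demo1;   // under src/test/java; package assumed

import static org.springframework.test.web.servlet.request.MockMvcRequestBuilders.get;
import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.forwardedUrl;
import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.redirectedUrl;
import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.status;

import com.xmx.springsecurity_j9_demo1.config.SecurityConfig;   // assumed name and package of the configuration class
import com.xmx.springsecurity_j9_demo1.controller.AdminController;
import com.xmx.springsecurity_j9_demo1.controller.UserController;
import com.xmx.springsecurity_j9_demo1.service.UserService;
import org.junit.jupiter.api.Test;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.boot.test.autoconfigure.web.servlet.WebMvcTest;
import org.springframework.boot.test.mock.mockito.MockBean;
import org.springframework.context.annotation.Import;
import org.springframework.security.test.context.support.WithMockUser;
import org.springframework.test.web.servlet.MockMvc;

// Loads only the MVC layer plus the security configuration; no database is needed
@WebMvcTest(controllers = {AdminController.class, UserController.class})
@Import(SecurityConfig.class)
class AuthorizationRulesTest {

    @Autowired
    MockMvc mockMvc;

    // SecurityConfig needs a UserService; a mock is enough because no test here submits the login form
    @MockBean
    UserService userService;

    @Test
    void anonymousRequestToUserBackendIsRedirectedToLogin() throws Exception {
        // section 4.3: not logged in, /user/list still sends you to the login page
        mockMvc.perform(get("/user/list"))
               .andExpect(status().is3xxRedirection())
               .andExpect(redirectedUrl("http://localhost/userlogin"));
    }

    @Test
    @WithMockUser(username = "zhangsan", roles = "user")   // authority ROLE_user, matching hasRole("user")
    void ordinaryUserIsDeniedAdminBackend() throws Exception {
        // section 4.4: without ROLE_admin the request gets 403 and is forwarded to the access-denied page
        mockMvc.perform(get("/admin/list"))
               .andExpect(status().isForbidden())
               .andExpect(forwardedUrl("/error.html"));
    }

    @Test
    @WithMockUser(username = "admin", roles = {"admin", "user"})
    void adminCanOpenBothBackends() throws Exception {
        // section 4.1: admin holds both roles (userrole rows 1 and 2), so both backends render
        mockMvc.perform(get("/admin/list")).andExpect(status().isOk());
        mockMvc.perform(get("/user/list")).andExpect(status().isOk());
    }
}
```

Keeping these as tests means a later change to the antMatchers() rules, or a typo in a role name (hasRole("Admin") against "ROLE_admin"), is caught by the build rather than noticed by clicking through the pages.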
Feel free to share; when reposting, please credit the source: 内存溢出