Spring Security Framework Learning Summary
Prerequisite: before the demo, we first create the project and import it into the IDE.
Check that the project runs successfully, and only then start the actual walkthrough.
1. Case 1: any logged-in user will do
Goal: when visiting the project, /index can be opened directly without interception, while every other path requires login; logged-in users may log out and log in through a form; front-end files such as js, css and images are not intercepted; and we set up an admin user in memory that can log in.
Straight to the code (comments are included in the code):
SecuDemoApplication:

```java
package com.dhtt.security.SecuDemo;

import org.springframework.boot.SpringApplication;
import org.springframework.boot.autoconfigure.EnableAutoConfiguration;
import org.springframework.boot.autoconfigure.SpringBootApplication;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.RestController;

@SpringBootApplication
@RestController
@EnableAutoConfiguration
public class SecuDemoApplication {

    public static void main(String[] args) {
        SpringApplication.run(SecuDemoApplication.class, args);
    }

    // /index is opened to everyone in SpringSecruityConfig
    @RequestMapping("/index")
    public String hello() {
        return "hello Spring boot....";
    }

    // /home is only reachable by an authenticated user
    @RequestMapping("/home")
    public String home() {
        return "this my home....";
    }
}
```
SpringSecruityConfig:

```java
package com.dhtt.security.SecuDemo;

import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.builders.WebSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;

@Configuration
@EnableWebSecurity
public class SpringSecruityConfig extends WebSecurityConfigurerAdapter {

    /**
     * HTTP request interception rules
     */
    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http.authorizeRequests()
                .antMatchers("/index").permitAll()   // the main path can be requested directly
                .anyRequest().authenticated()        // every other request must be authenticated
                .and()
                .logout().permitAll()                // allow logout
                .and()
                .formLogin();                        // allow form login
        http.csrf().disable();                       // turn off CSRF protection (done here to simplify the demo)
    }

    /**
     * Front-end static files are ignored by the security filter chain
     */
    @Override
    public void configure(WebSecurity web) throws Exception {
        web.ignoring().antMatchers("/js/**", "/css/**", "/image/**");
    }

    /**
     * Set up the in-memory user admin
     */
    @Override
    protected void configure(AuthenticationManagerBuilder auth) throws Exception {
        auth.inMemoryAuthentication().withUser("admin").password("123456").roles("ADMIN");
    }
}
```
Then we start the project and visit the paths from the browser:
(1) Visiting http://localhost:8080/index succeeds.
(2) Visiting http://localhost:8080/home:
The browser redirects us to the login page. We then try to log in, and the login page does not move on, which shows the login failed. At this point we look at the backend
and find that it reports an error.
(3) Fixing the error: the cause is the combination of the Spring Boot version and the Spring Security version; we need to provide a PasswordEncoder instance.
MyPasswordEncoder:

```java
package com.dhtt.security.SecuDemo;

import org.springframework.security.crypto.password.PasswordEncoder;

// Pass-through encoder: passwords are kept and compared as plain text.
public class MyPasswordEncoder implements PasswordEncoder {

    // Returns the raw password unchanged, so nothing is hashed
    @Override
    public String encode(CharSequence rawPassword) {
        return rawPassword.toString();
    }

    // Plain string comparison of the submitted and stored values
    @Override
    public boolean matches(CharSequence rawPassword, String encodedPassword) {
        return encodedPassword.equals(rawPassword.toString());
    }
}
```
Modified part of SpringSecruityConfig:

```java
    /**
     * Set up the in-memory user admin, now with an explicit PasswordEncoder
     */
    @Override
    protected void configure(AuthenticationManagerBuilder auth) throws Exception {
        auth.inMemoryAuthentication().passwordEncoder(new MyPasswordEncoder())
                .withUser("admin").password("123456").roles("ADMIN");
    }
```
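The pass-through MyPasswordEncoder satisfies the "no PasswordEncoder" error but leaves every password stored in plain text. As an added example (not code from the original post), here is the same configuration class with the weak encoder swapped for BCryptPasswordEncoder, which ships with Spring Security; the passwords are encoded once at startup so only the salted hashes are kept in memory. The class name SpringSecruityConfig, the users and the request rules are taken from the post; the passwordEncoder bean method is an addition.

```java
package com.dhtt.security.SecuDemo;

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.builders.WebSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
import org.springframework.security.crypto.password.PasswordEncoder;

@Configuration
@EnableWebSecurity
public class SpringSecruityConfig extends WebSecurityConfigurerAdapter {

    // Added bean (not in the original post): one shared BCrypt encoder.
    // BCrypt salts each hash, so two users with the same password get different stored values.
    @Bean
    public PasswordEncoder passwordEncoder() {
        return new BCryptPasswordEncoder();
    }

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http.authorizeRequests()
                .antMatchers("/index").permitAll()
                .anyRequest().authenticated()
                .and()
                .logout().permitAll()
                .and()
                .formLogin();
        http.csrf().disable();   // kept as in the post, for the demo only
    }

    @Override
    public void configure(WebSecurity web) throws Exception {
        web.ignoring().antMatchers("/js/**", "/css/**", "/image/**");
    }

    @Override
    protected void configure(AuthenticationManagerBuilder auth) throws Exception {
        PasswordEncoder encoder = passwordEncoder();
        auth.inMemoryAuthentication()
                .passwordEncoder(encoder)
                // encode() runs once here; the in-memory store never sees the raw password
                .withUser("admin").password(encoder.encode("123456")).roles("ADMIN")
                .and()
                .withUser("username1").password(encoder.encode("password")).roles("USER");
    }
}
```

If you only need the demo to work without writing an encoder at all, Spring Security 5's default DelegatingPasswordEncoder also accepts a prefixed value such as `.password("{noop}123456")`, which makes the plain-text choice explicit in the configuration instead of hiding it behind a custom class.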
Now run the project again and visit /home: the login succeeds and the page is reached.
Case 2: specified roles, each with its own permissions
(1) Goal: we add a USER. ADMIN can access every address, but USER is not allowed to access /roleAuth. Code:
Modified part of SpringSecruityConfig:
```java
    /**
     * Set up the in-memory users: two ADMINs and one USER
     * (chained with .and() into a single in-memory user store)
     */
    @Override
    protected void configure(AuthenticationManagerBuilder auth) throws Exception {
        auth.inMemoryAuthentication().passwordEncoder(new MyPasswordEncoder())
                .withUser("admin").password("haha1996").roles("ADMIN")
                .and()
                .withUser("zhangsan").password("123456").roles("ADMIN")
                .and()
                .withUser("username1").password("password").roles("USER");
    }
```
SecuDemoApplication: here we add a new annotation

```java
package com.dhtt.security.SecuDemo;

import org.springframework.boot.SpringApplication;
import org.springframework.boot.autoconfigure.EnableAutoConfiguration;
import org.springframework.boot.autoconfigure.SpringBootApplication;
import org.springframework.security.access.prepost.PreAuthorize;
import org.springframework.security.config.annotation.method.configuration.EnableGlobalMethodSecurity;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.RestController;

@SpringBootApplication
@RestController
@EnableAutoConfiguration
@EnableGlobalMethodSecurity(prePostEnabled = true)   // enables @PreAuthorize / @PostAuthorize
public class SecuDemoApplication {

    public static void main(String[] args) {
        SpringApplication.run(SecuDemoApplication.class, args);
    }

    @RequestMapping("/index")
    public String hello() {
        return "hello Spring boot....";
    }

    @RequestMapping("/home")
    public String home() {
        return "this my home....";
    }

    // roles("ADMIN") in the config stores the authority ROLE_ADMIN, which this check requires
    @RequestMapping("/roleAuth")
    @PreAuthorize("hasRole('ROLE_ADMIN')")
    public String role() {
        return "HELLO SPRING SECURITY....";
    }
}
```
Testing confirms the expected result: logged in as admin, every address is accessible; logged in as the USER account, access to /roleAuth fails with no permission.
To be continued...
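The manual browser check above can be turned into an automated one. The following test class is an added example, not part of the original post; it assumes spring-boot-starter-test and spring-security-test are on the classpath (JUnit 5) and that the SecuDemoApplication and SpringSecruityConfig from this case are in the context. @WithMockUser puts an authenticated principal with the given roles into the security context, so the test can check each rule from the post: /index is public, /home redirects an anonymous request to the login page, a USER gets 403 on /roleAuth, and an ADMIN gets the response body.

```java
package com.dhtt.security.SecuDemo;

import static org.springframework.test.web.servlet.request.MockMvcRequestBuilders.get;
import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.content;
import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.status;

import org.junit.jupiter.api.Test;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.boot.test.autoconfigure.web.servlet.AutoConfigureMockMvc;
import org.springframework.boot.test.context.SpringBootTest;
import org.springframework.security.test.context.support.WithMockUser;
import org.springframework.test.web.servlet.MockMvc;

// Added test class (assumed name), exercising the rules from Case 1 and Case 2
@SpringBootTest
@AutoConfigureMockMvc   // wires the Spring Security filter chain into MockMvc
class RoleAuthAccessTest {

    @Autowired
    private MockMvc mvc;

    @Test
    void indexIsPublic() throws Exception {
        // permitAll() on /index: no login needed
        mvc.perform(get("/index")).andExpect(status().isOk());
    }

    @Test
    void homeRedirectsAnonymousUserToLogin() throws Exception {
        // authenticated() + formLogin(): an anonymous request is redirected (302) to the login page
        mvc.perform(get("/home")).andExpect(status().is3xxRedirection());
    }

    @Test
    @WithMockUser(username = "username1", roles = "USER")   // authority ROLE_USER
    void userIsForbiddenOnRoleAuth() throws Exception {
        // authenticated but without ROLE_ADMIN: @PreAuthorize denies with 403, not a login redirect
        mvc.perform(get("/roleAuth")).andExpect(status().isForbidden());
    }

    @Test
    @WithMockUser(username = "admin", roles = "ADMIN")   // authority ROLE_ADMIN
    void adminCanReachRoleAuth() throws Exception {
        mvc.perform(get("/roleAuth"))
                .andExpect(status().isOk())
                .andExpect(content().string("HELLO SPRING SECURITY...."));
    }
}
```

The difference between the second and third test is the one worth remembering: an unauthenticated request is sent to the login page, while an authenticated user who lacks the role gets 403 Forbidden. Note also that `hasRole('ROLE_ADMIN')` and `hasRole('ADMIN')` check the same authority, because hasRole only adds the ROLE_ prefix when it is missing.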