Spring Boot's support for Spring Security
Spring Boot's auto-configuration for Spring Security lives in the org.springframework.boot.autoconfigure.security package.
The configuration is done mainly through SecurityAutoConfiguration and SecurityProperties.
SecurityAutoConfiguration imports the configuration in SpringBootWebSecurityConfiguration.
From SpringBootWebSecurityConfiguration we get the following auto-configuration.
Spring Boot does this much configuration for us. When we need to extend it ourselves, the configuration class only has to extend WebSecurityConfigurerAdapter; the @EnableWebSecurity annotation is not needed. For example:
Let's look at the code in detail:
1. Spring 4.0 added a dedicated class for Servlet 3.0 (WebApplicationInitializer) that replaces the Spring MVC configuration in web.xml. This is the project directory structure:
The config package holds two main configurations: one integrates Spring MVC, the other integrates Spring Security.
Extending WebMvcConfigurerAdapter changes Spring MVC's default configuration; with Spring Boot this can also be configured directly in application.properties.
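import org.springframework.context.annotation.Configuration;
import org.springframework.web.servlet.config.annotation.ViewControllerRegistry;
import org.springframework.web.servlet.config.annotation.WebMvcConfigurerAdapter;

@Configuration
public class WebMvcConfig extends WebMvcConfigurerAdapter {
    // Map /login straight to the login view; no controller class is needed
    @Override
    public void addViewControllers(ViewControllerRegistry registry) {
        // No leading slash, so Thymeleaf also resolves the view from a packaged jar
        registry.addViewController("/login").setViewName("login");
    }
}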
Below is the Spring Security configuration:
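import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.core.userdetails.UserDetailsService;

@Configuration
public class WebSecurityConfig extends WebSecurityConfigurerAdapter {

    // Expose the custom user service as a bean
    @Bean
    UserDetailsService SysuserService() {
        return new SysUserServiceImpl();
    }

    // Authenticate against the custom UserDetailsService
    @Override
    protected void configure(AuthenticationManagerBuilder auth) throws Exception {
        auth.userDetailsService(SysuserService());
    }

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http.authorizeRequests().anyRequest().authenticated() // every request requires login
            .and().formLogin().loginPage("/login").failureUrl("/login?error").permitAll()
            .and().logout().permitAll();
    }
}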
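Code explanation:
Spring Security configuration class
* 1) First extend WebSecurityConfigurerAdapter
* 2) Register the SysuserService bean
* 3) Add our custom user details service for authentication
* 4) All requests require authentication, i.e. a login, before access
* 5) Customize the login behavior; the login page is accessible to anyone
* 6) Customize the logout behavior; the logout request is accessible to anyone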
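The configuration explained above registers the UserDetailsService without a PasswordEncoder and treats every authenticated user alike. The variant below is an added example, not code from the original page: it hashes passwords with BCrypt and restricts one path by authority. The path /admin/** and the role name ROLE_ADMIN are assumptions; SysUserServiceImpl is the page's class.

```java
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
import org.springframework.security.crypto.password.PasswordEncoder;

// Added example, not the page's own code: the page's WebSecurityConfig with
// password hashing and one authority-restricted path.
@Configuration
public class HardenedWebSecurityConfig extends WebSecurityConfigurerAdapter {

    @Bean
    UserDetailsService SysuserService() {
        return new SysUserServiceImpl(); // the page's service class
    }

    // BCrypt is salted and adaptive. SysUser.getPassword() must then return a
    // BCrypt hash, i.e. passwords are stored as passwordEncoder().encode(raw).
    @Bean
    PasswordEncoder passwordEncoder() {
        return new BCryptPasswordEncoder();
    }

    @Override
    protected void configure(AuthenticationManagerBuilder auth) throws Exception {
        // The submitted password is checked with matches() against the stored hash
        auth.userDetailsService(SysuserService()).passwordEncoder(passwordEncoder());
    }

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http.authorizeRequests()
                // Assumption: "/admin/**" and "ROLE_ADMIN" are hypothetical names.
                // SysUser.getAuthorities() uses the role name verbatim, so
                // hasAuthority() must equal the stored role name exactly;
                // hasRole("ADMIN") would likewise look for "ROLE_ADMIN".
                .antMatchers("/admin/**").hasAuthority("ROLE_ADMIN")
                .anyRequest().authenticated()
            .and().formLogin()
                .loginPage("/login").failureUrl("/login?error").permitAll()
            .and().logout().permitAll();
    }
}
```

Passwords already stored in another form must be re-stored as BCrypt hashes before this configuration is switched on, otherwise every login fails.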
Next, the user entity class:
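import java.util.ArrayList;
import java.util.Collection;
import java.util.List;

import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.authority.SimpleGrantedAuthority;
import org.springframework.security.core.userdetails.UserDetails;

public class SysUser implements UserDetails {
    private Integer usersId;
    private String username;
    private String password;
    private List<SysRole> roles;

    // Remaining getters and setters omitted
    public List<SysRole> getRoles() { return roles; }

    @Override
    public String getUsername() { return username; }

    @Override
    public String getPassword() { return password; }

    // Each role name becomes one granted authority
    @Override
    public Collection<? extends GrantedAuthority> getAuthorities() {
        List<GrantedAuthority> auths = new ArrayList<>();
        List<SysRole> roles2 = this.getRoles();
        for (SysRole sysRole : roles2) {
            auths.add(new SimpleGrantedAuthority(sysRole.getRoleName()));
        }
        return auths;
    }

    // Account status is not tracked here: every check below always passes
    @Override
    public boolean isAccountNonExpired() {
        return true;
    }

    @Override
    public boolean isAccountNonLocked() {
        return true;
    }

    @Override
    public boolean isCredentialsNonExpired() {
        return true;
    }

    @Override
    public boolean isEnabled() {
        return true;
    }
}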
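Having our user entity implement the UserDetails interface makes it the user object that Spring Security works with. We override the getAuthorities method to expose the user's roles as authorities.
Role class (getters and setters omitted):
public class SysRole {
    private Integer roleId;
    private String roleName;

    // Used by SysUser.getAuthorities(); other getters and setters omitted
    public String getRoleName() { return roleName; }
}
A mapping class for the many-to-many relationship:
public class SysUserRolesKey {
    private Integer sysUserId;
    private Integer rolesId;
}
Next, the service; implement the DAO layer yourself (with the ORM framework of your choice):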
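import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.core.userdetails.UsernameNotFoundException;

public class SysUserServiceImpl implements SysUserService, UserDetailsService {
    @Autowired
    private SysUserMapper sysUserMapper;

    @Override
    public SysUser findByUsers(String name) {
        return sysUserMapper.findByUserName(name);
    }

    @Override
    public UserDetails loadUserByUsername(String name) throws UsernameNotFoundException {
        SysUser sysUser = sysUserMapper.findByUserName(name);
        // The UserDetailsService contract forbids returning null for an unknown user
        if (sysUser == null) {
            throw new UsernameNotFoundException("user not found");
        }
        return sysUser;
    }
}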
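Code explanation:
* A custom implementation must implement the UserDetailsService interface
* Override the loadUserByUsername method to fetch the user
* Our user class implements the UserDetails interface, so it can be returned directly for Spring Security to use
The controller class: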
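import org.springframework.stereotype.Controller;
import org.springframework.ui.Model;
import org.springframework.web.bind.annotation.RequestMapping;

@Controller
public class HomeController {
    @RequestMapping("/")
    public String index(Model model) {
        // Title, content, and extra information shown only to administrators
        Msg msg = new Msg("測試", "測試內容", "額外信息,只對管理員顯示");
        model.addAttribute("msg", msg);
        return "home";
    }
}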
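Each time a controller is accessed, the service layer's loadUserByUsername method is called to obtain the authorities.
For the front end I used Thymeleaf, which integrates the Spring Security tags.
Screenshots of the running program:
Logging in as the ordinary user wisely:
Logging in as the administrator wyf:
Reference book: JavaEE開發的顛覆者 Spring Boot實戰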