部分引自 www.javaboy.org
在 SecurityConfig 上添加注解
@Configuration
@EnableGlobalMethodSecurity(prePostEnabled = true,securedEnabled = true)
public class SecurityConfig extends WebSecurityConfigurerAdapter {
@Override
protected void configure(AuthenticationManagerBuilder auth) throws Exception {
auth.inMemoryAuthentication()
.withUser("yzn").password("$2a$10$WuUO9k/3LfTGzMEAKxNtAenttd9ulTq7wTj17ojqbU44Q5rwN/mWu").roles("admin")
.and()
.withUser("test").password("$2a$10$WuUO9k/3LfTGzMEAKxNtAenttd9ulTq7wTj17ojqbU44Q5rwN/mWu").roles("user");
}
@Bean
PasswordEncoder passwordEncoder(){
return new BCryptPasswordEncoder();
}
@Override
protected void configure(HttpSecurity http) throws Exception {
http.authorizeRequests()
.antMatchers("/admin/**").hasRole("admin")
.antMatchers("/user/**").hasAnyRole("admin", "user")
.anyRequest().authenticated()
.and()
.formLogin()
// 登錄處理接口
.loginProcessingUrl("/doLogin")
// 定義登錄頁面汁果,未登錄時谓传,訪問一個需要登錄之后才能訪問的接口,會自動跳轉(zhuǎn)到該頁面
.loginPage("/login")
//定義登錄時凡人,用戶名的 key滓玖,默認為 username
.usernameParameter("uname")
//定義登錄時坪哄,用戶密碼的 key,默認為 password
.passwordParameter("passwd")
//登錄成功的處理器
.successHandler(new AuthenticationSuccessHandler() {
@Override
public void onAuthenticationSuccess(HttpServletRequest req, HttpServletResponse res, Authentication authentication) throws IOException, ServletException {
res.setContentType("application/json;charset=utf-8");
PrintWriter out = res.getWriter();
Map<String,Object> map = new HashMap();
map.put("status", 200);
// authentication.getPrincipal() 可以把登錄者信息取出來
map.put("msg", authentication.getPrincipal());
out.write(new ObjectMapper().writeValueAsString(map));
out.flush();
}
})
.failureHandler(new AuthenticationFailureHandler() {
@Override
public void onAuthenticationFailure(HttpServletRequest req, HttpServletResponse res, AuthenticationException e) throws IOException, ServletException {
res.setContentType("application/json;charset=utf-8");
PrintWriter out = res.getWriter();
Map<String,Object> map = new HashMap();
map.put("status", 200);
map.put("msg", "failed");
out.write(new ObjectMapper().writeValueAsString(map));
out.flush();
}
})
//和表單登錄相關(guān)的接口統(tǒng)統(tǒng)都直接通過
.permitAll()
.and()
.logout()
.logoutUrl("/logout")
.logoutSuccessHandler(new LogoutSuccessHandler() {
@Override
public void onLogoutSuccess(HttpServletRequest req, HttpServletResponse res, Authentication authentication) throws IOException, ServletException {
res.setContentType("application/json;charset=utf-8");
PrintWriter out = res.getWriter();
Map<String,Object> map = new HashMap();
map.put("status", 200);
map.put("msg", "注銷登錄成功");
out.write(new ObjectMapper().writeValueAsString(map));
out.flush();
}
})
.and()
.csrf().disable();
}
}
添加Service
package org.javaboy.security.service;
import org.springframework.security.access.annotation.Secured;
import org.springframework.security.access.prepost.PreAuthorize;
import org.springframework.stereotype.Service;
@Service
public class MethodService {
@PreAuthorize("hasRole('admin')")
public String admin() {
return "hello admin";
}
@Secured("ROLE_user")
public String user() {
return "hello user";
}
@PreAuthorize("hasAnyRole('admin','user')")
public String hello() {
return "hello hello";
}
}
Controller
@RestController
public class HelloController {
@Autowired
MethodService methodService;
@GetMapping("/hello")
public String hello() {
return "hello";
}
@GetMapping("/admin/hello")
public String admin() {
return "hello admin";
}
@GetMapping("/user/hello")
public String user() {
return "hello user";
}
@GetMapping("/login")
public String login() {
return "please login!!!";
}
@GetMapping("/hello1")
public String hello1() {
return methodService.admin();
}
@GetMapping("/hello2")
public String hello2() {
return methodService.user();
}
@GetMapping("/hello3")
public String hello3() {
return methodService.hello();
}
}
測試hello1,hello2,hello3接口呢撞,發(fā)現(xiàn)方法已經(jīng)保護起來了
