Spring Security介紹

Spring Security是一個能夠?yàn)榛赟pring的企業(yè)應(yīng)用系統(tǒng)提供聲明式的安全訪問控制解決方案的安全框架。

由于它是Spring生態(tài)系統(tǒng)中的一員，因此它伴隨著整個Spring生態(tài)系統(tǒng)不斷修正、升級，

在spring boot項(xiàng)目中加入spring security更是十分簡單，

使用Spring Security 減少了為企業(yè)系統(tǒng)安全控制編寫大量重復(fù)代碼的工作。

---

---

創(chuàng)建工程

創(chuàng)建maven工程
創(chuàng)建maven工程 security-spring-security，工程結(jié)構(gòu)如下：

---

---

Spring容器配置

package com.dym.security.springmvc.config;import org.springframework.context.annotation.ComponentScan; import org.springframework.context.annotation.Configuration; import org.springframework.context.annotation.FilterType; import org.springframework.stereotype.Controller;@Configuration //相當(dāng)于applicationContext.xml @ComponentScan(basePackages = "com.dym.security.springmvc",excludeFilters = {@ComponentScan.Filter(type = FilterType.ANNOTATION,value = Controller.class)}) public class ApplicationConfig {//在此配置除了Controller的其它bean，比如：數(shù)據(jù)庫鏈接池、事務(wù)管理器、業(yè)務(wù)bean等。}

---

---

Servlet Context配置

package com.dym.security.springmvc.config;import org.springframework.context.annotation.Bean; import org.springframework.context.annotation.ComponentScan; import org.springframework.context.annotation.Configuration; import org.springframework.context.annotation.FilterType; import org.springframework.stereotype.Controller; import org.springframework.web.servlet.config.annotation.EnableWebMvc; import org.springframework.web.servlet.config.annotation.ViewControllerRegistry; import org.springframework.web.servlet.config.annotation.WebMvcConfigurer; import org.springframework.web.servlet.view.InternalResourceViewResolver;@Configuration//就相當(dāng)于springmvc.xml文件 @EnableWebMvc @ComponentScan(basePackages = "com.dym.security.springmvc",includeFilters = {@ComponentScan.Filter(type = FilterType.ANNOTATION,value = Controller.class)}) public class WebConfig implements WebMvcConfigurer {//視圖解析器@Beanpublic InternalResourceViewResolver viewResolver(){InternalResourceViewResolver viewResolver = new InternalResourceViewResolver();viewResolver.setPrefix("/WEB-INF/view/");viewResolver.setSuffix(".jsp");return viewResolver;}@Overridepublic void addViewControllers(ViewControllerRegistry registry) {registry.addViewController("/").setViewName("redirect:/login");}}

---

---

加載 Spring容器

在init包下定義Spring容器初始化類SpringApplicationInitializer，

此類實(shí)現(xiàn)WebApplicationInitializer接口，
Spring容器啟動時加載WebApplicationInitializer接口的所有實(shí)現(xiàn)類。

package com.dym.security.springmvc.init;import com.dym.security.springmvc.config.ApplicationConfig; import com.dym.security.springmvc.config.WebConfig; import com.dym.security.springmvc.config.WebSecurityConfig; import org.springframework.web.servlet.support.AbstractAnnotationConfigDispatcherServletInitializer;public class SpringApplicationInitializer extends AbstractAnnotationConfigDispatcherServletInitializer {//spring容器，相當(dāng)于加載 applicationContext.xml@Overrideprotected Class<?>[] getRootConfigClasses() {return new Class[]{ApplicationConfig.class, WebSecurityConfig.class};}//servletContext，相當(dāng)于加載springmvc.xml@Overrideprotected Class<?>[] getServletConfigClasses() {return new Class[]{WebConfig.class};}//url-mapping@Overrideprotected String[] getServletMappings() {return new String[]{"/"};} }

---

---

認(rèn)證 —— 認(rèn)證頁面
springSecurity默認(rèn)提供認(rèn)證頁面，不需要額外開發(fā)

---

---

安全配置

spring security提供了用戶名密碼登錄、退出、會話管理等認(rèn)證功能，只需要配置即可使用。
1) 在config包下定義WebSecurityConfig，安全配置的內(nèi)容包括：用戶信息、密碼編碼器、安全攔截機(jī)制

package com.dym.security.springmvc.config;import org.springframework.context.annotation.Bean; import org.springframework.security.config.annotation.web.builders.HttpSecurity; import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity; import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter; import org.springframework.security.core.userdetails.User; import org.springframework.security.core.userdetails.UserDetailsService; import org.springframework.security.crypto.password.NoOpPasswordEncoder; import org.springframework.security.crypto.password.PasswordEncoder; import org.springframework.security.provisioning.InMemoryUserDetailsManager;@EnableWebSecurity public class WebSecurityConfig extends WebSecurityConfigurerAdapter {//定義用戶信息服務(wù)（查詢用戶信息）@Beanpublic UserDetailsService userDetailsService(){InMemoryUserDetailsManager manager = new InMemoryUserDetailsManager();manager.createUser(User.withUsername("zhangsan").password("123").authorities("p1").build());manager.createUser(User.withUsername("lisi").password("456").authorities("p2").build());return manager;}//密碼編碼器@Beanpublic PasswordEncoder passwordEncoder(){return NoOpPasswordEncoder.getInstance();}//安全攔截機(jī)制（最重要）@Overrideprotected void configure(HttpSecurity http) throws Exception {http.authorizeRequests().antMatchers("/r/r1").hasAuthority("p1").antMatchers("/r/r2").hasAuthority("p2").antMatchers("/r/**").authenticated()//所有/r/**的請求必須認(rèn)證通過.anyRequest().permitAll()//除了/r/**，其它的請求可以訪問.and().formLogin()//允許表單登錄.successForwardUrl("/login-success");//自定義登錄成功的頁面地址} }

在userDetailsService()方法中，

返回了一個UserDetailsService類型的對象給spring容器，

Spring Security會使用它來獲取用戶信息。

暫時使用 InMemoryUserDetailsManager實(shí)現(xiàn)類，

并在其中分別創(chuàng)建了zhangsan、lisi兩個用戶，并設(shè)置密碼和權(quán)限。

而在configure()中，我們通過HttpSecurity設(shè)置了安全攔截規(guī)則，其中包含了以下內(nèi)容：
（1）url匹配/r/**的資源，經(jīng)過認(rèn)證后才能訪問。
（2）其他url完全開放。
（3）支持form表單認(rèn)證，認(rèn)證成功后轉(zhuǎn)向/login-success。
?

---

2) 加載 WebSecurityConfig
修改SpringApplicationInitializer的getRootConfigClasses()方法，添加WebSecurityConfig.class：

//spring容器，相當(dāng)于加載 applicationContext.xml@Overrideprotected Class<?>[] getRootConfigClasses() {return new Class[]{ApplicationConfig.class, WebSecurityConfig.class};}

---

---

Spring Security初始化

Spring Security初始化，這里有兩種情況
1. 若當(dāng)前環(huán)境沒有使用Spring或Spring MVC，

??? 則需要將 WebSecurityConfig(Spring Security配置類) 傳入超類，以確保獲取配置，并創(chuàng)建spring context。

??? 在init包下定義SpringSecurityApplicationInitializer：

package com.dym.security.springmvc.init;import org.springframework.security.web.context.AbstractSecurityWebApplicationInitializer;public class SpringSecurityApplicationInitializerextends AbstractSecurityWebApplicationInitializer {public SpringSecurityApplicationInitializer() {super(WebSecurityConfig.class);} }

2. 若當(dāng)前環(huán)境已經(jīng)使用spring，

??? 我們應(yīng)該在現(xiàn)有的springContext中注冊Spring Security(上一步已經(jīng)做將WebSecurityConfig加載至rootcontext)，此方法可以什么都不做。
??

package com.dym.security.springmvc.init;import org.springframework.security.web.context.AbstractSecurityWebApplicationInitializer;public class SpringSecurityApplicationInitializerextends AbstractSecurityWebApplicationInitializer {public SpringSecurityApplicationInitializer() {//super(WebSecurityConfig.class);} }

---

---

默認(rèn)根路徑請求

在WebConfig.java中添加默認(rèn)請求根路徑跳轉(zhuǎn)到/login，此url為spring security提供：

@Overridepublic void addViewControllers(ViewControllerRegistry registry) {registry.addViewController("/").setViewName("redirect:/login");}

spring security默認(rèn)提供的登錄頁面。

---

---

認(rèn)證成功頁面

在安全配置中，認(rèn)證成功將跳轉(zhuǎn)到/login-success，代碼如下：

//安全攔截機(jī)制（最重要）@Overrideprotected void configure(HttpSecurity http) throws Exception {http.authorizeRequests().antMatchers("/r/r1").hasAuthority("p1").antMatchers("/r/r2").hasAuthority("p2").antMatchers("/r/**").authenticated()//所有/r/**的請求必須認(rèn)證通過.anyRequest().permitAll()//除了/r/**，其它的請求可以訪問.and().formLogin()//允許表單登錄.successForwardUrl("/login-success");//自定義登錄成功的頁面地址}

spring security支持form表單認(rèn)證，認(rèn)證成功后轉(zhuǎn)向/login-success。
在LoginController中定義/login-success:

@RequestMapping(value = "/login-success",produces = {"text/plain;charset=UTF-8"})public String loginSuccess(){return " 登錄成功";}

---

---

測試
（1）啟動項(xiàng)目，訪問 http://localhost:8080/security-spring-security/ 路徑地址

頁面會根據(jù)WebConfig中addViewControllers配置規(guī)則，跳轉(zhuǎn)至/login，/login是pring Security提供的登錄頁面。
（2）登錄
1、輸入錯誤的用戶名、密碼

2、輸入正確的用戶名、密碼，登錄成功

（3）退出
1、請求/logout退出

2、退出 后再訪問資源自動跳轉(zhuǎn)到登錄頁面

---

---

授權(quán)

實(shí)現(xiàn)授權(quán)需要對用戶的訪問進(jìn)行攔截校驗(yàn)，校驗(yàn)用戶的權(quán)限是否可以操作指定的資源，

Spring Security默認(rèn)提供授權(quán)實(shí)現(xiàn)方法。
在LoginController添加/r/r1或/r/r2

/*** 測試資源1* @return*/@GetMapping(value = "/r/r1",produces = {"text/plain;charset=UTF-8"})public String r1(){return " 訪問資源1";}/*** 測試資源2* @return*/@GetMapping(value = "/r/r2",produces = {"text/plain;charset=UTF-8"})public String r2(){return " 訪問資源2";}

在安全配置類WebSecurityConfig.java中配置授權(quán)規(guī)則：

---

測試：

1、登錄成功
2、訪問/r/r1和/r/r2，有權(quán)限時則正常訪問，否則返回403（拒絕訪問）

---

---

ApplicationConfig.java

package com.dym.security.springmvc.config;import org.springframework.context.annotation.ComponentScan; import org.springframework.context.annotation.Configuration; import org.springframework.context.annotation.FilterType; import org.springframework.stereotype.Controller;@Configuration //相當(dāng)于applicationContext.xml @ComponentScan(basePackages = "com.dym.security.springmvc",excludeFilters = {@ComponentScan.Filter(type = FilterType.ANNOTATION,value = Controller.class)}) public class ApplicationConfig {//在此配置除了Controller的其它bean，比如：數(shù)據(jù)庫鏈接池、事務(wù)管理器、業(yè)務(wù)bean等。}

WebConfig.java

package com.dym.security.springmvc.config;import org.springframework.context.annotation.Bean; import org.springframework.context.annotation.ComponentScan; import org.springframework.context.annotation.Configuration; import org.springframework.context.annotation.FilterType; import org.springframework.stereotype.Controller; import org.springframework.web.servlet.config.annotation.EnableWebMvc; import org.springframework.web.servlet.config.annotation.ViewControllerRegistry; import org.springframework.web.servlet.config.annotation.WebMvcConfigurer; import org.springframework.web.servlet.view.InternalResourceViewResolver;@Configuration//就相當(dāng)于springmvc.xml文件 @EnableWebMvc @ComponentScan(basePackages = "com.dym.security.springmvc",includeFilters = {@ComponentScan.Filter(type = FilterType.ANNOTATION,value = Controller.class)}) public class WebConfig implements WebMvcConfigurer {//視圖解析器@Beanpublic InternalResourceViewResolver viewResolver(){InternalResourceViewResolver viewResolver = new InternalResourceViewResolver();viewResolver.setPrefix("/WEB-INF/view/");viewResolver.setSuffix(".jsp");return viewResolver;}@Overridepublic void addViewControllers(ViewControllerRegistry registry) {registry.addViewController("/").setViewName("redirect:/login");}}

WebSecurityConfig.java

package com.dym.security.springmvc.config;import org.springframework.context.annotation.Bean; import org.springframework.security.config.annotation.web.builders.HttpSecurity; import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity; import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter; import org.springframework.security.core.userdetails.User; import org.springframework.security.core.userdetails.UserDetailsService; import org.springframework.security.crypto.password.NoOpPasswordEncoder; import org.springframework.security.crypto.password.PasswordEncoder; import org.springframework.security.provisioning.InMemoryUserDetailsManager;@EnableWebSecurity public class WebSecurityConfig extends WebSecurityConfigurerAdapter {//定義用戶信息服務(wù)（查詢用戶信息）@Beanpublic UserDetailsService userDetailsService(){InMemoryUserDetailsManager manager = new InMemoryUserDetailsManager();manager.createUser(User.withUsername("zhangsan").password("123").authorities("p1").build());manager.createUser(User.withUsername("lisi").password("456").authorities("p2").build());return manager;}//密碼編碼器@Beanpublic PasswordEncoder passwordEncoder(){return NoOpPasswordEncoder.getInstance();}//安全攔截機(jī)制（最重要）@Overrideprotected void configure(HttpSecurity http) throws Exception {http.authorizeRequests().antMatchers("/r/r1").hasAuthority("p1").antMatchers("/r/r2").hasAuthority("p2").antMatchers("/r/**").authenticated()//所有/r/**的請求必須認(rèn)證通過.anyRequest().permitAll()//除了/r/**，其它的請求可以訪問.and().formLogin()//允許表單登錄.successForwardUrl("/login-success");//自定義登錄成功的頁面地址} }

SpringApplicationInitializer.java

package com.dym.security.springmvc.init;import com.dym.security.springmvc.config.ApplicationConfig; import com.dym.security.springmvc.config.WebConfig; import com.dym.security.springmvc.config.WebSecurityConfig; import org.springframework.web.servlet.support.AbstractAnnotationConfigDispatcherServletInitializer;public class SpringApplicationInitializer extends AbstractAnnotationConfigDispatcherServletInitializer {//spring容器，相當(dāng)于加載 applicationContext.xml@Overrideprotected Class<?>[] getRootConfigClasses() {return new Class[]{ApplicationConfig.class, WebSecurityConfig.class};}//servletContext，相當(dāng)于加載springmvc.xml@Overrideprotected Class<?>[] getServletConfigClasses() {return new Class[]{WebConfig.class};}//url-mapping@Overrideprotected String[] getServletMappings() {return new String[]{"/"};} }

SpringSecurityApplicationInitializer.java

package com.dym.security.springmvc.init;import org.springframework.security.web.context.AbstractSecurityWebApplicationInitializer;public class SpringSecurityApplicationInitializerextends AbstractSecurityWebApplicationInitializer {public SpringSecurityApplicationInitializer() {//super(WebSecurityConfig.class);} }

LoginController.java

package com.dym.security.springmvc.controller;import org.springframework.web.bind.annotation.GetMapping; import org.springframework.web.bind.annotation.RequestMapping; import org.springframework.web.bind.annotation.RestController;@RestController public class LoginController {@RequestMapping(value = "/login-success",produces = {"text/plain;charset=UTF-8"})public String loginSuccess(){return " 登錄成功";}/*** 測試資源1* @return*/@GetMapping(value = "/r/r1",produces = {"text/plain;charset=UTF-8"})public String r1(){return " 訪問資源1";}/*** 測試資源2* @return*/@GetMapping(value = "/r/r2",produces = {"text/plain;charset=UTF-8"})public String r2(){return " 訪問資源2";} }

?

?

總結(jié)

以上是生活随笔為你收集整理的Spring Security快速上手的全部內(nèi)容，希望文章能夠幫你解決所遇到的問題。

如果覺得生活随笔網(wǎng)站內(nèi)容還不錯，歡迎將生活随笔推薦給好友。