Spring Boot's support for Spring Security
Spring Boot's auto-configuration for Spring Security lives in the org.springframework.boot.autoconfigure.security package.
The configuration is driven mainly by SecurityAutoConfiguration and SecurityProperties.
SecurityAutoConfiguration imports the configuration defined in SpringBootWebSecurityConfiguration.
From the SpringBootWebSecurityConfiguration class we get the following auto-configuration.
Spring Boot configures so much for us that when we need our own extended configuration, a configuration class that extends WebSecurityConfigurerAdapter is enough; the @EnableWebSecurity annotation is not required. For example:
Let's look at the code in detail:
Spring 4.0 added a dedicated class for Servlet 3.0, WebApplicationInitializer, to replace the Spring MVC configuration that used to live in web.xml. This is the project directory structure:
The config package holds two main configuration classes: one integrates Spring MVC and the other integrates Spring Security.
By extending WebMvcConfigurerAdapter we override the default Spring MVC configuration; with Spring Boot this can also be set directly in application.properties.
    import org.springframework.context.annotation.Configuration;
    import org.springframework.web.servlet.config.annotation.ViewControllerRegistry;
    import org.springframework.web.servlet.config.annotation.WebMvcConfigurerAdapter;

    @Configuration
    public class WebMvcConfig extends WebMvcConfigurerAdapter {
        // Map GET /login straight to the login view; no controller method is needed
        @Override
        public void addViewControllers(ViewControllerRegistry registry) {
            registry.addViewController("/login").setViewName("/login");
        }
    }
Below is the Spring Security configuration:
    import org.springframework.context.annotation.Bean;
    import org.springframework.context.annotation.Configuration;
    import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
    import org.springframework.security.config.annotation.web.builders.HttpSecurity;
    import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
    import org.springframework.security.core.userdetails.UserDetailsService;

    @Configuration
    public class WebSecurityConfig extends WebSecurityConfigurerAdapter {
        // Our own UserDetailsService, backed by the database (see SysUserServiceImpl)
        @Bean
        UserDetailsService sysUserService() {
            return new SysUserServiceImpl();
        }

        // Authenticate against the custom user service. No PasswordEncoder is set here,
        // so the stored password is compared as-is (Spring Security 5+ requires an encoder).
        @Override
        protected void configure(AuthenticationManagerBuilder auth) throws Exception {
            auth.userDetailsService(sysUserService());
        }

        // Every request requires an authenticated user; the login page, the failure
        // redirect and logout are open to everyone. CSRF protection stays at its default (on).
        @Override
        protected void configure(HttpSecurity http) throws Exception {
            http.authorizeRequests()
                    .anyRequest().authenticated()
                .and().formLogin()
                    .loginPage("/login").failureUrl("/login?error").permitAll()
                .and().logout()
                    .permitAll();
        }
    }
Code explanation:
Spring Security configuration class
1) First extend WebSecurityConfigurerAdapter.
2) Register the SysUserService bean.
3) Add authentication backed by our custom UserDetailsService.
4) Every request requires authentication, i.e. the user must log in before accessing anything.
5) Customize the login behaviour; the login page may be accessed by anyone.
6) Customize the logout behaviour; the logout request may be sent by anyone.
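As an added example (not code from the post or from the book it follows), here is a variant of WebSecurityConfig that stores passwords as BCrypt hashes and restricts a hypothetical /admin/** area to the administrator role used in the screenshots. It assumes the DAO layer stores BCrypt hashes and that SysUser.getAuthorities() emits role names prefixed with ROLE_.

```java
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
import org.springframework.security.crypto.password.PasswordEncoder;

@Configuration
public class WebSecurityConfig extends WebSecurityConfigurerAdapter {

    @Bean
    UserDetailsService sysUserService() {
        return new SysUserServiceImpl();
    }

    // Assumption: the password column holds BCrypt hashes produced by this same
    // encoder when users are created, so plaintext passwords never reach the database.
    @Bean
    PasswordEncoder passwordEncoder() {
        return new BCryptPasswordEncoder();
    }

    @Override
    protected void configure(AuthenticationManagerBuilder auth) throws Exception {
        auth.userDetailsService(sysUserService()).passwordEncoder(passwordEncoder());
    }

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http.authorizeRequests()
                // hasRole("ADMIN") matches the authority "ROLE_ADMIN", so the role
                // names returned by SysUser.getAuthorities() need the ROLE_ prefix
                .antMatchers("/admin/**").hasRole("ADMIN")   // hypothetical admin area
                .anyRequest().authenticated()
            .and().formLogin()
                .loginPage("/login").failureUrl("/login?error").permitAll()
            .and().logout()
                .logoutSuccessUrl("/login?logout").permitAll();
        // CSRF protection is left at its default (enabled); Thymeleaf's th:action
        // adds the token to the login and logout forms automatically.
    }
}
```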
Next, the user entity class:
    import java.util.ArrayList;
    import java.util.Collection;
    import java.util.List;
    import org.springframework.security.core.GrantedAuthority;
    import org.springframework.security.core.authority.SimpleGrantedAuthority;
    import org.springframework.security.core.userdetails.UserDetails;

    public class SysUser implements UserDetails {
        private Integer usersId;
        private String username;
        private String password;
        private List<SysRole> roles;

        // Remaining getters and setters omitted as in the original
        public List<SysRole> getRoles() { return roles; }
        public void setRoles(List<SysRole> roles) { this.roles = roles; }

        // The user's roles become its granted authorities. Note that hasRole("X")
        // in Spring Security matches the authority "ROLE_X", so role names stored
        // in the database need that prefix (or use hasAuthority() instead).
        @Override
        public Collection<? extends GrantedAuthority> getAuthorities() {
            List<GrantedAuthority> auths = new ArrayList<>();
            for (SysRole sysRole : this.getRoles()) {
                auths.add(new SimpleGrantedAuthority(sysRole.getRoleName()));
            }
            return auths;
        }

        // UserDetails also requires these two accessors
        @Override
        public String getUsername() { return username; }

        @Override
        public String getPassword() { return password; }

        // Account status flags: all fixed to true here, so account expiry,
        // locking and credential expiry are not enforced for any user
        @Override
        public boolean isAccountNonExpired() { return true; }

        @Override
        public boolean isAccountNonLocked() { return true; }

        @Override
        public boolean isCredentialsNonExpired() { return true; }

        @Override
        public boolean isEnabled() { return true; }
    }
Having our user entity implement the UserDetails interface makes it the user object that Spring Security works with. We override getAuthorities so that the user's roles become its granted authorities.
Role class (getters and setters omitted):
    public class SysRole {
        private Integer roleId;
        private String roleName;

        // Accessor used by SysUser.getAuthorities(); the others are omitted as in the original
        public String getRoleName() { return roleName; }
    }
A mapping class for the many-to-many relation between users and roles:
    public class SysUserRolesKey {
        private Integer sysUserId;
        private Integer rolesId;
    }
Next, the service layer; implement the DAO layer yourself (choose whichever ORM framework you prefer):
    import org.springframework.beans.factory.annotation.Autowired;
    import org.springframework.security.core.userdetails.UserDetails;
    import org.springframework.security.core.userdetails.UserDetailsService;
    import org.springframework.security.core.userdetails.UsernameNotFoundException;

    public class SysUserServiceImpl implements SysUserService, UserDetailsService {
        @Autowired
        private SysUserMapper sysUserMapper;

        @Override
        public SysUser findByUsers(String name) {
            return sysUserMapper.findByUserName(name);
        }

        // Called by Spring Security during authentication. Returning null here
        // violates the UserDetailsService contract, so an unknown user must be
        // reported with UsernameNotFoundException instead.
        @Override
        public UserDetails loadUserByUsername(String name) throws UsernameNotFoundException {
            SysUser sysUser = sysUserMapper.findByUserName(name);
            if (sysUser == null) {
                throw new UsernameNotFoundException("user not found: " + name);
            }
            return sysUser;
        }
    }
Code explanation:
The custom service must implement the UserDetailsService interface.
It overrides loadUserByUsername to load the user.
Since our user entity implements UserDetails, it can be returned directly for Spring Security to use.
The controller class:
    import org.springframework.stereotype.Controller;
    import org.springframework.ui.Model;
    import org.springframework.web.bind.annotation.RequestMapping;

    @Controller
    public class HomeController {
        // Msg is a simple view model (title, content, extra info) defined elsewhere in the project
        @RequestMapping("/")
        public String index(Model model) {
            Msg msg = new Msg("测试", "测试内容", "额外信息,只对管理员显示");
            model.addAttribute("msg", msg);
            return "home";
        }
    }
Each time the controller is accessed, the service layer's loadUserByUsername method is called to obtain the user's authorities.
For the front end I used Thymeleaf, which integrates the Spring Security tags.
Screenshots of the running program:
Logging in as the ordinary user wisely:
Logging in as the administrator wyf:
Reference book: JavaEE开发的颠覆者 Spring Boot实战 (Spring Boot in Practice)