SpringSecurity学习之快速上手

　　互联网项目中，安全与权限控制是不可回避的问题，为了解决这一些列问题，许多安全框架应运而生了。这些框架旨在帮我们解决公用的安全问题，让我们的程序更加健壮，从而让程序员全身心投入到业务开发当中。那么SpringSecurity出自于大名鼎鼎的Spring家族，同时能与SpringBoot，SpringCloud无缝集成，它也是业界流行的安全框架之一。

一、SpringSecurity的准备工作

注意:本示例是基于注解的springmvc构建，SpringBoot的版本对应的是2.0.3.REALEASE。Spring版本5.0.7REALEASE，SpringSecurity的版本是5.0.5

首先添加SpringSecurity的依赖：

compile('org.springframework.boot:spring-boot-starter-security')

紧接着按照如下目录规范创建

app包下主要为Root WebApplicationContext提供配置，而web包下主要是为servlet WebApplicationContext提供相关配置，这种方式更符合WebApplicationContext的层次化规范，同时也方便管理配置

二、实现app包下的配置

2.1、WebSecurityInitializer

package com.bdqn.lyrk.security.study.app.config;

import org.springframework.security.web.context.AbstractSecurityWebApplicationInitializer;

/**
 * 这个类可以在添加springSecurity核心过滤器之前或之后做一些我们需要的操作
 *
 * @author chen.nie
 * @date 2018/6/8
 **/
public class WebSecurityInitializer extends AbstractSecurityWebApplicationInitializer {
}

2.2、WebSecurityConfig

package com.bdqn.lyrk.security.study.app.config;

import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.core.userdetails.User;

/**
 * spring-security的相关配置
 *
 * @author chen.nie
 * @date 2018/6/7
 **/
@EnableWebSecurity
public class WebSecurityConfig extends WebSecurityConfigurerAdapter {

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        /*
            1.配置静态资源不进行授权验证
            2.登录地址及跳转过后的成功页不需要验证
            3.其余均进行授权验证
         */
        http.
                authorizeRequests().antMatchers("/static/**").permitAll().
                and().authorizeRequests().anyRequest().authenticated().
                and().formLogin().loginPage("/login").successForwardUrl("/toIndex").permitAll();
    }

    @Override
    protected void configure(AuthenticationManagerBuilder auth) throws Exception {
        /*
            在内存中创建用户
         */
        User.UserBuilder users = User.withDefaultPasswordEncoder();
        auth.inMemoryAuthentication().withUser(users.username("admin").password("123").roles("ADMIN"));
    }
}

　　该类主要是设置安全配置注意使用@EnableWebSecruity注解，我们可以在这里设置Http的安全配置和最基本的认证配置等,其中在该代码里设置静态资源 登录页 和登录成功需要跳转的页面不用认证，另外基于内存设置了用户admin

　　另外：loginPage()里的值即为跳转页面的路径又为处理登录验证的路径。当get请求时为前者而post请求时为后者

2.3、WebAppConfig

package com.bdqn.lyrk.security.study.app;

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.ComponentScan;
import org.springframework.context.annotation.Configuration;
import org.springframework.context.annotation.PropertySource;
import org.springframework.context.support.PropertySourcesPlaceholderConfigurer;

/**
 * 主配置类
 *
 * @author chen.nie
 * @date 2018/6/8
 **/
@Configuration
@ComponentScan
@PropertySource("classpath:application.properties")
public class WebAppConfig {


    @Bean
    public static PropertySourcesPlaceholderConfigurer propertySourcesPlaceholderConfigurer() {
        return new PropertySourcesPlaceholderConfigurer();
    }
}

三、实现WebMvc的配置

3.1、初始化DispatcherServlet配置

WebStartupInitializer：

package com.bdqn.lyrk.security.study.web;

import com.bdqn.lyrk.security.study.app.WebAppConfig;
import org.springframework.web.servlet.support.AbstractAnnotationConfigDispatcherServletInitializer;

public class WebStartupInitializer extends AbstractAnnotationConfigDispatcherServletInitializer {
    @Override
    protected Class<?>[] getRootConfigClasses() {
        return new Class[]{WebAppConfig.class};
    }

    @Override
    protected Class<?>[] getServletConfigClasses() {
        return new Class[]{WebMvcConfig.class};
    }

    @Override
    protected String[] getServletMappings() {
        return new String[]{"/"};
    }
}

在这里注意配置RootConfigClass为WebAppConfig，ServletConfigClass为WebMvcConfig

3.2、创建WebMvcConfig

package com.bdqn.lyrk.security.study.web;

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.ComponentScan;
import org.springframework.context.annotation.Configuration;
import org.springframework.web.servlet.ViewResolver;
import org.springframework.web.servlet.config.annotation.EnableWebMvc;
import org.springframework.web.servlet.config.annotation.ResourceHandlerRegistry;
import org.springframework.web.servlet.config.annotation.WebMvcConfigurer;
import org.springframework.web.servlet.view.InternalResourceViewResolver;
import org.springframework.web.servlet.view.JstlView;

@Configuration
@ComponentScan
@EnableWebMvc
public class WebMvcConfig implements WebMvcConfigurer {

    /**
     * 创建视图解析器
     * @return
     */
    @Bean
    public ViewResolver viewResolver() {
        InternalResourceViewResolver viewResolver = new InternalResourceViewResolver();
        viewResolver.setViewClass(JstlView.class);
        viewResolver.setPrefix("/WEB-INF/jsp/");
        viewResolver.setSuffix(".jsp");
        return viewResolver;
    }

    /**
     * 处理静态资源
     * @param registry
     */
    @Override
    public void addResourceHandlers(ResourceHandlerRegistry registry) {
        registry.addResourceHandler("/static/**").addResourceLocations("classpath:/static/").setCachePeriod(60 * 2);
    }
}

3.3、创建Controller

package com.bdqn.lyrk.security.study.web.controller;

import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.security.core.userdetails.User;
import org.springframework.stereotype.Controller;
import org.springframework.ui.ModelMap;
import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.PostMapping;

@Controller
public class LoginController {


    @PostMapping("/toIndex")
    public String index(ModelMap modelMap) {
        User user = (User) SecurityContextHolder.getContext().getAuthentication().getPrincipal();
        modelMap.put("user", user);
        return "main/index";
    }

    @GetMapping("/login")
    public String login() {

        return "login";
    }
}

四、页面设置

4.1、登录页

login.jsp:

<%--
  Created by IntelliJ IDEA.
  User: chen.nie
  Date: 2018/6/8
  Time: 上午9:49
  To change this template use File | Settings | File Templates.
--%>
<%@ page contentType="text/html;charset=UTF-8" language="java" %>
<!doctype html>
<html>

<head>
    <meta charset="utf-8">
    <meta http-equiv="X-UA-Compatible" content="IE=edge">
    <title>Amaze UI Admin index Examples</title>
    <meta name="description" content="这是一个 index 页面">
    <meta name="keywords" content="index">
    <meta name="viewport" content="width=device-width, initial-scale=1">
    <meta name="renderer" content="webkit">
    <meta http-equiv="Cache-Control" content="no-siteapp" />
    <link rel="icon" type="image/png" href="assets/i/favicon.png">
    <link rel="apple-touch-icon-precomposed" href="assets/i/app-icon72x72@2x.png">
    <meta name="apple-mobile-web-app-title" content="Amaze UI" />
    <link rel="stylesheet" href="${request.contextPath}/static/assets/css/amazeui.min.css" />
    <link rel="stylesheet" href="${request.contextPath}/static/assets/css/admin.css">
    <link rel="stylesheet" href="${request.contextPath}/static/assets/css/app.css">
</head>

<body data-type="login">

<div class="am-g myapp-login">
    <div class="myapp-login-logo-block  tpl-login-max">
        <div class="myapp-login-logo-text">
            <div class="myapp-login-logo-text">
                Amaze UI<span> Login</span> <i class="am-icon-skyatlas"></i>

            </div>
        </div>

        <div class="login-font">
            <i>Log In </i> or <span> Sign Up</span>
        </div>
        <div class="am-u-sm-10 login-am-center">
            <form class="am-form" action="/login" method="post">
                <fieldset>
                    <div class="am-form-group">
                        <input name="username" type="text" class="" id="doc-ipt-email-1" placeholder="输入登录名">
                    </div>
                    <div class="am-form-group">
                        <input name="password" type="password" class="" id="doc-ipt-pwd-1" placeholder="设置个密码吧">
                    </div>
                    <p><button type="submit" class="am-btn am-btn-default">登录</button></p>

                </fieldset>
                <input type="hidden" name="_csrf" value="${_csrf.token}" />
            </form>
        </div>
    </div>
</div>

<script src="${request.contextPath}/static/assets/js/jquery.min.js"></script>
<script src="${request.contextPath}/static/assets/js/amazeui.min.js"></script>
<script src="${request.contextPath}/static/assets/js/app.js"></script>
</body>

注意：1）表单属性action为httpSecurity的loginPage()配置地址

　　　2）表单为post方式提交

　　　3）input的name属性分别为username,password代表用户名，密码

　　　4）必须设置隐藏表单_csrf 如果不设置请http.csrf().ignoringAntMatchers()方法进行排除

4.2、 登录成功页

<%--
  Created by IntelliJ IDEA.
  User: chen.nie
  Date: 2018/6/8
  Time: 上午9:56
  To change this template use File | Settings | File Templates.
--%>
<%@ page contentType="text/html;charset=UTF-8" language="java" %>
<html>
<head>
    <title>Title</title>
</head>
<body>
欢迎:${user.username}
</body>
</html>

　　在成功页时打印出认证成功的用户.

随即当我们访问http://localhost:8080/toIndex时跳转至登录页：

登录成功时：

在实际应用中登录页可能要复杂的多，可能包括验证码或者其他业务。另外用户不可能都存在内存当中，关于更详细的验证问题，我们会在下篇讨论。