• Spring Boot确保Web应用安全(登陆认证)


    Spring Boot官方提供了一个登陆认证的清晰易懂的 例子
    我们在次以此例展开演示Spring Boot是如何实现登陆认证的。

    首先我们去 https://start.spring.io/ 下载一个样例工程 spring-test。

    我们这个例子中包含三个页面,放在src/main/resources/templates/目录下:

    • 登陆页面:login.html
    • 主页:home.html
    • 欢迎页面:hello.html

    包含三个类:

    • 主类:SpringTestApplication.java
    • MVC映射关系类:MvcConfig.java
    • 安全控制类:WebSecurityConfig.java

    相关的maven依赖:

    pom.xml

        <dependencies>
            <dependency>
                <groupId>org.springframework.boot</groupId>
                <artifactId>spring-boot-starter-thymeleaf</artifactId>
            </dependency>
            <dependency>
                <groupId>org.springframework.boot</groupId>
                <artifactId>spring-boot-starter-web</artifactId>
            </dependency>
            <!-- tag::security[] -->
            <dependency>
                <groupId>org.springframework.boot</groupId>
                <artifactId>spring-boot-starter-security</artifactId>
            </dependency>
            <!-- end::security[] -->
            <dependency>
                <groupId>org.springframework.boot</groupId>
                <artifactId>spring-boot-starter-test</artifactId>
                <scope>test</scope>
            </dependency>
            <dependency>
                <groupId>org.springframework.security</groupId>
                <artifactId>spring-security-test</artifactId>
                <scope>test</scope>
            </dependency>
        </dependencies>
    

    MvcConfig.java

    package com.zifeiy.springtest.config;
    
    import org.springframework.context.annotation.Configuration;
    import org.springframework.web.servlet.config.annotation.ViewControllerRegistry;
    import org.springframework.web.servlet.config.annotation.WebMvcConfigurer;
    
    @Configuration
    public class MvcConfig implements WebMvcConfigurer {
    
        public void addViewControllers(ViewControllerRegistry registry) {
            registry.addViewController("/home").setViewName("home");
            registry.addViewController("/").setViewName("home");
            registry.addViewController("/hello").setViewName("hello");
            registry.addViewController("/login").setViewName("login");
        }
    
    }
    

    这个类主要用于配置url和view的对应关系。

    WebSecurityConfig.java

    package com.zifeiy.springtest.config;
    
    import org.springframework.context.annotation.Bean;
    import org.springframework.context.annotation.Configuration;
    import org.springframework.security.config.annotation.web.builders.HttpSecurity;
    import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
    import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
    import org.springframework.security.core.userdetails.User;
    import org.springframework.security.core.userdetails.UserDetails;
    import org.springframework.security.core.userdetails.UserDetailsService;
    import org.springframework.security.provisioning.InMemoryUserDetailsManager;
    
    @Configuration
    @EnableWebSecurity
    public class WebSecurityConfig extends WebSecurityConfigurerAdapter {
        @Override
        protected void configure(HttpSecurity http) throws Exception {
            http
                .authorizeRequests()
                    .antMatchers("/", "/home").permitAll()
                    .anyRequest().authenticated()
                    .and()
                .formLogin()
                    .loginPage("/login")
                    .permitAll()
                    .and()
                .logout()
                    .permitAll();
        }
    
        @Bean
        @Override
        public UserDetailsService userDetailsService() {
            UserDetails user =
                 User.withDefaultPasswordEncoder()
                    .username("user")
                    .password("password")
                    .roles("USER")
                    .build();
    
            return new InMemoryUserDetailsManager(user);
        }
    }
    

    其中:

            http
                .authorizeRequests()
                    .antMatchers("/", "/home").permitAll()
                    .anyRequest().authenticated()
                    .and()
                .formLogin()
                    .loginPage("/login")
                    .permitAll()
                    .and()
                .logout()
                    .permitAll();
    

    表示的意思是:
    允许所有用户可以访问"/"和"/home";
    通过form上传表单的形式登陆,form对应的url为"/login";
    允许所有用户登出(logout)。
    但是除此之外的所有的url都不能直接访问,除非登陆了,比如这里的"/hello"链接,就不能直接登陆。

    这里的 UserDetails 用于设置登陆的用户名为user,密码为password的时候才能正确登陆。

    login.html

    <!DOCTYPE html>
    <html xmlns="http://www.w3.org/1999/xhtml" xmlns:th="http://www.thymeleaf.org"
          xmlns:sec="http://www.thymeleaf.org/thymeleaf-extras-springsecurity3">
        <head>
            <title>Spring Security Example </title>
        </head>
        <body>
            <div th:if="${param.error}">
                Invalid username and password.
            </div>
            <div th:if="${param.logout}">
                You have been logged out.
            </div>
            <form th:action="@{/login}" method="post">
                <div><label> User Name : <input type="text" name="username"/> </label></div>
                <div><label> Password: <input type="password" name="password"/> </label></div>
                <div><input type="submit" value="Sign In"/></div>
            </form>
        </body>
    </html>
    

    home.html

    <!DOCTYPE html>
    <html xmlns="http://www.w3.org/1999/xhtml" xmlns:th="http://www.thymeleaf.org" xmlns:sec="http://www.thymeleaf.org/thymeleaf-extras-springsecurity3">
        <head>
            <title>Spring Security Example</title>
        </head>
        <body>
            <h1>Welcome!</h1>
            
            <p>Click <a th:href="@{/hello}">here</a> to see a greeting.</p>
        </body>
    </html>
    

    hello.html

    <!DOCTYPE html>
    <html xmlns="http://www.w3.org/1999/xhtml" xmlns:th="http://www.thymeleaf.org"
          xmlns:sec="http://www.thymeleaf.org/thymeleaf-extras-springsecurity3">
        <head>
            <title>Hello World!</title>
        </head>
        <body>
            <h1 th:inline="text">Hello [[${#httpServletRequest.remoteUser}]]!</h1>
            <form th:action="@{/logout}" method="post">
                <input type="submit" value="Sign Out"/>
            </form>
        </body>
    </html>
    
  • 相关阅读:
    错误需要理由吗?(SQL Server 不存在或访问被拒绝)
    关于权限设计的轻量级实现
    ppc通过数据线与共享电脑上网
    解读.Net中的命名空间和程序集
    .Net XML 树
    软件开发教父与国内高手论道实录全文
    企业信息化, 该怎么规划?
    ASP.NET Portal Starter Kit中的角色验证
    用js实现类似分享到显示效果
    用js实现同一个页面多个渐变效果
  • 原文地址:https://www.cnblogs.com/zifeiy/p/9405583.html
Copyright © 2020-2023  润新知