1 功能需求
Spring Security 默认的登录窗口是一个弹出窗口,而且默认会对所有请求进行拦截;本例要求把登录方式改为表单登录页面,并对部分请求排除拦截。
2 编写一个springSecurity配置类
继承 WebSecurityConfigurerAdapter 类,并重写两个configure方法
package cn.xiangxu.spring_security_system; //import cn.xiangxu.spring_security_system.service.MyUserService; import cn.xiangxu.spring_security_system.utils.MyPasswordEncoder; import org.springframework.beans.factory.annotation.Autowired; import org.springframework.context.annotation.Configuration; import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder; import org.springframework.security.config.annotation.web.builders.HttpSecurity; import org.springframework.security.config.annotation.web.builders.WebSecurity; import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity; import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter; /** * 权限服务类 */ @Configuration // 等同于XML中的beans @EnableWebSecurity // 开启webSecurity功能 public class SpringSecurityConfig extends WebSecurityConfigurerAdapter { // @Autowired // private MyUserService myUserService; // @Override // protected void configure(AuthenticationManagerBuilder auth) throws Exception { // // // 直接将用户信息和权限写死 //// auth.inMemoryAuthentication() //// .withUser("admin") //// .password("123456") //// .roles("ADMIN"); //// auth.inMemoryAuthentication() //// .withUser("wys") //// .password("123456") //// .roles("ADMIN"); //// auth.inMemoryAuthentication() //// .withUser("demo") //// .password("123456") //// .roles("USER"); // // auth.userDetailsService(myUserService).passwordEncoder(new MyPasswordEncoder()); // 利用自定义的UserService进行管理 // } @Override protected void configure(HttpSecurity http) throws Exception { http.authorizeRequests() .antMatchers("/").permitAll() // 主页面请求拦截排除 .anyRequest().authenticated() // 除主页面外的所有请求都会被拦截 .and() .logout().permitAll() // 注销请求拦截排除 .and() .formLogin(); // 设置使用表单登录的方式 http.csrf().disable(); // 关闭csrf验证 } @Override public void configure(WebSecurity web) throws Exception { // 拦截排除设置 web.ignoring().antMatchers("/js/**", "/css/**", "/images/**"); } }
技巧01:@Configuration 就相当于xml配置文件中的beans,@Bean就相当于XML配置文件中的bean
3 编写一些接口用于测试
注意:为了简便,我直接将测试接口写在了启动类中
package cn.xiangxu.spring_security_system;

import org.springframework.boot.SpringApplication;
import org.springframework.boot.autoconfigure.SpringBootApplication;
import org.springframework.security.access.prepost.PreAuthorize;
import org.springframework.security.config.annotation.method.configuration.EnableGlobalMethodSecurity;
import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.RestController;

/**
 * Boot entry point that, for brevity, also hosts the demo endpoints used to
 * exercise the security configuration.
 */
@SpringBootApplication
@RestController
//@EnableGlobalMethodSecurity(prePostEnabled = true) // turns on the @PreAuthorize annotation
public class SpringSecuritySystemApplication {

    /**
     * Starts the Spring Boot application.
     *
     * @param args command-line arguments handed to Spring Boot
     */
    public static void main(String[] args) {
        SpringApplication.run(SpringSecuritySystemApplication.class, args);
    }

    /** Home page served at "/". */
    @GetMapping("/")
    public String home() {
        return "Welcome to study springSecurity.";
    }

    /** Sample endpoint served at "/hello". */
    @GetMapping("/hello")
    public String hello() {
        return "hello boy";
    }

    /**
     * Sample endpoint served at "/roleAuth", meant for the ADMIN role.
     *
     * <p>NOTE(review): the role check below is commented out, and so is
     * {@code @EnableGlobalMethodSecurity} on the class, so no role is verified
     * in this method as listed; every request that reaches it gets the response.
     */
//    @PreAuthorize("hasRole('ROLE_ADMIN')") // role check: only the ADMIN role may call this endpoint
    @GetMapping("/roleAuth")
    public String role() {
        return "admin role";
    }
}
3.1 访问主页面 http://127.0.0.1:8080/ 时跳过了登录验证
原因:我们在 Spring Security 配置类中对 "/" 请求配置了 permitAll(),因此访问 http://127.0.0.1:8080/ 时不需要登录验证
3.2 访问hello页面 http://127.0.0.1:8080/hello 时自动跳转到了登录页面
技巧01:登录名默认是 user,登录密码会在应用启动时打印在控制台中(该密码由 Spring Boot 在每次启动时随机生成,仅适合本地调试;实际项目应配置自己的用户来源和密码加密方式)