2. 程式人生 > >SpringBoot2.0整合SpringSecurity並實現驗證碼和許可權控制

SpringBoot2.0整合SpringSecurity並實現驗證碼和許可權控制

阿新 發佈:2018-12-09

使用SpringBoot2.0 整合SpringSecurity加入kaptcha驗證碼,使用redis實現session共享,請看原始碼,附上資料庫指令碼,絕對可以跑起來,原始碼地址為

1、pom檔案

<?xml version="1.0" encoding="UTF-8"?>
<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
    <modelVersion>4.0.0</modelVersion>

    <groupId>com.xueqing.demo</groupId>
    <artifactId>spring-boot-security</artifactId>
    <version>0.0.1-SNAPSHOT</version>
    <packaging>jar</packaging>

    <name>spring-boot-security</name>
    <description>Demo project for Spring Boot</description>

    <parent>
        <groupId>org.springframework.boot</groupId>
        <artifactId>spring-boot-starter-parent</artifactId>
        <version>2.0.3.RELEASE</version>
        <relativePath/> <!-- lookup parent from repository -->
    </parent>

    <properties>
        <project.build.sourceEncoding>UTF-8</project.build.sourceEncoding>
        <project.reporting.outputEncoding>UTF-8</project.reporting.outputEncoding>
        <java.version>1.8</java.version>
        <argLine>-Dfile.encoding=UTF-8</argLine>
    </properties>

    <dependencies>
        <dependency>
            <groupId>org.springframework.boot</groupId>
            <artifactId>spring-boot-starter-web</artifactId>
        </dependency>

        <dependency>
            <groupId>org.springframework.boot</groupId>
            <artifactId>spring-boot-devtools</artifactId>
        </dependency>

        <!--jdbc支援-->
        <dependency>
            <groupId>org.springframework.boot</groupId>
            <artifactId>spring-boot-starter-jdbc</artifactId>
        </dependency>


        <dependency>
            <groupId>org.springframework.boot</groupId>
            <artifactId>spring-boot-starter-test</artifactId>
            <scope>test</scope>
        </dependency>


        <!--加入springboot對mybatis的支援-->
        <dependency>
            <groupId>org.mybatis.spring.boot</groupId>
            <artifactId>mybatis-spring-boot-starter</artifactId>
            <version>1.3.1</version>
        </dependency>

        <!--使用Spring快取-->
        <dependency>
            <groupId>org.springframework.boot</groupId>
            <artifactId>spring-boot-starter-cache</artifactId>
        </dependency>

        <!--spring快取使用redis進行快取-->
        <dependency>
            <groupId>org.springframework.boot</groupId>
            <artifactId>spring-boot-starter-data-redis</artifactId>
        </dependency>

        <!--Session使用redis快取-->
        <dependency>
            <groupId>org.springframework.session</groupId>
            <artifactId>spring-session-data-redis</artifactId>
        </dependency>

        <dependency>
            <groupId>mysql</groupId>
            <artifactId>mysql-connector-java</artifactId>
            <version>8.0.11</version>
        </dependency>

        <!--引入spring security-->
        <dependency>
            <groupId>org.springframework.boot</groupId>
            <artifactId>spring-boot-starter-security</artifactId>
        </dependency>

        <!-- 引入thymeleaf的依賴包. -->
        <dependency>
            <groupId>org.springframework.boot</groupId>
            <artifactId>spring-boot-starter-thymeleaf</artifactId>
        </dependency>

        <dependency>
            <groupId>org.mybatis.spring.boot</groupId>
            <artifactId>mybatis-spring-boot-starter</artifactId>
            <version>1.3.1</version>
        </dependency>


        <!--kaptcha驗證碼生成器-->
        <dependency>
            <groupId>com.github.axet</groupId>
            <artifactId>kaptcha</artifactId>
            <version>0.0.9</version>
        </dependency>

    </dependencies>

    <build>
        <plugins>
            <plugin>
                <groupId>org.springframework.boot</groupId>
                <artifactId>spring-boot-maven-plugin</artifactId>
            </plugin>
        </plugins>
    </build>


</project>

2、配置SecurityConfig

package com.xueqing.demo.springbootsecurity.security;

import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.authentication.AuthenticationManager;
import org.springframework.security.authentication.AuthenticationProvider;
import org.springframework.security.authentication.dao.DaoAuthenticationProvider;
import org.springframework.security.config.BeanIds;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.method.configuration.EnableGlobalMethodSecurity;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
@Configuration
@EnableWebSecurity
@EnableGlobalMethodSecurity(prePostEnabled = true) //開啟方法許可權控制
public class SecurityConfig extends WebSecurityConfigurerAdapter {

    @Autowired
    public void configureGlobal(AuthenticationManagerBuilder  auth) throws  Exception{
        auth.userDetailsService(customUserDetailsService())
                .passwordEncoder(passwordEncoder());
    }


    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http.authorizeRequests()
                // 所有使用者均可訪問的資源
                .antMatchers( "/favicon.ico","/css/**","/common/**","/js/**","/images/**","/captcha.jpg","/login","/userLogin","/login-error").permitAll()
                // 任何尚未匹配的URL只需要驗證使用者即可訪問
                .anyRequest().authenticated()
                .and()
                .formLogin().loginPage("/login").successForwardUrl("/index").failureForwardUrl("/login?error=1")
                .and()
                //許可權拒絕的頁面
                .exceptionHandling().accessDeniedPage("/403");

        http.logout().logoutSuccessUrl("/login");
    }


    /**
     * 設定使用者密碼的加密方式
     * @return
     */
    @Bean
    public Md5PasswordEncoder passwordEncoder() {
        return new Md5PasswordEncoder();

    }

    /**
     * 自定義UserDetailsService,授權
     * @return
     */
    @Bean
    public CustomUserDetailsService customUserDetailsService(){
        return new CustomUserDetailsService();
    }

    /**
     * AuthenticationManager
     * @return
     * @throws Exception
     */
    @Bean(name = BeanIds.AUTHENTICATION_MANAGER)
    @Override
    public AuthenticationManager authenticationManagerBean() throws Exception {
        return super.authenticationManagerBean();
    }

}

3.、自定義UserDetailsService實現使用者的認證和授權

package com.xueqing.demo.springbootsecurity.security;

import com.xueqing.demo.springbootsecurity.bean.Menu;
import com.xueqing.demo.springbootsecurity.bean.User;
import com.xueqing.demo.springbootsecurity.service.MenuService;
import com.xueqing.demo.springbootsecurity.service.UserService;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.authority.SimpleGrantedAuthority;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.core.userdetails.UsernameNotFoundException;
import org.springframework.stereotype.Service;

import java.util.ArrayList;
import java.util.Collection;
import java.util.List;

/**
 * 認證和授權
 */
@Service
public class CustomUserDetailsService implements UserDetailsService {

    @Autowired
    private UserService userService;

    @Autowired
    private MenuService menuService;

    @Override
    public UserDetails loadUserByUsername(String s) throws UsernameNotFoundException {

        //--------------------認證賬號
        User user = userService.loadUserByUsername(s);
        if (user == null) {
            throw new UsernameNotFoundException("賬號不存在");
        }


        //-------------------開始授權
        List<Menu> menus = menuService.getMenusByUserId(user.getId());
        List<GrantedAuthority> grantedAuthorities = new ArrayList<>();
        for (Menu menu : menus) {
            GrantedAuthority grantedAuthority = new SimpleGrantedAuthority(menu.getUrl());
            //此處將許可權資訊新增到 GrantedAuthority 物件中,在後面進行全許可權驗證時會使用GrantedAuthority 物件。
            grantedAuthorities.add(grantedAuthority);
        }
        user.setAuthorities(grantedAuthorities);
        return user;
    }


}

4、自定義密碼比較器

package com.xueqing.demo.springbootsecurity.security;

import org.springframework.security.crypto.password.PasswordEncoder;

/**
 * 自定義密碼比較器 3
 * 在此 密碼我就不加密了
 */
public class Md5PasswordEncoder implements PasswordEncoder {
    @Override
    public String encode(CharSequence charSequence) {
        return charSequence.toString();
    }


    @Override
    public boolean matches(CharSequence charSequence, String s) {
        return s.equals(charSequence);
    }
}

5、自定義SpringSecurityUtils工具類

package com.xueqing.demo.springbootsecurity.security;

import com.xueqing.demo.springbootsecurity.bean.User;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.util.StringUtils;

import java.util.Collection;

public class SecurityUtils {

    public static Authentication getAuthentication() {
        return SecurityContextHolder.getContext().getAuthentication();
    }


    public static Collection<? extends GrantedAuthority> getAllPermission(){
        Authentication authentication = SecurityContextHolder.getContext().getAuthentication();
        Collection<? extends GrantedAuthority> authorities = authentication.getAuthorities();
        return authorities;
    }

    public static boolean hasPermission(String permission){
        if(StringUtils.isEmpty(permission)){
            return false;
        }
        Authentication authentication = SecurityContextHolder.getContext().getAuthentication();
        Collection<? extends GrantedAuthority> authorities = authentication.getAuthorities();
        boolean hasPermission = false;
        for(GrantedAuthority grantedAuthority : authorities){
            String authority = grantedAuthority.getAuthority();
            if(authority.equals(permission)){
                hasPermission =true;
            }
        }
        return hasPermission;
    }


    public static User getUser() {
        Authentication authentication = SecurityContextHolder.getContext().getAuthentication();
        return (User) authentication.getPrincipal();
    }


    public static void logout(){
        SecurityContextHolder.clearContext();
    }
}

6、在登陸方法中,使用AuthenticationManager攔截登陸請求

package com.xueqing.demo.springbootsecurity.controller;

import com.google.code.kaptcha.impl.DefaultKaptcha;
import com.xueqing.demo.springbootsecurity.bean.R;
import com.xueqing.demo.springbootsecurity.bean.User;
import com.xueqing.demo.springbootsecurity.service.UserService;
import com.xueqing.demo.springbootsecurity.util.ConstantVal;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.security.authentication.AuthenticationManager;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.stereotype.Controller;
import org.springframework.util.StringUtils;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.ResponseBody;

import javax.imageio.ImageIO;
import javax.servlet.ServletOutputStream;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;
import java.awt.image.BufferedImage;
import java.io.IOException;

@Controller
public class LoginController {

    @Autowired
    private AuthenticationManager myAuthenticationManager;

    @Autowired
    DefaultKaptcha defaultKaptcha;

    @RequestMapping(value = "/userLogin")
    public String userLogin(HttpServletRequest request) {

        User userInfo = new User();
        String username = request.getParameter("username");
        String password = request.getParameter("password");
        String kaptcha = request.getParameter("kaptcha");

        userInfo.setUsername(username);
        userInfo.setPassword(password);
        String s = request.getSession().getAttribute(ConstantVal.CHECK_CODE).toString();
        if (StringUtils.isEmpty(kaptcha) || !s.equals(kaptcha)) {
            return "redirect:login-error?error=1";
        }

        UsernamePasswordAuthenticationToken usernamePasswordAuthenticationToken = new UsernamePasswordAuthenticationToken(username, password);


        try{
            //使用SpringSecurity攔截登陸請求 進行認證和授權
            Authentication authenticate = myAuthenticationManager.authenticate(usernamePasswordAuthenticationToken);

            SecurityContextHolder.getContext().setAuthentication(authenticate);
            //使用redis session共享
            HttpSession session = request.getSession();
            session.setAttribute("SPRING_SECURITY_CONTEXT", SecurityContextHolder.getContext()); // 這個非常重要,否則驗證後將無法登陸
        }catch (Exception e){
            e.printStackTrace();
            return "redirect:login-error?error=2";
        }


        return "redirect:index";
    }


    @RequestMapping("/captcha.jpg")
    @ResponseBody
    public R applyCheckCode(HttpServletRequest request, HttpServletResponse response) throws IOException {
        R r = new R();

        response.setHeader("Cache-Control", "no-store, no-cache");
        response.setContentType("image/jpeg");

        //生成文字驗證碼
        String text = defaultKaptcha.createText();
        //生成圖片驗證碼
        BufferedImage image = defaultKaptcha.createImage(text);
        //儲存到session
        request.getSession().setAttribute(ConstantVal.CHECK_CODE, text);
        ServletOutputStream out = response.getOutputStream();
        ImageIO.write(image, "jpg", out);
        return r;
    }
}

7、我的user表中有兩個使用者一個admin,一個user,admin具有所有許可權,而user不具有操作許可權

user登陸的介面為

admin登陸的介面為

user使用者操作使用者新增、刪除、修改、都改顯示沒許可權,而admin可以

相關推薦

SpringBoot2.0整合SpringSecurity實現驗證許可權控制

使用SpringBoot2.0 整合SpringSecurity加入kaptcha驗證碼,使用redis實現session共享,請看原始碼,附上資料庫指令碼,絕對可以跑起來,原始碼地址為 1、pom檔案 <?xml version="1.0" encoding=

關於豆瓣登錄,實現驗證輸入的方法

保持 學習 gen index token 如果 抓取 with open comment 最近想把模擬登錄的知識學習下,所以就進行了豆瓣賬號的簡單登錄,以下是代碼: # -*- coding:utf-8 -*- ‘‘‘豆瓣模擬登陸,並實現發一條狀態‘‘‘ impor

Spring中整合Cage,實現驗證功能

ger 類型 body match exce sub pom esp rec 1.pom.xml中添加Cage依賴。 <dependency> <groupId>com.github.cage</groupId

SpringCloud整合zuul實現反向代理負載均衡

首先,這篇文章參考的是http://blog.didispace.com/springcloud5/這位大牛的部落格。本人是通過這篇部落格來學習zuul的,現在寫的部落格只是個人在學習時個人的一些感受和理解。 談到spring cloud,就要提及到其核心元件:zuul元件,這個元件其實功能很多

Spring Boot 整合Shiro實現登陸認證許可權控制

我在做畢設的時候,使用了Shiro作為專案中的登陸認證和許可權控制。 下面是我專案中如何實現整合shiro的學習記錄。 匯入shiro依賴包到pom.xml <!-- Shiro依賴 --> <dependency>

OAuth2.0 原理流程及其單點登入許可權控制

單點登入是多域名企業站點流行的登入方式。本文以現實生活場景輔助理解,力爭徹底理清 OAuth2.0 實現單點登入的原理流程。同時總結了許可權控制的實現方案,及其在微服務架構中的應用。 作者:王克鋒 出處:https://kefeng.wang/2018/

SpringMVC整合開源的驗證框架Kaptcha實現驗證效果

       流程:本專案是通過maven建立的,首先需要匯入Kaptcha的jar包,然後在spring中配置Kaptcha的屬性,還需要實現一個生成驗證碼的controller類,最後在前端顯示。 <dependency> <grou

Springboot 2.0.x 簡單整合Rabbit MQ 實現訊息傳送消費【Windows 環境下】

文章目錄 Springboot 2.0.x 簡單整合Rabbit MQ 並實現訊息傳送和消費【Windows 環境下】 1、rabbit mq 基礎支援,安裝 Erlang 環境 2、安裝 ra

SpringBoot2.0 整合Reids,作為資料庫或者快取。支援CRUD

Redis的優勢:             1、效能極高 – Redis能讀的速度是110000次/s,寫的速度是81000次/s 。             2、豐富的資料型別 – Redis支援二進位制案例的 Strings, Lists, Hashes, Sets 及

基於Python的Selenium自動化(3)— 實現驗證擷取識別

這些天實在忙的冒煙,一大堆的專案堆在一起,沒日沒夜的加班。加上有些懶惰,學習進度一直沒有太多進展。這篇文章主要介紹前段時間抽空實現的一個功能,希望有需要用到可以得到一點啟發。 基於UI層的自動化,有一些坑在裡面,幾乎幾個每個人都會遇到的,其中之一就是註冊或登入

SpringBoot2.0 整合 RocketMQ ,實現請求非同步處理

一、RocketMQ 1、架構圖片 2、角色分類 (1)、Broker RocketMQ 的核心,接收 Producer 發過來

Java Swing 圖形界面實現驗證驗證可動態刷新)

string ble urn repaint xtend efault event adapt 內容 import java.awt.Color;import java.awt.Font;import java.awt.Graphics;import java.awt.To

Java實現驗證(上)

ins check dom 後臺 類繼承 訪問 and text 出錯   眾所周知,現在登錄註冊各種網站賬號很多都要求輸入驗證碼。設置驗證碼,毫無疑問降低了用戶體驗,但為什麽各種網站還仍然使用驗證碼呢?   很明顯,驗證碼有其特殊的作用:驗證碼是一種區分用戶是計算機還是人

PHP實現驗證制作

php 驗證碼 captcha.php(PHP產生驗證碼並儲存Session):<?php //開啟Session session_start(); //繪制底圖 $image = imagecreatetruecolor(100, 30);//返回資源型的值 $bgcolor =

發送短信驗證郵箱驗證—Java實現

短信驗證碼 郵箱驗證碼 短信驗證碼 短信驗證碼都是調用一些接口來進行短信的發送,短信驗證碼在登錄、註冊等操作中使用的最廣泛,本文這一節演示如何使用Java制作一個簡單的短信驗證碼登錄。 我這裏演示使用的是聚合數據的短信接口(並非廣告),因為聚合數據的接口調用比較方便和簡單,所以首先得先去聚合數據裏

Python使用Timer實現驗證功能

input thread sel def AC check cache IT imp from threading import Timer import random class Code: def __init__(self): s

PHP實現驗證

channels echo img -type order pos 函數返回 個數 body (1)常見的驗證碼哪些? 圖像類型、語音類型、視頻類型、短信類型等 (2)使用驗證碼的好處在哪裏? ①防止惡意的破解密碼如一些黑客為了獲取到用戶信息,通過不同的手段向服務器

shop--6.店鋪註冊--使用kaptcha實現驗證

ssa p s request ava edi eth ring formdata input 1.引入jar包 https://mvnrepository.com/中搜索com.github.penggle 找到kaptcha,將其dependency拷貝到pom.xml

PHP JS CSS session實現驗證功能

驗證碼 ges ron oss art tex lse 個數 bcd PHP JS CSS session實現驗證碼功能 頁面<?php//校驗驗證碼if (isset($_POST["authcode"])) {session_start();

網頁登陸註冊(jsp實現)驗證

cte exp .com tran cti version height 一個 dog 這是一個登陸頁面,有登陸驗證和驗證碼的功能(1)生成驗證碼的servlet:import javax.imageio.ImageIO;import javax.servlet.Servl