SpringBoot中使用Spring Security實現許可權控制
Spring Security,這是一個專門針對基於Spring的專案的安全框架,它主要是利用了AOP來實現的。以前在Spring框架中使用Spring Security需要我們進行大量的XML配置,但是,Spring Boot針對Spring Security也提供了自動配置的功能,這些預設的自動配置極大的簡化了我們的開發工作,我們今天就來看看這個吧。
建立Project並新增相關依賴
資料庫使用MySQL,所以新增mysql驅動,
pom.xml
<?xml version="1.0" encoding="UTF-8"?>
<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
<modelVersion>4.0.0</modelVersion>
<groupId>com.wangh</groupId>
<artifactId>springboot_security</artifactId>
<version >0.0.1-SNAPSHOT</version>
<packaging>jar</packaging>
<name>springboot_security</name>
<description>Demo project for Spring Boot</description>
<parent>
<groupId>org.springframework.boot</groupId>
<artifactId> spring-boot-starter-parent</artifactId>
<version>1.5.4.RELEASE</version>
<relativePath/> <!-- lookup parent from repository -->
</parent>
<properties>
<project.build.sourceEncoding>UTF-8</project.build.sourceEncoding>
<project.reporting.outputEncoding>UTF-8</project.reporting.outputEncoding>
<java.version>1.8</java.version>
</properties>
<dependencies>
<dependency>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-data-jpa</artifactId>
</dependency>
<dependency>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-security</artifactId>
</dependency>
<dependency>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-thymeleaf</artifactId>
</dependency>
<dependency>
<groupId>mysql</groupId>
<artifactId>mysql-connector-java</artifactId>
<version>5.1.40</version>
</dependency>
<!-- thymeleaf-extras-springsecurity4 -->
<dependency>
<groupId>org.thymeleaf.extras</groupId>
<artifactId>thymeleaf-extras-springsecurity4</artifactId>
</dependency>
<dependency>
<groupId>org.apache.maven.plugins</groupId>
<artifactId>maven-resources-plugin</artifactId>
<version>2.6</version>
</dependency>
<dependency>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-test</artifactId>
<scope>test</scope>
</dependency>
<dependency>
<groupId>org.springframework.security</groupId>
<artifactId>spring-security-test</artifactId>
<scope>test</scope>
</dependency>
</dependencies>
<build>
<plugins>
<plugin>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-maven-plugin</artifactId>
</plugin>
</plugins>
</build>
</project>
配置application.properties
spring.datasource.driver-class-name=com.mysql.jdbc.Driver
spring.datasource.url=jdbc:mysql://localhost:3306/girl?useUnicode=true&characterEncoding=utf-8
spring.datasource.username=system
spring.datasource.password=mysql
logging.level.org.springframework.security=info
spring.thymeleaf.cache=false
spring.jpa.hibernate.ddl-auto=update
spring.jpa.show-sql=true
定義使用者和角色
我們這裡使用JPA來定義使用者和角色,使用者和角色都儲存在資料庫中,我們直接通過在資料庫中查詢然後來使用。
定義角色
package com.wangh.springboot_security.model;
import javax.persistence.Entity;
import javax.persistence.GeneratedValue;
import javax.persistence.Id;
/**
* 角色
* @author WangZhen
*/
@Entity
public class SysRole {
@Id
@GeneratedValue
private Integer id;
private String name;
public Integer getId() {
return id;
}
public void setId(Integer id) {
this.id = id;
}
public String getName() {
return name;
}
public void setName(String name) {
this.name = name;
}
}
定義使用者
我們在定義使用者的時候需要實現UserDetails介面,這樣我們的使用者實體即為Spring Security所使用的使用者,定義好使用者之後,我們還要配置使用者和角色之間的多對多關係,正常情況下,角色和許可權是兩回事,所以我們還需要重寫getAuthorities方法,將使用者的角色和許可權關聯起來
package com.wangh.springboot_security.model;
import java.util.ArrayList;
import java.util.Collection;
import java.util.List;
import javax.persistence.CascadeType;
import javax.persistence.Entity;
import javax.persistence.FetchType;
import javax.persistence.GeneratedValue;
import javax.persistence.Id;
import javax.persistence.ManyToMany;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.authority.SimpleGrantedAuthority;
import org.springframework.security.core.userdetails.UserDetails;
/**
* 使用JPA定義使用者。實現UserDetails介面,使用者實體即為springSecurity所使用的使用者。
* @author WangZhen
*/
@Entity
public class SysUser implements UserDetails {
private static final long serialVersionUID = 1L;
@Id
@GeneratedValue
private Long id;
private String username;
private String password;
//FetchType.EAGER:急載入。在載入一個實體的時候,其中定義是急載入的的屬性(property)和欄位(field)會立即從資料庫中載入
//CascadeType:級聯更新
@ManyToMany(cascade = {CascadeType.REFRESH}, fetch = FetchType.EAGER)
private List<SysRole> roles;
@Override
public Collection<? extends GrantedAuthority> getAuthorities() {
//將使用者角色作為許可權
List<GrantedAuthority> auths = new ArrayList<GrantedAuthority>();
List<SysRole> roles = this.getRoles();
for(SysRole role : roles){
auths.add(new SimpleGrantedAuthority(role.getName()));
}
return auths;
}
@Override
public String getPassword() {
return password;
}
@Override
public String getUsername() {
return username;
}
@Override
public boolean isAccountNonExpired() {
return true;
}
@Override
public boolean isAccountNonLocked() {
return true;
}
@Override
public boolean isCredentialsNonExpired() {
return true;
}
@Override
public boolean isEnabled() {
return true;
}
public Long getId() {
return id;
}
public void setId(Long id) {
this.id = id;
}
public List<SysRole> getRoles() {
return roles;
}
public void setRoles(List<SysRole> roles) {
this.roles = roles;
}
public void setUsername(String username) {
this.username = username;
}
public void setPassword(String password) {
this.password = password;
}
}
預設測試資料
在src/main/resources下新建data.sql.
insert into SYS_USER (id,username,password) values(1,'wanghao','wanghao');
insert into SYS_USER (id,username,password) values(2,'wangtuo','wangtuo');
insert into SYS_ROLE (id,name) values(1,'ROLE_ADMIN');
insert into SYS_ROLE (id,name) values(2,'ROLE_USER');
insert into SYS_USER_ROLES (SYS_USER_ID, ROLES_ID) values(1,1);
insert into SYS_USER_ROLES (SYS_USER_ID, ROLES_ID) values(2,2);
經過上面步驟之後我們的使用者就和角色關聯起來了,這個時候執行Project就會在資料庫中自動幫我們生成三張表,使用者表、角色表和兩者的關聯表,並有初始資料。
建立傳值物件
資料建立成功之後,在客戶端請求網頁的時候我們需要有一個實體類用來向客戶端傳遞訊息,那我們建立一個Msg物件:
package com.wangh.springboot_security.model;
public class Msg {
private String title;
private String content;
private String extraInfo;
public Msg(String title, String content, String extraInfo) {
super();
this.title = title;
this.content = content;
this.extraInfo = extraInfo;
}
public String getTitle() {
return title;
}
public void setTitle(String title) {
this.title = title;
}
public String getContent() {
return content;
}
public void setContent(String content) {
this.content = content;
}
public String getExtraInfo() {
return extraInfo;
}
public void setExtraInfo(String extraInfo) {
this.extraInfo = extraInfo;
}
}
建立資料訪問介面
package com.wangh.springboot_security.repository;
import org.springframework.data.jpa.repository.JpaRepository;
import com.wangh.springboot_security.model.SysUser;
public interface SysUserRepository extends JpaRepository<SysUser, Long> {
/**
* 根據使用者名稱查使用者
* @param username
* @return
*/
SysUser findByUsername(String username);
}
自定義UserDetailsService
首先這裡我們需要重寫UserDetailsService介面,然後實現該介面中的loadUserByUsername方法,通過該方法查詢到對應的使用者,這裡之所以要實現UserDetailsService介面,是因為在Spring Security中我們配置相關引數需要UserDetailsService型別的資料。
package com.wangh.springboot_security.service;
import javax.annotation.Resource;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.core.userdetails.UsernameNotFoundException;
import com.wangh.springboot_security.model.SysUser;
import com.wangh.springboot_security.repository.SysUserRepository;
/**
* 自定義UserService需實現UserDetailsService介面。可直接返回給springSecurity使用。
* @author WangZhen
*
*/
public class CustomUserService implements UserDetailsService {
@Resource
private SysUserRepository sysUserRepository;
//重寫獲得使用者
@Override
public UserDetails loadUserByUsername(String username) throws UsernameNotFoundException {
SysUser user = sysUserRepository.findByUsername(username);
if(user == null){
throw new UsernameNotFoundException("使用者不存在");
}
return user;
}
}
SpringMVC配置
package com.wangh.springboot_security.config;
import org.springframework.context.annotation.Configuration;
import org.springframework.web.servlet.config.annotation.ViewControllerRegistry;
import org.springframework.web.servlet.config.annotation.WebMvcConfigurerAdapter;
/**
* springMVC配置
* @author WangZhen
*/
@Configuration
public class WebMvcConfig extends WebMvcConfigurerAdapter{
/**
* 註冊訪問登入轉向login.html頁面
*/
@Override
public void addViewControllers(ViewControllerRegistry registry) {
registry.addViewController("/login").setViewName("login");
}
}
當用戶訪問login時跳轉到login.html頁面。
配置Spring Security
package com.wangh.springboot_security.config;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
/**
* Spring Security配置
* @author WangZhen
*/
import org.springframework.security.core.userdetails.UserDetailsService;
import com.wangh.springboot_security.service.CustomUserService;
@Configuration
public class WebSecurityConfig extends WebSecurityConfigurerAdapter {//擴充套件SpringSecurity配置需要繼承此類
@Bean
UserDetailsService customUserService(){//註冊UserDetailsService的bean
return new CustomUserService();
}
@Override
protected void configure(AuthenticationManagerBuilder auth) throws Exception {
auth.userDetailsService(customUserService());//新增自定義的userDetailsService認證
}
@Override
protected void configure(HttpSecurity http) throws Exception {
http.authorizeRequests()
.anyRequest().authenticated()//所有的請求需要認證即登陸後才能訪問
.and()
.formLogin().loginPage("/login")
.failureUrl("/login?error")
.permitAll() //登入頁面可任意訪問
.and()
.logout().permitAll();//登出請求可任意訪問
}
}
1.首先當我們要自定義Spring Security的時候我們需要繼承自WebSecurityConfigurerAdapter來完成,相關配置重寫對應 方法即可。
2.我們在這裡註冊CustomUserService的Bean,然後通過重寫configure方法新增我們自定義的認證方式。
3.在configure(HttpSecurity http)方法中,我們設定了登入頁面,而且登入頁面任何人都可以訪問,然後設定了登入失敗地址,也設定了登出請求,登出請求也是任何人都可以訪問的。
4.permitAll表示該請求任何人都可以訪問,.anyRequest().authenticated(),表示其他的請求都必須要有許可權認證。
5.這裡我們可以通過匹配器來匹配路徑,比如antMatchers方法,假設我要管理員才可以訪問admin資料夾下的內容,我可以這樣來寫:.antMatchers(“/admin/”).hasRole(“ROLE_ADMIN”),也可以設定admin資料夾下的檔案可以有多個角色來訪問,寫法如下:.antMatchers(“/admin**/**”).hasAnyRole(“ROLE_ADMIN”,”ROLE_USER”)
6.可以通過hasIpAddress來指定某一個ip可以訪問該資源,假設只允許訪問ip為210.210.210.210的請求獲取admin下的資源,寫法如下.antMatchers(“/admin/**”).hasIpAddress(“210.210.210.210”)
7.更多的許可權控制方式參看下表:
8.這裡我們還可以做更多的配置,參考如下程式碼:
http.authorizeRequests()
.anyRequest().authenticated()
.and().formLogin().loginPage("/login")
//設定預設登入成功跳轉頁面
.defaultSuccessUrl("/index").failureUrl("/login?error").permitAll()
.and()
//開啟cookie儲存使用者資料
.rememberMe()
//設定cookie有效期
.tokenValiditySeconds(60 * 60 * 24 * 7)
//設定cookie的私鑰
.key("")
.and()
.logout()
//預設登出行為為logout,可以通過下面的方式來修改
.logoutUrl("/logout")
//設定登出成功後跳轉頁面,預設是跳轉到登入頁面
.logoutSuccessUrl("")
.permitAll();
建立登入頁面
在template資料夾中建立login.html頁面,內容如下:
<!DOCTYPE html>
<html lang="en" xmlns:th="http://www.thymeleaf.org">
<head>
<meta charset="UTF-8"/>
<title>登入</title>
<link rel="stylesheet" th:href="@{css/bootstrap.min.css}"/>
<style type="text/css">
body {
padding-top: 50px;
}
.starter-template {
padding: 40px 15px;
text-align: center;
}
</style>
</head>
<body>
<nav class="navbar navbar-inverse navbar-fixed-top">
<div class="container">
<div class="navbar-header">
<a class="navbar-brand" href="#">Spring Security演示</a>
</div>
<div id="navbar" class="collapse navbar-collapse">
<ul class="nav navbar-nav">
<li><a th:href="@{/}">首頁</a></li>
<li><a th:href="@{http://www.baidu.com}">百度</a></li>
</ul>
</div>
</div>
</nav>
<div class="container">
<div class="starter-template">
<p th:if="${param.logout}" class="bg-warning">已登出</p>
<p th:if="${param.error}" class="bg-danger">有錯誤,請重試</p>
<h2>使用賬號密碼登入</h2>
<form class="form-signin" role="form" name="form" th:action="@{/login}" action="/login" method="post">
<div class="form-group">
<label for="username">賬號</label>
<input type="text" class="form-control" name="username" value="" placeholder="賬號"/>
</div>
<div class="form-group">
<label for="password">密碼</label>
<input type="password" class="form-control" name="password" placeholder="密碼"/>
</div>
<input type="submit" id="login" value="Login" class="btn btn-primary"/>
</form>
</div>
</div>
</body>
</html>
建立登入成功後跳轉頁面
index.html
<!DOCTYPE html>
<html lang="en" xmlns:th="http://www.thymeleaf.org"
xmlns:sec="http://www.thymeleaf.org/thymeleaf-extras-springsecurity4">
<head>
<meta charset="UTF-8"/>
<title sec:authentication="name"></title>
<link rel="stylesheet" th:href="@{css/bootstrap.min.css}"/>
<style type="text/css">
body {
padding-top: 50px;
}
.starter-template {
padding: 40px 15px;
text-align: center;
}
</style>
</head>
<body>
<nav class="navbar navbar-inverse navbar-fixed-top">
<div class="container">
<div class="navbar-header">
<a class="navbar-brand" href="#">Spring Security演示</a>
</div>
<div id="navbar" class="collapse navbar-collapse">
<ul class="nav navbar-nav">
<li><a th:href="@{/}">首頁</a></li>
<li><a th:href="@{http://www.baidu.com}">百度</a></li>
</ul>
</div>
</div>
</nav>
<div class="container">
<div class="starter-template">
<h1 th:text="${msg.title}"></h1>
<p class="bg-primary" th:text="${msg.content}"></p>
<div sec:authorize="hasRole('ROLE_ADMIN')">
<p class="bg-info" th:text="${msg.extraInfo}"></p>
</div>
<div sec:authorize="hasRole('ROLE_USER')">
<p class="bg-info">無更多顯示資訊</p>
</div>
<form th:action="@{/logout}" method="post">
<input type="submit" class="btn btn-primary" value="登出"/>
</form>
</div>
</div>
</body>
</html>
這裡有如下幾個問題需要說明:
1.在html標籤中我們引入的Spring Security
2.通過sec:authentication=”name”我們可以獲取當前使用者名稱
3.sec:authorize="hasRole('ROLE_ADMIN')表示當前使用者角色為ROLE_ADMIN的話顯示裡邊的內容
4.sec:authorize="hasRole('ROLE_USER')表示當前使用者角色為ROLE_USER的話顯示該DIV裡邊的內容
新增控制器
package com.wangh.springboot_security.controller;
import org.springframework.stereotype.Controller;
import org.springframework.ui.Model;
import org.springframework.web.bind.annotation.RequestMapping;
import com.wangh.springboot_security.model.Msg;
@Controller
public class HomeController {
@RequestMapping("/")
public String index(Model model) {
Msg msg = new Msg("標題", "內容", "額外資訊,只對管理員顯示");
model.addAttribute("msg", msg);
return "index";
}
}