Spring Security 整合Spring Boot(2)
2018-07-18 本文已影响352人
蓝色_fea0
1 spring boot 默认的登录
1.1 启用spring security
application.properties配置如下
#数据库的连接
spring.datasource.driver-class-name = com.mysql.jdbc.Driver
spring.datasource.url= jdbc:mysql://111.230.151.11:3306/test?useUnicode=yes&characterEncoding=UTF-8&useSSL=false
spring.datasource.username = root
spring.datasource.password = root
#关闭thymeleaf的浏览器缓存
spring.thymeleaf.cache=false
#security.basic.enabled=false
server.port= 8086
1.2 编写 spring security的浏览器请求的配置类BrowserSecurityConfig
package com.wuhongyu.security.browser;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
/**
* spring security 配置类
*/
@Configuration
public class BrowserSecurityConfig extends WebSecurityConfigurerAdapter {
/**
* spring security 配置方法
* @param http
* @throws Exception
*/
@Override
protected void configure(HttpSecurity http) throws Exception {
http
.formLogin() //设置表单登录
.and()
.authorizeRequests() //认证的请求有如下
.anyRequest().authenticated()//认证所有请求
.and()
.csrf().disable() //暂时关闭CSRF 远程防护系统
;
}
}
1.3 启动 wuhongyu-security-demo项目
控制台会报出密码
image.png
在浏览器端输入http://localhost:8086/user
浏览器自动跳转到login页面
image.png
默认的用户名是user 密码是控制台报出的密码
然后我们进行登录
成功跳转到登录页面
image.png
2 自定义登录认证逻辑
修改BrowserSecurityConfig配置类, 加入bcry密码加密工具
/**
* 注册一个密码加密工具
* bcry密码加密 每次加密后的结果都不一样
* 具有更高的安全性
*
* 栗子:
* 登录密码为:$2a$10$0bphznMI3E9diRvA5f.wPu1HHfRU1dAwh/hSbGMIPIDWGOos8XNWW
* @return
*/
@Bean
public PasswordEncoder getPasswordEncoder(){
return new BCryptPasswordEncoder();
}
编写自定义用户登录认证逻辑的实现类MyUserDetailService
只要实现UserDetailsService接口 然后用@Component注解加载到spring容器中即可
重写的方法loadUserByUsername()的返回值可以是任何实现了UserDetails接口的实体类
这里使用的是spring security自带的User类org.springframework.security.core.userdetails.User;
User类的详情请看代码里的注释
package com.wuhongyu.security.browser;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.authority.AuthorityUtils;
import org.springframework.security.core.userdetails.User;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.core.userdetails.UsernameNotFoundException;
import org.springframework.security.crypto.password.PasswordEncoder;
import org.springframework.stereotype.Component;
import java.util.List;
/**
*自定义用户认证逻辑的实现类
*/
@Component
public class MyUserDetailService implements UserDetailsService {
/**
* 日志类
*/
private Logger logger = LoggerFactory.getLogger(getClass());
/**
* 注入密码加入工具类
*/
@Autowired
private PasswordEncoder passwordEncoder;
@Override
public UserDetails loadUserByUsername(String username) throws UsernameNotFoundException {
logger.info("登录用户名:"+username);
//用户的密码
String password ="123456";
//对密码进行加密
password = passwordEncoder.encode(password);
logger.info("登录密码为:"+password);
//用户的权限中间可以用','隔开
String roles = "admin";
List<GrantedAuthority> authorities = AuthorityUtils.commaSeparatedStringToAuthorityList(roles);
//将用户名和密码还有用户的权限给User类 User 实现了 userDetails
/* isAccountNonExpired(); 用户账户是否过期
isAccountNonLocked(); 用户账户是否锁定
isCredentialsNonExpired(); 用户密码是否过期
isEnabled(); 该用户是否可用
*/
/**
*
* 构造方法2
* User(String username, String password, boolean enabled,
* boolean accountNonExpired, boolean credentialsNonExpired,
* boolean accountNonLocked, Collection<? extends GrantedAuthority> authorities)
*
* */
//UserDetails userDetails = new User(username,password,true,true,true,true,authorities);
UserDetails userDetails = new User(username,password,authorities);
return userDetails;
}
}
下面启动demo项目进行测试
发现启动后控制台不再报出密码
image.png
在浏览器中输入http://localhost:8086/user
跳转到login页面
用户名和密码都定义在了MyUserDetailService中
用户名可以任意输入 密码为123456
登录成功
image.png
查看控制台
显示了本次登录的用户名 和加密之后的密码
image.png
