---

title: Spring Security
date: 2019-08-05 16:40:27
categories:

• 后端
  tags:
• 后端
• 权限管理

---

Spring Security

• Spring Security是一个能够为基于Spring的企业应用系统提供声明式的安全访问控制解决方案的安全框架（简单说是对访问权限进行控制嘛）。它提供了一组可以在Spring应用上下文中配置的Bean，充分利用了Spring IoC，DI（控制反转Inversion of Control ,DI:Dependency Injection 依赖注入）和AOP（面向切面编程）功能，为应用系统提供声明式的安全访问控制功能，减少了为企业系统安全控制编写大量重复代码的工作。
• 核心：认证和授权
• RBAC基于角色的访问控制
• 安全配置类，集成WebSecurityConfigurerAdapter

package com.waylau.spring.boot.blog.config;import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.context.annotation.Bean;
import org.springframework.security.authentication.AuthenticationProvider;
import org.springframework.security.authentication.dao.DaoAuthenticationProvider;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.method.configuration.EnableGlobalMethodSecurity;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
import org.springframework.security.crypto.password.PasswordEncoder;/*** Spring Security 配置类.* * @since 1.0.0 2017年3月8日* @author <a href="https://waylau.com">Way Lau</a>*/
@EnableWebSecurity
@EnableGlobalMethodSecurity(prePostEnabled = true) // 启用方法安全设置
public class SecurityConfig extends WebSecurityConfigurerAdapter {private static final String KEY = "waylau.com";@Autowiredprivate UserDetailsService userDetailsService;@Autowiredprivate PasswordEncoder passwordEncoder;@Bean  public PasswordEncoder passwordEncoder() {  return new BCryptPasswordEncoder();   // 使用 BCrypt 加密}  @Bean  public AuthenticationProvider authenticationProvider() {  DaoAuthenticationProvider authenticationProvider = new DaoAuthenticationProvider();authenticationProvider.setUserDetailsService(userDetailsService);authenticationProvider.setPasswordEncoder(passwordEncoder); // 设置密码加密方式return authenticationProvider;  }  /*** 自定义配置，设置访问路径，并且静止h2控制台的csrf防护*/@Overrideprotected void configure(HttpSecurity http) throws Exception {http.authorizeRequests().antMatchers("/css/**", "/js/**", "/fonts/**", "/index").permitAll() // 都可以访问.antMatchers("/h2-console/**").permitAll() // 都可以访问.antMatchers("/admins/**").hasRole("ADMIN") // 需要相应的角色才能访问.and().formLogin()   //基于 Form 表单登录验证.loginPage("/login").failureUrl("/login-error") // 自定义登录界面.and().rememberMe().key(KEY) // 启用 remember me.and().exceptionHandling().accessDeniedPage("/403");  // 处理异常，拒绝访问就重定向到 403 页面http.csrf().ignoringAntMatchers("/h2-console/**"); // 禁用 H2 控制台的 CSRF 防护http.headers().frameOptions().sameOrigin(); // 允许来自同一来源的H2 控制台的请求}/*** 认证信息管理* @param auth* @throws Exception*/@Autowiredpublic void configureGlobal(AuthenticationManagerBuilder auth) throws Exception {auth.userDetailsService(userDetailsService);auth.authenticationProvider(authenticationProvider());}
}

• html代码示例

  <!DOCTYPE html>
  <html xmlns="http://www.w3.org/1999/xhtml"xmlns:th="http://www.thymeleaf.org"xmlns:sec="http://www.thymeleaf.org/thymeleaf-extras-springsecurity4">
  <head>
  </head>
  <body><div sec:authorize="isAuthenticated()">这里就是判断是否认证的样子<p>已登录</p><p>登录名：<span sec:authentication="name"></span></p><p>Password：<span sec:authentication="principal.password"></span></p><div sec:authentication="principal.authorities"></div> <!-- works fine --><p>Email ：<span sec:authentication="principal.email"></span></p><p>Name：<span sec:authentication="principal.username"></span></p><p>Status：<span sec:authentication="principal.status"></span></p><p>拥有的角色：<span sec:authorize="hasRole('ROLE_ADMIN')">管理员</span><span sec:authorize="hasRole('ROLE_USER')">用户</span></p></div><div sec:authorize="isAnonymous"><p>未登录</p></div>
  </body>
  </html>

• 有一个问题需要注意，如果你是ADMIN，在数据库里面必须储存ROLE_ADMIN,其他云云。

• 同时，在security中，角色和权限共用GrantedAuthorty接口，唯一不同就是角色有个前缀ROLE_,

  package org.springframework.security.core.authority;import org.springframework.security.core.GrantedAuthority;
  import org.springframework.util.Assert;public final class SimpleGrantedAuthority implements GrantedAuthority {private static final long serialVersionUID = 500L;private final String role;public SimpleGrantedAuthority(String role) {Assert.hasText(role, "A granted authority textual representation is required");this.role = role;}public String getAuthority() {return this.role;}public boolean equals(Object obj) {if (this == obj) {return true;} else {return obj instanceof SimpleGrantedAuthority ? this.role.equals(((SimpleGrantedAuthority)obj).role) : false;}}public int hashCode() {return this.role.hashCode();}public String toString() {return this.role;}
  }
  

• 实例操作，假如用户和权限分开

  package com.waylau.spring.boot.blog.domain;import javax.persistence.Column;
  import javax.persistence.Entity;
  import javax.persistence.GeneratedValue;
  import javax.persistence.GenerationType;
  import javax.persistence.Id;import org.springframework.security.core.GrantedAuthority;/*** 权限.*/
  @Entity // 实体
  public class Authority implements GrantedAuthority {private static final long serialVersionUID = 1L;@Id // 主键@GeneratedValue(strategy = GenerationType.IDENTITY) // 自增长策略private Long id; // 用户的唯一标识@Column(nullable = false) // 映射为字段，值不能为空private String name;public Long getId() {return id;}public void setId(Long id) {this.id = id;}/** (non-Javadoc)* * @see org.springframework.security.core.GrantedAuthority#getAuthority()*/@Overridepublic String getAuthority() {return name;}public void setName(String name) {this.name = name;}
  }
  package com.waylau.spring.boot.blog.domain;import java.io.Serializable;
  import java.util.ArrayList;
  import java.util.Collection;
  import java.util.List;import javax.persistence.CascadeType;
  import javax.persistence.Column;
  import javax.persistence.Entity;
  import javax.persistence.FetchType;
  import javax.persistence.GeneratedValue;
  import javax.persistence.GenerationType;
  import javax.persistence.Id;
  import javax.persistence.JoinColumn;
  import javax.persistence.JoinTable;
  import javax.persistence.ManyToMany;
  import javax.validation.constraints.Size;import org.hibernate.validator.constraints.Email;
  import org.hibernate.validator.constraints.NotEmpty;
  import org.springframework.security.core.GrantedAuthority;
  import org.springframework.security.core.authority.SimpleGrantedAuthority;
  import org.springframework.security.core.userdetails.UserDetails;
  import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
  import org.springframework.security.crypto.password.PasswordEncoder;/*** User 实体* * @since 1.0.0 2017年3月5日* @author <a href="https://waylau.com">Way Lau</a>*/
  @Entity // 实体
  public class User implements UserDetails, Serializable {
  //springsecurity要求的实现方法private static final long serialVersionUID = 1L;@Id // 主键@GeneratedValue(strategy = GenerationType.IDENTITY) // 自增长策略private Long id; // 用户的唯一标识@NotEmpty(message = "姓名不能为空")@Size(min=2, max=20)@Column(nullable = false, length = 20) // 映射为字段，值不能为空private String name;@NotEmpty(message = "邮箱不能为空")@Size(max=50)@Email(message= "邮箱格式不对" ) @Column(nullable = false, length = 50, unique = true)private String email;@NotEmpty(message = "账号不能为空")@Size(min=3, max=20)@Column(nullable = false, length = 20, unique = true)private String username; // 用户账号，用户登录时的唯一标识@NotEmpty(message = "密码不能为空")@Size(max=100)@Column(length = 100)private String password; // 登录时密码@Column(length = 200)private String avatar; // 头像图片地址
  //用户和权限的关系，必须把他们连接在一起@ManyToMany(cascade = CascadeType.DETACH, fetch = FetchType.EAGER)@JoinTable(name = "user_authority", joinColumns = @JoinColumn(name = "user_id", referencedColumnName = "id"), inverseJoinColumns = @JoinColumn(name = "authority_id", referencedColumnName = "id"))private List<Authority> authorities;protected User() { // JPA 的规范要求无参构造函数；设为 protected 防止直接使用}public User(String name, String email,String username,String password) {this.name = name;this.email = email;this.username = username;this.password = password;}public Long getId() {return id;}public void setId(Long id) {this.id = id;}public String getName() {return name;}public void setName(String name) {this.name = name;}public String getEmail() {return email;}public void setEmail(String email) {this.email = email;}//用户权限实现信息public Collection<? extends GrantedAuthority> getAuthorities() {//  需将 List<Authority> 转成 List<SimpleGrantedAuthority>，否则前端拿不到角色列表名称List<SimpleGrantedAuthority> simpleAuthorities = new ArrayList<>();for(GrantedAuthority authority : this.authorities){simpleAuthorities.add(new SimpleGrantedAuthority(authority.getAuthority()));}return simpleAuthorities;}public void setAuthorities(List<Authority> authorities) {this.authorities = authorities;}@Overridepublic String getUsername() {return username;}public void setUsername(String username) {this.username = username;}@Overridepublic String getPassword() {return password;}public void setPassword(String password) {this.password = password;}public void setEncodePassword(String password) {PasswordEncoder  encoder = new BCryptPasswordEncoder();String encodePasswd = encoder.encode(password);this.password = encodePasswd;}public String getAvatar() {return avatar;}public void setAvatar(String avatar) {this.avatar = avatar;}
  //改成true方法，@Overridepublic boolean isAccountNonExpired() {return true;}@Overridepublic boolean isAccountNonLocked() {return true;}@Overridepublic boolean isCredentialsNonExpired() {return true;}@Overridepublic boolean isEnabled() {return true;}@Overridepublic String toString() {return String.format("User[id=%d, username='%s', name='%s', email='%s', password='%s']", id, username, name, email,password);}
  }
  请看User实现了UserDetail方法里面有很多方法，有获得用户名和密码的方法，还有权限方法，所以推测UserDetails的实现类就是验证对的方式

• 详细原理

• 主要类，用来验证密码的类

  public void configure(AuthenticationManagerBuilder auth) throws Exception {if (auth.isConfigured()) {return;}UserDetailsService userDetailsService = getBeanOrNull(UserDetailsService.class);if (userDetailsService == null) {return;}PasswordEncoder passwordEncoder = getBeanOrNull(PasswordEncoder.class);DaoAuthenticationProvider provider = new DaoAuthenticationProvider();provider.setUserDetailsService(userDetailsService);if (passwordEncoder != null) {provider.setPasswordEncoder(passwordEncoder);}auth.authenticationProvider(provider);}

• config类示例

  package com.waylau.spring.boot.blog.config;import org.springframework.beans.factory.annotation.Autowired;
  import org.springframework.context.annotation.Bean;
  import org.springframework.security.authentication.AuthenticationProvider;
  import org.springframework.security.authentication.dao.DaoAuthenticationProvider;
  import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
  import org.springframework.security.config.annotation.method.configuration.EnableGlobalMethodSecurity;
  import org.springframework.security.config.annotation.web.builders.HttpSecurity;
  import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
  import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
  import org.springframework.security.core.userdetails.UserDetailsService;
  import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
  import org.springframework.security.crypto.password.PasswordEncoder;/*** Spring Security 配置类.* * @since 1.0.0 2017年3月8日* @author <a href="https://waylau.com">Way Lau</a>*/
  @EnableWebSecurity
  @EnableGlobalMethodSecurity(prePostEnabled = true) // 启用方法安全设置
  public class SecurityConfig extends WebSecurityConfigurerAdapter {private static final String KEY = "waylau.com";@Autowiredprivate UserDetailsService userDetailsService;@Autowiredprivate PasswordEncoder passwordEncoder;@Bean  public PasswordEncoder passwordEncoder() {  return new BCryptPasswordEncoder();   // 使用 BCrypt 加密}  @Bean  public AuthenticationProvider authenticationProvider() {  DaoAuthenticationProvider authenticationProvider = new DaoAuthenticationProvider();authenticationProvider.setUserDetailsService(userDetailsService);authenticationProvider.setPasswordEncoder(passwordEncoder); // 设置密码加密方式return authenticationProvider;  }  /*** 自定义配置*///实际上的登录表单提交按钮，最终提交的是在这个地方@Overrideprotected void configure(HttpSecurity http) throws Exception {http.authorizeRequests().antMatchers("/css/**", "/js/**", "/fonts/**", "/index").permitAll() // 都可以访问.antMatchers("/h2-console/**").permitAll() // 都可以访问.antMatchers("/admins/**").hasRole("ADMIN") // 需要相应的角色才能访问.and().formLogin()   //基于 Form 表单登录验证.loginPage("/login").failureUrl("/login-error") // 自定义登录界面，失败后重定向到这里.and().rememberMe().key(KEY) // 启用 remember me.and().exceptionHandling().accessDeniedPage("/403");  // 处理异常，拒绝访问就重定向到 403 页面http.csrf().ignoringAntMatchers("/h2-console/**"); // 禁用 H2 控制台的 CSRF 防护http.headers().frameOptions().sameOrigin(); // 允许来自同一来源的H2 控制台的请求}/*** 认证信息管理* @param auth* @throws Exception*/@Autowiredpublic void configureGlobal(AuthenticationManagerBuilder auth) throws Exception {auth.userDetailsService(userDetailsService);auth.authenticationProvider(authenticationProvider());}
  }

Spring Security实现用户名密码验证的原理相关推荐

1. 如何使用Spring Security和Basic身份验证保护Jersey REST服务

   在我之前的博客文章" 检查REST API是否有效的快速方法–从清单文件中获取GET详细信息"中 ,我展示了如何开发REST资源以轻松检查开发的REST API是否可用. 在本文中 ...

2. 使用Spring Security添加RememberMe身份验证

   我在" 将社交登录添加到Jiwhiz博客"中提到,RememberMe功能不适用于Spring Social Security. 好吧,这是因为该应用程序现在不通过用户名和密码对用 ...

3. 使用Spring Security进行自动登录验证

   ** 原文来自师兄的博客 **: http://blog.csdn.net/df19900725/article/details/78085152 http://www.datalearner.com ...

4. Spring Boot+Spring Security+JWT 实现token验证

   Spring Boot+Spring Security+JWT 实现token验证 什么是JWT? JWT的工作流程 JWT的主要应用场景 JWT的结构 SpringBoot+Spring Secur ...

5. 使用Spring Security进行简单身份验证

   朋友不允许朋友写用户身份验证. 厌倦了管理自己的用户? 立即尝试Okta的API和Java SDK. 在几分钟之内即可对任何应用程序中的用户进行身份验证,管理和保护. 身份验证对于除了最基本的Web应 ...

6. hive 配置用户名_配置HiveServer2的安全策略之自定义用户名密码验证

   具体从网上看 http://doc.mapr.com/display/MapR/Using+HiveServer2#UsingHiveServer2-ConfiguringCustomAuthenti ...

7. Spring Security中的密码安全

   Spring Security中的密码安全 PasswordEncoder 接口 在 Spring Security 中,PasswordEncoder 接口代表的是一种密码编码器,其核心作用在于指定 ...

8. es带用户名密码验证并配置elasticsearch-head连接

   一.搭建es,带用户名密码验证 Elastic 安全是非常重要的.没有这个我们的数据可以被任何的人进行访问,串改,删除.Elastic Stack 的安全是由 x-pack 所提供的.在 Elasti ...

9. Open***2.4.3 基于用户名密码验证方式（实战）

   安装部署参考"Open'×××安装部署文档" 基于用户名密码验证: 1.修改server.conf: tls-auth ta.key 0 # This file is secret ...

最新文章

1. python控制手机发短信_python-在python3中使用容联云通讯发送短信验证码
2. LeedCode: 计算器专场
3. 计蒜客 时间复杂度 (模拟) 洛谷 P3952 时间复杂度
4. 从进程说起：容器到底是怎么一回事儿？
5. SQL Server 堆heap 非聚集索引 Nonclustered index 行号键查找RID loopup结合执行计划过程详解
6. GDI+有Bitmap类。
7. 最近ubuntu+gpu装机记录
8. 火眼：利用FTA 服务器0day攻击全球百家企业的是 FIN11
9. linux里netstat与ps,理解proc目录与linux进程、ps命令、netstat命令的关系
10. 用条码软件来制作证书
11. iTextSharp快速使用指南
12. python pyhook_python pyHook安装
13. 按照特定名字批量创建文件夹
14. 串口（串行接口）相关概念
15. 基于神经网络的指纹识别,指纹比对技术何时出现
16. TextView 的 StaticLayout，比你想象中复杂点！
17. LBM学习讨论群推荐
18. js 实现经纬度转 城市-区县-街道
19. Excel批量替换成强制換行
20. 6 年 Java 老兵 BAT 面试心经

热门文章

1. 关于冲正，需要知道的那点事
2. 内容权限判断帝国cms教程
3. 冰河联合猫大人又出版一本分布式事务领域的开山之作，这是要再次起飞了吗？
4. python 需求分析
5. Spring AOP 标签形式及Around增强处理
6. Swift的UIImage裁剪，缩放等代码实现
7. lottie实现动画效果
8. Linux学习记录二——文件导航
9. 使用away3d 精灵表实现材质动画
10. 【ARM】ARM体系与计算机组成——第一篇