
方法级别的Spring Security用法示例


除了身份验证之外, Spring Security还会检查已登录用户的授权。登录后, 将根据用户的ROLE决定其是否有权访问资源。

在WebSecurityConfig类中创建用户时, 我们还可以指定用户的ROLE。

在方法上应用的安全性会阻止未授权用户调用该方法, 仅允许经过授权的真实用户访问。

让我们来看一个例子。首先通过提供详细信息创建一个Maven项目。

方法级别的Spring Security

该项目最初看起来像这样:

方法级别2的Spring Security

Spring安全配置

现在, 配置应用程序以防止未经授权和未经身份验证的用户访问。它需要下面给出的四个Java文件, 创建一个包com.srcmini并将所有这些文件放在其中。

// AppConfig.java

此类用于在视图解析器的帮助下设置视图后缀和前缀。

package com.srcmini;
import org.springframework.context.annotation.Bean;  
import org.springframework.context.annotation.ComponentScan;  
import org.springframework.context.annotation.Configuration;  
import org.springframework.web.servlet.config.annotation.EnableWebMvc;  
import org.springframework.web.servlet.view.InternalResourceViewResolver;  
import org.springframework.web.servlet.view.JstlView;  
/**
 * Spring MVC configuration: registers the JSP view resolver.
 *
 * <p>Logical view names returned by controllers are looked up under
 * {@code /WEB-INF/views/} with a {@code .jsp} suffix, so {@code "admin"}
 * renders {@code /WEB-INF/views/admin.jsp}.
 *
 * <p>NOTE(review): the trailing {@code .*} in the scan pattern is not a
 * wildcard for this package itself; the {@code @ComponentScan("com.srcmini")}
 * on {@code WebSecurityConfig} is presumably what picks up the controller —
 * confirm before relying on this scan alone.
 */
@EnableWebMvc
@Configuration
@ComponentScan({ "com.srcmini.controller.*" })
public class AppConfig {

    /**
     * Builds the resolver that maps logical view names to JSP files.
     *
     * @return a JSTL-aware resolver rooted at {@code /WEB-INF/views/}
     */
    @Bean
    public InternalResourceViewResolver viewResolver() {
        final InternalResourceViewResolver resolver = new InternalResourceViewResolver();
        resolver.setViewClass(JstlView.class);
        // Prefix and suffix wrap the bare view name each handler method returns.
        resolver.setPrefix("/WEB-INF/views/");
        resolver.setSuffix(".jsp");
        return resolver;
    }
}

// MvcWebApplicationInitializer.java

package com.srcmini;
import org.springframework.web.servlet.support.AbstractAnnotationConfigDispatcherServletInitializer;  
/**
 * Bootstraps the {@code DispatcherServlet} programmatically (no web.xml).
 *
 * <p>Only a root context is declared, built from {@link WebSecurityConfig};
 * no servlet-level configuration class is given. Because
 * {@code WebSecurityConfig} scans {@code com.srcmini}, that scan is presumably
 * what loads {@code AppConfig} and the controllers into the root context.
 */
public class MvcWebApplicationInitializer
        extends AbstractAnnotationConfigDispatcherServletInitializer {

    /** @return the configuration classes of the root application context */
    @Override
    protected Class<?>[] getRootConfigClasses() {
        return new Class<?>[] { WebSecurityConfig.class };
    }

    /** @return {@code null}: no dedicated servlet-context configuration is used */
    @Override
    protected Class<?>[] getServletConfigClasses() {
        return null;
    }

    /** @return the URL patterns the dispatcher is mapped to (all requests) */
    @Override
    protected String[] getServletMappings() {
        return new String[] { "/" };
    }
}

// SecurityWebApplicationInitializer.java

package com.srcmini;
import org.springframework.security.web.context.*;  
/**
 * Registers Spring Security's {@code springSecurityFilterChain} with the
 * servlet container. No body is needed: the superclass performs the
 * registration for every request.
 */
public class SecurityWebApplicationInitializer  
    extends AbstractSecurityWebApplicationInitializer {  
}

// WebSecurityConfig.java

此类用于创建用户并设置其身份验证。当用户要访问应用程序时, 每次都需要登录。

package com.srcmini;
import org.springframework.context.annotation.*;
import org.springframework.security.config.annotation.method.configuration.EnableGlobalMethodSecurity;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;  
import org.springframework.security.config.annotation.web.configuration.*;  
import org.springframework.security.core.userdetails.*;
import org.springframework.security.core.userdetails.User.UserBuilder;  
import org.springframework.security.provisioning.InMemoryUserDetailsManager;
import org.springframework.security.web.util.matcher.AntPathRequestMatcher;  
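/**
 * Security configuration: defines the in-memory users and the URL-level
 * access rules, and enables method-level security ({@code @PreAuthorize}).
 */
@EnableWebSecurity
@ComponentScan("com.srcmini")
@EnableGlobalMethodSecurity(prePostEnabled = true)
public class WebSecurityConfig extends WebSecurityConfigurerAdapter {

    /**
     * Provides the two demo users: {@code irfan} with ROLE_USER and
     * {@code admin} with ROLE_ADMIN.
     *
     * @return an in-memory user store holding both users
     */
    @Bean
    public UserDetailsService userDetailsService() {
        // withDefaultPasswordEncoder() is deprecated and intended for samples:
        // the clear-text password sits in source. A real deployment should
        // store externally hashed passwords and expose a PasswordEncoder bean.
        UserBuilder users = User.withDefaultPasswordEncoder();
        InMemoryUserDetailsManager manager = new InMemoryUserDetailsManager();
        manager.createUser(users.username("irfan").password("user123").roles("USER").build());
        manager.createUser(users.username("admin").password("admin123").roles("ADMIN").build());
        return manager;
    }

    /**
     * URL-level rules: the home page is public and every other request needs
     * a logged-in user. The ADMIN-only restriction on {@code /update} is
     * enforced by {@code @PreAuthorize} in the controller, on top of this.
     *
     * @param http the builder for the security filter chain
     * @throws Exception propagated from the builder
     */
    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http.authorizeRequests()
            .antMatchers("/index", "/").permitAll()
            .antMatchers("/admin", "/user").authenticated()
            // Catch-all: an endpoint not listed above (e.g. /update) must not
            // become anonymously reachable just because it has no URL rule.
            .anyRequest().authenticated()
            .and()
            .formLogin()
            .and()
            .logout()
            // Matches /logout for any HTTP method, which is what lets the plain
            // <a href="logout"> link in admin.jsp work; a POST-only logout (the
            // default when CSRF protection is on) is the safer choice.
            .logoutRequestMatcher(new AntPathRequestMatcher("/logout"));
    }
}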

控制者

创建一个控制器HomeController并将其放入com.srcmini.controller包中。

// HomeController.java

package com.srcmini.controller;
import org.springframework.security.access.prepost.PreAuthorize;
import org.springframework.stereotype.Controller;  
import org.springframework.web.bind.annotation.RequestMapping;  
import org.springframework.web.bind.annotation.RequestMethod;
import org.springframework.web.bind.annotation.ResponseBody;
/**
 * Request handlers for the demo pages.
 *
 * <p>Access to {@code /user} and {@code /admin} is decided by the URL rules in
 * {@code WebSecurityConfig}; {@code /update} is additionally restricted to
 * ROLE_ADMIN through method security.
 */
@Controller
public class HomeController {

    /** Public landing page. */
    @RequestMapping(path = "/", method = RequestMethod.GET)
    public String index() {
        return "index";
    }

    /** Page for a logged-in user; it reuses the admin view. */
    @RequestMapping(path = "/user", method = RequestMethod.GET)
    public String user() {
        return "admin";
    }

    /** Page for a logged-in admin. */
    @RequestMapping(path = "/admin", method = RequestMethod.GET)
    public String admin() {
        return "admin";
    }

    /**
     * Simulated update; the returned text is written straight to the response.
     * The {@code hasRole} check runs before the method body, so a caller
     * without ROLE_ADMIN gets an access-denied response instead.
     */
    @PreAuthorize("hasRole('ROLE_ADMIN')")
    @ResponseBody
    @RequestMapping(path = "/update", method = RequestMethod.GET)
    public String update() {
        return "record updated ";
    }
}

视图

创建以下视图(JSP页面)以为用户生成输出。将所有视图放入WEB-INF/views文件夹。

// index.jsp

<html>  
<head>  
<title>Home Page</title>  
</head>  
<body>  
Welcome to srcmini! <br> <br>
Login as: 
<!-- Both links point at authenticated URLs, so either one triggers the login form. -->
<a href="admin">Admin</a> <a href="user">User</a>
</body>  
</html>

// admin.jsp

<html>  
<head>  
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">  
<title>Home Page</title>  
</head>  
<body>  
<!-- Logout is a plain GET link: WebSecurityConfig matches /logout for any
     method, so no CSRF token is involved. A POST form is the usual hardening. -->
<span style="color: green">Login Successful!</span> ? <a href="logout" style="text-decoration: none;">logout</a>  <br> <br>
<!-- /update is gated by @PreAuthorize in HomeController; a USER gets access denied. -->
<a href="update" style="text-decoration: none;">Update Record</a>
</body>  
</html>

包依赖

以下是创建此项目所需的依赖项。

<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
  <modelVersion>4.0.0</modelVersion>
  <groupId>com.srcmini</groupId>
  <artifactId>springmethod</artifactId>
  <version>0.0.1-SNAPSHOT</version>
  <packaging>war</packaging>
  <properties>  
    <maven.compiler.target>1.8</maven.compiler.target>  
    <maven.compiler.source>1.8</maven.compiler.source>  
</properties>  
<dependencies>  
  <dependency>  
            <groupId>org.springframework</groupId>  
            <artifactId>spring-webmvc</artifactId>  
            <version>5.0.2.RELEASE</version>  
        </dependency>  
        <dependency>  
        <groupId>org.springframework.security</groupId>  
        <artifactId>spring-security-web</artifactId>  
        <version>5.0.0.RELEASE</version>  
    </dependency>  
<dependency>
    <groupId>org.springframework.security</groupId>
    <artifactId>spring-security-core</artifactId>
    <version>5.0.4.RELEASE</version>
</dependency>
    <!-- https://mvnrepository.com/artifact/org.springframework.security/spring-security-config -->
<dependency>
    <groupId>org.springframework.security</groupId>
    <artifactId>spring-security-config</artifactId>
    <version>5.0.4.RELEASE</version>
</dependency>
<!-- https://mvnrepository.com/artifact/org.springframework/spring-beans -->
        <!-- https://mvnrepository.com/artifact/javax.servlet/javax.servlet-api -->  
<dependency>  
    <groupId>javax.servlet</groupId>  
    <artifactId>javax.servlet-api</artifactId>  
    <version>3.1.0</version>  
    <scope>provided</scope>  
</dependency>  
<dependency>  
    <groupId>javax.servlet</groupId>  
    <artifactId>jstl</artifactId>  
    <version>1.2</version>  
</dependency>  
<!-- https://mvnrepository.com/artifact/org.springframework/spring-framework-bom -->
</dependencies>  
  <build>  
    <plugins>  
        <plugin>  
            <groupId>org.apache.maven.plugins</groupId>  
            <artifactId>maven-war-plugin</artifactId>  
            <version>2.6</version>
			       <configuration>  
                <failOnMissingWebXml>false</failOnMissingWebXml>  
            </configuration>  
        </plugin>  
    </plugins>  
  </build>  
</project>

项目结构

添加以上所有文件后, 我们的项目如下所示:

方法级别3的Spring Security

运行服务器

输出

方法级别4的Spring Security

首次以ADMIN身份登录

方法级别5的Spring Security

登录后,

方法级别6的Spring Security

单击更新记录, 然后看到记录已更新, 因为用户的角色是ADMIN。

方法级别7的Spring Security

用户登录

现在, 以用户身份登录。

方法级别8的Spring Security
方法级别9的Spring Security

现在, 单击更新记录, 查看服务器由于用户角色为USER而拒绝访问。

方法级别10的Spring Security