2025-03-29 Update From: SLTechnology News&Howtos
Shulou(Shulou.com)06/02 Report--
Summary of Spring-Security Framework Learning
Prerequisite: before the demonstration, create the project and import it into the IDE.
Test whether the project runs successfully, and start learning once it does.
1. Case 1: access only requires a successful login
Goal: when we visit the project, /index can be accessed directly without being intercepted. Every other path requires login verification. Logged-in users are allowed to log out, login uses a form, and front-end files such as js, css and image are not intercepted. We set up an admin user in memory to log in with.
Go directly to the code (there will be comments in the code):
SecuDemoApplication:
package com.dhtt.security.SecuDemo;

import org.springframework.boot.SpringApplication;
import org.springframework.boot.autoconfigure.EnableAutoConfiguration;
import org.springframework.boot.autoconfigure.SpringBootApplication;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.RestController;

@SpringBootApplication
@RestController
@EnableAutoConfiguration
public class SecuDemoApplication {

    public static void main(String[] args) {
        SpringApplication.run(SecuDemoApplication.class, args);
    }

    @RequestMapping("/index")
    public String hello() {
        return "hello Spring boot....";
    }

    @RequestMapping("/home")
    public String home() {
        return "this my home....";
    }
}
SpringSecruityConfig:
package com.dhtt.security.SecuDemo;

import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.builders.WebSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;

@Configuration
@EnableWebSecurity
public class SpringSecruityConfig extends WebSecurityConfigurerAdapter {

    /** Intercept and process HTTP requests */
    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http.authorizeRequests()
                .antMatchers("/index").permitAll()   // the main path can be requested directly
                .anyRequest().authenticated()        // every other request must be verified
            .and()
                .logout().permitAll()                // allow logout
            .and()
                .formLogin();                        // allow form login
        http.csrf().disable();                       // turn off CSRF verification
    }

    /** Ignore front-end files so that they are not intercepted */
    @Override
    public void configure(WebSecurity web) throws Exception {
        web.ignoring().antMatchers("/js/**", "/css/**", "/image/**");
    }

    /** Set up the user admin */
    @Override
    protected void configure(AuthenticationManagerBuilder auth) throws Exception {
        auth.inMemoryAuthentication().withUser("admin").password("123456").roles("ADMIN");
    }
}
Then we start the project and access the paths from the front end.
(1) Visiting http://localhost:8080/index succeeds.
(2) Visit http://localhost:8080/home:
The front end redirects us to the login page, and we then try to log in. The login page does not move on, which shows that the login failed. At this point we look at the back end.
The back end has reported an error.
(3) Fix the error: because of the versions of Spring Boot and Spring Security in use, we need to provide an instance of PasswordEncoder.
MyPasswordEncoder:
package com.dhtt.security.SecuDemo;

import org.springframework.security.crypto.password.PasswordEncoder;

/** Passes passwords through unchanged: they are stored and compared as plain text */
public class MyPasswordEncoder implements PasswordEncoder {

    @Override
    public String encode(CharSequence rawPassword) {
        return rawPassword.toString();
    }

    @Override
    public boolean matches(CharSequence rawPassword, String encodedPassword) {
        // Convert to String first: String.equals() is false for any other CharSequence type
        return encodedPassword.equals(rawPassword.toString());
    }
}
The modified part of SpringSecruityConfig:
/** Set up the user admin */
@Override
protected void configure(AuthenticationManagerBuilder auth) throws Exception {
    auth.inMemoryAuthentication()
        .passwordEncoder(new MyPasswordEncoder())
        .withUser("admin").password("123456").roles("ADMIN");
}
Now run the project and access /home again: the login succeeds and the page is displayed.
2. Case 2: there are specified roles, and each role has specified permissions
(1) Goal: we add a user with the USER role. The ADMIN role is allowed to access every address, but the USER role is not allowed to access /roleAuth. Code:
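A hashed alternative to the plain-text MyPasswordEncoder above, added here as an example and not the article's own code: the same in-memory admin user stored as a BCrypt hash, with CSRF protection left at its default. The class name HardenedSecurityConfig is hypothetical, and the block assumes the same Spring Security version as the article's WebSecurityConfigurerAdapter code.

```java
package com.dhtt.security.SecuDemo;

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
import org.springframework.security.crypto.password.PasswordEncoder;

// Hypothetical class: it would replace SpringSecruityConfig, not sit beside it.
// The article's configure(WebSecurity) for static files is left out to keep this short.
@Configuration
@EnableWebSecurity
public class HardenedSecurityConfig extends WebSecurityConfigurerAdapter {

    // BCrypt salts and hashes each password; matches() checks the login attempt
    // against the stored hash, so no plain-text password is kept or compared.
    @Bean
    public PasswordEncoder passwordEncoder() {
        return new BCryptPasswordEncoder();
    }

    @Override
    protected void configure(AuthenticationManagerBuilder auth) throws Exception {
        PasswordEncoder encoder = passwordEncoder();
        auth.inMemoryAuthentication()
            .passwordEncoder(encoder)
            // The stored value must be the encoded form, otherwise matches() fails.
            .withUser("admin").password(encoder.encode("123456")).roles("ADMIN");
    }

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http.authorizeRequests()
                .antMatchers("/index").permitAll()
                .anyRequest().authenticated()
            .and()
                .logout().permitAll()
            .and()
                .formLogin();
        // No http.csrf().disable(): the default generated login page includes the CSRF token.
    }
}
```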
The modified part of SpringSecruityConfig:
/** Set up the users */
@Override
protected void configure(AuthenticationManagerBuilder auth) throws Exception {
    auth.inMemoryAuthentication()
        .passwordEncoder(new MyPasswordEncoder())
        .withUser("admin").password("1996").roles("ADMIN");
    auth.inMemoryAuthentication()
        .passwordEncoder(new MyPasswordEncoder())
        .withUser("zhangsan").password("123456").roles("ADMIN");
    auth.inMemoryAuthentication()
        .passwordEncoder(new MyPasswordEncoder())
        .withUser("username1").password("password").roles("USER");
}
SecuDemoApplication: here we have added new annotations
package com.dhtt.security.SecuDemo;

import org.springframework.boot.SpringApplication;
import org.springframework.boot.autoconfigure.EnableAutoConfiguration;
import org.springframework.boot.autoconfigure.SpringBootApplication;
import org.springframework.security.access.prepost.PreAuthorize;
import org.springframework.security.config.annotation.method.configuration.EnableGlobalMethodSecurity;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.RestController;

@SpringBootApplication
@RestController
@EnableAutoConfiguration
@EnableGlobalMethodSecurity(prePostEnabled = true)
public class SecuDemoApplication {

    public static void main(String[] args) {
        SpringApplication.run(SecuDemoApplication.class, args);
    }

    @RequestMapping("/index")
    public String hello() {
        return "hello Spring boot....";
    }

    @RequestMapping("/home")
    public String home() {
        return "this my home....";
    }

    // Only callers holding the ADMIN role may invoke this handler
    @RequestMapping("/roleAuth")
    @PreAuthorize("hasRole('ROLE_ADMIN')")
    public String role() {
        return "HELLO SPRING SECURITY....";
    }
}
The test result is what we expected. When we log in as admin, the address is accessible. When we log in as the user with the USER role, access to the /roleAuth path fails because there is no permission.
To be continued.