Shulou(Shulou.com)06/02 Report--

This article mainly explains "how to use Springboot to integrate SpringSecurity to realize account password and mobile phone Captcha login function," the explanation content in this article is simple and clear, easy to learn and understand, please follow the idea of small editor slowly, together to study and learn "how to use Springboot to integrate SpringSecurity to realize account password and mobile phone Captcha login function" bar!

SpringSecurity is Spring's security management framework. The core content includes authentication, authorization and attack protection. SpringSecurity has actually been around for years, but integrating SpringSecurity in SSM/SSH is a lot more cumbersome than Shiro, so the security management framework has always been Shiro's world.

Since SpringBoot, SpringSecurity's perfect compatibility has made its value fully realized. Spring Security can be used with basic zero configuration in SpringBoot.

example shows

A lot of online tutorials, a little knowledge leads to a lot of mistakes, mistakes and search, more and more knowledge points, into a vicious circle.

Here is a full Demo, not necessarily a complete understanding of Spring Security, but an understanding of how it works.

Two authentication methods are provided in the example: account password and mobile phone Captcha. Please customize them as needed.

version

SpringBoot 2.3.3

JDK 1.8

Mybatis 2.1.3

Mysql 5.7+

example installation

Download Demo

GitHub : https://github.com/liuqi0725/springboot-useful/tree/master/springboot-security

Gitee : https://gitee.com/alexliu0725/springboot-useful/tree/master/springboot-security

Modify application.yaml port, database and other configurations

Access http://localhost:8080 on different client machines after startup (access according to port configured by yourself)

Two login methods were used for testing: user password, mobile phone Captcha

Check if different user menus are different (test authorization)

Access non-existent routing addresses and view return values

To avoid migration script conflicts, if you do not create multiple database scripts, please empty the database first.

Spring-security Introduction

Spring Security official description

Spring Security official documentation

Spring Security Reference Manual-Chinese

Why not shiro?

SSM/SSH has always been Shiro. Later, after slowly transitioning to SpringBoot, I switched to SpringSecurity. then there was no then. Spring is really easy to use, and the tutorials are complete. Besides, medium-sized projects will involve clusters or microservices in the follow-up, security, cloud packaging with a set of incense.

Spring-Security does user authentication and authorization

Here is my superficial understanding of both. Excludes SSO, OAuth, etc. This will be covered in other articles.

The code is divided into two blocks: access and authentication.

Access passes the whitelist and authenticates requests that are not whitelisted, based on the source of authentication (permissions, roles...), If not, return to 403.

authenticaton When a user accesses a URL that requires authorization, user authentication will be performed. After authentication, access will be used to determine whether access is possible **(authorization)**

CSRF Cross-Site Request Forgery Protection

CSRF is not enabled in Demo. You can open it if you want.

After opening, get the code below

Or put it in the head. iframe embedding

SpringSecurity is disabled by default for frame embedding and can be enabled.

Refer to setFrameAllow(http) method in Demo code SecurityWebConfig

private void setFrameAllow(HttpSecurity http) throws Exception { /* * iframe allows the way it is displayed

* SAMEORIGIN allows only frame pages to be displayed under the current domain name

* * FROMURI allows frame pages to be displayed under specified domain names

* For example: * * http://www.baidu.com allows this domain name to nest within my frame * http://www.taobao.com allows this domain name to nest within my frame * */ //Please configure the formal environment in the configuration file. convenient management String xframe = "SAMEORIGIN"; //if FROMURI allows nesting of external domain names whitelist String[] frameAllowWhiteDomain = new String[]{"https://example.cn","https://example.com"}; if(xframe.equals("SAMEORIGIN")){ //Only this domain name is allowed http.headers().frameOptions().sameOrigin(); }else if(xframe.equals("FROMURI")){ //disable default policy. This sentence cannot be omitted. http.headers().frameOptions().disable(); //Add a new policy. http.headers().addHeaderWriter(new XFrameOptionsHeaderWriter( new WhiteListedAllowFromStrategy(Arrays.asList(frameAllowWhiteDomain)) )); }else{ throw new Exception("Unknown XFrameOptions. SAMEORIGIN , FROMURI") only; } } Improve user and coding experience

exception handling

There is no global unified exception handling in Demo. In formal projects, global exception handling can be used to improve the user experience after errors. View access returns error view, json access returns error json

//handle spring `/error` @Controller @RequestMapping({"${server.error.path:${error.path:/error}}"}) public class SpringErrorProcessController extends AbstractErrorController { ... } //Handle Controller layer errors @ControllerAdvice public class ControllerExceptionHandler{ }

Custom configuration SpringSecurity still has a lot of parameters, such as whitelist, open csrf, iframe can be configured to achieve, so that a project does not have to change the code and a pile. Spring configuration can be implemented via @ConfigurationProperties and read when spring loads.

Flexible design SpringSecurity only provides tools, and the specific implementation is still implemented in the project (which can be understood as a third party), such as CustomerSecurityAuthenticationProcessService,CustomerPasswordService, etc. in Demo. These are all things that need to be injected into SpringSecurity at startup, how to get these classes to entities at startup, or let SpringSecurity implement other logic based on what is obtained.

Thank you for reading, the above is "how to use Springboot integration SpringSecurity to achieve account password and mobile phone Captcha login function" content, after the study of this article, I believe we have a deeper understanding of how to use Springboot integration SpringSecurity to achieve account password and mobile phone Captcha login function, the specific use of the situation still needs to be verified by practice. Here is, Xiaobian will push more articles related to knowledge points for everyone, welcome to pay attention!

Welcome to subscribe "Shulou Technology Information " to get latest news, interesting things and hot topics in the IT industry, and controls the hottest and latest Internet news, technology news and IT industry trends.