
Getting started with Spring Boot + Spring Security

2025-04-03 Update From: SLTechnology News&Howtos

Shulou(Shulou.com)06/03 Report--

This article gives a simple introduction to using Spring Boot with Spring Security.

1. Basic introduction to Spring Security

Spring Security is not introduced in detail here; refer to the official documentation for details.

I'll just cover the core functions of Spring Security:

Authentication (who are you)

Authorization (what can you do)

Attack protection (to prevent forgery of identity)

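2. Setting up the basic environment

We use Spring Boot as the base framework of the project and Maven to manage dependencies, so we first show how to integrate Spring Security.

    <parent>
        <artifactId>jeecg-boot-cloud-study</artifactId>
        <groupId>com.jeecg.cloud</groupId>
        <version>1.0.0</version>
    </parent>
    <modelVersion>4.0.0</modelVersion>
    <artifactId>jeecg-boot-security</artifactId>
    <dependencies>
        <dependency>
            <groupId>org.springframework.boot</groupId>
            <artifactId>spring-boot-starter-web</artifactId>
        </dependency>
        <dependency>
            <groupId>org.springframework.boot</groupId>
            <artifactId>spring-boot-starter-security</artifactId>
        </dependency>
    </dependencies>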

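Then set up a web-layer request interface:

    import org.springframework.web.bind.annotation.GetMapping;
    import org.springframework.web.bind.annotation.RequestMapping;
    import org.springframework.web.bind.annotation.RestController;

    @RestController
    @RequestMapping("/user")
    public class UserController {

        // GET /user returns a fixed greeting
        @GetMapping
        public String getUsers() {
            return "Hello Jeecg Spring Security";
        }
    }

Then you can run the project directly and call the interface to see the effect.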

3. Calling the interface from a web page

We first call the interface from the browser by visiting http://localhost:8080/user directly. If the interface were accessible, "Hello Jeecg Spring Security" would be displayed.

But we cannot access it; an authentication prompt appears instead.

This is because in Spring Boot, once the Spring Security dependency is introduced, access control takes effect automatically and all interfaces are protected, so we must authenticate before we can access them. Spring Security provides a default user: the user name is user, and the password is generated automatically when the project starts.

Looking at the project's startup log, we find the following line:

Using default security password: 62ccf9ca-9fbe-4993-8566-8468cc33c28c

Of course, the password you see will differ from mine. We log in directly with user and the password from the startup log.

After a successful login, the browser goes to the page that the API normally returns.

If you don't want to enable Spring Security in the first place, you can set the following in the configuration file:

    # security enable
    security.basic.enabled=false

This property applies to Spring Boot 1.x; it was removed in Spring Boot 2.0.

The login box you just saw is provided by Spring Security itself and is called httpBasicLogin. Obviously it is not what we want in a product: our front end generally submits a form for user login authentication, so we need to customize our own authentication logic.

Custom user authentication logic

Every system has its own set of users, so we need to customize our own authentication logic and login interface. Here, we need to configure Spring Security first.

    package org.jeecg.auth.config;

    import org.springframework.context.annotation.Configuration;
    import org.springframework.security.config.annotation.web.builders.HttpSecurity;
    import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;

    @Configuration
    public class SpringSecurityConfig extends WebSecurityConfigurerAdapter {

        @Override
        protected void configure(HttpSecurity http) throws Exception {
            http.formLogin()                           // defines the login page to go to when the user is required to log in
                    .loginProcessingUrl("/user/login") // custom login interface
                    .and()
                    .authorizeRequests()               // defines which URLs need to be protected and which do not
                    .anyRequest()                      // any request
                    .authenticated();                  // can be accessed only after login
        }
    }

Custom password encryption and decryption

    package org.jeecg.auth.config;

    import org.springframework.security.crypto.password.PasswordEncoder;
    import org.springframework.stereotype.Component;

    @Component
    public class MyPasswordEncoder implements PasswordEncoder {

        // Returns the raw password unchanged: nothing is hashed, so the "encoded" value is the plaintext
        @Override
        public String encode(CharSequence charSequence) {
            return charSequence.toString();
        }

        // Plain string comparison of the stored value (s) with the submitted password
        @Override
        public boolean matches(CharSequence charSequence, String s) {
            return s.equals(charSequence.toString());
        }
    }

Then configure the user authentication logic, since we have our own user system.

    package org.jeecg.auth.config;

    import org.slf4j.Logger;
    import org.slf4j.LoggerFactory;
    import org.springframework.beans.factory.annotation.Autowired;
    import org.springframework.security.core.authority.AuthorityUtils;
    import org.springframework.security.core.userdetails.User;
    import org.springframework.security.core.userdetails.UserDetails;
    import org.springframework.security.core.userdetails.UserDetailsService;
    import org.springframework.security.core.userdetails.UsernameNotFoundException;
    import org.springframework.security.crypto.password.PasswordEncoder;
    import org.springframework.stereotype.Component;

    @Component
    public class MyUserDetailsService implements UserDetailsService {

        private Logger logger = LoggerFactory.getLogger(getClass());

        @Autowired
        private PasswordEncoder passwordEncoder;

        @Override
        public UserDetails loadUserByUsername(String username) throws UsernameNotFoundException {
            logger.info("user's user name: {}", username);
            // TODO: find the corresponding password based on the user name
            // Wrap the user information and return it.
            // The parameters are: user name, password, user permissions
            User user = new User(username, passwordEncoder.encode("123456"),
                    AuthorityUtils.commaSeparatedStringToAuthorityList("admin"));
            return user;
        }
    }

We do not do much verification here: the user name can be anything, but the password must be "123456" to log in successfully.

At the same time, you can see that the third parameter of the User object, which represents the permissions of the current user, is set to "admin".

We enter an arbitrary user name and an incorrect password (anything other than 123456). A verification error is shown.

At the same time, the console prints the user name you entered when logging in.

Now let's log in with the correct password; the verification passes and we are taken to the page returned by the interface call.
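MyPasswordEncoder above keeps the password as plaintext, and MyUserDetailsService accepts any user name. The following added example (not the article's code) shows the same UserDetailsService contract with BCrypt hashes stored at registration and unknown names rejected; the in-memory map, the register method and the accounts alice and mallory are assumptions made for illustration.

```java
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;
import org.springframework.security.core.authority.AuthorityUtils;
import org.springframework.security.core.userdetails.User;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.core.userdetails.UsernameNotFoundException;
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
import org.springframework.security.crypto.password.PasswordEncoder;

// Added example: hashes are computed once at registration and only looked up at login.
public class HashedUserDetailsService implements UserDetailsService {
    // Hypothetical in-memory user table: user name -> stored BCrypt hash.
    private final Map<String, String> storedHashes = new ConcurrentHashMap<>();
    private final PasswordEncoder encoder;

    public HashedUserDetailsService(PasswordEncoder encoder) { this.encoder = encoder; }

    // Registration path: the only place the raw password is handled.
    public void register(String username, String rawPassword) {
        storedHashes.put(username, encoder.encode(rawPassword));
    }

    @Override
    public UserDetails loadUserByUsername(String username) throws UsernameNotFoundException {
        String hash = storedHashes.get(username);
        if (hash == null) {
            // Unknown names are rejected instead of being given a default password.
            throw new UsernameNotFoundException("unknown user");
        }
        return new User(username, hash, AuthorityUtils.commaSeparatedStringToAuthorityList("admin"));
    }

    public static void main(String[] args) {
        PasswordEncoder encoder = new BCryptPasswordEncoder();
        HashedUserDetailsService service = new HashedUserDetailsService(encoder);
        service.register("alice", "123456"); // constructed sample account

        UserDetails alice = service.loadUserByUsername("alice");
        System.out.println("stored value: " + alice.getPassword()); // salted hash, differs per run
        System.out.println("correct password matches: " + encoder.matches("123456", alice.getPassword()));
        System.out.println("wrong password matches: " + encoder.matches("wrong", alice.getPassword()));
        try {
            service.loadUserByUsername("mallory"); // never registered
        } catch (UsernameNotFoundException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

In the Spring Boot project, the encoder would be exposed as the PasswordEncoder bean and the service as the UserDetailsService component, so the framework compares the submitted password against the stored hash with matches.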

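6. UserDetails

When we wrote MyUserDetailsService just now, we implemented one method that returns a UserDetails. UserDetails is an object that encapsulates user information and contains seven methods.

    public interface UserDetails extends Serializable {

        // encapsulates permission information
        Collection<? extends GrantedAuthority> getAuthorities();

        // the stored password
        String getPassword();

        // the user name
        String getUsername();

        // whether the account has not expired
        boolean isAccountNonExpired();

        // whether the account is not locked
        boolean isAccountNonLocked();

        // whether the credentials (password) have not expired
        boolean isCredentialsNonExpired();

        // whether the account is enabled
        boolean isEnabled();
    }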
