Shulou(Shulou.com)06/01 Report--

How to add Spring-Security support, I believe that many inexperienced people do not know what to do, so this article summarizes the causes of the problem and solutions, through this article I hope you can solve this problem.

Add maven dependencies:

Add configuration:

New package config: class SecurityConfig inherits from WebSecurityConfigurerAdapter.

Configure (HttpSecurity http) method: configure the web path and the corresponding permissions within this method

Http.authorizeRequests () .antMatchers (...): configure the web path

PermitAll (), .hasRole (), .hasAnyRole, etc.: configure permissions corresponding to the web path.

For example: .antMatch ("/ manage/**") .hasRole ("ADMIN")

Represents all addresses and resources under the path / manage, which can only be accessed by users with the ROLE_ADMIN role.

.formLogin () .loginPage ("/ login") / / specifies the login page

.roomForwardUrl ("/ sign_in") .failureUrl ("/ sign_in")

Specify the path (GET) for callback after the completion of spring-security authentication (success / failure). This path is usually our own controller method, in which login feedback can be defined. For more information, please see the project code.

.logout () .logoutRequestMatcher (new AntPathRequestMatcher ("/ logout")) .logout ("/") .permitAll (): defines the path to logout, and the method is accessible to all users.

Configure (AuthenticationManagerBuilder auth): configure a custom security authentication class within this method

Auth.authenticationProvider (securityEncrypt): custom authentication

Auth.userDetailsService (customUserService): custom authenticated user information service

At this point, the path already has security features. Login authentication and user role resource management are described below

Login authentication process:

SecurityConfig.configure: find the user authentication provider-> SecurityEncrypt

SecurityEncrypt.authenticate: authenticate user credentials

CustomUserService.loadUserByUsername: loading user database user information

Password match:

Failed: an authentication exception was thrown

Success: return authenticated user information

The password in the actual project is encrypted, so you need to customize the authentication scheme. This project uses BCrypt encryption. The specific code can be found in the EncryptUtil tool class.

Create class: SecurityEncrypt, custom authentication

Authenticate (Authentication authentication): this method matches the user input information

Authentication.getName (): user name entered by the user

Authentication.getCredentials (): password entered by the user

UserDetails user = userService.loadUserByUsername (username): load database user information by user name

After authentication is completed (success / failure) callback / sign_in.

Create a class: CustomUserService, custom load database user information, while loading the user's role and role access information to the resource.

Configure the actions after the authentication is completed:

Principal: authenticated object. Null indicates authentication failed.

SPRING_SECURITY_SAVED_REQUEST: spring-security saves the properties in session and saves the page before authentication. If the attribute is not null, it can be passed to the page for js to jump, that is, to jump to the page before authentication after authentication.

Configure access to a method:

@ PreAuthorize: check whether the user has the corresponding permissions before the method is executed. Available values:

Configure permissions in the Thymeleaf page: hello.html

Xmlns:sec= "http://www.thymeleaf.org/extras/spring-security": imports security tags

Sec:authorize= "hasRole ('USER')": this permission is required to display this object

In the github project, I defined two user roles and two resource access permissions

Roles (Roles): note: do not add the default prefix for user roles in spring-security when it is configured after ROLE_,.

ROLE_USER: indicates that the user is logged in. This role is automatically assigned to the user when he registers.

ROLE_ADMIN: the highest authority role in the current project

Role permissions (Privilege)

User:* indicates that the user has registered access to resources, corresponding to ROLE_USER

Global:* represents the highest privilege, and this type of user can access all resources, corresponding to ROLE_ADMIN

The relevant permissions are initialized automatically when the project is started.

A brief background management has been added to this project to save the article information of the official account.

After reading the above, do you know how to add Spring-Security support? If you want to learn more skills or want to know more about it, you are welcome to follow the industry information channel, thank you for reading!

Welcome to subscribe "Shulou Technology Information " to get latest news, interesting things and hot topics in the IT industry, and controls the hottest and latest Internet news, technology news and IT industry trends.