
spring boot 加入 spring-security配置 角色前缀 静态资源访问

对于用 spring-boot 开发的应用，基于起步依赖很容易将 spring-security 集成进去，下面分享一下自己的基础配置。

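@Configuration
@EnableWebSecurity
@EnableGlobalMethodSecurity(prePostEnabled = true) // enables method-level @PreAuthorize/@PostAuthorize checks
public class SecurityConfig extends WebSecurityConfigurerAdapter {

    /** Source of user records; doubles as the UserDetailsService (see below). */
    @Autowired
    private ReaderRepository readerRepository;

    /**
     * Builds the HTTP security filter chain: every request needs the USER role,
     * while the form-login and logout endpoints are open to everyone.
     *
     * @param http builder supplied by Spring Security
     * @throws Exception propagated from the builder
     */
    @Override
    protected void configure(HttpSecurity http) throws Exception {
        seedTestAdmin();
        // CSRF protection is turned off so that forms do not have to carry the token
        // (see http://blog.csdn.net/starrrr2/article/details/50074445).
        // NOTE(review): for a browser-facing form-login app the safer default is to
        // leave it enabled and render the _csrf token in each form.
        http.csrf().disable()
            .authorizeRequests()
                // hasRole() takes the name WITHOUT the "ROLE_" prefix: Spring prepends
                // it and throws if the prefix is supplied here.
                .anyRequest().hasRole("USER")
                .and()
            .formLogin().permitAll()          // login page reachable without a session
                .loginPage("/login")
                .failureUrl("/login?error=true")
                // forward (not redirect) after login; presumably why /reader also
                // accepts POST in the controller.
                .successForwardUrl("/reader")
                .and()
            .logout()
                .permitAll();                 // logout URL reachable by everyone
    }

    /**
     * Creates the hard-coded "admin" account used for testing, but only when it
     * is not already present. The original unconditional save() overwrote the
     * existing record on every start-up, silently resetting the admin password
     * back to "admin".
     * NOTE(review): test-only seeding does not belong in a production security
     * config; the credential is stored exactly as given (no PasswordEncoder is
     * registered in this class).
     */
    private void seedTestAdmin() {
        // CrudRepository.findOne(id) returns null when no entity has that id.
        if (readerRepository.findOne("admin") == null) {
            readerRepository.save(new Reader("admin", "admin"));
        }
    }

    /**
     * Wires the repository lookup in as the UserDetailsService: the username is
     * the repository id and the stored Reader carries the granted authorities.
     * NOTE(review): the UserDetailsService contract expects UsernameNotFoundException
     * for an unknown name; returning null (what findOne does) still fails the login
     * but is reported by Spring as an internal error rather than bad credentials.
     *
     * @param auth builder supplied by Spring Security
     * @throws Exception propagated from the builder
     */
    @Override
    protected void configure(AuthenticationManagerBuilder auth) throws Exception {
        auth.userDetailsService(username -> readerRepository.findOne(username));
    }

    /**
     * Excludes static assets from the security filter chain so the login page can
     * load its CSS/JS before the user is authenticated.
     * Ignored paths bypass the whole chain (no authentication, no security headers),
     * so keep the pattern limited to static files.
     *
     * @param web builder supplied by Spring Security
     * @throws Exception propagated from the builder
     */
    @Override
    public void configure(WebSecurity web) throws Exception {
        web.ignoring().mvcMatchers("/static/**");
    }
}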
基于方法的声明式验证用法

@RequestMapping(value="/reader", method={RequestMethod.POST, RequestMethod.GET})
@PreAuthorize("hasRole('USER')") // "USER" and "ROLE_USER" are both accepted here; Spring normalises the prefix
public String readersBooks(String reader,
Model model) {
    // Renders the reading list of the reader named in the request.
    // NOTE(review): `reader` appears to be bound from a request parameter rather
    // than taken from the authenticated principal, so any USER can ask for any
    // reader's list — confirm that is intended.
    List<Book> books = readingListRepository.findByReader(reader);
    if (books != null) {            // repository may return null for an unknown reader
        model.addAttribute("books", books);
    }
    model.addAttribute("reader", reader);
    return "readingList";           // view name
}

UserDetails实现部分说明

public class LocalUser implements UserDetails {
    private static final long serialVersionUID = 1L;

    // Authority names handed to Spring Security. The "ROLE_" prefix is mandatory
    // here: hasRole("USER") on the HttpSecurity side is matched against "ROLE_USER".
    private static final String ROLE_ADMIN = "ROLE_ADMIN";
    private static final String ROLE_READER = "ROLE_READER";
    private static final String ROLE_USER = "ROLE_USER";

    @Id
    private String username;   // primary key; also the login name
    private String fullname;
    private String password;   // stored exactly as set; nothing in this class hashes it

    /** No-arg constructor for the persistence layer. */
    public LocalUser() {
    }

    /** Creates a user with a login name and password; fullname stays unset. */
    public LocalUser(String username, String password) {
        this.username = username;
        this.password = password;
    }

    // --- plain accessors -------------------------------------------------

    @Override
    public String getUsername() {
        return username;
    }

    @Override
    public String getPassword() {
        return password;
    }

    public String getFullname() {
        return fullname;
    }

    public void setUsername(String username) {
        this.username = username;
    }

    public void setPassword(String password) {
        this.password = password;
    }

    public void setFullname(String fullname) {
        this.fullname = fullname;
    }

    // --- UserDetails contract --------------------------------------------

    /**
     * Returns the same three authorities for every user.
     * NOTE(review): ROLE_ADMIN is granted unconditionally here, so every account
     * is an administrator as far as Spring Security is concerned; per-user roles
     * would need to be persisted and read back instead.
     */
    @Override
    public Collection<? extends GrantedAuthority> getAuthorities() {
        SimpleGrantedAuthority admin = new SimpleGrantedAuthority(ROLE_ADMIN);
        SimpleGrantedAuthority readerRole = new SimpleGrantedAuthority(ROLE_READER);
        SimpleGrantedAuthority user = new SimpleGrantedAuthority(ROLE_USER);
        return Arrays.asList(admin, readerRole, user);
    }

    // Account-state flags are not persisted; every account is always active.

    @Override
    public boolean isAccountNonExpired() {
        return true;
    }

    @Override
    public boolean isAccountNonLocked() {
        return true;
    }

    @Override
    public boolean isCredentialsNonExpired() {
        return true;
    }

    @Override
    public boolean isEnabled() {
        return true;
    }
}