https://ng-tech.icu/books/spring-notes/03.spring-security/1.%E5%BF%AB%E9%80%9F%E5%BC%80%E5%A7%8B/1.快速开始Wowchemy (https://wowchemy.com)zhhttps://ng-tech.icu/media/sharing.pnghttps://ng-tech.icu/books/spring-notes/03.spring-security/1.%E5%BF%AB%E9%80%9F%E5%BC%80%E5%A7%8B/https://ng-tech.icu/books/spring-notes/03.spring-security/1.%E5%BF%AB%E9%80%9F%E5%BC%80%E5%A7%8B/%E5%BF%AB%E9%80%9F%E5%BC%80%E5%A7%8B/Mon, 01 Jan 0001 00:00:00 +0000https://ng-tech.icu/books/spring-notes/03.spring-security/1.%E5%BF%AB%E9%80%9F%E5%BC%80%E5%A7%8B/%E5%BF%AB%E9%80%9F%E5%BC%80%E5%A7%8B/<h1 id="快速开始">快速开始</h1> <p>在 Spring Boot 项目中引入 Spring Security 同样是简单的引入 starter 封装：</p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-java" data-lang="java"><span class="line"><span class="cl"><span class="c1">// gradle </span></span></span><span class="line"><span class="cl"><span class="c1"></span><span class="n">compile</span><span class="o">(</span><span class="s">&#34;org.springframework.boot:spring-boot-starter-security&#34;</span><span class="o">)</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="c1">// maven </span></span></span><span class="line"><span class="cl"><span class="c1"></span><span class="o">&lt;</span><span class="n">dependencies</span><span class="o">&gt;</span> </span></span><span class="line"><span class="cl"> <span class="o">...</span> </span></span><span class="line"><span class="cl"> <span class="o">&lt;</span><span class="n">dependency</span><span class="o">&gt;</span> </span></span><span class="line"><span class="cl"> <span class="o">&lt;</span><span class="n">groupId</span><span class="o">&gt;</span><span class="n">org</span><span class="o">.</span><span class="na">springframework</span><span class="o">.</span><span class="na">boot</span><span class="o">&lt;/</span><span class="n">groupId</span><span class="o">&gt;</span> </span></span><span class="line"><span class="cl"> <span class="o">&lt;</span><span class="n">artifactId</span><span class="o">&gt;</span><span class="n">spring</span><span class="o">-</span><span class="n">boot</span><span class="o">-</span><span class="n">starter</span><span class="o">-</span><span class="n">security</span><span class="o">&lt;/</span><span class="n">artifactId</span><span class="o">&gt;</span> </span></span><span class="line"><span class="cl"> <span class="o">&lt;/</span><span class="n">dependency</span><span class="o">&gt;</span> </span></span><span class="line"><span class="cl"> <span class="o">...</span> </span></span><span class="line"><span class="cl"><span class="o">&lt;/</span><span class="n">dependencies</span><span class="o">&gt;</span> </span></span></code></pre></div><p>然后声明 Web Security 相关的配置：</p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-java" data-lang="java"><span class="line"><span class="cl"><span class="nd">@Configuration</span> </span></span><span class="line"><span class="cl"><span class="nd">@EnableWebSecurity</span> </span></span><span class="line"><span class="cl"><span class="kd">public</span> <span class="kd">class</span> <span class="nc">WebSecurityConfig</span> <span class="kd">extends</span> <span class="n">WebSecurityConfigurerAdapter</span> <span class="o">{</span> </span></span><span class="line"><span class="cl"> <span class="nd">@Override</span> </span></span><span class="line"><span class="cl"> <span class="kd">protected</span> <span class="kt">void</span> <span class="nf">configure</span><span class="o">(</span><span class="n">HttpSecurity</span> <span class="n">http</span><span class="o">)</span> <span class="kd">throws</span> <span class="n">Exception</span> <span class="o">{</span> </span></span><span class="line"><span class="cl"> <span class="o">...</span> </span></span><span class="line"><span class="cl"> <span class="o">}</span> </span></span><span class="line"><span class="cl"> <span class="o">...</span> </span></span><span class="line"><span class="cl"><span class="o">}</span> </span></span></code></pre></div><h1 id="userinfo--userinfoservice">UserInfo &amp; UserInfoService</h1> <p>UserInfo 对应数据库表中的基本用户信息，如下：</p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-java" data-lang="java"><span class="line"><span class="cl"><span class="kd">public</span> <span class="kd">class</span> <span class="nc">UserInfo</span> <span class="o">{</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> <span class="cm">/** </span></span></span><span class="line"><span class="cl"><span class="cm"> * 用户名 </span></span></span><span class="line"><span class="cl"><span class="cm"> */</span> </span></span><span class="line"><span class="cl"> <span class="kd">private</span> <span class="n">String</span> <span class="n">username</span><span class="o">;</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> <span class="cm">/** </span></span></span><span class="line"><span class="cl"><span class="cm"> * 密码 </span></span></span><span class="line"><span class="cl"><span class="cm"> */</span> </span></span><span class="line"><span class="cl"> <span class="kd">private</span> <span class="n">String</span> <span class="n">password</span><span class="o">;</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> <span class="cm">/** </span></span></span><span class="line"><span class="cl"><span class="cm"> * 角色列表 </span></span></span><span class="line"><span class="cl"><span class="cm"> */</span> </span></span><span class="line"><span class="cl"> <span class="kd">private</span> <span class="n">List</span><span class="o">&lt;</span><span class="n">String</span><span class="o">&gt;</span> <span class="n">roles</span><span class="o">;</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> <span class="c1">//Getter &amp; Settter </span></span></span><span class="line"><span class="cl"><span class="c1"></span><span class="o">}</span> </span></span></code></pre></div><p>UserInfoService 模拟数据库查询，这里做了简化。</p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-java" data-lang="java"><span class="line"><span class="cl"><span class="nd">@Service</span> </span></span><span class="line"><span class="cl"><span class="kd">public</span> <span class="kd">class</span> <span class="nc">UserInfoService</span> <span class="o">{</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> <span class="cm">/** </span></span></span><span class="line"><span class="cl"><span class="cm"> * 查询用户信息 </span></span></span><span class="line"><span class="cl"><span class="cm"> * 1. 移除数据库交互，简单实现。 </span></span></span><span class="line"><span class="cl"><span class="cm"> * @param username 用户名称 </span></span></span><span class="line"><span class="cl"><span class="cm"> * @return 结果 </span></span></span><span class="line"><span class="cl"><span class="cm"> */</span> </span></span><span class="line"><span class="cl"> <span class="kd">public</span> <span class="n">UserInfo</span> <span class="nf">queryUserInfo</span><span class="o">(</span><span class="kd">final</span> <span class="n">String</span> <span class="n">username</span><span class="o">)</span> <span class="o">{</span> </span></span><span class="line"><span class="cl"> <span class="n">UserInfo</span> <span class="n">userInfo</span> <span class="o">=</span> <span class="k">new</span> <span class="n">UserInfo</span><span class="o">();</span> </span></span><span class="line"><span class="cl"> <span class="k">if</span><span class="o">(</span><span class="s">&#34;user&#34;</span><span class="o">.</span><span class="na">equals</span><span class="o">(</span><span class="n">username</span><span class="o">)</span> <span class="o">||</span> <span class="s">&#34;admin&#34;</span><span class="o">.</span><span class="na">equals</span><span class="o">(</span><span class="n">username</span><span class="o">))</span> <span class="o">{</span> </span></span><span class="line"><span class="cl"> <span class="n">userInfo</span><span class="o">.</span><span class="na">setUsername</span><span class="o">(</span><span class="n">username</span><span class="o">);</span> </span></span><span class="line"><span class="cl"> <span class="c1">// 密码可以在入库的时候就进行加密 </span></span></span><span class="line"><span class="cl"><span class="c1"></span> <span class="n">userInfo</span><span class="o">.</span><span class="na">setPassword</span><span class="o">(</span><span class="s">&#34;123456&#34;</span><span class="o">);</span> </span></span><span class="line"><span class="cl"> <span class="c1">// 角色需要以 ROLE_ 开头 </span></span></span><span class="line"><span class="cl"><span class="c1"></span> <span class="n">userInfo</span><span class="o">.</span><span class="na">setRoles</span><span class="o">(</span><span class="n">Arrays</span><span class="o">.</span><span class="na">asList</span><span class="o">(</span><span class="s">&#34;ROLE_&#34;</span> <span class="o">+</span> <span class="n">username</span><span class="o">));</span> </span></span><span class="line"><span class="cl"> <span class="k">return</span> <span class="n">userInfo</span><span class="o">;</span> </span></span><span class="line"><span class="cl"> <span class="o">}</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> <span class="k">throw</span> <span class="k">new</span> <span class="n">UsernameNotFoundException</span><span class="o">(</span><span class="n">username</span><span class="o">+</span><span class="s">&#34;对应信息不存在&#34;</span><span class="o">);</span> </span></span><span class="line"><span class="cl"> <span class="o">}</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="o">}</span> </span></span></code></pre></div><p><code>ROLE_</code> 这个前缀主要是为了后面使用角色注解授权的时候需要，默认的前缀就是这个。</p> <h1 id="websecurityconfig-核心配置类">WebSecurityConfig 核心配置类</h1> <p>@EnableWebSecurity 启用 web 安全，@EnableGlobalMethodSecurity(prePostEnabled = true) 启用方法级别的安全校验。</p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-java" data-lang="java"><span class="line"><span class="cl"><span class="nd">@EnableWebSecurity</span> </span></span><span class="line"><span class="cl"><span class="nd">@EnableGlobalMethodSecurity</span><span class="o">(</span><span class="n">prePostEnabled</span> <span class="o">=</span> <span class="kc">true</span><span class="o">)</span> <span class="c1">// 开启方法级安全验证 </span></span></span><span class="line"><span class="cl"><span class="c1"></span><span class="kd">public</span> <span class="kd">class</span> <span class="nc">WebSecurityConfig</span> <span class="kd">extends</span> <span class="n">WebSecurityConfigurerAdapter</span> <span class="o">{</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> <span class="nd">@Autowired</span> </span></span><span class="line"><span class="cl"> <span class="kd">private</span> <span class="n">MyUserDetailsService</span> <span class="n">myUserDetailsService</span><span class="o">;</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> <span class="nd">@Autowired</span> </span></span><span class="line"><span class="cl"> <span class="kd">private</span> <span class="n">MyPasswordEncoder</span> <span class="n">myPasswordEncoder</span><span class="o">;</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> <span class="nd">@Override</span> </span></span><span class="line"><span class="cl"> <span class="kd">protected</span> <span class="kt">void</span> <span class="nf">configure</span><span class="o">(</span><span class="n">AuthenticationManagerBuilder</span> <span class="n">auth</span><span class="o">)</span> <span class="kd">throws</span> <span class="n">Exception</span> <span class="o">{</span> </span></span><span class="line"><span class="cl"> <span class="n">auth</span><span class="o">.</span><span class="na">userDetailsService</span><span class="o">(</span><span class="n">myUserDetailsService</span><span class="o">)</span> </span></span><span class="line"><span class="cl"> <span class="o">.</span><span class="na">passwordEncoder</span><span class="o">(</span><span class="n">myPasswordEncoder</span><span class="o">);</span> </span></span><span class="line"><span class="cl"> <span class="o">}</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> <span class="nd">@Override</span> </span></span><span class="line"><span class="cl"> <span class="kd">protected</span> <span class="kt">void</span> <span class="nf">configure</span><span class="o">(</span><span class="n">HttpSecurity</span> <span class="n">http</span><span class="o">)</span> <span class="kd">throws</span> <span class="n">Exception</span> <span class="o">{</span> </span></span><span class="line"><span class="cl"> <span class="n">http</span><span class="o">.</span><span class="na">authorizeRequests</span><span class="o">()</span> </span></span><span class="line"><span class="cl"> <span class="o">.</span><span class="na">anyRequest</span><span class="o">().</span><span class="na">authenticated</span><span class="o">()</span> <span class="c1">// 所有请求都需要验证 </span></span></span><span class="line"><span class="cl"><span class="c1"></span> <span class="o">.</span><span class="na">and</span><span class="o">()</span> </span></span><span class="line"><span class="cl"> <span class="o">.</span><span class="na">formLogin</span><span class="o">().</span><span class="na">permitAll</span><span class="o">()</span> <span class="c1">// 使用默认的登录页面，登录页面允许所有用户访问 </span></span></span><span class="line"><span class="cl"><span class="c1"></span> <span class="o">.</span><span class="na">and</span><span class="o">()</span> </span></span><span class="line"><span class="cl"> <span class="o">.</span><span class="na">csrf</span><span class="o">().</span><span class="na">disable</span><span class="o">();</span><span class="c1">// post请求要关闭csrf验证,不然访问报错；实际开发中开启，需要前端配合传递其他参数 </span></span></span><span class="line"><span class="cl"><span class="c1"></span> <span class="o">}</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="o">}</span> </span></span></code></pre></div><p>一般情况下，MyUserDetailsService 和 MyPasswordEncoder 这两个类都是需要我们自定义的。</p> <h2 id="myuserdetailsservice-用户信息查询">MyUserDetailsService 用户信息查询</h2> <p>我们只需要实现 UserDetailsService 接口，就可以实现对应的查询实现。这里的授权信息，直接使用 SimpleGrantedAuthority 类。</p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-java" data-lang="java"><span class="line"><span class="cl"><span class="nd">@Service</span> </span></span><span class="line"><span class="cl"><span class="kd">public</span> <span class="kd">class</span> <span class="nc">MyUserDetailsService</span> <span class="kd">implements</span> <span class="n">UserDetailsService</span> <span class="o">{</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> <span class="nd">@Autowired</span> </span></span><span class="line"><span class="cl"> <span class="kd">private</span> <span class="n">UserInfoService</span> <span class="n">userInfoService</span><span class="o">;</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> <span class="nd">@Override</span> </span></span><span class="line"><span class="cl"> <span class="kd">public</span> <span class="n">UserDetails</span> <span class="nf">loadUserByUsername</span><span class="o">(</span><span class="n">String</span> <span class="n">username</span><span class="o">)</span> <span class="kd">throws</span> <span class="n">UsernameNotFoundException</span> <span class="o">{</span> </span></span><span class="line"><span class="cl"> <span class="n">UserInfo</span> <span class="n">userInfo</span> <span class="o">=</span> <span class="n">userInfoService</span><span class="o">.</span><span class="na">queryUserInfo</span><span class="o">(</span><span class="n">username</span><span class="o">);</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> <span class="c1">// 授权信息构建 </span></span></span><span class="line"><span class="cl"><span class="c1"></span> <span class="n">List</span><span class="o">&lt;</span><span class="n">GrantedAuthority</span><span class="o">&gt;</span> <span class="n">authorities</span> <span class="o">=</span> <span class="k">new</span> <span class="n">ArrayList</span><span class="o">&lt;&gt;();</span> </span></span><span class="line"><span class="cl"> <span class="k">for</span> <span class="o">(</span><span class="n">String</span> <span class="n">role</span> <span class="o">:</span> <span class="n">userInfo</span><span class="o">.</span><span class="na">getRoles</span><span class="o">())</span> <span class="o">{</span> </span></span><span class="line"><span class="cl"> <span class="n">authorities</span><span class="o">.</span><span class="na">add</span><span class="o">(</span><span class="k">new</span> <span class="n">SimpleGrantedAuthority</span><span class="o">(</span><span class="n">role</span><span class="o">));</span> </span></span><span class="line"><span class="cl"> <span class="o">}</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> <span class="k">return</span> <span class="k">new</span> <span class="n">User</span><span class="o">(</span> </span></span><span class="line"><span class="cl"> <span class="n">userInfo</span><span class="o">.</span><span class="na">getUsername</span><span class="o">(),</span> </span></span><span class="line"><span class="cl"> <span class="n">userInfo</span><span class="o">.</span><span class="na">getPassword</span><span class="o">(),</span> </span></span><span class="line"><span class="cl"> <span class="n">authorities</span> </span></span><span class="line"><span class="cl"> <span class="o">);</span> </span></span><span class="line"><span class="cl"> <span class="o">}</span> </span></span><span class="line"><span class="cl"><span class="o">}</span> </span></span></code></pre></div><h2 id="mypasswordencoder-密码加密策略">MyPasswordEncoder 密码加密策略</h2> <p>Spring Security 有很多内置的加密策略，这里为了演示，我自定义了最简单的 plainText 的策略，就是不做任何加密：</p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-java" data-lang="java"><span class="line"><span class="cl"><span class="nd">@Service</span> </span></span><span class="line"><span class="cl"><span class="kd">public</span> <span class="kd">class</span> <span class="nc">MyPasswordEncoder</span> <span class="kd">implements</span> <span class="n">PasswordEncoder</span> <span class="o">{</span> </span></span><span class="line"><span class="cl"> <span class="nd">@Override</span> </span></span><span class="line"><span class="cl"> <span class="kd">public</span> <span class="n">String</span> <span class="nf">encode</span><span class="o">(</span><span class="n">CharSequence</span> <span class="n">rawPassword</span><span class="o">)</span> <span class="o">{</span> </span></span><span class="line"><span class="cl"> <span class="k">return</span> <span class="o">(</span><span class="n">String</span><span class="o">)</span> <span class="n">rawPassword</span><span class="o">;</span> </span></span><span class="line"><span class="cl"> <span class="o">}</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> <span class="nd">@Override</span> </span></span><span class="line"><span class="cl"> <span class="kd">public</span> <span class="kt">boolean</span> <span class="nf">matches</span><span class="o">(</span><span class="n">CharSequence</span> <span class="n">rawPassword</span><span class="o">,</span> <span class="n">String</span> <span class="n">encodedPassword</span><span class="o">)</span> <span class="o">{</span> </span></span><span class="line"><span class="cl"> <span class="k">return</span> <span class="n">rawPassword</span><span class="o">.</span><span class="na">equals</span><span class="o">(</span><span class="n">encodedPassword</span><span class="o">);</span> </span></span><span class="line"><span class="cl"> <span class="o">}</span> </span></span><span class="line"><span class="cl"><span class="o">}</span> </span></span></code></pre></div><h1 id="authcontroller-控制器">AuthController 控制器</h1> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-java" data-lang="java"><span class="line"><span class="cl"><span class="nd">@RestController</span> </span></span><span class="line"><span class="cl"><span class="kd">public</span> <span class="kd">class</span> <span class="nc">AuthController</span> <span class="o">{</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> <span class="cm">/** </span></span></span><span class="line"><span class="cl"><span class="cm"> * 查看登录用户信息 </span></span></span><span class="line"><span class="cl"><span class="cm"> */</span> </span></span><span class="line"><span class="cl"> <span class="nd">@GetMapping</span><span class="o">(</span><span class="s">&#34;/auth&#34;</span><span class="o">)</span> </span></span><span class="line"><span class="cl"> <span class="kd">public</span> <span class="n">Authentication</span> <span class="nf">auth</span><span class="o">(){</span> </span></span><span class="line"><span class="cl"> <span class="k">return</span> <span class="n">SecurityContextHolder</span><span class="o">.</span><span class="na">getContext</span><span class="o">().</span><span class="na">getAuthentication</span><span class="o">();</span> </span></span><span class="line"><span class="cl"> <span class="o">}</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> <span class="cm">/** </span></span></span><span class="line"><span class="cl"><span class="cm"> * 只能 user 角色才能访问该方法 </span></span></span><span class="line"><span class="cl"><span class="cm"> * @return 结果 </span></span></span><span class="line"><span class="cl"><span class="cm"> */</span> </span></span><span class="line"><span class="cl"> <span class="nd">@PreAuthorize</span><span class="o">(</span><span class="s">&#34;hasAnyRole(&#39;user&#39;)&#34;</span><span class="o">)</span> </span></span><span class="line"><span class="cl"> <span class="nd">@GetMapping</span><span class="o">(</span><span class="s">&#34;/user&#34;</span><span class="o">)</span> </span></span><span class="line"><span class="cl"> <span class="kd">public</span> <span class="n">String</span> <span class="nf">user</span><span class="o">(){</span> </span></span><span class="line"><span class="cl"> <span class="k">return</span> <span class="s">&#34;user角色访问&#34;</span><span class="o">;</span> </span></span><span class="line"><span class="cl"> <span class="o">}</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> <span class="cm">/** </span></span></span><span class="line"><span class="cl"><span class="cm"> * 只能 admin 角色才能访问该方法 </span></span></span><span class="line"><span class="cl"><span class="cm"> * @return 结果 </span></span></span><span class="line"><span class="cl"><span class="cm"> */</span> </span></span><span class="line"><span class="cl"> <span class="nd">@PreAuthorize</span><span class="o">(</span><span class="s">&#34;hasAnyRole(&#39;admin&#39;)&#34;</span><span class="o">)</span> </span></span><span class="line"><span class="cl"> <span class="nd">@GetMapping</span><span class="o">(</span><span class="s">&#34;/admin&#34;</span><span class="o">)</span> </span></span><span class="line"><span class="cl"> <span class="kd">public</span> <span class="n">String</span> <span class="nf">admin</span><span class="o">(){</span> </span></span><span class="line"><span class="cl"> <span class="k">return</span> <span class="s">&#34;admin角色访问&#34;</span><span class="o">;</span> </span></span><span class="line"><span class="cl"> <span class="o">}</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="o">}</span> </span></span></code></pre></div><p>这里我们定义了 3 个方法，第一个方法是获取当前用户的登录信息。后面两个方法都是通过 @PreAuthorize 指定访问需要的角色信息。</p>