# SpringSecurity
- 仅引入
- 目前前后端分离是主流,不要用内置的springsecurity做page了
- jwt见后文
# 依赖
<!--Spring security相关-->
<dependency>
<groupId>org.springframework.security</groupId>
<artifactId>spring-security-web</artifactId>
<version>5.1.5.RELEASE</version>
</dependency>
<dependency>
<groupId>org.springframework.security</groupId>
<artifactId>spring-security-config</artifactId>
<version>5.1.5.RELEASE</version>
</dependency>
# 配置Config
package com.yiki.blog.SecurityLearn;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
//1配置类
@Configuration
@EnableWebSecurity//2启动security过滤器链
//3继承这个配置类
public class SecurityConfig extends WebSecurityConfigurerAdapter {
//4.重写这两个方法
//7.在登录页用封装好的userdetail
@Autowired
private YikiUserDetailService userDetailService;
/**
* 5-1代替xml配置的AuthenticationManager(认证管理器)
* 认证的信息获取
*/
@Override//
protected void configure(AuthenticationManagerBuilder auth) throws Exception {
/*6.2.A
* 写死的配置---~硬编码
* There is no PasswordEncoder mapped for the id “null”
* 时过境迁,psw报错id为null是因为security默认会对密码解密方式需要定义,也就是{id},若没有则为null,则会报错
* 记得在设置密码给个加密方式 *
auth.inMemoryAuthentication()
.passwordEncoder(new BCryptPasswordEncoder())
.withUser("Admin")
.password(new BCryptPasswordEncoder().encode("123456"))
.authorities("Auth");//可以用,追加权限
*/
/*
* 6.2 B自定义service类
* */
auth.userDetailsService(userDetailService)
.passwordEncoder(new BCryptPasswordEncoder());;
}
/**
* 5-2.代替之前<http>标签配置
* 需要拦截资源/角色权限/登录方式:httpBasic,FormLogin)
* spring拦截到的http会转发到这里
* 其他:/**全部路径,/*一级路径
*/
@Override
protected void configure(HttpSecurity http) throws Exception {
/*6-1拦截表达式A.httpBasic
http.authorizeRequests()
.antMatchers("/**")
.fullyAuthenticated()
.and()
.httpBasic();
@isAuthenticated()
Returns true if the user is not anonymous
@isFullyAuthenticated()
Returns true if the user is not an anonymous or a remember-me user
@anonymous()
只有匿名用户可以访问资源,登录后不允许访问
* */
/*B.formLogin
* */
http.cors().disable();
http.authorizeRequests()
.antMatchers("/security/*").hasAnyAuthority("ROLE_SEARCH,ROLE_DELETE")
.and().csrf().disable()//禁止自带跨域
.formLogin();
}
}