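The purpose of this feature is to:
enable users to easily configure Spring Security without the use of XML.
In Java Spring, the configuration uses @Configuration.
In the Maven project's pom.xml, add the dependency:

    <dependency>
        <groupId>org.springframework.security</groupId>
        <artifactId>spring-security-core</artifactId>
        <version>5.3.3.RELEASE</version>
    </dependency>

Note that the classes used below (@EnableWebSecurity, WebSecurityConfigurerAdapter, HttpSecurity) come from spring-security-config and spring-security-web, which need to be on the classpath as well.
For the code, the following areas need to be considered: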
webSecurity passwordEncoder
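    import org.springframework.beans.factory.annotation.Autowired;
    import org.springframework.context.annotation.Bean;
    import org.springframework.context.annotation.Configuration;
    import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
    import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
    import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
    import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
    import org.springframework.security.crypto.password.PasswordEncoder;

    @Configuration
    @EnableWebSecurity
    public class SecurityConfig extends WebSecurityConfigurerAdapter {
        @Autowired
        public void configureGlobal(AuthenticationManagerBuilder auth)
                throws Exception {
            auth.inMemoryAuthentication().withUser("user")
                .password(passwordEncoder().encode("password")).roles("USER");
        }

        // The @Bean method must sit inside the configuration class to be registered.
        @Bean
        public PasswordEncoder passwordEncoder() {
            return new BCryptPasswordEncoder();
        }
    }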
http security
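    // Every request requires authentication; credentials are sent via HTTP Basic.
    // Basic credentials are only base64-encoded, so serve this over HTTPS.
    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http.authorizeRequests()
                .anyRequest().authenticated()
            .and().httpBasic();
    }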
form login
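    // The custom login page is opened to everyone with permitAll();
    // without it, unauthenticated users could not reach /login.
    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http.authorizeRequests()
                .anyRequest().authenticated()
            .and().formLogin()
                .loginPage("/login").permitAll();
    }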
authorization with roles.
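    // hasRole("X") checks for the authority "ROLE_X".
    // URLs that match none of the rules below are not restricted by this
    // configuration; a final anyRequest() rule is needed for deny-by-default.
    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http.authorizeRequests()
                .antMatchers("/", "/home").access("hasRole('USER')")
                .antMatchers("/admin/**").hasRole("ADMIN")
            .and()
            // some more method calls
            .formLogin();
    }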
logout
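    // Default logout configuration.
    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http.logout();
    }

    // Customized logout. logoutSuccessHandler, logoutHandler and
    // cookieNamesToClear are assumed to be defined elsewhere in the class.
    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http.logout().logoutUrl("/my/logout")
                // logoutSuccessUrl is ignored when a logoutSuccessHandler is set
                .logoutSuccessUrl("/my/index")
                .logoutSuccessHandler(logoutSuccessHandler)
                .invalidateHttpSession(true)
                .addLogoutHandler(logoutHandler)
                .deleteCookies(cookieNamesToClear)
            .and(); // some other method calls can be chained before the semicolon
    }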
Authentication
in memory authentication/JDBC authentication
Introduction to Java Config for Spring Security



