
Spring Security flow (Spring Security principles and mechanisms)


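I. Basic principles

II. Two important interfaces

III. Web authentication and authorization

3.1 Setting the login username and password

3.1.1 Method 1: via the configuration file

3.1.2 Method 2: via a configuration class

        1. Create a SecurityConfig configuration class that extends WebSecurityConfigurerAdapter.

        2. Override the configure(AuthenticationManagerBuilder auth) method.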

        

package com.cn.config;

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
import org.springframework.security.crypto.password.PasswordEncoder;

@Configuration
public class SecurityConfig extends WebSecurityConfigurerAdapter {

    @Override
    protected void configure(AuthenticationManagerBuilder auth) throws Exception {
        BCryptPasswordEncoder passwordEncoder = new BCryptPasswordEncoder(); // create a BCryptPasswordEncoder
        String password = passwordEncoder.encode("123456"); // hash the password with bcrypt
        // set the username, password and role
        auth.inMemoryAuthentication().withUser("lucky").password(password).roles("admin");
    }

    // PasswordEncoder bean used to check the submitted password against the stored hash
    @Bean
    PasswordEncoder password() {
        return new BCryptPasswordEncoder();
    }

}

        

3.1.3 Method 3: a custom implementation class

        1. Create a configuration class and set which UserDetailsService implementation to use.

package com.cn.config;

import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
import org.springframework.security.crypto.password.PasswordEncoder;

@Configuration
public class SecurityConfigTest extends WebSecurityConfigurerAdapter {

    @Autowired
    private UserDetailsService userDetailsService;

    @Override
    protected void configure(AuthenticationManagerBuilder auth) throws Exception {

        auth.userDetailsService(userDetailsService).passwordEncoder(password());

    }

    @Bean
    PasswordEncoder password(){

        return new BCryptPasswordEncoder();
    }

}

        2. Write the implementation class and return a User object; the User object carries the username, the password and the authorities.

package com.cn.service;

import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.authority.AuthorityUtils;
import org.springframework.security.core.userdetails.User;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.core.userdetails.UsernameNotFoundException;
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
import org.springframework.stereotype.Service;

import java.util.List;

@Service("userDetailService")
public class MyUserDetailServiceImpl implements UserDetailsService {


    @Override
    public UserDetails loadUserByUsername(String username) throws UsernameNotFoundException {

        // authority list
        List<GrantedAuthority> auths = AuthorityUtils.commaSeparatedStringToAuthorityList("role");

        // return the User object
        return new User("mary", new BCryptPasswordEncoder().encode("123456"), auths);
    }
}

IV. Authenticating users against the database

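1. Integrate MyBatis-Plus.

2. Add the dependencies.

3. Create the user entity class.

4. Create a UserMapper interface that extends BaseMapper.

5. In the UserDetailsService, call the mapper's methods to query the database.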

package com.cn.service;

import com.baomidou.mybatisplus.core.conditions.query.QueryWrapper;
import com.cn.mapper.UserMapper;
import com.cn.pojo.Users;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.authority.AuthorityUtils;
import org.springframework.security.core.userdetails.User;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.core.userdetails.UsernameNotFoundException;
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
import org.springframework.stereotype.Service;

import java.util.List;

@Service("userDetailService")
public class MyUserDetailServiceImpl implements UserDetailsService {

    @Autowired
    private UserMapper userMapper;


    @Override
    public UserDetails loadUserByUsername(String username) throws UsernameNotFoundException {

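        // use userMapper to look the user up in the database by username
        QueryWrapper<Users> queryWrapper = new QueryWrapper<>();
        queryWrapper.eq("username", username);
        Users user = userMapper.selectOne(queryWrapper);
        // reject usernames that are not in the database
        if (user == null) {
            throw new UsernameNotFoundException("数据库没找到用户名");
        }

        // authority list
        List<GrantedAuthority> auths = AuthorityUtils.commaSeparatedStringToAuthorityList("role");

        // return the User object; encoding at this point means the password column holds the
        // raw password, whereas a column that already holds a bcrypt hash is passed through unchanged
        return new User(username, new BCryptPasswordEncoder().encode(user.getPassword()), auths);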
    }
}

6. Add the @MapperScan("com.cn.mapper") annotation to the application's startup class.
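The service in step 5 hashes user.getPassword() on every login, which only works while the password column stores the raw password. The following is an added example, not code from the original page, that hashes once at registration and hands the stored hash to Spring Security unchanged. The class names, the register method and the Users setters are assumptions, and HashedUserDetailsService replaces MyUserDetailServiceImpl rather than running beside it.

```java
package com.cn.service;

import com.baomidou.mybatisplus.core.conditions.query.QueryWrapper;
import com.cn.mapper.UserMapper;
import com.cn.pojo.Users;
import org.springframework.security.core.authority.AuthorityUtils;
import org.springframework.security.core.userdetails.User;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.core.userdetails.UsernameNotFoundException;
import org.springframework.security.crypto.password.PasswordEncoder;
import org.springframework.stereotype.Service;

// Hypothetical registration service: the only place that ever sees the raw password.
@Service
class RegistrationService {
    private final UserMapper userMapper;
    private final PasswordEncoder passwordEncoder; // the BCryptPasswordEncoder bean from the config class

    RegistrationService(UserMapper userMapper, PasswordEncoder passwordEncoder) {
        this.userMapper = userMapper;
        this.passwordEncoder = passwordEncoder;
    }

    void register(String username, String rawPassword) {
        Users user = new Users();
        user.setUsername(username);                            // assumed setter on Users
        user.setPassword(passwordEncoder.encode(rawPassword)); // only the bcrypt hash is stored
        userMapper.insert(user);
    }
}

// Takes the place of MyUserDetailServiceImpl; it needs no encoder of its own.
@Service("userDetailService")
class HashedUserDetailsService implements UserDetailsService {
    private final UserMapper userMapper;

    HashedUserDetailsService(UserMapper userMapper) { this.userMapper = userMapper; }

    @Override
    public UserDetails loadUserByUsername(String username) throws UsernameNotFoundException {
        Users user = userMapper.selectOne(new QueryWrapper<Users>().eq("username", username));
        if (user == null) {
            throw new UsernameNotFoundException("user not found");
        }
        // No encode() here: the provider calls passwordEncoder.matches(submitted, storedHash).
        return new User(username, user.getPassword(),
                AuthorityUtils.commaSeparatedStringToAuthorityList("role"));
    }
}
```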

V. Custom login page

1. In the configuration class, override the configure(HttpSecurity http) method.

package com.cn.config;

import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
import org.springframework.security.crypto.password.PasswordEncoder;

@Configuration
public class SecurityConfigTest extends WebSecurityConfigurerAdapter {

    @Autowired
    private UserDetailsService userDetailsService;

    @Override
    protected void configure(AuthenticationManagerBuilder auth) throws Exception {

        auth.userDetailsService(userDetailsService).passwordEncoder(password());

    }

    @Bean
    PasswordEncoder password(){

        return new BCryptPasswordEncoder();
    }

    // custom login page configuration
    @Override
    protected void configure(HttpSecurity http) throws Exception {

        http.formLogin() // use a login page we write ourselves
                .loginPage("/login.html") // the login page
                .loginProcessingUrl("/user/login") // URL the login form is submitted to
                .defaultSuccessUrl("/test/index").permitAll() // where to go after a successful login
                .and().authorizeRequests()
                // paths that can be accessed directly, without authentication
                .antMatchers("/", "/test/hello", "/user/login").permitAll()
                .anyRequest().authenticated()
                .and().csrf().disable(); // turn off CSRF protection
    }
}

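2. Create the HTML page

In the resources directory, create a static folder and, inside it, the login page login.html:

<!DOCTYPE html>
<html lang="en">
<head>
    <meta charset="UTF-8">
    <title>Title</title>
</head>
<body>
<!-- "username" and "password" are the parameter names formLogin() expects by default -->
<form action="/user/login" method="post">
    Username: <input type="text" name="username"><br>
    Password: <input type="password" name="password"><br>
    <input type="submit" value="Login">
</form>
</body>
</html>

The form's action path must match the login path set in the configuration.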

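VI. Role- and authority-based access control

1. The hasAuthority method (for a single authority)

        1. In the configuration class, set which authorities may access the current path.

        2. In the UserDetailsService, set the authorities on the returned User object.

        3. Test: without the authority, access is denied with a 403.

2. The hasAnyAuthority method (for multiple authorities)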
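The hasAuthority steps and the hasAnyAuthority variant in one configuration class, as an added example that is not code from the original page. The authority names "admins" and "manager", the second user "mary", the class name and the /test/report path are assumptions; the class replaces SecurityConfigTest rather than running beside it, and uses in-memory users so the authorities are visible next to the rules.

```java
package com.cn.config;

import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
import org.springframework.security.crypto.password.PasswordEncoder;

@Configuration
public class AuthorityConfigExample extends WebSecurityConfigurerAdapter {

    private final PasswordEncoder encoder = new BCryptPasswordEncoder();

    @Override
    protected void configure(AuthenticationManagerBuilder auth) throws Exception {
        // authorities(...) stores the strings exactly as given; roles("admin") would store
        // "ROLE_admin", which hasAuthority("admin") does not match.
        auth.inMemoryAuthentication().passwordEncoder(encoder)
                .withUser("lucky").password(encoder.encode("123456")).authorities("admins")
                .and()
                .withUser("mary").password(encoder.encode("123456")).authorities("manager");
    }

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http.formLogin()
                .loginPage("/login.html")
                .loginProcessingUrl("/user/login")
                .defaultSuccessUrl("/test/index").permitAll()
                .and().authorizeRequests()
                .antMatchers("/", "/test/hello").permitAll()
                // hasAuthority: only "admins" passes, so mary gets a 403 on this path
                .antMatchers("/test/index").hasAuthority("admins")
                // hasAnyAuthority: either authority passes, so lucky and mary both get in
                .antMatchers("/test/report").hasAnyAuthority("admins", "manager")
                .anyRequest().authenticated()
                // kept from the page's configuration: a static login.html carries no CSRF token
                .and().csrf().disable();
    }
}
```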

 
