1. 介绍
Spring Security 是一个安全管理框架,核心功能有两个:认证、授权
- 认证:判断 访问者 是不是系统里的用户,可以简单的认为能否登陆
- 比如:手机刷脸解锁
- 授权:判断 访问者 是否有权限做某个操作
- 比如:去京东买东西,上面的价格只能看,不能改,只有商家才能改
官网地址:Spring Security
2. 快速入门
创建一个普通的maven项目
1. pom.xml
org.springframework.boot
spring-boot-starter-parent
2.5.13
org.springframework.boot
spring-boot-starter-web
2. Application
@SpringBootApplication
public class Application {
public static void main(String[] args){
SpringApplication.run(Application.class,args);
}
}
3. Controller
@RestController
public class SecController {
@GetMapping("/sec")
public String sec(){
return "spring-secutiry";
}
}
@SpringBootApplication
public class Application {
public static void main(String[] args){
SpringApplication.run(Application.class,args);
}
}
3. Controller
@RestController
public class SecController {
@GetMapping("/sec")
public String sec(){
return "spring-secutiry";
}
}
访问结果:
4. 引入 Security
修改 pom.xml 增加 Spring Security 依赖
org.springframework.boot spring-boot-starter-security
然后重启项目,再次访问:localhsot:8080/sec,就需要登录了
默认的用户名:user,
密码:
注意,每次重启,密码都变
退出登陆,访问:http://localhost:8080/logout
3. 从数据库查询用户
上面的用户名、密码是框架自带的,正常情况下,我们的用户都是存储在数据库中
下面,从数据库中获取用户,完成登陆
1. pom.xml
增加 Mybatis Plus 和 mysql 依赖
com.baomidou mybatis-plus-boot-starter3.5.1 mysql mysql-connector-java5.1.46
2. properties
#数据库
spring.datasource.driver-class-name=com.mysql.jdbc.Driver
spring.datasource.url=jdbc:mysql://localhost:3306/test?useSSL=false
spring.datasource.username=
spring.datasource.password=
3. 数据库
CREATE TABLE `user` (
`id` INT UNSIGNED NOT NULL AUTO_INCREMENT,
`username` VARCHAr(45) NULL,
`password` VARCHAr(45) NULL,
PRIMARY KEY (`id`));
INSERT INTO `test`.`user` (`id`, `username`, `password`) VALUES ('1', 'fengxiansheng', '{noop}123456');
4.代码
User 实体类
@TableName("user")
public class User {
@TableId
private Integer id;
//用户名
private String username;
//密码
private String password;
get、set 省略
}
CREATE TABLE `user` (
`id` INT UNSIGNED NOT NULL AUTO_INCREMENT,
`username` VARCHAr(45) NULL,
`password` VARCHAr(45) NULL,
PRIMARY KEY (`id`));
INSERT INTO `test`.`user` (`id`, `username`, `password`) VALUES ('1', 'fengxiansheng', '{noop}123456');
4.代码
User 实体类
@TableName("user")
public class User {
@TableId
private Integer id;
//用户名
private String username;
//密码
private String password;
get、set 省略
}
UserMapper 接口
public interface UserMapper extends BaseMapper{ }
Application
@SpringBootApplication
@MapperScan("com.feng.security.mapper")
public class Application {
public static void main(String[] args){
SpringApplication.run(Application.class,args);
}
}
UserService
@Service
public class UserService {
@Autowired
private UserMapper userMapper;
public User getByUserName(String username){
Map map = new HashMap();
map.put("username", username);
List users = userMapper.selectByMap(map);
if(CollectionUtils.isEmpty(users)){
return null;
}
return users.get(0);
}
}
下面是重点
新建 LoginUserService,实现 UserDetailsService 接口,这样就可以从数据库查询用户
@Component
public class LoginUserService implements UserDetailsService {
@Autowired
private UserService userService;
@Override
public UserDetails loadUserByUsername(String username) throws UsernameNotFoundException {
// 从数据库查询用户
User user = userService.getByUserName(username);
if(user == null){
throw new UsernameNotFoundException("没有这个用户");
}
// 把用户信息封装到一个 UserDetails 对象中,UserDetails是一个接口,LoginUser实现了这个接口
LoginUser loginUser = new LoginUser();
loginUser.setUser(user);
return loginUser;
}
}
新建 LoginUser 类,实现 UserDetails 接口,用来封装 User 信息
public class LoginUser implements UserDetails {
private User user;
@Override
public String getPassword() {
return user.getPassword();
}
@Override
public String getUsername() {
return user.getUsername();
}
@Override
public boolean isAccountNonExpired() {
return true;
}
@Override
public boolean isAccountNonLocked() {
return true;
}
@Override
public boolean isCredentialsNonExpired() {
return true;
}
@Override
public boolean isEnabled() {
return true;
}
@Override
public Collection getAuthorities() {
return null;
}
public User getUser() {
return user;
}
public void setUser(User user) {
this.user = user;
}
}
重启项目,然后故意输入错误的用户密码
再输入正确的,结果正常跳转
