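Before configuring permission verification, we first need to set up the project's dependencies. Below is the complete dependency management configuration, based on Spring Boot and Spring Cloud Hoxton.RC1: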
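```xml
<project xmlns="http://maven.apache.org/POM/4.0.0"
         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
    <modelVersion>4.0.0</modelVersion>

    <groupId>com.shaojie.authority</groupId>
    <artifactId>authority</artifactId>
    <version>1.0-SNAPSHOT</version>

    <parent>
        <groupId>org.springframework.boot</groupId>
        <artifactId>spring-boot-starter-parent</artifactId>
        <version>2.2.0.RELEASE</version>
    </parent>

    <properties>
        <java.version>1.8</java.version>
        <maven.compiler.source>${java.version}</maven.compiler.source>
        <maven.compiler.target>${java.version}</maven.compiler.target>
        <project.build.sourceEncoding>UTF-8</project.build.sourceEncoding>
        <project.reporting.outputEncoding>UTF-8</project.reporting.outputEncoding>
        <spring-cloud.version>Hoxton.RC1</spring-cloud.version>
    </properties>

    <dependencyManagement>
        <dependencies>
            <dependency>
                <groupId>org.springframework.cloud</groupId>
                <artifactId>spring-cloud-dependencies</artifactId>
                <version>Hoxton.RC1</version>
                <type>pom</type>
                <scope>import</scope>
            </dependency>
        </dependencies>
    </dependencyManagement>

    <dependencies>
        <dependency>
            <groupId>org.projectlombok</groupId>
            <artifactId>lombok</artifactId>
        </dependency>
        <dependency>
            <groupId>org.springframework.boot</groupId>
            <artifactId>spring-boot-starter-web</artifactId>
        </dependency>
        <dependency>
            <groupId>org.springframework.boot</groupId>
            <artifactId>spring-boot-starter-test</artifactId>
        </dependency>
        <dependency>
            <groupId>org.springframework.boot</groupId>
            <artifactId>spring-boot-starter-thymeleaf</artifactId>
        </dependency>
        <dependency>
            <groupId>org.springframework.boot</groupId>
            <artifactId>spring-boot-starter-security</artifactId>
        </dependency>
        <dependency>
            <groupId>org.springframework.boot</groupId>
            <artifactId>spring-boot-starter-data-jpa</artifactId>
        </dependency>
        <dependency>
            <groupId>mysql</groupId>
            <artifactId>mysql-connector-java</artifactId>
        </dependency>
        <dependency>
            <groupId>com.alibaba</groupId>
            <artifactId>druid</artifactId>
            <version>1.1.21</version>
        </dependency>
    </dependencies>

    <build>
        <plugins>
            <plugin>
                <groupId>org.springframework.boot</groupId>
                <artifactId>spring-boot-maven-plugin</artifactId>
            </plugin>
        </plugins>
    </build>
</project>
```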
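Next, let's look at the core Spring Security configuration. Permission verification is a key part of Spring Security, and we need to add the necessary bean configuration and permission rules to the project.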
```java
package com.shaojie.authority.security;

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;

@Configuration
@EnableWebSecurity
public class SpringSecurityConfig extends WebSecurityConfigurerAdapter {

    // BCrypt is used both to store the password and to verify it at login.
    @Bean
    public BCryptPasswordEncoder passwordEncoder() {
        return new BCryptPasswordEncoder();
    }

    // Authentication: a single in-memory demo user with a hard-coded password.
    // The user holds PRODUCT_ADD and PRODUCT_LIST only.
    @Override
    protected void configure(AuthenticationManagerBuilder auth) throws Exception {
        auth.inMemoryAuthentication()
                .passwordEncoder(passwordEncoder())
                .withUser("shaojie")
                .password(passwordEncoder().encode("123456"))
                .authorities("PRODUCT_ADD", "PRODUCT_LIST");
    }

    // Authorization: rules are evaluated in order and the first matching pattern wins.
    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http.authorizeRequests()
                .antMatchers("/product/add").hasAnyAuthority("PRODUCT_ADD")
                .antMatchers("/product/update").hasAnyAuthority("PRODUCT_UPDATE")
                .antMatchers("/product/list").hasAnyAuthority("PRODUCT_LIST")
                .antMatchers("/product/delete").hasAnyAuthority("PRODUCT_DELETE")
                .antMatchers("/login").permitAll()
                // Everything else requires a full login; a remember-me session is not enough.
                .antMatchers("/**")
                .fullyAuthenticated()
                .and()
                .formLogin()
                .loginPage("/login")
                .and()
                .rememberMe()
                .and()
                .logout()
                .and()
                // CSRF protection is turned off in this demo; with it enabled,
                // the login and product forms must submit the _csrf token.
                .csrf().disable();
    }
}
```

To show users a friendly page when they lack the required permission, we can configure a 403 error page.
```java
package com.shaojie.authority.security;

import org.springframework.boot.web.server.ConfigurableWebServerFactory;
import org.springframework.boot.web.server.ErrorPage;
import org.springframework.boot.web.server.WebServerFactoryCustomizer;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.http.HttpStatus;

@Configuration
public class ErrorPageConfig {

    // Registers /403 as the error page the embedded server forwards to for HTTP 403 responses.
    @Bean
    public WebServerFactoryCustomizer<ConfigurableWebServerFactory> webServerFactoryCustomizer() {
        return new WebServerFactoryCustomizer<ConfigurableWebServerFactory>() {
            @Override
            public void customize(ConfigurableWebServerFactory factory) {
                factory.addErrorPages(new ErrorPage(HttpStatus.FORBIDDEN, "/403"));
            }
        };
    }
}
```

login.html: Login Page
add.html: Add Product
delete.html: Delete Product
list.html: Query Products
update.html: Update Product
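hasAnyAuthority is the method used to set the permissions, and it supports combining multiple authorities. With the configuration above, we have completed the basic permission-verification setup for Spring Security, covering dependency management, permission verification and the error page configuration. For more detailed configuration or extended functionality, refer to the official Spring Security documentation or related examples.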
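The authority rules in SpringSecurityConfig can be checked with a MockMvc test that logs in as the in-memory user and requests each product URL. This is an added example, not code from the original article; it assumes the spring-security-test dependency (not in the pom.xml above) and a @SpringBootApplication class in com.shaojie.authority, and the class name ProductAuthorityTest is hypothetical.

```java
package com.shaojie.authority.security;
import org.junit.jupiter.api.Test;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.boot.test.autoconfigure.web.servlet.WebMvcTest;
import org.springframework.context.annotation.Import;
import org.springframework.mock.web.MockHttpSession;
import org.springframework.test.web.servlet.MockMvc;
import static org.junit.jupiter.api.Assertions.*;
import static org.springframework.security.test.web.servlet.request.SecurityMockMvcRequestBuilders.formLogin;
import static org.springframework.security.test.web.servlet.response.SecurityMockMvcResultMatchers.authenticated;
import static org.springframework.test.web.servlet.request.MockMvcRequestBuilders.get;
import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.*;

// Added example (hypothetical test class). Assumes spring-security-test on the test
// classpath and a @SpringBootApplication class in com.shaojie.authority.
@WebMvcTest
@Import(SpringSecurityConfig.class)
class ProductAuthorityTest {
    @Autowired private MockMvc mockMvc;

    // Logs in through the real form-login filter, then requests path with that session,
    // so the authorities under test are the ones granted to the in-memory user.
    private int statusAfterLogin(String path) throws Exception {
        MockHttpSession session = (MockHttpSession) mockMvc
                .perform(formLogin("/login").user("shaojie").password("123456"))
                .andExpect(authenticated().withUsername("shaojie"))
                .andReturn().getRequest().getSession();
        return mockMvc.perform(get(path).session(session)).andReturn().getResponse().getStatus();
    }

    @Test
    void anonymousIsRedirectedToLogin() throws Exception {
        mockMvc.perform(get("/product/list"))
                .andExpect(status().is3xxRedirection())
                .andExpect(redirectedUrlPattern("**/login"));
    }

    @Test
    void missingAuthorityIsForbidden() throws Exception {
        assertEquals(403, statusAfterLogin("/product/update"));
        assertEquals(403, statusAfterLogin("/product/delete"));
    }

    @Test
    void grantedAuthorityIsNotForbidden() throws Exception {
        // 200 or 404 depending on the controller, which is outside this example; never 403.
        assertNotEquals(403, statusAfterLogin("/product/add"));
        assertNotEquals(403, statusAfterLogin("/product/list"));
    }
}
```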
Reposted from: http://xkvo.baihongyu.com/