Spring Security系列之入门

张开发


Spring Security系列之入门
Spring Security 快速入门

引入依赖

如果使用 Maven，在 pom.xml 文件中添加 Spring Security 依赖。对于 Spring Boot 项目：

    <dependency>
        <groupId>org.springframework.boot</groupId>
        <artifactId>spring-boot-starter-security</artifactId>
    </dependency>

如果是普通 Spring 项目，还需要添加 Spring Security 相关的核心依赖和 Web 相关依赖等。

简单配置

创建一个配置类，继承 WebSecurityConfigurerAdapter，用于配置 Spring Security。（注意：WebSecurityConfigurerAdapter 自 Spring Security 5.7 起已被标记为过时，6.x 中已移除，新项目应改为声明 SecurityFilterChain Bean；下面的写法适用于 5.x。）

    import org.springframework.context.annotation.Bean;
    import org.springframework.context.annotation.Configuration;
    import org.springframework.security.config.annotation.web.builders.HttpSecurity;
    import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
    import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
    import org.springframework.security.core.userdetails.User;
    import org.springframework.security.core.userdetails.UserDetails;
    import org.springframework.security.core.userdetails.UserDetailsService;
    import org.springframework.security.provisioning.InMemoryUserDetailsManager;

    @Configuration
    @EnableWebSecurity
    public class SecurityConfig extends WebSecurityConfigurerAdapter {

        @Override
        protected void configure(HttpSecurity http) throws Exception {
            http
                .authorizeRequests()
                    .antMatchers("/", "/home").permitAll()
                    .anyRequest().authenticated()
                    .and()
                .formLogin()
                    .loginPage("/login")
                    .permitAll()
                    .and()
                .logout()
                    .permitAll();
        }

        @Bean
        @Override
        public UserDetailsService userDetailsService() {
            UserDetails user = User.withDefaultPasswordEncoder()
                .username("user")
                .password("password")
                .roles("USER")
                .build();
            UserDetails admin = User.withDefaultPasswordEncoder()
                .username("admin")
                .password("admin")
                .roles("ADMIN")
                .build();
            return new InMemoryUserDetailsManager(user, admin);
        }
    }

在上述配置中，configure(HttpSecurity http) 方法定义了访问规则：/ 和 /home 路径允许所有用户访问，其他路径需要认证。formLogin() 配置了基于表单的登录，loginPage("/login") 指定了登录页面路径，并且允许所有用户访问登录页面。logout() 配置了注销功能，允许所有用户访问注销路径。userDetailsService() 方法在内存中创建了两个用户 user 和 admin，并为其分配了角色。需要注意，User.withDefaultPasswordEncoder() 只适合示例和测试：它把明文密码写在源码里并且已被标记为过时，生产环境应注入一个 PasswordEncoder（如 BCryptPasswordEncoder）并只保存编码后的密码。

创建登录和首页页面

创建一个简单的 login.html 作为登录页面：

    <!DOCTYPE html>
    <html lang="zh-CN">
    <head>
        <meta charset="UTF-8">
        <title>登录</title>
    </head>
    <body>
        <form action="/login" method="post">
            <label for="username">用户名:</label>
            <input type="text" id="username" name="username" required><br>
            <label for="password">密码:</label>
            <input type="password" id="password" name="password" required><br>
            <input type="submit" value="登录">
        </form>
    </body>
    </html>

Spring Security 默认开启 CSRF 防护，上面这种不带 CSRF 令牌的纯 HTML 表单提交到 /login 会被拒绝（403）；使用 Thymeleaf 等模板引擎时会自动在表单中加入 _csrf 隐藏字段，手写 HTML 则需要自行加入该字段，不要为了让示例跑通而直接关闭 CSRF。

创建一个 home.html 作为登录成功后的页面：

    <!DOCTYPE html>
    <html lang="zh-CN">
    <head>
        <meta charset="UTF-8">
        <title>首页</title>
    </head>
    <body>
        <h1>欢迎登录</h1>
    </body>
    </html>

启动应用

启动 Spring Boot 应用（如果是 Spring Boot 项目），或部署到应用服务器（如 Tomcat）等。访问应用，未登录时会被重定向到登录页面，输入正确的用户名和密码后可访问受保护的资源。

Spring Security 高级应用

自定义认证逻辑

实现 UserDetailsService 接口，从数据库或其他数据源加载用户信息。

    import org.springframework.beans.factory.annotation.Autowired;
    import org.springframework.security.core.userdetails.UserDetails;
    import org.springframework.security.core.userdetails.UserDetailsService;
    import org.springframework.security.core.userdetails.UsernameNotFoundException;
    import org.springframework.stereotype.Service;

    @Service
    public class CustomUserDetailsService implements UserDetailsService {

        @Autowired
        private UserRepository userRepository;

        @Override
        public UserDetails loadUserByUsername(String username) throws UsernameNotFoundException {
            // 从数据库中查询用户信息
            User user = userRepository.findByUsername(username);
            if (user == null) {
                throw new UsernameNotFoundException("用户不存在");
            }
            // 将用户信息转换为 Spring Security 的 UserDetails
            return org.springframework.security.core.userdetails.User.withDefaultPasswordEncoder()
                .username(user.getUsername())
                .password(user.getPassword())
                .roles(user.getRole())
                .build();
        }
    }

这里有一个容易踩的坑：withDefaultPasswordEncoder() 会对传入的 password 再做一次编码，因此它只有在数据库里存的是明文密码时才能登录成功，而数据库存明文本身就是不应该的做法。正确的做法是数据库只保存编码后的密码，配置类中声明一个 PasswordEncoder Bean，并改用 User.withUsername(user.getUsername()).password(user.getPassword()) 直接传入已编码的值。

在配置类中使用自定义的 UserDetailsService：

    @Configuration
    @EnableWebSecurity
    public class SecurityConfig extends WebSecurityConfigurerAdapter {

        @Autowired
        private CustomUserDetailsService customUserDetailsService;

        @Override
        protected void configure(HttpSecurity http) throws Exception {
            // 配置其他安全规则
        }

        @Override
        @Bean
        public UserDetailsService userDetailsService() {
            return customUserDetailsService;
        }
    }

基于角色和权限的授权

在配置类的 configure(HttpSecurity http) 方法中细化授权规则。例如，只有具有 ADMIN 角色的用户才能访问特定的管理页面：

    http
        .authorizeRequests()
            .antMatchers("/admin/**").hasRole("ADMIN")
            .antMatchers("/user/**").hasAnyRole("USER", "ADMIN")
            .anyRequest().authenticated();

也可以基于权限进行授权：在数据库中为用户分配具体的权限，然后在配置中使用 hasAuthority 方法进行判断。

OAuth2 集成

引入 OAuth2 相关依赖：

    <dependency>
        <groupId>org.springframework.boot</groupId>
        <artifactId>spring-boot-starter-oauth2-client</artifactId>
    </dependency>
    <dependency>
        <groupId>org.springframework.boot</groupId>
        <artifactId>spring-boot-starter-oauth2-resource-server</artifactId>
    </dependency>

配置 OAuth2 客户端，例如配置 GitHub 登录：

    spring:
      security:
        oauth2:
          client:
            registration:
              github:
                client-id: your-github-client-id
                client-secret: your-github-client-secret
                scope: read:user,user:email
                authorization-grant-type: authorization_code
                redirect-uri: "{baseUrl}/login/oauth2/code/{registrationId}"
                client-name: GitHub

client-secret 属于敏感凭据，不应直接写入提交到仓库的配置文件，应通过环境变量或外部化配置注入。

配置资源服务器，保护受 OAuth2 保护的资源：

    @Configuration
    @EnableResourceServer
    public class ResourceServerConfig extends ResourceServerConfigurerAdapter {

        @Override
        public void configure(HttpSecurity http) throws Exception {
            http
                .authorizeRequests()
                    .antMatchers("/api/**").authenticated();
        }
    }

注意：@EnableResourceServer 和 ResourceServerConfigurerAdapter 来自早已停止维护的 spring-security-oauth2 项目，并不在上面引入的 spring-boot-starter-oauth2-resource-server 中；使用该 starter 时应在 HttpSecurity 上调用 oauth2ResourceServer() 并配置 JWT 或 opaque token 校验。

安全事件监听和审计

实现 ApplicationListener 接口，监听 Spring Security 相关事件，如登录成功、失败事件等。

    import org.springframework.context.ApplicationListener;
    import org.springframework.security.authentication.event.AuthenticationSuccessEvent;
    import org.springframework.stereotype.Component;

    @Component
    public class LoginSuccessListener implements ApplicationListener<AuthenticationSuccessEvent> {

        @Override
        public void onApplicationEvent(AuthenticationSuccessEvent event) {
            // 记录登录成功日志或进行其他审计操作
            System.out.println("用户 " + event.getAuthentication().getName() + " 登录成功");
        }
    }

类似地，可以监听 AuthenticationFailureBadCredentialsEvent 等事件来记录登录失败信息，实现审计功能。实际项目中应使用日志框架而非 System.out 输出审计记录，并且不要把密码、令牌等凭据写入日志。
