對於沒有訪問權限的用戶需要轉到登錄表單頁面。要實現訪問控制的方法多種多樣,可以通過Aop、攔截器實現,也可以通過框架實現(如:Apache Shiro、Spring Security)。
pom.xml添加依賴
<dependency>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-web</artifactId>
</dependency>
<dependency>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-thymeleaf</artifactId>
</dependency>
<dependency>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-security</artifactId>
</dependency>
創建SpringSecurity配置類
import org.springframework.beans.factory.annotation.Autowired; import org.springframework.context.annotation.Configuration; import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder; import org.springframework.security.config.annotation.web.builders.HttpSecurity; import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity; import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter; @Configuration @EnableWebSecurity public class WebSecurityConfig extends WebSecurityConfigurerAdapter { @Override protected void configure(HttpSecurity http) throws Exception { http .authorizeRequests() .antMatchers("/", "/home").permitAll() .anyRequest().authenticated() .and() .formLogin() .loginPage("/login") .permitAll() .and() .logout() .permitAll(); } @Autowired public void configureGlobal(AuthenticationManagerBuilder auth) throws Exception { auth .inMemoryAuthentication() .withUser("admin").password("123456").roles("USER"); } }
通過@EnableWebSecurity注解開啟Spring Security的功能
繼承WebSecurityConfigurerAdapter,並重寫它的方法來設置一些web安全的細節
configure(HttpSecurity http)方法,通過authorizeRequests()定義哪些URL需要被保護、哪些不需要被保護。例如以上代碼指定了/和/home不需要任何認證就可以訪問,其他的路徑都必須通過身份驗證。
通過formLogin()定義當需要用戶登錄時候,轉到的登錄頁面。
configureGlobal(AuthenticationManagerBuilder auth)方法,在內存中創建了一個用戶,該用戶的名稱為admin,密碼為123456,用戶角色為USER。
控制器:
@Controller public class HelloController { @RequestMapping("/") public String index() { return "index"; } @RequestMapping("/hello") public String hello() { return "hello"; } @RequestMapping(value = "/login", method = RequestMethod.GET) public String login() { return "login"; } }
index.html
<!DOCTYPE html> <html xmlns="http://www.w3.org/1999/xhtml" xmlns:th="http://www.thymeleaf.org" xmlns:sec="http://www.thymeleaf.org/thymeleaf-extras-springsecurity3"> <head> <title>Spring Security入門</title> </head> <body> <h1>歡迎使用Spring Security!</h1> <p>點擊 <a th:href="@{/hello}">這里</a> 打個招呼吧</p> </body> </html>
hello.html
<!DOCTYPE html> <html xmlns="http://www.w3.org/1999/xhtml" xmlns:th="http://www.thymeleaf.org" xmlns:sec="http://www.thymeleaf.org/thymeleaf-extras-springsecurity3"> <head> <title>Hello World!</title> </head> <body> <h1 th:inline="text">Hello [[${#httpServletRequest.remoteUser}]]!</h1> <form th:action="@{/logout}" method="post"> <input type="submit" value="注銷"/> </form> </body> </html>
login.html
<!DOCTYPE html> <html xmlns="http://www.w3.org/1999/xhtml" xmlns:th="http://www.thymeleaf.org" xmlns:sec="http://www.thymeleaf.org/thymeleaf-extras-springsecurity3"> <head> <title>Spring Security Example </title> </head> <body> <div th:if="${param.error}"> 用戶名或密碼錯 </div> <div th:if="${param.logout}"> 您已注銷成功 </div> <form th:action="@{/login}" method="post"> <div><label> 用戶名 : <input type="text" name="username"/> </label></div> <div><label> 密 碼 : <input type="password" name="password"/> </label></div> <div><input type="submit" value="登錄"/></div> </form> </body> </html>
運行:
打開index.html,點擊這里,如果沒有登錄進入登錄頁,已登錄跳轉到hello.html