Spring Security，这是一个专门针对基于Spring的项目的安全框架，它主要是利用了AOP来实现的。以前在Spring框架中使用Spring Security需要我们进行大量的XML配置，但是，Spring Boot针对Spring Security也提供了自动配置的功能，这些默认的自动配置极大的简化了我们的开发工作，我们今天就来看看这个吧。

创建Project并添加相关依赖

数据库使用MySQL，所以添加mysql驱动，
pom.xml

<?xml version="1.0" encoding="UTF-8"?>
<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd"><modelVersion>4.0.0</modelVersion><groupId>com.wangh</groupId><artifactId>springboot_security</artifactId><version>0.0.1-SNAPSHOT</version><packaging>jar</packaging><name>springboot_security</name><description>Demo project for Spring Boot</description><parent><groupId>org.springframework.boot</groupId><artifactId>spring-boot-starter-parent</artifactId><version>1.5.4.RELEASE</version><relativePath/> <!-- lookup parent from repository --></parent><properties><project.build.sourceEncoding>UTF-8</project.build.sourceEncoding><project.reporting.outputEncoding>UTF-8</project.reporting.outputEncoding><java.version>1.8</java.version></properties><dependencies><dependency><groupId>org.springframework.boot</groupId><artifactId>spring-boot-starter-data-jpa</artifactId></dependency><dependency><groupId>org.springframework.boot</groupId><artifactId>spring-boot-starter-security</artifactId></dependency><dependency><groupId>org.springframework.boot</groupId><artifactId>spring-boot-starter-thymeleaf</artifactId></dependency><dependency><groupId>mysql</groupId><artifactId>mysql-connector-java</artifactId><version>5.1.40</version></dependency><!-- thymeleaf-extras-springsecurity4 --><dependency><groupId>org.thymeleaf.extras</groupId><artifactId>thymeleaf-extras-springsecurity4</artifactId></dependency><dependency><groupId>org.apache.maven.plugins</groupId><artifactId>maven-resources-plugin</artifactId><version>2.6</version></dependency><dependency><groupId>org.springframework.boot</groupId><artifactId>spring-boot-starter-test</artifactId><scope>test</scope></dependency><dependency><groupId>org.springframework.security</groupId><artifactId>spring-security-test</artifactId><scope>test</scope></dependency></dependencies><build><plugins><plugin><groupId>org.springframework.boot</groupId><artifactId>spring-boot-maven-plugin</artifactId></plugin></plugins></build>
</project>

配置application.properties

spring.datasource.driver-class-name=com.mysql.jdbc.Driver
spring.datasource.url=jdbc:mysql://localhost:3306/girl?useUnicode=true&characterEncoding=utf-8
spring.datasource.username=system
spring.datasource.password=mysql
logging.level.org.springframework.security=info
spring.thymeleaf.cache=false
spring.jpa.hibernate.ddl-auto=update
spring.jpa.show-sql=true

定义用户和角色

我们这里使用JPA来定义用户和角色，用户和角色都存储在数据库中，我们直接通过在数据库中查询然后来使用。

定义角色

package com.wangh.springboot_security.model;import javax.persistence.Entity;
import javax.persistence.GeneratedValue;
import javax.persistence.Id;
/*** 角色* @author WangZhen*/
@Entity
public class SysRole {@Id@GeneratedValueprivate Integer id;private String name;public Integer getId() {return id;}public void setId(Integer id) {this.id = id;}public String getName() {return name;}public void setName(String name) {this.name = name;}}

定义用户

我们在定义用户的时候需要实现UserDetails接口，这样我们的用户实体即为Spring Security所使用的用户，定义好用户之后，我们还要配置用户和角色之间的多对多关系，正常情况下，角色和权限是两回事，所以我们还需要重写getAuthorities方法，将用户的角色和权限关联起来

package com.wangh.springboot_security.model;import java.util.ArrayList;
import java.util.Collection;
import java.util.List;import javax.persistence.CascadeType;
import javax.persistence.Entity;
import javax.persistence.FetchType;
import javax.persistence.GeneratedValue;
import javax.persistence.Id;
import javax.persistence.ManyToMany;import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.authority.SimpleGrantedAuthority;
import org.springframework.security.core.userdetails.UserDetails;
/*** 使用JPA定义用户。实现UserDetails接口，用户实体即为springSecurity所使用的用户。* @author WangZhen*/
@Entity
public class SysUser implements UserDetails {private static final long serialVersionUID = 1L;@Id@GeneratedValueprivate Long id;private String username;private String password;//FetchType.EAGER：急加载。在加载一个实体的时候，其中定义是急加载的的属性(property)和字段(field)会立即从数据库中加载 //CascadeType:级联更新@ManyToMany(cascade = {CascadeType.REFRESH}, fetch = FetchType.EAGER)private List<SysRole> roles;@Overridepublic Collection<? extends GrantedAuthority> getAuthorities() {//将用户角色作为权限List<GrantedAuthority> auths = new ArrayList<GrantedAuthority>();List<SysRole> roles = this.getRoles();for(SysRole role : roles){auths.add(new SimpleGrantedAuthority(role.getName()));}return auths;}@Overridepublic String getPassword() {return password;}@Overridepublic String getUsername() {return username;}@Overridepublic boolean isAccountNonExpired() {return true;}@Overridepublic boolean isAccountNonLocked() {return true;}@Overridepublic boolean isCredentialsNonExpired() {return true;}@Overridepublic boolean isEnabled() {return true;}public Long getId() {return id;}public void setId(Long id) {this.id = id;}public List<SysRole> getRoles() {return roles;}public void setRoles(List<SysRole> roles) {this.roles = roles;}public void setUsername(String username) {this.username = username;}public void setPassword(String password) {this.password = password;}
}

预设测试数据

在src/main/resources下新建data.sql.

insert into SYS_USER (id,username,password) values(1,'wanghao','wanghao');
insert into SYS_USER (id,username,password) values(2,'wangtuo','wangtuo');insert into SYS_ROLE (id,name) values(1,'ROLE_ADMIN');
insert into SYS_ROLE (id,name) values(2,'ROLE_USER');insert into SYS_USER_ROLES (SYS_USER_ID, ROLES_ID) values(1,1);
insert into SYS_USER_ROLES (SYS_USER_ID, ROLES_ID) values(2,2);

经过上面步骤之后我们的用户就和角色关联起来了，这个时候运行Project就会在数据库中自动帮我们生成三张表，用户表、角色表和两者的关联表，并有初始数据。

创建传值对象

数据创建成功之后，在客户端请求网页的时候我们需要有一个实体类用来向客户端传递消息，那我们创建一个Msg对象：

package com.wangh.springboot_security.model;public class Msg {private String title;private String content;private String extraInfo;public Msg(String title, String content, String extraInfo) {super();this.title = title;this.content = content;this.extraInfo = extraInfo;}public String getTitle() {return title;}public void setTitle(String title) {this.title = title;}public String getContent() {return content;}public void setContent(String content) {this.content = content;}public String getExtraInfo() {return extraInfo;}public void setExtraInfo(String extraInfo) {this.extraInfo = extraInfo;}
}

创建数据访问接口

package com.wangh.springboot_security.repository;import org.springframework.data.jpa.repository.JpaRepository;import com.wangh.springboot_security.model.SysUser;public interface SysUserRepository extends JpaRepository<SysUser, Long> {/*** 根据用户名查用户* @param username* @return*/SysUser findByUsername(String username);
}

自定义UserDetailsService

首先这里我们需要重写UserDetailsService接口，然后实现该接口中的loadUserByUsername方法，通过该方法查询到对应的用户，这里之所以要实现UserDetailsService接口，是因为在Spring Security中我们配置相关参数需要UserDetailsService类型的数据。

package com.wangh.springboot_security.service;import javax.annotation.Resource;import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.core.userdetails.UsernameNotFoundException;import com.wangh.springboot_security.model.SysUser;
import com.wangh.springboot_security.repository.SysUserRepository;
/*** 自定义UserService需实现UserDetailsService接口。可直接返回给springSecurity使用。* @author WangZhen**/
public class CustomUserService implements UserDetailsService {@Resourceprivate SysUserRepository sysUserRepository;//重写获得用户@Overridepublic UserDetails loadUserByUsername(String username) throws UsernameNotFoundException {SysUser user = sysUserRepository.findByUsername(username);if(user == null){throw new UsernameNotFoundException("用户不存在");}return user;}}

SpringMVC配置

package com.wangh.springboot_security.config;import org.springframework.context.annotation.Configuration;
import org.springframework.web.servlet.config.annotation.ViewControllerRegistry;
import org.springframework.web.servlet.config.annotation.WebMvcConfigurerAdapter;/*** springMVC配置* @author WangZhen*/
@Configuration
public class WebMvcConfig extends WebMvcConfigurerAdapter{/*** 注册访问登录转向login.html页面*/@Overridepublic void addViewControllers(ViewControllerRegistry registry) {registry.addViewController("/login").setViewName("login");}
}

当用户访问login时跳转到login.html页面。

配置Spring Security

package com.wangh.springboot_security.config;import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
/*** Spring Security配置* @author WangZhen*/
import org.springframework.security.core.userdetails.UserDetailsService;import com.wangh.springboot_security.service.CustomUserService;
@Configuration
public class WebSecurityConfig extends WebSecurityConfigurerAdapter {//扩展SpringSecurity配置需要继承此类@BeanUserDetailsService customUserService(){//注册UserDetailsService的beanreturn new CustomUserService();}@Overrideprotected void configure(AuthenticationManagerBuilder auth) throws Exception {auth.userDetailsService(customUserService());//添加自定义的userDetailsService认证}@Overrideprotected void configure(HttpSecurity http) throws Exception {http.authorizeRequests().anyRequest().authenticated()//所有的请求需要认证即登陆后才能访问.and().formLogin().loginPage("/login").failureUrl("/login?error").permitAll() //登录页面可任意访问.and().logout().permitAll();//注销请求可任意访问}
}

1.首先当我们要自定义Spring Security的时候我们需要继承自WebSecurityConfigurerAdapter来完成，相关配置重写对应 方法即可。
2.我们在这里注册CustomUserService的Bean，然后通过重写configure方法添加我们自定义的认证方式。
3.在configure(HttpSecurity http)方法中，我们设置了登录页面，而且登录页面任何人都可以访问，然后设置了登录失败地址，也设置了注销请求，注销请求也是任何人都可以访问的。
4.permitAll表示该请求任何人都可以访问，.anyRequest().authenticated(),表示其他的请求都必须要有权限认证。
5.这里我们可以通过匹配器来匹配路径，比如antMatchers方法，假设我要管理员才可以访问admin文件夹下的内容，我可以这样来写：.antMatchers(“/admin/”).hasRole(“ROLE_ADMIN”)，也可以设置admin文件夹下的文件可以有多个角色来访问，写法如下：.antMatchers(“/admin**/**”).hasAnyRole(“ROLE_ADMIN”,”ROLE_USER”)
6.可以通过hasIpAddress来指定某一个ip可以访问该资源,假设只允许访问ip为210.210.210.210的请求获取admin下的资源，写法如下.antMatchers(“/admin/**”).hasIpAddress(“210.210.210.210”)
7.更多的权限控制方式参看下表：

8.这里我们还可以做更多的配置，参考如下代码：

http.authorizeRequests().anyRequest().authenticated().and().formLogin().loginPage("/login")//设置默认登录成功跳转页面.defaultSuccessUrl("/index").failureUrl("/login?error").permitAll().and()//开启cookie保存用户数据.rememberMe()//设置cookie有效期.tokenValiditySeconds(60 * 60 * 24 * 7)//设置cookie的私钥.key("").and().logout()//默认注销行为为logout，可以通过下面的方式来修改.logoutUrl("/logout")//设置注销成功后跳转页面，默认是跳转到登录页面.logoutSuccessUrl("").permitAll();

创建登录页面

在template文件夹中创建login.html页面，内容如下：

<!DOCTYPE html>
<html lang="en" xmlns:th="http://www.thymeleaf.org">
<head><meta charset="UTF-8"/><title>登录</title><link rel="stylesheet" th:href="@{css/bootstrap.min.css}"/><style type="text/css">body {padding-top: 50px;}.starter-template {padding: 40px 15px;text-align: center;}</style>
</head>
<body>
<nav class="navbar navbar-inverse navbar-fixed-top"><div class="container"><div class="navbar-header"><a class="navbar-brand" href="#">Spring Security演示</a></div><div id="navbar" class="collapse navbar-collapse"><ul class="nav navbar-nav"><li><a th:href="@{/}">首页</a></li><li><a th:href="@{http://www.baidu.com}">百度</a></li></ul></div></div>
</nav>
<div class="container"><div class="starter-template"><p th:if="${param.logout}" class="bg-warning">已注销</p><p th:if="${param.error}" class="bg-danger">有错误，请重试</p><h2>使用账号密码登录</h2><form class="form-signin" role="form" name="form" th:action="@{/login}" action="/login" method="post"><div class="form-group"><label for="username">账号</label><input type="text" class="form-control" name="username" value="" placeholder="账号"/></div><div class="form-group"><label for="password">密码</label><input type="password" class="form-control" name="password" placeholder="密码"/></div><input type="submit" id="login" value="Login" class="btn btn-primary"/></form></div>
</div>
</body>
</html>

创建登录成功后跳转页面

index.html

<!DOCTYPE html>
<html lang="en" xmlns:th="http://www.thymeleaf.org"xmlns:sec="http://www.thymeleaf.org/thymeleaf-extras-springsecurity4">
<head><meta charset="UTF-8"/><title sec:authentication="name"></title><link rel="stylesheet" th:href="@{css/bootstrap.min.css}"/><style type="text/css">body {padding-top: 50px;}.starter-template {padding: 40px 15px;text-align: center;}</style>
</head>
<body>
<nav class="navbar navbar-inverse navbar-fixed-top"><div class="container"><div class="navbar-header"><a class="navbar-brand" href="#">Spring Security演示</a></div><div id="navbar" class="collapse navbar-collapse"><ul class="nav navbar-nav"><li><a th:href="@{/}">首页</a></li><li><a th:href="@{http://www.baidu.com}">百度</a></li></ul></div></div>
</nav>
<div class="container"><div class="starter-template"><h1 th:text="${msg.title}"></h1><p class="bg-primary" th:text="${msg.content}"></p><div sec:authorize="hasRole('ROLE_ADMIN')"><p class="bg-info" th:text="${msg.extraInfo}"></p></div><div sec:authorize="hasRole('ROLE_USER')"><p class="bg-info">无更多显示信息</p></div><form th:action="@{/logout}" method="post"><input type="submit" class="btn btn-primary" value="注销"/></form></div>
</div>
</body>
</html>

这里有如下几个问题需要说明：

1.在html标签中我们引入的Spring Security
2.通过sec:authentication=”name”我们可以获取当前用户名
3.sec:authorize="hasRole('ROLE_ADMIN')表示当前用户角色为ROLE_ADMIN的话显示里边的内容
4.sec:authorize="hasRole('ROLE_USER')表示当前用户角色为ROLE_USER的话显示该DIV里边的内容

添加控制器

package com.wangh.springboot_security.controller;import org.springframework.stereotype.Controller;
import org.springframework.ui.Model;
import org.springframework.web.bind.annotation.RequestMapping;import com.wangh.springboot_security.model.Msg;@Controller
public class HomeController {@RequestMapping("/")public String index(Model model) {Msg msg = new Msg("标题", "内容", "额外信息，只对管理员显示");model.addAttribute("msg", msg);return "index";}
}

测试

访问http://localhost:8080/自动跳转到http://localhost:8080/login

使用正确用户和错误用户分别登陆，可以看出正常运行。