Spring Security is a library for authentication and resource authorization management. This is a brief record of the process of integrating Spring Security into a Spring Boot project.
WebSecurityConfiguration
The integration is mainly a WebSecurityConfiguration class:
    @Override
    protected void configure(AuthenticationManagerBuilder auth) throws Exception {
        auth
            // where users are loaded from
            .userDetailsService(getUserDetailsService())
            // how passwords are encoded and checked; this encoder does no
            // hashing: it stores and compares the raw password as-is
            .passwordEncoder(new PasswordEncoder() {
                @Override
                public String encode(CharSequence rawPassword) {
                    return rawPassword.toString();
                }

                @Override
                public boolean matches(CharSequence rawPassword, String encodedPassword) {
                    return rawPassword.toString().equals(encodedPassword);
                }
            });
    }
- Extend WebSecurityConfigurerAdapter and override the configure method. There you can set the source of users with userDetailsService(UserDetailsService uds); the UserDetailsService determines how a user is loaded.
  For example, look the user up in the database by username:
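    @Bean
    public UserDetailsService getUserDetailsService() {
        // UserDetailsService has a single method, loadUserByUsername(String),
        // so it can be written as a lambda.
        return username -> {
            // SysUser must implement UserDetails to be returned here
            SysUser user = userRepository.getSysUserByUsername(username);
            if (user != null) {
                return user;
            } else {
                throw new UsernameNotFoundException("no such user name.");
            }
        };
    }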
- You can set the password verification mechanism:

    .passwordEncoder(new PasswordEncoder() {
        @Override
        public String encode(CharSequence rawPassword) {
            return rawPassword.toString();
        }

        @Override
        public boolean matches(CharSequence rawPassword, String encodedPassword) {
            return rawPassword.toString().equals(encodedPassword);
        }
    });
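The PasswordEncoder sets how a password is encoded for storage (encode) and how a submitted password is matched against the stored value (matches). The encoder shown here returns the raw password unchanged, so passwords are stored and compared in plaintext; a hashing encoder such as BCryptPasswordEncoder avoids that.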
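As an added example (not code from the original post), the class below puts the plaintext encoder from this page beside Spring Security's delegating bcrypt encoder and shows how rows already stored in plaintext can be migrated. The class name, the helper upgradeIfNeeded and the sample password are constructed for illustration; it assumes spring-security-crypto is on the classpath.

```java
import org.springframework.security.crypto.factory.PasswordEncoderFactories;
import org.springframework.security.crypto.password.PasswordEncoder;

// Added example: class name, helper and sample values are constructed.
public class PasswordEncoderMigrationDemo {

    // Same behaviour as the anonymous encoder on this page: no hashing at all.
    static final PasswordEncoder PLAINTEXT = new PasswordEncoder() {
        @Override
        public String encode(CharSequence rawPassword) {
            return rawPassword.toString();
        }
        @Override
        public boolean matches(CharSequence rawPassword, String encodedPassword) {
            return rawPassword.toString().equals(encodedPassword);
        }
    };

    // Delegating encoder: hashes new passwords with bcrypt and stores them as
    // "{bcrypt}<hash>"; the "{id}" prefix selects the encoder used for matching.
    static final PasswordEncoder HASHING =
            PasswordEncoderFactories.createDelegatingPasswordEncoder();

    // Call after a successful login: returns the value to store, re-encoded
    // when the stored form is not the current default encoding.
    static String upgradeIfNeeded(String rawPassword, String stored) {
        return HASHING.upgradeEncoding(stored) ? HASHING.encode(rawPassword) : stored;
    }

    public static void main(String[] args) {
        String raw = "correct horse battery staple"; // constructed sample password
        // What a database row holds under each encoder.
        System.out.println("plaintext row: " + PLAINTEXT.encode(raw));
        String first = HASHING.encode(raw);
        String second = HASHING.encode(raw);
        System.out.println("hashed row:    " + first);
        // bcrypt salts every hash, so equal passwords give different rows.
        System.out.println("rows differ:   " + !first.equals(second));
        System.out.println("both match:    "
                + (HASHING.matches(raw, first) && HASHING.matches(raw, second)));
        // Migration: prefix an existing plaintext row with "{noop}" so it
        // still verifies, then replace it with a bcrypt hash on next login.
        String legacy = "{noop}" + raw;
        System.out.println("legacy match:  " + HASHING.matches(raw, legacy));
        String upgraded = upgradeIfNeeded(raw, legacy);
        System.out.println("after login:   " + upgraded);
        System.out.println("still matches: " + HASHING.matches(raw, upgraded));
    }
}
```

In the configure(AuthenticationManagerBuilder) method above, such an encoder would be passed to .passwordEncoder(...) in place of the anonymous class.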
Control access to requests
HttpSecurity provides configuration methods such as:
- csrf
- antMatchers
- formLogin
- logout
Each of these can be configured further, for example:
- disable(): turns a feature off, such as csrf
- permitAll(): no permission required
- authenticated(): the request requires an authenticated user
And so on.
Example:
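    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            // CSRF protection is enabled by default; csrf() exposes its configurer
            .csrf()
                .and()
            .authorizeRequests()
                // "/api/*" matches a single path segment only;
                // "/api/**" would also cover nested paths such as /api/a/b
                .antMatchers("/api/*")
                .authenticated()
                .antMatchers("/")
                .authenticated()
                .and()
            .formLogin()
                .loginPage("/login/page")
                .defaultSuccessUrl("/out")
                .loginProcessingUrl("/login")
                .failureUrl("/e")
                .permitAll()
                .and()
            .logout()
                .logoutUrl("/logout")
                .logoutSuccessUrl("/out")
                .permitAll();
        // CsrfFilter has no no-arg constructor; it needs a CsrfTokenRepository
        // (HttpSessionCsrfTokenRepository, org.springframework.security.web.csrf).
        // csrf() above already registers a CsrfFilter, so this one is redundant.
        CsrfFilter csrfFilter = new CsrfFilter(new HttpSessionCsrfTokenRepository());
        http.addFilterAfter(csrfFilter, CsrfFilter.class);
    }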