Preparation
First, build a simple web project to which security controls will be added later, or use the previous chapter3-1-2 as the base project. To learn how to build web applications with Spring Boot, read "Spring Boot developing Web Applications".
The Web layer implements the request mapping
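import org.springframework.stereotype.Controller;
import org.springframework.web.bind.annotation.RequestMapping;

@Controller
public class HelloController {

    // "/" renders templates/index.html
    @RequestMapping("/")
    public String index() {
        return "index";
    }

    // "/hello" renders templates/hello.html
    @RequestMapping("/hello")
    public String hello() {
        return "hello";
    }
}

/ maps to index.html
/hello maps to hello.html

Implement the mapped pages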
src/main/resources/templates/index.html
Welcome to Spring Security!
Click here to say hello
src/main/resources/templates/hello.html
Hello world!
Integrating Spring Security
In this section, we apply access control to the /hello page so that only an authorized user can open it. A user without permission is sent to the login page.
Add the dependency
Add the following configuration to pom.xml to introduce a dependency on Spring Security.
Create the Spring Security configuration class WebSecurityConfig as follows:
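import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;

@Configuration
@EnableWebSecurity
public class WebSecurityConfig extends WebSecurityConfigurerAdapter {

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            .authorizeRequests()
                .antMatchers("/", "/home").permitAll()  // public paths
                .anyRequest().authenticated()           // everything else requires a login
                .and()
            .formLogin()
                .loginPage("/login")                    // custom login page, open to everyone
                .permitAll()
                .and()
            .logout()
                .permitAll();
    }

    // Demo-only in-memory user with a plain-text password. Spring Security 5 and
    // later reject this at login unless the password carries an encoder id such
    // as {noop} or a PasswordEncoder is configured.
    @Autowired
    public void configureGlobal(AuthenticationManagerBuilder auth) throws Exception {
        auth
            .inMemoryAuthentication()
                .withUser("user").password("password").roles("USER");
    }
}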
The @EnableWebSecurity annotation turns on Spring Security's web security support, and the class extends WebSecurityConfigurerAdapter to customize it. The configure(HttpSecurity http) method uses authorizeRequests() to define which URLs need to be protected and which do not. In the code above, / and /home are accessible without any authentication, and all other paths must be authenticated. formLogin() defines the login page to go to when the user needs to log in. The configureGlobal(AuthenticationManagerBuilder auth) method creates a user in memory with the user name user, the password password, and the role USER.

Add the login request and page
After completing the Spring Security configuration, the login part is still missing.
Add a /login request mapping that returns login.html to HelloController:

@Controller
public class HelloController {

    // omit the previous content...

    @RequestMapping("/login")
    public String login() {
        return "login";
    }
}

The new login page: src/main/resources/templates/login.html
Based on this configuration, Spring Security provides a filter that intercepts requests and authenticates users. If authentication fails, the page redirects to /login?error and the corresponding error message is displayed on the page. To log out, users access /login?logout, which displays a success message after the logout is complete.
At this point, start the application and go to http://localhost:8080/, which works normally. Visiting http://localhost:8080/hello, however, redirects to http://localhost:8080/login, because the user has not logged in and has no access. After logging in with the user name user and the password password, the browser jumps to the Hello World page. Visiting http://localhost:8080/login?logout then completes the logout.
To make the whole process more complete, we can modify hello.html to output something and provide a link to “log out.”
Hello [[${#httpServletRequest.remoteUser}]]!
Source: http://minglisoft.cn/honghu/technology.html