Enterprise distributed microservice cloud: Spring Cloud, Spring Boot, MyBatis (VI): Security control with Spring Security in Spring Boot

Source: Internet
Author: User

Preparatory work

First, build a simple web project to which security controls can be added later, or use Chapter3-1-2 as the base project. If you are building a web app with Spring Boot, you can first read the article "Spring Boot Development web App".

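Web tier: implementing the request mappings

    import org.springframework.stereotype.Controller;
    import org.springframework.web.bind.annotation.RequestMapping;

    @Controller
    public class HelloController {

        // "/" renders the index view
        @RequestMapping("/")
        public String index() {
            return "index";
        }

        // "/hello" renders the hello view
        @RequestMapping("/hello")
        public String hello() {
            return "hello";
        }
    }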

  

  • /: maps to index.html
  • /hello: maps to hello.html
Implementing a mapped page
  • src/main/resources/templates/index.html
    <!DOCTYPE html>

  • src/main/resources/templates/hello.html
    <!DOCTYPE html>

      

index.html provides a link to /hello. There is obviously no security control here, so clicking the link jumps directly to the hello.html page.

Integrate Spring Security

In this section we put access control on the /hello page: it must only be accessible to authorized users. When a user without permission requests it, they are redirected to the login page.

Add dependency

Add the following configuration to pom.xml to introduce the dependency on Spring Security.

    <dependencies>
        ...
        <dependency>
            <groupId>org.springframework.boot</groupId>
            <artifactId>spring-boot-starter-security</artifactId>
        </dependency>
        ...
    </dependencies>

      

Spring Security Configuration

Create a Spring Security configuration class, WebSecurityConfig, as follows:

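    import org.springframework.beans.factory.annotation.Autowired;
    import org.springframework.context.annotation.Configuration;
    import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
    import org.springframework.security.config.annotation.web.builders.HttpSecurity;
    import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
    import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;

    @Configuration
    @EnableWebSecurity
    public class WebSecurityConfig extends WebSecurityConfigurerAdapter {

        @Override
        protected void configure(HttpSecurity http) throws Exception {
            http
                .authorizeRequests()
                    .antMatchers("/", "/home").permitAll() // public paths
                    .anyRequest().authenticated()          // everything else needs a login
                    .and()
                .formLogin()
                    .loginPage("/login")                   // custom login page
                    .permitAll()
                    .and()
                .logout()
                    .permitAll();
        }

        @Autowired
        public void configureGlobal(AuthenticationManagerBuilder auth) throws Exception {
            // single in-memory user for the demo
            auth
                .inMemoryAuthentication()
                    .withUser("user").password("password").roles("USER");
        }
    }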

      

  • The @EnableWebSecurity annotation turns on the functionality of Spring Security.
  • Extend WebSecurityConfigurerAdapter and override its methods to set the web security details.
  • The configure(HttpSecurity http) method:
    • authorizeRequests() defines which URLs need to be protected and which do not. For example, the code above specifies that / and /home are accessible without any authentication, and that all other paths must be authenticated.
    • formLogin() defines the login page to go to when a user is required to log in.
  • The configureGlobal(AuthenticationManagerBuilder auth) method creates a user in memory with the name user, the password password, and the role USER.
New login request and page

With the Spring Security configuration complete, we still lack the login-related content.

Add a /login request mapping to HelloController that maps to login.html:

    @Controller
    public class HelloController {

        // ... previous content omitted ...

        // "/login" renders the login view
        @RequestMapping("/login")
        public String login() {
            return "login";
        }
    }

  

New login page: src/main/resources/templates/login.html

<!DOCTYPE html>

  

As you can see, this implements a simple form that submits a user name and password to /login.

Based on the configuration, Spring Security provides a filter that intercepts requests and authenticates users. If authentication fails, the page is redirected to /login?error and displays the appropriate error message. If the user wants to log out, they can do so by requesting /login?logout; once the logout completes, the page displays the corresponding success message.

Now start the app and visit http://localhost:8080/, which can be accessed normally. Visiting http://localhost:8080/hello, however, redirects to the http://localhost:8080/login page, because the user has not logged in and has no access rights. After logging in with the username user and the password password, you are taken to the Hello World page. Visiting http://localhost:8080/login?logout then completes the logout operation.

To make the whole process more complete, we can modify hello.html so that it outputs some content and provides a "logout" link.

<!DOCTYPE html>

  


This article implements security control for a web application with one of the simplest possible examples. Spring Security provides much more than this; more information is available in the Spring Security Reference.
