SpringBoot+SpringSecurity实现访问权限控制案例


本项目使用IDEA创建,Eclipse用户可以参考


一、项目目录




二、项目依赖

<?xml version="1.0" encoding="UTF-8"?>
<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
    <modelVersion>4.0.0</modelVersion>

    <groupId>com.example</groupId>
    <artifactId>demo</artifactId>
    <version>0.0.1-SNAPSHOT</version>
    <packaging>jar</packaging>

    <name>demo</name>
    <description>Demo project for Spring Boot</description>

    <parent>
        <groupId>org.springframework.boot</groupId>
        <artifactId>spring-boot-starter-parent</artifactId>
        <!-- Spring Boot 1.5.x line. The plain-text in-memory passwords in
             SpringSecurityConfig depend on this generation of Spring Security;
             NOTE(review): a later Boot/Security line is expected to require a
             PasswordEncoder for those accounts - confirm before upgrading. -->
        <version>1.5.7.RELEASE</version>
        <relativePath/> <!-- lookup parent from repository -->
    </parent>

    <properties>
        <project.build.sourceEncoding>UTF-8</project.build.sourceEncoding>
        <project.reporting.outputEncoding>UTF-8</project.reporting.outputEncoding>
        <java.version>1.8</java.version>
    </properties>

    <dependencies>
        <dependency>
            <groupId>org.springframework.boot</groupId>
            <artifactId>spring-boot-starter-aop</artifactId>
        </dependency>
        <dependency>
            <groupId>org.springframework.boot</groupId>
            <artifactId>spring-boot-starter-security</artifactId>
        </dependency>
        <dependency>
            <groupId>org.springframework.boot</groupId>
            <artifactId>spring-boot-starter-thymeleaf</artifactId>
        </dependency>
        <dependency>
            <groupId>org.springframework.boot</groupId>
            <artifactId>spring-boot-starter-web</artifactId>
        </dependency>
        <dependency>
            <groupId>org.springframework.boot</groupId>
            <artifactId>spring-boot-starter-test</artifactId>
            <scope>test</scope>
        </dependency>
        <dependency>
            <groupId>org.springframework.security</groupId>
            <artifactId>spring-security-test</artifactId>
            <scope>test</scope>
        </dependency>
        <!-- Thymeleaf Spring Security dialect: provides the sec:authorize /
             sec:authentication attributes used in fragments/footer.html; optional -->
        <dependency>
            <groupId>org.thymeleaf.extras</groupId>
            <artifactId>thymeleaf-extras-springsecurity4</artifactId>
        </dependency>
        <!-- Bootstrap webjar referenced from fragments/header.html and footer.html; optional -->
        <dependency>
            <groupId>org.webjars</groupId>
            <artifactId>bootstrap</artifactId>
            <version>3.3.7</version>
        </dependency>
    </dependencies>

    <build>
        <plugins>
            <plugin>
                <groupId>org.springframework.boot</groupId>
                <artifactId>spring-boot-maven-plugin</artifactId>
            </plugin>
        </plugins>
    </build>
</project>

三、SpringSecurity配置

在com.example下建立config包,新建SpringSecurityConfig类

SpringSecurityConfig.java

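package com.example.config;

import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.web.access.AccessDeniedHandler;

/**
 * Web security configuration for the demo.
 *
 * <p>Declares which URLs are public, restricts {@code /admin/**} and
 * {@code /user/**} to the ADMIN and USER roles, registers the custom
 * login page at {@code /login}, and routes authorization failures to the
 * injected {@link AccessDeniedHandler}.
 */
@Configuration
public class SpringSecurityConfig extends WebSecurityConfigurerAdapter {

    // Resolved to MyAccessDeniedHandler, the only AccessDeniedHandler bean
    // declared in this project (see package com.example.error).
    @Autowired
    private AccessDeniedHandler accessDeniedHandler;

    /**
     * Configures request authorization, form login and 403 handling.
     *
     * <ul>
     *   <li>{@code /}, {@code /home}, {@code /about}: open to everyone</li>
     *   <li>{@code /admin/**}: role ADMIN only</li>
     *   <li>{@code /user/**}: role USER only</li>
     *   <li>everything else: any authenticated user</li>
     * </ul>
     *
     * @param http the builder supplied by Spring Security
     * @throws Exception propagated from the builder API
     */
    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
                // CSRF protection is switched off for this demo. Note that the
                // footer fragment logs out via a plain GET link to /logout, which
                // only works while CSRF is disabled; re-enabling CSRF (advisable
                // for anything beyond a demo) also requires that link to become
                // a POST form like the ones on the admin and user pages.
                .csrf().disable()
                .authorizeRequests()
                        // Ant patterns are compared against the request path, which
                        // always starts with "/". The original bare "home" pattern
                        // could therefore never match, and /home fell through to
                        // anyRequest().authenticated() instead of being public.
                        .antMatchers("/", "/home", "/about").permitAll()
                        .antMatchers("/admin/**").hasRole("ADMIN")
                        .antMatchers("/user/**").hasRole("USER")
                        .anyRequest().authenticated()
                        .and()
                .formLogin()
                        .loginPage("/login")
                        .permitAll()
                        .and()
                .exceptionHandling()
                        .accessDeniedHandler(accessDeniedHandler);
    }

    /**
     * Registers two in-memory accounts: {@code user} (role USER) and
     * {@code admin} (role ADMIN), both with the password {@code password}.
     * Replace this with a database-backed user store for real use.
     *
     * <p>NOTE(review): the passwords are stored as plain text, which the
     * Spring Security generation pulled in by Spring Boot 1.5.7 accepts;
     * newer lines are expected to require a PasswordEncoder - confirm on
     * upgrade.
     *
     * @param authenticationManagerBuilder the builder supplied by Spring Security
     * @throws Exception propagated from the builder API
     */
    @Autowired
    public void configureGlobal(AuthenticationManagerBuilder authenticationManagerBuilder) throws Exception {
        authenticationManagerBuilder.inMemoryAuthentication()
                .withUser("user").password("password").roles("USER")
                .and()
                .withUser("admin").password("password").roles("ADMIN");
    }
}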

新建error包,新建MyAccessDeniedHandler类,这个类的作用是处理403(访问拒绝)错误

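package com.example.error;

import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.security.access.AccessDeniedException;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.security.web.access.AccessDeniedHandler;
import org.springframework.stereotype.Component;

import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import java.io.IOException;

/**
 * Handles requests that pass authentication but fail an authorization check
 * (for example a USER-role account opening {@code /admin}): records who tried
 * to reach which URI, then redirects to the application's {@code /403} page.
 *
 * <p>Registered in SpringSecurityConfig via
 * {@code exceptionHandling().accessDeniedHandler(...)}.
 */
@Component
public class MyAccessDeniedHandler implements AccessDeniedHandler {

    private static final Logger logger = LoggerFactory.getLogger(MyAccessDeniedHandler.class);

    /**
     * Logs the denied access and redirects the client to {@code /403}.
     *
     * @param httpServletRequest  the request that was denied
     * @param httpServletResponse the response used to issue the redirect
     * @param e                   the exception raised by the authorization check; not rethrown
     * @throws IOException      if the redirect cannot be written
     * @throws ServletException declared by the interface; not thrown here
     */
    @Override
    public void handle(HttpServletRequest httpServletRequest,
                       HttpServletResponse httpServletResponse,
                       AccessDeniedException e) throws IOException, ServletException {
        Authentication auth = SecurityContextHolder.getContext().getAuthentication();
        if (auth != null) {
            // Parameterized logging instead of string concatenation: the
            // arguments are only rendered when INFO is enabled. The URI is
            // client-supplied, so treat this line as untrusted data when
            // parsing logs.
            logger.info("User '{}' attempted to access the protected URL: {}",
                    auth.getName(), httpServletRequest.getRequestURI());
        }
        // The context path is prepended so the redirect also works when the
        // application is not deployed at the server root.
        httpServletResponse.sendRedirect(httpServletRequest.getContextPath() + "/403");
    }
}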

四、SpringBoot相关

新建controller包,新建DefaultController类

(这里的@GetMapping就是@RequestMapping(method = RequestMethod.GET)的缩写)

DefaultController.java

package com.example.controller;

import org.springframework.stereotype.Controller;
import org.springframework.web.bind.annotation.GetMapping;

/**
 * Maps the demo's URLs to Thymeleaf view names (the templates under
 * {@code templates/}). The controller performs no authorization itself;
 * which of these URLs require a login or a role is decided entirely by
 * the matchers in SpringSecurityConfig.
 */
@Controller
public class DefaultController {

    /** Root URL; renders the same home view as {@code /home}. */
    @GetMapping("/")
    public String home1(){
        return "/home";
    }

    /** Public home page ({@code templates/home.html}). */
    @GetMapping("/home")
    public String home() {
        return "/home";
    }

    /** Admin page; SpringSecurityConfig restricts {@code /admin/**} to role ADMIN. */
    @GetMapping("/admin")
    public String admin() {
        return "/admin";
    }

    /** User page; SpringSecurityConfig restricts {@code /user/**} to role USER. */
    @GetMapping("/user")
    public String user() {
        return "/user";
    }

    /** Public page; listed in SpringSecurityConfig's permitAll() matchers. */
    @GetMapping("/about")
    public String about() {
        return "/about";
    }

    /** Custom login page named in {@code formLogin().loginPage("/login")}. */
    @GetMapping("/login")
    public String login() {
        return "/login";
    }

    /**
     * Target of the redirect issued by MyAccessDeniedHandler;
     * renders {@code templates/error/403.html}.
     */
    @GetMapping("/403")
    public String error403() {
        return "/error/403";
    }
}

项目自动创建的DemoApplication

package com.example.demo;

import org.springframework.boot.SpringApplication;
import org.springframework.boot.autoconfigure.SpringBootApplication;
import org.springframework.context.annotation.ComponentScan;

/**
 * Application entry point.
 *
 * <p>This class lives in {@code com.example.demo}, while the configuration,
 * controller and error-handler classes live in sibling packages under
 * {@code com.example}. The explicit {@code @ComponentScan("com.example")}
 * widens the scan so those beans are discovered.
 */
@SpringBootApplication
@ComponentScan("com.example")
public class DemoApplication {

    /**
     * Boots the Spring context for this application.
     *
     * @param args command-line arguments passed through to Spring Boot
     */
    public static void main(String[] args) {
        SpringApplication application = new SpringApplication(DemoApplication.class);
        application.run(args);
    }
}

至此后台就写完了


五、静态页面

注意页面都是放在templates下的

templates/login.html

<!DOCTYPE html>
<!-- Custom login page registered through formLogin().loginPage("/login") in
     SpringSecurityConfig. The form POSTs to /login; SpringSecurityConfig does not
     override the parameter names, so the "username"/"password" fields and the
     ?error / ?logout query parameters rely on Spring Security's defaults. -->
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:th="http://www.thymeleaf.org">
<head>
    <title>Spring Security Example </title>
    <div th:replace="fragments/header :: header-css"/>
</head>
<body>
<div th:replace="fragments/header :: header"/>
<div class="container">
    <div class="row" style="margin-top:20px">
        <div class="col-xs-12 col-sm-8 col-md-6 col-sm-offset-2 col-md-offset-3">
            <form th:action="@{/login}" method="post">
                <fieldset>
                    <h1>请登录</h1>
                    <!-- shown after a failed login -->
                    <div th:if="${param.error}">
                        <div class="alert alert-danger">
                            无效的用户名和密码
                        </div>
                    </div>
                    <!-- shown after a logout -->
                    <div th:if="${param.logout}">
                        <div class="alert alert-info">
                            您已注销
                        </div>
                    </div>
                    <div class="form-group">
                        <input type="text" name="username" id="username" class="form-control input-lg"
                               placeholder="UserName" required="true" autofocus="true"/>
                    </div>
                    <div class="form-group">
                        <input type="password" name="password" id="password" class="form-control input-lg"
                               placeholder="Password" required="true"/>
                    </div>
                    <div class="row">
                        <div class="col-xs-6 col-sm-6 col-md-6">
                            <input type="submit" class="btn btn-lg btn-primary btn-block" value="Sign In"/>
                        </div>
                        <div class="col-xs-6 col-sm-6 col-md-6">
                        </div>
                    </div>
                </fieldset>
            </form>
        </div>
    </div>
</div>
<div th:replace="fragments/footer :: footer"/>
</body>
</html>

templates/home.html

<!DOCTYPE HTML>
<!-- Public landing page (served for both / and /home by DefaultController).
     It only links to the protected pages; the access rules live in SpringSecurityConfig. -->
<html xmlns:th="http://www.thymeleaf.org">
<head>
    <title>Spring Boot Thymeleaf + Spring Security</title>
    <div th:replace="fragments/header :: header-css"/>
</head>
<body>
<div th:replace="fragments/header :: header"/>
<div class="container">
    <div class="starter-template">
        <h1>SpringSecurity案例演示</h1>
        <h2>1. 访问 <a th:href="@{/admin}">管理员页面 (受到SpringSecurity保护,需要管理员权限)</a></h2>
        <h2>2. 访问 <a th:href="@{/user}">普通用户页面 (受到SpringSecurity保护,需要会员权限)</a></h2>
        <h2>3. 访问 <a th:href="@{/about}">普通页面</a></h2>
    </div>
</div><!-- /.container -->
<div th:replace="fragments/footer :: footer"/>
</body>
</html>

templates/admin.html

<!DOCTYPE HTML>
<!-- Admin page; reachable only with role ADMIN per SpringSecurityConfig.
     The greeting uses [[...]] inlining, which HTML-escapes the user name.
     Logout is a POST form, so it keeps working if CSRF protection is re-enabled. -->
<html xmlns:th="http://www.thymeleaf.org">
<head>
    <div th:replace="fragments/header :: header-css"/>
</head>
<body>
<div th:replace="fragments/header :: header"/>
<div class="container">
    <div class="starter-template">
        <h1>管理员页面 (受到SpringSecurity保护)</h1>
        <h1 th:inline="text">你好 [[${#httpServletRequest.remoteUser}]]!</h1>
        <form th:action="@{/logout}" method="post">
            <input type="submit" value="注销"/>
        </form>
    </div>
</div><!-- /.container -->
<div th:replace="fragments/footer :: footer"/>
</body>
</html>

templates/user.html

<!DOCTYPE HTML>
<!-- User page; reachable only with role USER per SpringSecurityConfig.
     The greeting uses [[...]] inlining, which HTML-escapes the user name.
     Logout is a POST form, so it keeps working if CSRF protection is re-enabled. -->
<html xmlns:th="http://www.thymeleaf.org">
<head>
    <div th:replace="fragments/header :: header-css"/>
</head>
<body>
<div th:replace="fragments/header :: header"/>
<div class="container">
    <div class="starter-template">
        <h1>普通用户界面 (受到SpringSecurity保护)</h1>
        <h1 th:inline="text">Hello [[${#httpServletRequest.remoteUser}]]!</h1>
        <form th:action="@{/logout}" method="post">
            <input type="submit" value="注销"/>
        </form>
    </div>
</div><!-- /.container -->
<div th:replace="fragments/footer :: footer"/>
</body>
</html>

templates/about.html

<!DOCTYPE HTML>
<!-- Public page; /about is in SpringSecurityConfig's permitAll() list, so no login is needed. -->
<html xmlns:th="http://www.thymeleaf.org">
<head>
    <div th:replace="fragments/header :: header-css"/>
</head>
<body>
<div th:replace="fragments/header :: header"/>
<div class="container">
    <div class="starter-template">
        <h1>普通页面 (无需登陆)</h1>
    </div>
</div><!-- /.container -->
<div th:replace="fragments/footer :: footer"/>
</body>
</html>

templates/error/403.html

<!DOCTYPE HTML>
<!-- Access-denied page. MyAccessDeniedHandler redirects here (to /403) after logging the
     attempt; DefaultController maps /403 to this template. The user name is rendered with
     [[...]] inlining, which HTML-escapes it. -->
<html xmlns:th="http://www.thymeleaf.org">
<head>
    <div th:replace="fragments/header :: header-css"/>
</head>
<body>
<div th:replace="fragments/header :: header"/>
<div class="container">
    <div class="starter-template">
        <h1>403 - 访问拒绝</h1>
        <div th:inline="text">你好 '[[${#httpServletRequest.remoteUser}]]',
            您没有访问此页面的权限.</div>
    </div>
</div><!-- /.container -->
<div th:replace="fragments/footer :: footer"/>
</body>
</html>

templates/fragments/footer.html

<!-- Footer fragment. The sec: attributes come from thymeleaf-extras-springsecurity4 (pom.xml)
     and show the logged-in name and authorities only for authenticated users.
     NOTE(review): the logout link below is a plain GET to /logout; it relies on CSRF
     protection being disabled in SpringSecurityConfig. If CSRF is re-enabled, turn it into a
     POST form like the ones on admin.html and user.html. -->
<html xmlns="http://www.w3.org/1999/xhtml"
      xmlns:th="http://www.thymeleaf.org"
      xmlns:sec="http://www.thymeleaf.org/thymeleaf-extras-springsecurity4">
<head></head>
<body>
<div th:fragment="footer">
    <div class="container">
        <footer>
            <!-- this is footer -->
            © 2017/10/11
            <span sec:authorize="isAuthenticated()">
                | 登陆用户: <span sec:authentication="name"></span> |
                权限: <span sec:authentication="principal.authorities"></span> |
                <a th:href="@{/logout}">注销</a>
            </span>
            <!-- relative (not context-aware) path to the Bootstrap webjar; see the note in header.html -->
            <script type="text/javascript"
                    src="webjars/bootstrap/3.3.7/js/bootstrap.min.js"></script>
        </footer>
    </div>
</div>
</body>
</html>

templates/fragments/header.html

<!-- Header fragments: "header-css" is pulled into each page's <head>, "header" renders the navbar. -->
<html xmlns:th="http://www.thymeleaf.org">
<head>
    <div th:fragment="header-css">
        <!-- this is header-css -->
        <!-- NOTE(review): the Bootstrap href is a plain relative path, resolved against the
             current page URL by the browser. It works for the single-segment routes in this
             demo (/, /home, /admin, ...); a th:href="@{/webjars/...}" form would also survive
             deeper paths and a non-root context path. -->
        <link rel="stylesheet" type="text/css"
              href="webjars/bootstrap/3.3.7/css/bootstrap.min.css" />
        <link rel="stylesheet" th:href="@{/css/main.css}"
              href="../../css/main.css" />
    </div>
</head>
<body>
<div th:fragment="header">
    <!-- this is header -->
    <nav class="navbar navbar-inverse">
        <div class="container">
            <div class="navbar-header">
                <a class="navbar-brand" th:href="@{/}">SpringSecurity</a>
            </div>
            <div id="navbar" class="collapse navbar-collapse">
                <ul class="nav navbar-nav">
                    <li class="active"><a th:href="@{/}">主页</a></li>
                </ul>
            </div>
        </div>
    </nav>
</div>
</body>
</html>

CSS样式文件

static/css/main.css

/* Demo styling, served from static/css/main.css and linked by fragments/header.html. */

/* page titles */
h1 {
    color: #0000FF;
}

/* link headings on home.html */
h2 {
    color: #FF0000;
}

/* keep the footer fragment clear of the page content */
footer {
    margin-top: 60px;
}


接下来就可以运行了,在地址栏输入http://localhost:8080/


点击管理员页面,跳转进入登录页面,输入管理员账号密码(admin / password),点击登录




点击注销退出到登录页面,再次进入home页面,点击访问普通用户页面,输入普通用户账号密码(user / password)



如果用普通用户账号去访问管理员页面的话,则会跳转到403页面


再次注销并回到主页,点击访问普通页面,这个页面是无需任何权限的



项目参考地址

点击打开链接


完整项目下载地址:点击打开链接
