02 - spring security基于配置文件及内存的账号密码

spring security基于配置的账号密码

文档

1. 00 - spring security框架使用
2. 01 - spring security自定义登录页面

yml文件中配置账号密码

spring:
  security:
    user:
      name: admin
      password: 123456

• yml文件中配置账号密码后，控制台将不再输出临时密码

基于内存的账号密码

调整配置类WebSecurityConfig.java

package xin.yangshuai.springsecurity03.config;

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.Customizer;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configurers.ExpressionUrlAuthorizationConfigurer;
import org.springframework.security.config.annotation.web.configurers.FormLoginConfigurer;
import org.springframework.security.core.userdetails.User;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.provisioning.InMemoryUserDetailsManager;
import org.springframework.security.web.SecurityFilterChain;

@Configuration
// @EnableWebSecurity
public class WebSecurityConfig {

    @Bean
    public UserDetailsService userDetailsService() {
        InMemoryUserDetailsManager manager = new InMemoryUserDetailsManager();
        // 此时配置文件中的用户名和密码将不可用
        manager.createUser(User.withDefaultPasswordEncoder().username("user").password("password").roles("USER").build());
        return manager;
    }

    @Bean
    public SecurityFilterChain filterChain(HttpSecurity http) throws Exception {

        // 开启授权保护
        http.authorizeRequests(new Customizer<ExpressionUrlAuthorizationConfigurer<HttpSecurity>.ExpressionInterceptUrlRegistry>() {
            @Override
            public void customize(ExpressionUrlAuthorizationConfigurer<HttpSecurity>.ExpressionInterceptUrlRegistry expressionInterceptUrlRegistry) {

                expressionInterceptUrlRegistry
                        // 对所有请求开启授权保护
                        .anyRequest()
                        // 已经认证的请求会被自动授权
                        .authenticated();
            }
        });

        // 自定义登录页面
        http.formLogin(new Customizer<FormLoginConfigurer<HttpSecurity>>() {
            @Override
            public void customize(FormLoginConfigurer<HttpSecurity> httpSecurityFormLoginConfigurer) {
                // 自定义登录页，并且设置无需授权允许访问
                httpSecurityFormLoginConfigurer.loginPage("/login").permitAll();
                // 配置自定义表单的用户名参数，默认值：username
                httpSecurityFormLoginConfigurer.usernameParameter("myusername");
                // 配置自定义表单的密码参数，默认值：password
                httpSecurityFormLoginConfigurer.passwordParameter("mypassword");
                // 校验失败时跳转的地址，默认值：/login?error
                httpSecurityFormLoginConfigurer.failureUrl("/login?error");
            }
        });

        return http.build();
    }
}

• 创建一个类型为UserDetailsService的Bean，实现类InMemoryUserDetailsManager可直接配置账号密码
• 此时yml配置文件中的用户名和密码将不可用
• 基于数据库的账号密码，也是在自定义的UserDetailsService实现类中，实现登录认证