Spring Boot 集成 Spring Security 完整示例
Spring Boot 集成 Spring Security 完整示例
下面是一个完整的 Spring Boot 应用集成 Spring Security 的示例,包含用户认证、授权、自定义登录页面和密码加密等功能。
1. 添加依赖
首先在 pom.xml 中添加必要依赖:
<dependencies><!-- Spring Boot Starter Web --><dependency><groupId>org.springframework.boot</groupId><artifactId>spring-boot-starter-web</artifactId></dependency><!-- Spring Security --><dependency><groupId>org.springframework.boot</groupId><artifactId>spring-boot-starter-security</artifactId></dependency><!-- Thymeleaf (用于视图) --><dependency><groupId>org.springframework.boot</groupId><artifactId>spring-boot-starter-thymeleaf</artifactId></dependency><!-- 数据库相关 (使用JPA和H2作为示例) --><dependency><groupId>org.springframework.boot</groupId><artifactId>spring-boot-starter-data-jpa</artifactId></dependency><dependency><groupId>com.h2database</groupId><artifactId>h2</artifactId><scope>runtime</scope></dependency>
</dependencies>
2. 安全配置类
创建安全配置类 SecurityConfig.java:
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
import org.springframework.security.crypto.password.PasswordEncoder;
import org.springframework.security.web.SecurityFilterChain;@Configuration
@EnableWebSecurity
public class SecurityConfig {@Beanpublic SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {http.authorizeHttpRequests(authorize -> authorize.requestMatchers("/", "/home", "/register", "/css/**", "/js/**").permitAll().requestMatchers("/admin/**").hasRole("ADMIN").anyRequest().authenticated()).formLogin(form -> form.loginPage("/login").defaultSuccessUrl("/dashboard").permitAll()).logout(logout -> logout.logoutUrl("/logout").logoutSuccessUrl("/login?logout").permitAll()).exceptionHandling(exception -> exception.accessDeniedPage("/access-denied"));return http.build();}@Beanpublic PasswordEncoder passwordEncoder() {return new BCryptPasswordEncoder();}
}
3. 用户实体和仓库
创建用户实体 User.java:
import javax.persistence.*;
import java.util.Collection;@Entity
@Table(name = "users")
public class User {@Id@GeneratedValue(strategy = GenerationType.IDENTITY)private Long id;@Column(unique = true, nullable = false)private String username;@Column(nullable = false)private String password;@ManyToMany(fetch = FetchType.EAGER)@JoinTable(name = "users_roles",joinColumns = @JoinColumn(name = "user_id"),inverseJoinColumns = @JoinColumn(name = "role_id"))private Collection<Role> roles;// 构造方法、getter和setter
}
创建角色实体 Role.java:
import javax.persistence.*;
import java.util.Collection;@Entity
@Table(name = "roles")
public class Role {@Id@GeneratedValue(strategy = GenerationType.IDENTITY)private Long id;private String name;@ManyToMany(mappedBy = "roles")private Collection<User> users;// 构造方法、getter和setter
}
创建用户仓库 UserRepository.java:
import org.springframework.data.jpa.repository.JpaRepository;public interface UserRepository extends JpaRepository<User, Long> {User findByUsername(String username);
}
4. 用户详情服务
创建自定义用户详情服务 CustomUserDetailsService.java:
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.core.userdetails.UsernameNotFoundException;
import org.springframework.stereotype.Service;@Service
public class CustomUserDetailsService implements UserDetailsService {private final UserRepository userRepository;public CustomUserDetailsService(UserRepository userRepository) {this.userRepository = userRepository;}@Overridepublic UserDetails loadUserByUsername(String username) throws UsernameNotFoundException {User user = userRepository.findByUsername(username);if (user == null) {throw new UsernameNotFoundException("User not found");}return new org.springframework.security.core.userdetails.User(user.getUsername(),user.getPassword(),user.getAuthorities());}
}
5. 控制器
创建控制器 MainController.java:
import org.springframework.stereotype.Controller;
import org.springframework.web.bind.annotation.GetMapping;@Controller
public class MainController {@GetMapping("/")public String home() {return "home";}@GetMapping("/login")public String login() {return "login";}@GetMapping("/dashboard")public String dashboard() {return "dashboard";}@GetMapping("/admin")public String admin() {return "admin";}@GetMapping("/access-denied")public String accessDenied() {return "access-denied";}
}
6. 视图模板
创建 Thymeleaf 模板文件(位于 src/main/resources/templates/):
login.html:
<!DOCTYPE html>
<html xmlns:th="http://www.thymeleaf.org">
<head><title>Login</title><link rel="stylesheet" th:href="@{/css/style.css}">
</head>
<body><div class="login-container"><h2>Login</h2><form th:action="@{/login}" method="post"><div class="form-group"><label for="username">Username:</label><input type="text" id="username" name="username" required></div><div class="form-group"><label for="password">Password:</label><input type="password" id="password" name="password" required></div><div th:if="${param.error}" class="error">Invalid username or password.</div><button type="submit">Login</button></form><p>Don't have an account? <a th:href="@{/register}">Register</a></p></div>
</body>
</html>
dashboard.html:
<!DOCTYPE html>
<html xmlns:th="http://www.thymeleaf.org">
<head><title>Dashboard</title>
</head>
<body><h1>Welcome to Dashboard</h1><p>Hello, <span th:text="${#authentication.name}">User</span>!</p><a th:href="@{/logout}">Logout</a><div sec:authorize="hasRole('ADMIN')"><p><a th:href="@{/admin}">Admin Panel</a></p></div>
</body>
</html>
7. 初始化数据
创建数据初始化类 DataInitializer.java:
import org.springframework.boot.CommandLineRunner;
import org.springframework.stereotype.Component;@Component
public class DataInitializer implements CommandLineRunner {private final UserRepository userRepository;private final RoleRepository roleRepository;private final PasswordEncoder passwordEncoder;public DataInitializer(UserRepository userRepository, RoleRepository roleRepository, PasswordEncoder passwordEncoder) {this.userRepository = userRepository;this.roleRepository = roleRepository;this.passwordEncoder = passwordEncoder;}@Overridepublic void run(String... args) throws Exception {// 初始化角色Role adminRole = new Role();adminRole.setName("ROLE_ADMIN");roleRepository.save(adminRole);Role userRole = new Role();userRole.setName("ROLE_USER");roleRepository.save(userRole);// 初始化管理员用户User admin = new User();admin.setUsername("admin");admin.setPassword(passwordEncoder.encode("admin123"));admin.setRoles(Set.of(adminRole, userRole));userRepository.save(admin);// 初始化普通用户User user = new User();user.setUsername("user");user.setPassword(passwordEncoder.encode("user123"));user.setRoles(Set.of(userRole));userRepository.save(user);}
}
8. 应用属性配置
application.properties:
# H2 Database
spring.datasource.url=jdbc:h2:mem:testdb
spring.datasource.driverClassName=org.h2.Driver
spring.datasource.username=sa
spring.datasource.password=# H2 Console
spring.h2.console.enabled=true
spring.h2.console.path=/h2-console# JPA
spring.jpa.show-sql=true
spring.jpa.hibernate.ddl-auto=update
spring.jpa.properties.hibernate.format_sql=true# Thymeleaf
spring.thymeleaf.cache=false
9. 运行应用
创建主应用类 SecurityApplication.java:
import org.springframework.boot.SpringApplication;
import org.springframework.boot.autoconfigure.SpringBootApplication;@SpringBootApplication
public class SecurityApplication {public static void main(String[] args) {SpringApplication.run(SecurityApplication.class, args);}
}
10. 测试应用
- 访问
http://localhost:8080查看主页 - 访问
http://localhost:8080/login登录- 管理员: admin/admin123
- 普通用户: user/user123
- 访问
http://localhost:8080/dashboard查看仪表盘 - 访问
http://localhost:8080/admin测试权限控制 - 访问
http://localhost:8080/h2-console查看H2数据库
补充功能
注册功能
添加注册控制器方法:
@GetMapping("/register")
public String showRegistrationForm(Model model) {model.addAttribute("user", new User());return "register";
}@PostMapping("/register")
public String registerUser(@ModelAttribute("user") User user) {user.setPassword(passwordEncoder.encode(user.getPassword()));Role userRole = roleRepository.findByName("ROLE_USER");user.setRoles(Set.of(userRole));userRepository.save(user);return "redirect:/login?registered";
}
记住我功能
在安全配置中添加:
.rememberMe(remember -> remember.key("uniqueAndSecret").tokenValiditySeconds(86400) // 24小时
)
在登录表单中添加复选框:
<div class="form-group"><input type="checkbox" id="remember-me" name="remember-me"><label for="remember-me">Remember me</label>
</div>
这个完整示例涵盖了 Spring Boot 中使用 Spring Security 的主要功能,包括认证、授权、自定义登录页面、数据库用户存储和密码加密等。