spring boot 2.0 security 5.0 整合

spring boot 2.0 security 5.0 整合

1.spring boot 2.0 security 5.0 整合需要引入的maven配置

<?xml version="1.0" encoding="UTF-8"?>
<!-- Maven build for the demo: Spring Boot web + security starters, plus the matching test support. -->
<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
    <modelVersion>4.0.0</modelVersion>

    <groupId>com.example</groupId>
    <artifactId>demo-security</artifactId>
    <version>0.0.1-SNAPSHOT</version>
    <packaging>jar</packaging>

    <name>demo-security</name>
    <description>Demo project for Spring Boot</description>

    <!-- The parent manages the version of every starter declared below, which is why none of them
         carries its own <version>. 2.0.3.RELEASE belongs to the Boot 2.0.x line, which no longer
         receives fixes. NOTE(review): move to a maintained release before reusing this POM. -->
    <parent>
        <groupId>org.springframework.boot</groupId>
        <artifactId>spring-boot-starter-parent</artifactId>
        <version>2.0.3.RELEASE</version>
        <relativePath/> <!-- lookup parent from repository -->
    </parent>

    <properties>
        <project.build.sourceEncoding>UTF-8</project.build.sourceEncoding>
        <project.reporting.outputEncoding>UTF-8</project.reporting.outputEncoding>
        <java.version>1.8</java.version>
    </properties>

    <dependencies>
        <!-- Brings Spring Security onto the classpath; the rules themselves live in the
             application's security configuration class. -->
        <dependency>
            <groupId>org.springframework.boot</groupId>
            <artifactId>spring-boot-starter-security</artifactId>
        </dependency>
        <dependency>
            <groupId>org.springframework.boot</groupId>
            <artifactId>spring-boot-starter-web</artifactId>
        </dependency>

        <!-- Test-scoped only: neither artifact is packaged into the runnable jar. -->
        <dependency>
            <groupId>org.springframework.boot</groupId>
            <artifactId>spring-boot-starter-test</artifactId>
            <scope>test</scope>
        </dependency>
        <dependency>
            <groupId>org.springframework.security</groupId>
            <artifactId>spring-security-test</artifactId>
            <scope>test</scope>
        </dependency>
    </dependencies>

    <build>
        <plugins>
            <plugin>
                <groupId>org.springframework.boot</groupId>
                <artifactId>spring-boot-maven-plugin</artifactId>
            </plugin>
        </plugins>
    </build>


</project>

2.spring boot 2.0 security 5.0 整合核心配置文件

package com.example.demosecurity;

import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.method.configuration.EnableGlobalMethodSecurity;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.builders.WebSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;

/**
 * Web security setup for the demo application: a custom form login under
 * {@code /account/}, authentication required for every other request, and
 * pre/post method-security annotations switched on through {@code prePostEnabled}.
 *
 * <p>{@code WebSecurityConfigurerAdapter} was deprecated in Spring Security 5.7 and
 * removed in 6.0; this listing targets the 5.0 line.
 */
@Configuration
@EnableWebSecurity
@EnableGlobalMethodSecurity(prePostEnabled = true)
public class SecurityConfiguration extends WebSecurityConfigurerAdapter {

    /**
     * Lists the paths that skip the security filter chain altogether, normally static
     * assets such as CSS, JavaScript and images.
     *
     * <p>Requests matching these patterns are not processed by Spring Security at all:
     * no authentication, no CSRF check and no security response headers. Nothing
     * user-specific should be served from them.
     *
     * @param web builder for the web-level security settings
     * @throws Exception propagated from the builder
     */
    @Override
    public void configure(WebSecurity web) throws Exception {
        web.ignoring().antMatchers("/webjars/**", "/resources/**");
    }

    /**
     * Declares the URL authorization rules, the form-login and logout endpoints, and
     * the frame-options header.
     *
     * @param http builder for the HTTP security filter chain
     * @throws Exception propagated from the builder
     */
    @Override
    protected void configure(HttpSecurity http) throws Exception {
        // super.configure(http) is deliberately NOT called: it must stay commented out or
        // removed, otherwise the adapter's default rules interfere with the ones below.

        // Matchers are evaluated in declaration order, so the permitAll() rule has to come
        // before anyRequest(). Everything under /account/ is reachable without logging in.
        // NOTE(review): keep only the login/logout resources under that prefix.
        http.authorizeRequests()
                .antMatchers("/account/**").permitAll()
                .anyRequest().authenticated();

        http.formLogin()
                // Custom login page.
                .loginPage("/account/login.html")
                // URL the login form posts to (default: /login).
                .loginProcessingUrl("/account/login")
                // Form field carrying the password (default: password).
                .passwordParameter("pwd")
                // Form field carrying the user name (default: username).
                .usernameParameter("username")
                // Where to go after a successful login.
                .defaultSuccessUrl("/admin")
                // Where to go after a failed login. This is a server-side forward of the
                // failed POST, not a redirect. NOTE(review): confirm the target accepts
                // POST; failureUrl(...) is the redirecting variant.
                .failureForwardUrl("/account/login.html?error");

        http.logout()
                // Drop the HTTP session on logout.
                .invalidateHttpSession(true)
                // Clear the stored authentication on logout.
                .clearAuthentication(true)
                // URL the logout form posts to.
                .logoutUrl("/account/logout")
                // Where to go once logout has completed.
                .logoutSuccessUrl("/account/login.html");

        // CSRF protection is left at its default (enabled); the csrf().disable() call from
        // the original listing stays out, so login and logout forms must carry the token.

        // cors().disable() keeps Spring Security's CORS support switched off.
        // frameOptions().sameOrigin() lets pages of this same origin embed the application
        // in an iframe, which is what the original listing needed it for.
        http.cors().disable()
                .headers().frameOptions().sameOrigin();
    }
}

3.spring boot 2.0 security 5.0 整合配置csrf安全登录

如果上面的配置中没有禁用 CSRF(默认启用),则登录和登出表单中都必须添加以下隐藏字段;启用 CSRF 时,登出请求也必须以 POST 方式提交:

<!-- Hidden CSRF token field for the login and logout forms. ${_csrf.parameterName} and
     ${_csrf.token} are placeholders that a server-side template fills in at render time.
     NOTE(review): confirm the page is rendered through a template engine; a static .html
     file would send the placeholders literally and the request would be rejected. -->
<input type="hidden" name="${_csrf.parameterName}"   value="${_csrf.token}" />

 
