An example of Spring Security in Java


Spring Security is a multifaceted security authentication framework that provides a complete security authentication solution based on the Java EE specification. It also integrates well with current mainstream authentication frameworks (such as CAS, central authorization system). The original motivation for using Spring Security is to solve the problem of permissions when different users log in to different applications. Permissions involve two parts: authentication and authorization. Authentication tells the system who you are; authorization determines whether you have permission to access the system once it knows who you are (after authorization, a token is usually created on the server and then used for subsequent interaction).

Spring Security provides a variety of authentication modes, and many third-party authentication technologies integrate well with it:

Only some are listed here. Later, we will focus on how to integrate CAS and build our own authentication services.

It is easy to use Spring Security in a Spring Boot project. Here is how to authenticate against users held in memory and in a database.

Preparation

POM dependency:

Configuration:

Here, you need to override the two methods of WebSecurityConfigurerAdapter to define which requests require which permissions, and which users and passwords are authenticated.

Add the URL of the login page. If this configuration is not added, unauthenticated requests are redirected to /login by default, so you can also customize the login request path here.

Login page:

Memory based

SecurityConfig is configured to authenticate against users held in memory:

Visiting the home page redirects to the login page. Logging in as one of the configured users then redirects to the home page.

Database based

The database-based approach is more complex, but the principle is the same; only the data source moves from memory to the database. From the memory-based example we know the process of Spring Security authentication: look up the user whose username matches the input value, and if there is a match, verify their role. For example, ordinary users cannot access the admin page. This can be enforced with @PreAuthorize("hasRole('ROLE_ADMIN')") in the controller layer, which means that only users in the admin role can access the page. Roles in Spring Security are defined as ROLE_ followed by the specific role name.

If you want to be database-based, you can directly specify the data source:

However, the database tables are then Spring's defaults, including three tables: users (user information table) and authorities (user role information table)

The following is the SQL for querying user information and creating user roles (see the JdbcUserDetailsManager class for details):

If you want to customize the database tables, you need to configure the following and implement the UserDetailsService interface:

The implementation of CustomUserDetailsService is as follows:

We need to implement the loadUserByUsername method, which does two things: query the user information and return the user's role information.

The database design is as follows:

Database design

g_users: basic user information table
g_authority: role information table
r_auth_user: user-role information table. No foreign key constraint is used here.

After generating the mapper using MyBatis Generator, create the data source securitydatasource.

The DAO, UserRepository, is then straightforward to implement:

Insert the relevant data into the database and restart the project. Visit the home page again, get redirected to the login page, and enter the user information inserted in the database. If you are then redirected to the home page, authentication succeeded.
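The database-backed setup described above, written out as an added example (not the original article's code). It assumes Spring Security 5.x, where WebSecurityConfigurerAdapter is still available; the UserRepository methods findPasswordHash and findRoleNames are hypothetical stand-ins for the MyBatis mapper over g_users, g_authority and r_auth_user.

```java
import java.util.List;
import java.util.stream.Collectors;
import org.springframework.context.annotation.*;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.method.configuration.EnableGlobalMethodSecurity;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.*;
import org.springframework.security.core.authority.SimpleGrantedAuthority;
import org.springframework.security.core.userdetails.*;
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
import org.springframework.security.crypto.password.PasswordEncoder;
import org.springframework.stereotype.Service;

// Hypothetical DAO (assumption): backed by the mapper over the three tables.
interface UserRepository {
    String findPasswordHash(String username);    // null when the user does not exist
    List<String> findRoleNames(String username); // e.g. "ADMIN", stored without prefix
}

@Service
class CustomUserDetailsService implements UserDetailsService {
    private final UserRepository repo;
    CustomUserDetailsService(UserRepository repo) { this.repo = repo; }

    @Override
    public UserDetails loadUserByUsername(String username) {
        String hash = repo.findPasswordHash(username);            // 1. user information
        if (hash == null) throw new UsernameNotFoundException("unknown user");
        return new User(username, hash, repo.findRoleNames(username).stream()
            .map(r -> new SimpleGrantedAuthority("ROLE_" + r))    // 2. role information
            .collect(Collectors.toList()));
    }
}

@Configuration
@EnableWebSecurity
@EnableGlobalMethodSecurity(prePostEnabled = true) // required for @PreAuthorize to apply
class SecurityConfig extends WebSecurityConfigurerAdapter {
    private final CustomUserDetailsService users;
    SecurityConfig(CustomUserDetailsService users) { this.users = users; }

    @Bean PasswordEncoder passwordEncoder() { return new BCryptPasswordEncoder(); }

    @Override // who the users are and how their passwords are checked
    protected void configure(AuthenticationManagerBuilder auth) throws Exception {
        auth.userDetailsService(users).passwordEncoder(passwordEncoder());
    }

    @Override // which requests require which permissions
    protected void configure(HttpSecurity http) throws Exception {
        http.authorizeRequests().anyRequest().authenticated()
            .and().formLogin().loginPage("/login").permitAll();
    }
}
```

With this encoder, the password column must hold BCrypt hashes rather than plain text, otherwise every login fails. The authority ROLE_ADMIN built here is what @PreAuthorize("hasRole('ROLE_ADMIN')") matches.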
