Simple use of Spring Security

Community links: http://www.spring4all.com/article/428

There are some problems in Spring Security introduction series Spring Security dynamic permission modification. Here is the corrected code.

pom.xml

<?xml version="1.0" encoding="UTF-8"?>
<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
    <modelVersion>4.0.0</modelVersion>

    <groupId>org.springframework</groupId>
    <artifactId>gs-securing-web</artifactId>
    <version>0.1.0</version>

    <parent>
        <groupId>org.springframework.boot</groupId>
        <artifactId>spring-boot-starter-parent</artifactId>
        <version>1.5.7.RELEASE</version>
    </parent>

    <dependencies>
        <dependency>
            <groupId>org.springframework.boot</groupId>
            <artifactId>spring-boot-starter-thymeleaf</artifactId>
        </dependency>
        <dependency>
            <groupId>org.springframework.boot</groupId>
            <artifactId>spring-boot-starter-test</artifactId>
            <scope>test</scope>
        </dependency>
        <dependency>
            <groupId>org.springframework.security</groupId>
            <artifactId>spring-security-test</artifactId>
            <scope>test</scope>
        </dependency>
            <dependency>
                <groupId>org.springframework.boot</groupId>
                <artifactId>spring-boot-starter-security</artifactId>
            </dependency>
        <dependency>
            <groupId>org.springframework.cloud</groupId>
            <artifactId>spring-cloud-starter-oauth2</artifactId>
        </dependency>
        <dependency>
            <groupId>org.springframework.cloud</groupId>
            <artifactId>spring-cloud-starter-security</artifactId>
        </dependency>
        <dependency>
            <groupId>org.thymeleaf.extras</groupId>
            <artifactId>thymeleaf-extras-springsecurity4</artifactId>
        </dependency>

        <!-- bootstrap and jquery -->
        <dependency>
            <groupId>org.webjars</groupId>
            <artifactId>bootstrap</artifactId>
            <version>3.3.7</version>
        </dependency>
        <dependency>
            <groupId>org.webjars</groupId>
            <artifactId>jquery</artifactId>
            <version>3.2.1</version>
        </dependency>

        <!-- testing -->
        <dependency>
            <groupId>org.springframework.boot</groupId>
            <artifactId>spring-boot-starter-test</artifactId>
            <scope>test</scope>
        </dependency>
        <dependency>
            <groupId>org.springframework.security</groupId>
            <artifactId>spring-security-test</artifactId>
            <scope>test</scope>
        </dependency>
    </dependencies>
    <dependencyManagement>
        <dependencies>
            <dependency>
                <groupId>org.springframework.cloud</groupId>
                <artifactId>spring-cloud-dependencies</artifactId>
                <version>Camden.SR5</version>
                <type>pom</type>
                <scope>import</scope>
            </dependency>
        </dependencies>
    </dependencyManagement>
    <properties>
        <java.version>1.8</java.version>
    </properties>

    <build>
        <plugins>
            <plugin>
                <groupId>org.springframework.boot</groupId>
                <artifactId>spring-boot-maven-plugin</artifactId>
            </plugin>
        </plugins>
    </build>

    <repositories>
        <repository>
            <id>spring-releases</id>
            <name>Spring Releases</name>
            <url>https://repo.spring.io/libs-release</url>
        </repository>
    </repositories>
    <pluginRepositories>
        <pluginRepository>
            <id>spring-releases</id>
            <name>Spring Releases</name>
            <url>https://repo.spring.io/libs-release</url>
        </pluginRepository>
    </pluginRepositories>
</project>

Startup class

package top.heliming.shiro.demo;

import org.springframework.boot.SpringApplication;
import org.springframework.boot.autoconfigure.SpringBootApplication;
import org.springframework.security.config.annotation.method.configuration.EnableGlobalMethodSecurity;

@SpringBootApplication
@EnableGlobalMethodSecurity(prePostEnabled = true)//Open permission validation
public class DemoApplication {

    public static void main(String[] args) {
        SpringApplication.run(DemoApplication.class, args);
    }

}

Configuration class

package top.heliming.shiro.demo.config;

/**
 * description:
 *
 * @author: he QQ:       905845006
 * @email: 905845006@qq.com
 * @date: 2020/3/26    5:04 PM
 */
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.builders.WebSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
import org.springframework.security.web.util.matcher.AntPathRequestMatcher;

// Use annotation to configure spring security. When you remember my configuration, turn on this annotation
@EnableWebSecurity
public class SecurityConfig extends WebSecurityConfigurerAdapter {

    @Override
    public void configure(WebSecurity web) throws Exception {
        web.ignoring()
                .antMatchers(
                        "/js/**",
                        "/css/**",
                        "/img/**",
                        "/webjars/**");
    }

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
                .authorizeRequests()
                .anyRequest().authenticated()
                .and()
                .formLogin()
                .loginPage("/login")
                .permitAll()
                .and()
                .logout()
                .invalidateHttpSession(true)
                .clearAuthentication(true)
                .logoutRequestMatcher(new AntPathRequestMatcher("/logout"))
                .logoutSuccessUrl("/login?logout")
                .permitAll()
                .and()
                .rememberMe()
                .key("unique-and-secret")
                .rememberMeCookieName("remember-me-cookie-name")
                .tokenValiditySeconds(24 * 60 * 60);
    }

    @Override
    protected void configure(AuthenticationManagerBuilder auth) throws Exception {
//        auth.inMemoryAuthentication().withUser("user").password("password").roles("USER");

        //Create ADMIN role
        auth.inMemoryAuthentication().passwordEncoder(new BCryptPasswordEncoder())
                .withUser("vip").password(new BCryptPasswordEncoder()
                .encode("123456")).roles("VIP");
        //Create USER role
        auth.inMemoryAuthentication().passwordEncoder(new BCryptPasswordEncoder())
                .withUser("demo").password(new BCryptPasswordEncoder()
                .encode("demo")).roles("USER");

    }



}


control class

package top.heliming.shiro.demo.controller;

/**
 * description:
 *
 * @author: he QQ:       905845006
 * @email: 905845006@qq.com
 * @date: 2020/3/26    5:08 PM
 */

import org.springframework.security.access.prepost.PreAuthorize;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.authority.SimpleGrantedAuthority;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.stereotype.Controller;
import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.ResponseBody;

import java.util.ArrayList;
import java.util.List;

@Controller
public class HomeController {

    @GetMapping("/")
    public String greeting(){
        return "index";
    }

    @GetMapping("/login")
    public String login() {
        return "login";
    }

    @GetMapping("/vip/test")
    //Verify login rights for different roles
    @PreAuthorize("hasRole('ROLE_VIP')")//Only those with the ADMIN permission can access the address. To use the permission, you need to introduce the open permission verification annotation in the header
    @ResponseBody
    public String vipPath() {
        return "only ROLE_VIP Can see";
    }

    @GetMapping("/vip")
    @ResponseBody
    public boolean updateToVIP() {
        // Get current authentication information
        Authentication auth = SecurityContextHolder.getContext().getAuthentication();
        //  Generate all current authorizations
        List<GrantedAuthority> updatedAuthorities = new ArrayList<>(auth.getAuthorities());
        // Add role? VIP authorization
        updatedAuthorities.add(new SimpleGrantedAuthority("ROLE_VIP"));
        // Generate new authentication information
        Authentication newAuth = new UsernamePasswordAuthenticationToken(auth.getPrincipal(), auth.getCredentials(), updatedAuthorities);
        // Reset authentication information
        SecurityContextHolder.getContext().setAuthentication(newAuth);
        return true;
    }
}


Static file

login.html

<!DOCTYPE html>
<html xmlns:th="http://www.thymeleaf.org">
<head>
    <meta charset="utf-8"/>
    <meta http-equiv="X-UA-Compatible" content="IE=edge"/>
    <meta name="viewport" content="width=device-width, initial-scale=1"/>

    <link rel="stylesheet" type="text/css" th:href="@{/webjars/bootstrap/3.3.7/css/bootstrap.min.css}"/>
    <link rel="stylesheet" type="text/css" th:href="@{/css/main.css}"/>

    <title>Login</title>
</head>
<body>
<div class="container">
    <div class="row">
        <div class="col-md-4 col-md-offset-4">
            <div class="panel panel-default">
                <div class="panel-body">
                    <div class="text-center">
                        <h3><i class="glyphicon glyphicon-lock" style="font-size:2em;"></i></h3>
                        <h2 class="text-center">Login</h2>
                        <div class="panel-body">

                            <div th:if="${param.error}">
                                <div class="alert alert-danger">
                                    Invalid username or password.
                                </div>
                            </div>
                            <div th:if="${param.logout}">
                                <div class="alert alert-info">
                                    You have been logged out.
                                </div>
                            </div>

                            <form th:action="@{/login}" method="post">
                                <div class="form-group">
                                    <div class="input-group">
                                        <span class="input-group-addon">@</span>
                                        <input id="username"
                                               name="username"
                                               autofocus="autofocus"
                                               class="form-control"
                                               placeholder="Username"/>
                                    </div>
                                </div>
                                <div class="form-group">
                                    <div class="input-group">
                                        <span class="input-group-addon">
                                            <i class="glyphicon glyphicon-lock"></i>
                                        </span>
                                        <input id="password"
                                               name="password"
                                               class="form-control"
                                               placeholder="Password"
                                               type="password"/>
                                    </div>
                                </div>
                                <div class="form-group">
                                    <label>
                                        <input id="remember-me"
                                               name="remember-me"
                                               type="checkbox"/> Remember me
                                    </label>
                                </div>
                                <div class="form-group">
                                    <button type="submit" class="btn btn-success btn-block">Login</button>
                                </div>
                            </form>

                        </div>
                    </div>
                </div>
            </div>
        </div>
    </div>
</div>

<script type="text/javascript" th:src="@{/webjars/jquery/3.2.1/jquery.min.js/}"></script>
<script type="text/javascript" th:src="@{/webjars/bootstrap/3.3.7/js/bootstrap.min.js}"></script>

</body>
</html>

index.html

<!DOCTYPE html>
<html xmlns:th="http://www.thymeleaf.org"
      xmlns:sec="http://www.w3.org/1999/xhtml">
    <head>
        <meta charset="utf-8"/>
        <meta http-equiv="X-UA-Compatible" content="IE=edge"/>
        <meta name="viewport" content="width=device-width, initial-scale=1"/>

        <link rel="stylesheet" type="text/css" th:href="@{/webjars/bootstrap/3.3.7/css/bootstrap.min.css}"/>
        <link rel="stylesheet" type="text/css" th:href="@{/css/main.css}"/>

        <title>Registration</title>
    </head>
    <body>
        <div class="container">
            <h1>Spring Security Remember Me Hashing Configuration Example</h1>

            <div sec:authorize="isRememberMe()">
                The user: <span sec:authentication="name"></span> is logged in by "Remember Me Cookies".
            </div>

            <div sec:authorize="isFullyAuthenticated()">
                The user: <span sec:authentication="name"></span> is logged in by "Username / Password".
            </div>

        </div>
        <footer>
            <div class="container">
                <p>
                    &copy; Memorynotfound.com
                    <span sec:authorize="isAuthenticated()" style="display: inline-block;">
                        | Logged user: <span sec:authentication="name"></span> |
                        Roles: <span sec:authentication="principal.authorities"></span> |
                        <a th:href="@{/logout}">Sign Out</a>
                    </span>
                </p>
            </div>
        </footer>

        <script type="text/javascript" th:src="@{/webjars/jquery/3.2.1/jquery.min.js/}"></script>
        <script type="text/javascript" th:src="@{/webjars/bootstrap/3.3.7/js/bootstrap.min.js}"></script>

    </body>
</html>

test

Visit: http://localhost:8080

Enter user: demo password: Demo

Log in to the home page

Visit: http://localhost:8080/vip/test prompt 403 no permission
 Visit: http://localhost:8080/vip to add role permissions
 Visit: http://localhost:8080/vip/test, return only role "VIP to see

Revised place:

  1. Start class on

     @EnableGlobalMethodSecurity(prePostEnabled = true)//Open permission validation
    
  2. Configuration class

     Add user
     //        auth.inMemoryAuthentication().withUser("user").password("password").roles("USER");
    
     //Create ADMIN role
     auth.inMemoryAuthentication().passwordEncoder(new BCryptPasswordEncoder())
             .withUser("vip").password(new BCryptPasswordEncoder()
             .encode("123456")).roles("VIP");
     //Create USER role
     auth.inMemoryAuthentication().passwordEncoder(new BCryptPasswordEncoder())
             .withUser("demo").password(new BCryptPasswordEncoder()
             .encode("demo")).roles("USER");
    
  3. control class

     1. The vippath() method modifies the annotation @ secured ("role? VIP") to
     //Verify login rights for different roles
     @Preauthorize ("hasrole ('role'vip ')) / / only those with the ADMIN permission can access this address. To use this permission, you need to introduce the open permission verification annotation in the header
     Add annotation @ ResponseBody
    
     2. updateToVIP() adds the annotation @ ResponseBody
    

Tags: Spring JQuery Maven Thymeleaf

Posted on Thu, 26 Mar 2020 10:59:09 -0400 by jimson