1 引言

Spring Security是一个能够为基于Spring的企业应用系统提供声明式的安全访问控制解决方案的安全框架，但是用起来有点复杂，为了便于学习理解，下面将用最简洁的配置和示例，展示整个流程。

2 代码

创建一个spring-security-demo的项目，总共包含5个文件

2.1 pom.xml

引入spring-boot-starter-security

<?xml version="1.0" encoding="UTF-8"?>
<project xmlns="http://maven.apache.org/POM/4.0.0"xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd"><modelVersion>4.0.0</modelVersion><groupId>org.example</groupId><artifactId>spring-security-demo</artifactId><version>1.0-SNAPSHOT</version><properties><maven.compiler.source>17</maven.compiler.source><maven.compiler.target>17</maven.compiler.target><project.build.sourceEncoding>UTF-8</project.build.sourceEncoding></properties><!--  为Spring Boot项目提供一系列默认的配置和依赖管理--><parent><groupId>org.springframework.boot</groupId><artifactId>spring-boot-starter-parent</artifactId><version>3.3.2</version><relativePath/></parent><dependencies><!--  Spring Boot核心依赖--><dependency><groupId>org.springframework.boot</groupId><artifactId>spring-boot-starter</artifactId></dependency><!-- Spring Boot单元测试和集成测试的依赖--><dependency><groupId>org.springframework.boot</groupId><artifactId>spring-boot-starter-test</artifactId><scope>test</scope></dependency><!-- Spring Boot构建Web应用程序的依赖--><dependency><groupId>org.springframework.boot</groupId><artifactId>spring-boot-starter-web</artifactId></dependency><dependency><groupId>org.springframework.boot</groupId><artifactId>spring-boot-starter-security</artifactId></dependency></dependencies></project>

2.2 application.properties

保持空白即可

2.3 org/example/Main.java

启动类

package org.example;import org.springframework.boot.SpringApplication;
import org.springframework.boot.autoconfigure.SpringBootApplication;@SpringBootApplication
public class Main {public static void main(String[] args) {SpringApplication.run(Main.class, args);}}

2.4 org/example/controller/UserController.java

测试类，注意@PreAuthorize注解，用于标记每个接口的权限标识

package org.example.controller;import org.example.conf.SecurityConfig;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.http.HttpStatus;
import org.springframework.security.access.prepost.PreAuthorize;
import org.springframework.security.authentication.AuthenticationManager;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.authority.SimpleGrantedAuthority;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
import org.springframework.stereotype.Controller;
import org.springframework.web.bind.annotation.PostMapping;
import org.springframework.web.bind.annotation.RequestBody;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.ResponseBody;import java.util.*;@Controller
@RequestMapping("/user")
public class UserController {@Autowiredprivate AuthenticationManager authenticationManager;private Map<String, Object> returnOk(String obj) {Map<String, Object> map = new HashMap<>();map.put("code", HttpStatus.OK.value());map.put("msg", "ok");map.put("data", obj);return map;}private Map<String, Object> returnError(String msg) {Map<String, Object> map = new HashMap<>();map.put("code", HttpStatus.INTERNAL_SERVER_ERROR.value());map.put("msg", msg);return map;}@PreAuthorize("hasAuthority('user:hello')")@RequestMapping("/hello")@ResponseBodypublic Object hello() {System.out.println("hello");return returnOk("hello");}@PreAuthorize("hasAuthority('user:hello1')")@RequestMapping("/hello1")@ResponseBodypublic Object hello1() {System.out.println("hello1");return returnOk("hello1");}@PostMapping("/login")@ResponseBodypublic Object login(@RequestBody Map<String, String> param) {String username = param.get("username");String password = param.get("password");//调用Spring Security的loadUserByUsername方法获取用户信息UsernamePasswordAuthenticationToken usernamePasswordAuthenticationToken = new UsernamePasswordAuthenticationToken(username, password);Authentication authenticate = authenticationManager.authenticate(usernamePasswordAuthenticationToken);if (authenticate == null) {return returnError("用户不存在");} else {UserDetails userDetails = (UserDetails) authenticate.getPrincipal();//验证密码BCryptPasswordEncoder passwordEncoder = new BCryptPasswordEncoder();if (!passwordEncoder.matches(password, userDetails.getPassword())) {return returnError("账号密码错误");}// 生成tokenString token = UUID.randomUUID().toString();// 存储tokenSecurityConfig.tokenMap.put(token, userDetails);return returnOk(token);}}@PostMapping("/logout")@ResponseBodypublic Object logout() {return returnOk("退出成功");}}

2.5 org/example/conf/SecurityConfig.java

Spring Security配置，为了简化代码，便于查看，我将所有需要自定义的类，以内部类的方式放到里面，然后引入到filterChain方法中即可。

package org.example.conf;import com.fasterxml.jackson.databind.ObjectMapper;
import jakarta.servlet.FilterChain;
import jakarta.servlet.ServletException;
import jakarta.servlet.http.HttpServletRequest;
import jakarta.servlet.http.HttpServletResponse;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.http.HttpStatus;
import org.springframework.security.authentication.AuthenticationManager;
import org.springframework.security.authentication.ProviderManager;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.authentication.dao.DaoAuthenticationProvider;
import org.springframework.security.config.annotation.method.configuration.EnableMethodSecurity;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.http.SessionCreationPolicy;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.AuthenticationException;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.authority.SimpleGrantedAuthority;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.core.userdetails.UsernameNotFoundException;
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
import org.springframework.security.web.AuthenticationEntryPoint;
import org.springframework.security.web.SecurityFilterChain;
import org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter;
import org.springframework.security.web.authentication.WebAuthenticationDetailsSource;
import org.springframework.security.web.authentication.logout.LogoutSuccessHandler;
import org.springframework.web.cors.CorsConfiguration;
import org.springframework.web.cors.UrlBasedCorsConfigurationSource;
import org.springframework.web.filter.CorsFilter;
import org.springframework.web.filter.OncePerRequestFilter;import java.io.IOException;
import java.util.*;/*** spring security配置*/
@EnableMethodSecurity(prePostEnabled = true, securedEnabled = true)
@Configuration
public class SecurityConfig {/*** 简单模拟token存储，可以用redis代替。*/public static Map<String, UserDetails> tokenMap = new HashMap<>();/*** 自定义token过滤器*/public static class MyOncePerRequestFilter extends OncePerRequestFilter {@Overrideprotected void doFilterInternal(HttpServletRequest request, HttpServletResponse response, FilterChain chain) throws ServletException, IOException {String token = request.getHeader("token");System.out.println("url=" + request.getRequestURI() + ",token=" + token);UserDetails userDetails = tokenMap.get(token);if (null != userDetails) {//如果token存在，则进行spring security权限验证UsernamePasswordAuthenticationToken authenticationToken = new UsernamePasswordAuthenticationToken(userDetails, null, userDetails.getAuthorities());authenticationToken.setDetails(new WebAuthenticationDetailsSource().buildDetails(request));SecurityContextHolder.getContext().setAuthentication(authenticationToken);}chain.doFilter(request, response);}}/*** 自定义未授权访问处理逻辑*/public static class AuthenticationEntryPointImpl implements AuthenticationEntryPoint {@Overridepublic void commence(HttpServletRequest request, HttpServletResponse response, AuthenticationException authException) throws IOException, ServletException {Map<String, Object> map = new HashMap<>();map.put("code", HttpStatus.INTERNAL_SERVER_ERROR.value());map.put("msg", "无权限访问该资源");response.setStatus(HttpStatus.INTERNAL_SERVER_ERROR.value());response.setContentType("application/json");response.setCharacterEncoding("utf-8");response.getWriter().print(new ObjectMapper().writeValueAsString(map));}}/*** 定义退出处理逻辑*/public static class LogoutSuccessHandlerImpl implements LogoutSuccessHandler {@Overridepublic void onLogoutSuccess(HttpServletRequest request, HttpServletResponse response, Authentication authentication) throws IOException, ServletException {String token = request.getHeader("header");tokenMap.remove(token);Map<String, Object> map = new HashMap<>();map.put("code", HttpStatus.OK.value());map.put("msg", "退出成功");response.setStatus(HttpStatus.OK.value());response.setContentType("application/json");response.setCharacterEncoding("utf-8");response.getWriter().print(new ObjectMapper().writeValueAsString(map));}}/*** 定义身份认证处理逻辑*/public static class UserDetailsServiceImpl implements UserDetailsService {@Overridepublic UserDetails loadUserByUsername(String username) throws UsernameNotFoundException {// 一般情况下，从数据库查询用户信息和权限信息，TODO// 为了方便测试，直接模拟用户信息和权限信息。Set<GrantedAuthority> authorities = new HashSet<>();authorities.add(new SimpleGrantedAuthority("user:hello"));authorities.add(new SimpleGrantedAuthority("user:hello2"));return getUserDetails(username, new BCryptPasswordEncoder().encode("123456"), authorities);}private UserDetails getUserDetails(String username, String password, Set<GrantedAuthority> authorities) {return new UserDetails() {@Overridepublic Collection<? extends GrantedAuthority> getAuthorities() {return authorities;}@Overridepublic String getPassword() {return password;}@Overridepublic String getUsername() {return username;}@Overridepublic boolean isAccountNonExpired() {return UserDetails.super.isAccountNonExpired();}@Overridepublic boolean isAccountNonLocked() {return UserDetails.super.isAccountNonLocked();}@Overridepublic boolean isCredentialsNonExpired() {return UserDetails.super.isCredentialsNonExpired();}@Overridepublic boolean isEnabled() {return UserDetails.super.isEnabled();}};}}@Beanprotected SecurityFilterChain filterChain(HttpSecurity httpSecurity) throws Exception {return httpSecurity// 不使用session,禁用CSRF.csrf(csrf -> csrf.disable())// 禁用HTTP响应标头.headers((headersCustomizer) -> {headersCustomizer.cacheControl(cache -> cache.disable()).frameOptions(options -> options.sameOrigin());})// 定义未授权访问处理逻辑.exceptionHandling(exception -> exception.authenticationEntryPoint(new AuthenticationEntryPointImpl()))// 不使用session.sessionManagement(session -> session.sessionCreationPolicy(SessionCreationPolicy.STATELESS))// 记允许匿名访问的url.authorizeHttpRequests((requests) -> {requests.requestMatchers("/user/login", "/user/register").permitAll()// 除上面外的所有请求全部需要鉴权认证.anyRequest().authenticated();})// 定义退出处理逻辑.logout(logout -> logout.logoutUrl("/user/logout").logoutSuccessHandler(new LogoutSuccessHandlerImpl()))// 定义token过滤器.addFilterBefore(new MyOncePerRequestFilter(), UsernamePasswordAuthenticationFilter.class).build();}/*** 身份验证实现*/@Beanpublic AuthenticationManager authenticationManager() {DaoAuthenticationProvider daoAuthenticationProvider = new DaoAuthenticationProvider();daoAuthenticationProvider.setUserDetailsService(new UserDetailsServiceImpl());daoAuthenticationProvider.setPasswordEncoder(new BCryptPasswordEncoder());return new ProviderManager(daoAuthenticationProvider);}/*** 跨域配置*/@Beanpublic CorsFilter corsFilter() {CorsConfiguration config = new CorsConfiguration();config.setAllowCredentials(true);// 设置访问源地址config.addAllowedOriginPattern("*");// 设置访问源请求头config.addAllowedHeader("*");// 设置访问源请求方法config.addAllowedMethod("*");// 有效期 1800秒config.setMaxAge(1800L);// 添加映射路径，拦截一切请求UrlBasedCorsConfigurationSource source = new UrlBasedCorsConfigurationSource();source.registerCorsConfiguration("/**", config);// 返回新的CorsFilterreturn new CorsFilter(source);}}

3 测试

1. 启动项目访问http://localhost:8080/user/hello，可以看到提示"无权限访问该资源"，由于未登录，请求被正常拦截。
   
2. post调用 http://localhost:8080/user/login进行登录操作，用户名随意，密码123456（在认证方法中自定义的）。然后可以看到返回了data即自定义的token值。
   
   
3. 再次访问http://localhost:8080/user/hello，并提前将token值放到header中。可以看到成功返回，表示请求通过了权限验证。这与我们设置的权限标识刚好一致。
   
   4. 用该token继续访问http://localhost:8080/user/hello1，可以看到 “无权限访问该资源”，由于我们没有赋予用户"user:hello1"的权限标识，请求被正常拦截。