Permission control is a scenario we often encounter in daily development: we need to decide whether a user can see a certain resource based on that user's role. The main frameworks of this kind on the market today are Shiro and Spring Security, which is the one we are going to talk about. Permission control can be complex. For example, almost every company has a single sign-on system that looks up the corresponding permissions in the database by username and displays the resources you can see under those permissions. The other kind is simple control, which is what we cover today: by configuring the account, password, and role in the code, you can also perform simple control. The disadvantages are self-evident: it does not extend well and there is only one fixed account, but it is still enough for a demonstration.
OK, enough talk, on to the pom:

    <dependency>
        <groupId>org.springframework.boot</groupId>
        <artifactId>spring-boot-starter</artifactId>
    </dependency>
    <dependency>
        <groupId>org.springframework.boot</groupId>
        <artifactId>spring-boot-starter-web</artifactId>
    </dependency>
    <dependency>
        <groupId>org.springframework.boot</groupId>
        <artifactId>spring-boot-starter-security</artifactId>
    </dependency>

spring-boot-starter-security wraps the dependencies required by Spring Security, so we do not need to add them one by one, which simplifies the setup and saves time. I have to say that these enterprise-level frameworks are considerate: if we added the jars ourselves, various problems could arise from incompatibilities between versions. That is all off-topic, though, so enough marvelling and let's continue. Here is the configuration class:

    package com.shuqi;

    import org.springframework.context.annotation.Configuration;
    import org.springframework.security.config.annotation.web.builders.HttpSecurity;
    import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
    import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;

    @EnableWebSecurity
    public class SecurityConfig {

        @Configuration
        public static class WebSecurityConfigurationAdapter extends WebSecurityConfigurerAdapter {

            @Override
            protected void configure(HttpSecurity http) throws Exception {
                // CSRF protection is switched off for this demo
                http.csrf().disable();
                http
                    .authorizeRequests()
                        // /index requires the ADMIN role
                        .antMatchers("/index").hasRole("ADMIN")
                        // every other request is allowed without authentication
                        .anyRequest().permitAll()
                    .and()
                    // credentials are supplied with HTTP Basic authentication
                    .httpBasic();
            }
        }
    }

In plain language, this configuration says: the ADMIN role is required to access the /index link, and everything else is allowed. We sometimes pay attention only to the code, but the @EnableWebSecurity annotation is actually more important, because it is the starting point of Spring Security: it imports the many configuration classes that make security take effect. We have required the ADMIN role, but we have not yet set the username and password that go with it, so look at the configuration file:

    security:
      user:
        name: root
        password: root
        role: ADMIN

The configuration is almost done. Now take a look at our Controller:

    package com.shuqi.controller;

    import org.springframework.web.bind.annotation.RequestMapping;
    import org.springframework.web.bind.annotation.RestController;

    @RestController
    public class HelloController {

        // Protected: the security configuration requires the ADMIN role here
        @RequestMapping("/index")
        public String index() {
            return "hello world index";
        }

        // Not protected: covered by anyRequest().permitAll()
        @RequestMapping("/index1")
        public String index1() {
            return "hello world index1";
        }
    }

One endpoint, /index, is intercepted and the other, /index1, is not, so we can see the difference. Start the project and access /index.
You can see that access control has been added. Enter root as the username and root as the password.
You can then see the result.
Access /index1 and the result is shown directly.
This means that our configuration has taken effect, and Spring Security has indeed controlled access for us.
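The manual checks above can be pinned down as a regression test. The following is an added example, not code from the original article: it assumes Spring Boot 1.4 or later with spring-boot-starter-test and spring-security-test as test dependencies and a @SpringBootApplication class in com.shuqi; the class name AccessRulesTest and the user bob are hypothetical.

```java
package com.shuqi;

import org.junit.Before;
import org.junit.Test;
import org.junit.runner.RunWith;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.boot.test.context.SpringBootTest;
import org.springframework.test.context.junit4.SpringRunner;
import org.springframework.test.web.servlet.MockMvc;
import org.springframework.test.web.servlet.setup.MockMvcBuilders;
import org.springframework.web.context.WebApplicationContext;

import static org.springframework.security.test.web.servlet.request.SecurityMockMvcRequestPostProcessors.httpBasic;
import static org.springframework.security.test.web.servlet.request.SecurityMockMvcRequestPostProcessors.user;
import static org.springframework.security.test.web.servlet.setup.SecurityMockMvcConfigurers.springSecurity;
import static org.springframework.test.web.servlet.request.MockMvcRequestBuilders.get;
import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.content;
import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.status;

// Added example: assumes a @SpringBootApplication class in com.shuqi and the
// spring-boot-starter-test and spring-security-test test dependencies.
@RunWith(SpringRunner.class)
@SpringBootTest
public class AccessRulesTest {
    @Autowired private WebApplicationContext context;
    private MockMvc mvc;

    @Before
    public void setUp() {
        // Run requests through the application's real Spring Security filter chain
        mvc = MockMvcBuilders.webAppContextSetup(context).apply(springSecurity()).build();
    }

    @Test
    public void indexRequiresAdminRole() throws Exception {
        // No credentials or a wrong password: 401 from the HTTP Basic entry point
        mvc.perform(get("/index")).andExpect(status().isUnauthorized());
        mvc.perform(get("/index").with(httpBasic("root", "wrong"))).andExpect(status().isUnauthorized());
        // Authenticated but without ADMIN ("bob" is a constructed test user): 403
        mvc.perform(get("/index").with(user("bob").roles("USER"))).andExpect(status().isForbidden());
        // The account from the configuration file holds ADMIN: 200
        mvc.perform(get("/index").with(httpBasic("root", "root")))
           .andExpect(status().isOk()).andExpect(content().string("hello world index"));
    }

    @Test
    public void index1IsOpenToEveryone() throws Exception {
        mvc.perform(get("/index1")).andExpect(status().isOk());
    }
}
```

The 401 and 403 cases are separate on purpose: the first means the caller was not authenticated, the second that an authenticated caller lacks the ADMIN role.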