Using Spring Security, configure the appropriate roles for the accounts and passwords in the database's admin table (id, name, pwd, no other fields) and student table (id, name, pwd, no other fields), use OAuth2 for login verification, intercept the relevant URLs for role-based authorization, and describe the processing steps at login (assume a checkLogin(name, pwd) method is already defined). Provide the code.
Time: 2024-02-13 17:02:28 Views: 80
OK, here is sample code implementing the scenario you described:
1. Add dependencies
```xml
<dependency>
    <groupId>org.springframework.boot</groupId>
    <artifactId>spring-boot-starter-web</artifactId>
</dependency>
<dependency>
    <groupId>org.springframework.boot</groupId>
    <artifactId>spring-boot-starter-security</artifactId>
</dependency>
<dependency>
    <groupId>org.springframework.boot</groupId>
    <artifactId>spring-boot-starter-jdbc</artifactId>
</dependency>
<dependency>
    <groupId>mysql</groupId>
    <artifactId>mysql-connector-java</artifactId>
</dependency>
<dependency>
    <groupId>org.springframework.security.oauth.boot</groupId>
    <artifactId>spring-security-oauth2-autoconfigure</artifactId>
    <version>2.1.0.RELEASE</version>
</dependency>
```
2. Configure application.yml
```yaml
spring:
  datasource:
    driver-class-name: com.mysql.cj.jdbc.Driver
    url: jdbc:mysql://localhost:3306/testdb?useSSL=false&serverTimezone=Asia/Shanghai
    username: root
    password: root
security:
  oauth2:
    client:
      client-id: client
      client-secret: secret
      authorized-grant-types: password,authorization_code,refresh_token
      scope: all
    resource:
      jwt:
        key-value: test
```
3. Configure SecurityConfig
```java
import javax.sql.DataSource;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.authentication.AuthenticationManager;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
import org.springframework.security.crypto.password.PasswordEncoder;

@Configuration
@EnableWebSecurity
public class SecurityConfig extends WebSecurityConfigurerAdapter {
    @Autowired
    private DataSource dataSource;

    // One shared encoder: the pwd columns must hold BCrypt hashes, not plaintext
    @Bean
    public PasswordEncoder passwordEncoder() {
        return new BCryptPasswordEncoder();
    }

    // Expose the AuthenticationManager as a bean so the authorization server can @Autowired it
    @Bean
    @Override
    public AuthenticationManager authenticationManagerBean() throws Exception {
        return super.authenticationManagerBean();
    }

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http.csrf().ignoringAntMatchers("/oauth/**")   // token endpoints are POSTed without a CSRF token
            .and()
            .authorizeRequests()
                .antMatchers("/oauth/**").permitAll()
                // patterns must include the controller's /api prefix, otherwise only "authenticated" applies
                .antMatchers("/api/admin/**").hasRole("ADMIN")
                .antMatchers("/api/student/**").hasRole("STUDENT")
                .anyRequest().authenticated()
            .and().formLogin();
    }

    @Override
    protected void configure(AuthenticationManagerBuilder auth) throws Exception {
        // Two providers are tried in order (admin table first, then student);
        // JdbcDaoImpl expects the columns (username, password, enabled) and (username, authority)
        auth.jdbcAuthentication().dataSource(dataSource)
            .usersByUsernameQuery("select name,pwd,1 from admin where name=?")
            .authoritiesByUsernameQuery("select name,'ROLE_ADMIN' from admin where name=?")
            .passwordEncoder(passwordEncoder());
        auth.jdbcAuthentication().dataSource(dataSource)
            .usersByUsernameQuery("select name,pwd,1 from student where name=?")
            .authoritiesByUsernameQuery("select name,'ROLE_STUDENT' from student where name=?")
            .passwordEncoder(passwordEncoder());
    }
}
```
4. Configure OAuth2
```java
import javax.sql.DataSource;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.authentication.AuthenticationManager;
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
import org.springframework.security.oauth2.config.annotation.configurers.ClientDetailsServiceConfigurer;
import org.springframework.security.oauth2.config.annotation.web.configuration.AuthorizationServerConfigurerAdapter;
import org.springframework.security.oauth2.config.annotation.web.configuration.EnableAuthorizationServer;
import org.springframework.security.oauth2.config.annotation.web.configurers.AuthorizationServerEndpointsConfigurer;
import org.springframework.security.oauth2.config.annotation.web.configurers.AuthorizationServerSecurityConfigurer;
import org.springframework.security.oauth2.provider.token.TokenStore;
import org.springframework.security.oauth2.provider.token.store.InMemoryTokenStore;

@Configuration
@EnableAuthorizationServer
public class AuthorizationServerConfig extends AuthorizationServerConfigurerAdapter {
    @Autowired
    private AuthenticationManager authenticationManager;   // needs an AuthenticationManager bean (authenticationManagerBean())
    @Autowired
    private DataSource dataSource;

    // Single TokenStore bean, shared with LoginController, which @Autowires it
    @Bean
    public TokenStore tokenStore() {
        return new InMemoryTokenStore();
    }

    @Override
    public void configure(ClientDetailsServiceConfigurer clients) throws Exception {
        // Reads clients from Spring's standard oauth_client_details table; client_secret must be stored BCrypt-hashed
        clients.jdbc(dataSource);
    }

    @Override
    public void configure(AuthorizationServerEndpointsConfigurer endpoints) {
        endpoints.tokenStore(tokenStore()).authenticationManager(authenticationManager);
    }

    @Override
    public void configure(AuthorizationServerSecurityConfigurer oauthServer) {
        oauthServer.passwordEncoder(new BCryptPasswordEncoder())   // Spring Security 5 requires encoded client secrets
            .tokenKeyAccess("permitAll()")
            .checkTokenAccess("isAuthenticated()")
            .allowFormAuthenticationForClients();
    }
}
```
5. Configure the Controller
```java
import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.RestController;

@RestController
@RequestMapping("/api")
public class ApiController {
    // Served at /api/admin; the security configuration must restrict /api/admin/** to ROLE_ADMIN
    @GetMapping("/admin")
    public String admin() {
        return "Hello, Admin!";
    }

    // Served at /api/student; the security configuration must restrict /api/student/** to ROLE_STUDENT
    @GetMapping("/student")
    public String student() {
        return "Hello, Student!";
    }
}
```
6. Write the login endpoint
```java
import javax.servlet.http.HttpServletRequest;
import java.util.Collections;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.security.authentication.AuthenticationManager;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.security.oauth2.common.OAuth2AccessToken;
import org.springframework.security.oauth2.provider.OAuth2Authentication;
import org.springframework.security.oauth2.provider.OAuth2Request;
import org.springframework.security.oauth2.provider.token.AuthorizationServerTokenServices;
import org.springframework.security.oauth2.provider.token.TokenStore;
import org.springframework.web.bind.annotation.*;

@RestController
@RequestMapping("/oauth")
public class LoginController {
    @Autowired private AuthenticationManager authenticationManager;
    @Autowired private TokenStore tokenStore;
    @Autowired private AuthorizationServerTokenServices tokenServices;   // provided by @EnableAuthorizationServer

    @PostMapping("/login")
    public OAuth2AccessToken login(@RequestParam String name, @RequestParam String pwd) {
        // Verifies name/pwd against the configured providers; a mismatch throws AuthenticationException
        Authentication authentication = authenticationManager.authenticate(
                new UsernamePasswordAuthenticationToken(name, pwd));
        SecurityContextHolder.getContext().setAuthentication(authentication);
        // TokenStore.getAccessToken() takes an OAuth2Authentication and only returns an already issued token,
        // so issue a new one through the token services for the registered client id ("client" in application.yml).
        // The returned OAuth2AccessToken is serialised to JSON by Spring's own serializer, so no fastjson is needed.
        OAuth2Request oauth2Request = new OAuth2Request(null, "client", authentication.getAuthorities(),
                true, Collections.singleton("all"), null, null, null, null);
        return tokenServices.createAccessToken(new OAuth2Authentication(oauth2Request, authentication));
    }

    @GetMapping("/logout")
    public String logout(HttpServletRequest request) {
        String authHeader = request.getHeader("Authorization");
        if (authHeader != null && authHeader.startsWith("Bearer ")) {
            String tokenValue = authHeader.substring("Bearer ".length()).trim();
            OAuth2AccessToken accessToken = tokenStore.readAccessToken(tokenValue);
            if (accessToken != null) {   // unknown or already revoked token: nothing to remove
                if (accessToken.getRefreshToken() != null) {
                    tokenStore.removeRefreshToken(accessToken.getRefreshToken());
                }
                tokenStore.removeAccessToken(accessToken);
            }
        }
        return "Logout success!";
    }
}
```
In the code above, we use BCryptPasswordEncoder to encrypt passwords, configure two roles, ADMIN and STUDENT, and apply authorization to the APIs of the different roles. At login, we use AuthenticationManager to authenticate the user and TokenStore to store the token, which is used for authorization on subsequent API access. At logout, we need to call OAuth2's revocation endpoint to invalidate the token.
That is a simple example of using Spring Security and OAuth2 to configure roles and verify logins against the accounts and passwords stored in a database.
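The answer keeps issued tokens in a TokenStore "for authorization on subsequent API access", but with only @EnableAuthorizationServer plus formLogin, nothing in the /api/** filter chain ever reads an Authorization: Bearer header. The resource-server configuration below is an added example, not code from the original answer: it assumes the /api/admin and /api/student controller paths and the ROLE_ADMIN / ROLE_STUDENT authorities used above, and that the authorization server runs in the same application (so its token services are available to the resource server). The class name is made up for the example.

```java
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.http.SessionCreationPolicy;
import org.springframework.security.oauth2.config.annotation.web.configuration.EnableResourceServer;
import org.springframework.security.oauth2.config.annotation.web.configuration.ResourceServerConfigurerAdapter;
import org.springframework.security.oauth2.config.annotation.web.configurers.ResourceServerSecurityConfigurer;

/**
 * Resource-server side of the setup (added example, hypothetical class name): validates the Bearer
 * token on /api/** against the authorization server's token services and applies the role rules there.
 */
@Configuration
@EnableResourceServer
public class ResourceServerConfig extends ResourceServerConfigurerAdapter {

    @Override
    public void configure(ResourceServerSecurityConfigurer resources) {
        // Token-authenticated requests neither create nor use an HTTP session
        resources.stateless(true);
    }

    @Override
    public void configure(HttpSecurity http) throws Exception {
        http
            // This chain (default order 3) claims only /api/**; everything else stays with the
            // WebSecurityConfigurerAdapter chain (default order 100), including formLogin and /oauth/**
            .requestMatchers().antMatchers("/api/**")
            .and()
            .sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS)
            .and()
            .authorizeRequests()
                // hasRole("ADMIN") matches the ROLE_ADMIN authority produced by the admin-table query
                .antMatchers("/api/admin/**").hasRole("ADMIN")
                .antMatchers("/api/student/**").hasRole("STUDENT")
                .anyRequest().authenticated();
    }
}
```

With this in place, a request such as `curl -H "Authorization: Bearer <token>" http://localhost:8080/api/admin` is answered 401 when the token is missing, expired or revoked, 403 when the token belongs to a student-table account, and "Hello, Admin!" only for an admin-table account. Revoking the token through the logout endpoint above takes effect immediately because both chains read the same TokenStore.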
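The two jdbcAuthentication() calls in SecurityConfig register two providers that are tried in order, so a name that exists in both the admin and the student table silently resolves to ADMIN. The UserDetailsService below is an added example, not part of the original answer, that replaces those two providers with one explicit lookup and fails closed on such a collision. It assumes the same admin(id, name, pwd) and student(id, name, pwd) schema with BCrypt hashes in pwd, and a JdbcTemplate bean (auto-configured by spring-boot-starter-jdbc); the class name is made up for the example.

```java
import java.util.List;
import org.springframework.jdbc.core.JdbcTemplate;
import org.springframework.security.core.userdetails.User;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.core.userdetails.UsernameNotFoundException;
import org.springframework.stereotype.Service;

/**
 * Single UserDetailsService over the admin and student tables (added example, hypothetical class name).
 * Wire it with auth.userDetailsService(service).passwordEncoder(new BCryptPasswordEncoder()).
 */
@Service
public class TwoTableUserDetailsService implements UserDetailsService {
    // Table names are fixed literals; the user-supplied name is always bound as a parameter
    private static final String ADMIN_SQL = "select pwd from admin where name = ?";
    private static final String STUDENT_SQL = "select pwd from student where name = ?";

    private final JdbcTemplate jdbc;

    public TwoTableUserDetailsService(JdbcTemplate jdbc) {
        this.jdbc = jdbc;
    }

    @Override
    public UserDetails loadUserByUsername(String name) throws UsernameNotFoundException {
        String adminHash = storedHash(ADMIN_SQL, name);
        String studentHash = storedHash(STUDENT_SQL, name);

        // Fail closed: with two chained providers the same name in both tables would get
        // whichever role is checked first, which is not a decision the login path should make
        if (adminHash != null && studentHash != null) {
            throw new UsernameNotFoundException("account name is ambiguous: " + name);
        }
        if (adminHash != null) {
            return User.withUsername(name).password(adminHash).roles("ADMIN").build();   // authority ROLE_ADMIN
        }
        if (studentHash != null) {
            return User.withUsername(name).password(studentHash).roles("STUDENT").build();   // authority ROLE_STUDENT
        }
        // DaoAuthenticationProvider reports this as BadCredentials by default, so the
        // response does not reveal whether the name exists
        throw new UsernameNotFoundException("no such account");
    }

    /** Returns the BCrypt hash stored in the pwd column for the given name, or null if there is no row. */
    private String storedHash(String sql, String name) {
        List<String> rows = jdbc.query(sql, (rs, rowNum) -> rs.getString("pwd"), name);
        return rows.isEmpty() ? null : rows.get(0);
    }
}
```

The password comparison itself stays with DaoAuthenticationProvider and the configured BCryptPasswordEncoder: the service only returns the stored hash, so rows seeded with `new BCryptPasswordEncoder().encode("...")` work unchanged, while a plaintext pwd column is rejected on every login rather than accepted.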