锐客网

  1. 首页 > 睿知 > it技术 > >

SpringBoot + Spring Security + Thymeleaf 实现权限管理登录

Spring-Boot

本文通过一个登录的例子介绍 SpringBoot + Spring Security + Thymeleaf 权限管理。

一、数据库 用户登录账号是 admin,saysky,lockeduser
密码都是 123456

1、表结构
user 表


authority 表


user_authority 表



2、数据
user 表


authority 表


user_authority 表


3、SQL 代码

  1. SET NAMES utf8;
  2. SET FOREIGN_KEY_CHECKS = 0;

  4. -- ----------------------------
  5. --Table structure for `authority`
  6. -- ----------------------------
  7. DROP TABLE IF EXISTS `authority`;
  8. CREATE TABLE `authority` (
  9. `id` bigint(20) NOT NULL AUTO_INCREMENT,
  10. `name` varchar(255) NOT NULL,
  11. PRIMARY KEY (`id`)
  12. ) ENGINE=InnoDB AUTO_INCREMENT=3 DEFAULT CHARSET=utf8;

  14. -- ----------------------------
  15. --Records of `authority`
  16. -- ----------------------------
  17. BEGIN;
  18. INSERT INTO `authority` VALUES ('1', 'ROLE_ADMIN'), ('2', 'ROLE_USER');
  19. COMMIT;


  22. -- ----------------------------
  23. --Table structure for `user`
  24. -- ----------------------------
  25. DROP TABLE IF EXISTS `user`;
  26. CREATE TABLE `user` (
  27. `id` bigint(20) NOT NULL AUTO_INCREMENT,
  28. `username` varchar(20) NOT NULL,
  29. `password` varchar(100) NOT NULL,
  30. `name` varchar(20) NOT NULL,
  31. `email` varchar(50) NOT NULL,
  32. `avatar` varchar(200) DEFAULT NULL,
  33. `create_time` datetime DEFAULT NULL,
  34. `last_login_time` datetime DEFAULT NULL,
  35. `status` varchar(10) DEFAULT NULL,
  36. PRIMARY KEY (`id`),
  37. UNIQUE KEY `UK_ob8kqyqqgmefl0aco34akdtpe` (`email`),
  38. UNIQUE KEY `UK_sb8bbouer5wak8vyiiy4pf2bx` (`username`)
  39. ) ENGINE=InnoDB AUTO_INCREMENT=4 DEFAULT CHARSET=utf8;

  41. -- ----------------------------
  42. --Records of `user`
  43. -- ----------------------------
  44. BEGIN;
  45. INSERT INTO `user` VALUES ('1', 'admin', '$2a$10$N.zmdr9k7uOCQb376NoUnuTJ8iAt6Z5EHsM8lE9lBOsl7iKTVKIUi', '管理员', 'admin@liuyanzhao.com', null, null, null, 'normal'), ('2', 'saysky', '$2a$10$N.zmdr9k7uOCQb376NoUnuTJ8iAt6Z5EHsM8lE9lBOsl7iKTVKIUi', '言曌', '847064370@qq.com', null, null, null, 'normal'), ('3', 'lockuser', '$2a$10$N.zmdr9k7uOCQb376NoUnuTJ8iAt6Z5EHsM8lE9lBOsl7iKTVKIUi', '锁定账号', 'locked@qq.com', null, null, null, 'locked');
  46. COMMIT;

  48. -- ----------------------------
  49. --Table structure for `user_authority`
  50. -- ----------------------------
  51. DROP TABLE IF EXISTS `user_authority`;
  52. CREATE TABLE `user_authority` (
  53. `user_id` bigint(20) NOT NULL,
  54. `authority_id` bigint(20) NOT NULL,
  55. KEY `FKgvxjs381k6f48d5d2yi11uh89` (`authority_id`),
  56. KEY `FKpqlsjpkybgos9w2svcri7j8xy` (`user_id`),
  57. CONSTRAINT `FKgvxjs381k6f48d5d2yi11uh89` FOREIGN KEY (`authority_id`) REFERENCES `authority` (`id`),
  58. CONSTRAINT `FKpqlsjpkybgos9w2svcri7j8xy` FOREIGN KEY (`user_id`) REFERENCES `user` (`id`)
  59. ) ENGINE=InnoDB DEFAULT CHARSET=utf8;

  61. -- ----------------------------
  62. --Records of `user_authority`
  63. -- ----------------------------
  64. BEGIN;
  65. INSERT INTO `user_authority` VALUES ('1', '1'), ('2', '2'), ('1', '2');
  66. COMMIT;

  68. SET FOREIGN_KEY_CHECKS = 1;

二、Maven 依赖 【SpringBoot + Spring Security + Thymeleaf 实现权限管理登录】pom.xml
  3. xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
  4. 4.0.0

  6. com.liuyanzhao
  7. chuyun
  8. 0.0.1-SNAPSHOT
  9. war

  11. chuyun
  12. Chuyun Blog for Spring Boot


  16. org.springframework.boot
  17. spring-boot-starter-parent
  18. 1.5.9.RELEASE

  23. UTF-8
  24. UTF-8
  25. 1.8
  26. 3.0.3.RELEASE
  27. 2.0.0
  28. 2.4.4



  35. org.springframework.boot
  36. spring-boot-starter-web

  41. org.projectlombok
  42. lombok
  43. true

  47. org.springframework.boot
  48. spring-boot-starter-test
  49. test

  54. org.springframework.boot
  55. spring-boot-starter-thymeleaf

  60. org.springframework.boot
  61. spring-boot-starter-data-jpa

  66. mysql
  67. mysql-connector-java

  72. org.springframework.boot
  73. spring-boot-devtools
  74. true

  79. org.springframework.boot
  80. spring-boot-starter-data-elasticsearch
  83. net.java.dev.jna
  84. jna
  85. 4.3.0

  90. org.springframework.boot
  91. spring-boot-starter-security
  94. org.thymeleaf.extras
  95. thymeleaf-extras-springsecurity4
  96. 3.0.2.RELEASE


  102. com.alibaba
  103. fastjson
  104. 1.2.7

  109. com.github.penggle
  110. kaptcha
  111. 2.3.2


  119. org.springframework.boot
  120. spring-boot-maven-plugin
  122. true



主要需要 SpringBoot、Thymeleaf、Spring Security 的依赖

三、实体类 User.java
  1. package com.liuyanzhao.chuyun.entity;


  4. import lombok.Data;
  5. import org.hibernate.validator.constraints.Email;
  6. import org.hibernate.validator.constraints.NotEmpty;
  7. import org.springframework.security.core.GrantedAuthority;
  8. import org.springframework.security.core.authority.SimpleGrantedAuthority;
  9. import org.springframework.security.core.userdetails.UserDetails;
  10. import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
  11. import org.springframework.security.crypto.password.PasswordEncoder;

  13. import javax.persistence.*;
  14. import javax.validation.constraints.Size;
  15. import java.io.Serializable;
  16. import java.util.ArrayList;
  17. import java.util.Collection;
  18. import java.util.Date;
  19. import java.util.List;

  21. /**
  22. * @author 言曌
  23. * @date 2017/12/28 上午9:06
  24. */

  26. @Entity // 实体
  27. @Data
  28. public class User implements UserDetails, Serializable {

  30. private static final long serialVersionUID = 1L;

  32. @Id // 主键
  33. @GeneratedValue(strategy = GenerationType.IDENTITY) // 自增长策略
  34. private Long id; // 用户的唯一标识

  36. @NotEmpty(message = "昵称不能为空")
  37. @Size(min=2, max=20)
  38. @Column(nullable = false, length = 20) // 映射为字段,值不能为空
  39. private String name;

  41. @NotEmpty(message = "邮箱不能为空")
  42. @Size(max=50)
  43. @Email(message= "邮箱格式不对" )
  44. @Column(nullable = false, length = 50, unique = true)
  45. private String email;

  47. @NotEmpty(message = "账号不能为空")
  48. @Size(min=3, max=20)
  49. @Column(nullable = false, length = 20, unique = true)
  50. private String username; // 用户账号,用户登录时的唯一标识

  52. @NotEmpty(message = "密码不能为空")
  53. @Size(max=100)
  54. @Column(length = 100)
  55. private String password; // 登录时密码

  57. @Column(length = 200)
  58. private String avatar; // 头像图片地址

  60. private Date createTime;

  62. private Date lastLoginTime;

  64. @Column(length = 10)
  65. private String status;

  67. @ManyToMany(cascade = CascadeType.DETACH, fetch = FetchType.EAGER)
  68. @JoinTable(name = "user_authority", joinColumns = @JoinColumn(name = "user_id", referencedColumnName = "id"),
  69. inverseJoinColumns = @JoinColumn(name = "authority_id", referencedColumnName = "id"))
  70. private List authorities;

  72. protected User() { // JPA 的规范要求无参构造函数;设为 protected 防止直接使用
  73. }

  75. public User(String name, String email,String username,String password) {
  76. this.name = name;
  77. this.email = email;
  78. this.username = username;
  79. this.password = password;
  80. }



  84. public Collection getAuthorities() {
  85. //需将 List 转成 List,否则前端拿不到角色列表名称
  86. List simpleAuthorities = new ArrayList<>();
  87. for(GrantedAuthority authority : this.authorities){
  88. simpleAuthorities.add(new SimpleGrantedAuthority(authority.getAuthority()));
  89. }
  90. return simpleAuthorities;
  91. }

  93. public void setAuthorities(List authorities) {
  94. this.authorities = authorities;
  95. }


  98. public void setEncodePassword(String password) {
  99. PasswordEncoderencoder = new BCryptPasswordEncoder();
  100. String encodePasswd = encoder.encode(password);
  101. this.password = encodePasswd;
  102. }

  104. @Override
  105. public boolean isAccountNonExpired() {
  106. return true;
  107. }

  109. @Override
  110. public boolean isAccountNonLocked() {
  111. return true;
  112. }

  114. @Override
  115. public boolean isCredentialsNonExpired() {
  116. return true;
  117. }

  119. @Override
  120. public boolean isEnabled() {
  121. return true;
  122. }


  125. }

Authority.java
  1. package com.liuyanzhao.chuyun.entity;

  3. import org.springframework.security.core.GrantedAuthority;

  5. import javax.persistence.*;

  7. /**
  8. * 权限
  9. * @author 言曌
  10. * @date 2018/1/26 下午2:05
  11. */
  12. @Entity
  13. public class Authority implements GrantedAuthority {

  15. private static final long serialVersionUID = 1L;

  17. @Id // 主键
  18. @GeneratedValue(strategy = GenerationType.IDENTITY) // 自增长策略
  19. private Long id; // 用户的唯一标识

  21. @Column(nullable = false) // 映射为字段,值不能为空
  22. private String name;

  24. public Long getId() {
  25. return id;
  26. }

  28. public void setId(Long id) {
  29. this.id = id;
  30. }


  33. @Override
  34. public String getAuthority() {
  35. return name;
  36. }

  38. public void setName(String name) {
  39. this.name = name;
  40. }

  42. }

四、Dao 层 UserRepository.java
  1. package com.liuyanzhao.chuyun.repository;

  3. import com.liuyanzhao.chuyun.entity.User;
  4. import org.springframework.data.jpa.repository.JpaRepository;


  7. /**
  8. * 用户repository
  9. * @author 言曌
  10. * @date 2017/12/27 0027 20:50
  11. */

  13. public interface UserRepository extends JpaRepository {

  15. /**
  16. * 根据用户名查找用户
  17. * @param username
  18. * @return
  19. */
  20. User findByUsername(String username);

  22. }


五、Service 层 CustomUserService.java
  1. package com.liuyanzhao.chuyun.service;

  3. import com.liuyanzhao.chuyun.entity.User;
  4. import com.liuyanzhao.chuyun.repository.UserRepository;
  5. import org.springframework.beans.factory.annotation.Autowired;
  6. import org.springframework.security.authentication.LockedException;
  7. import org.springframework.security.core.userdetails.UserDetailsService;
  8. import org.springframework.security.core.userdetails.UsernameNotFoundException;
  9. import org.springframework.stereotype.Service;

  11. /**
  12. * @author 言曌
  13. * @date 2018/1/30 下午8:37
  14. */

  16. @Service
  17. public class CustomUserService implements UserDetailsService{

  19. @Autowired
  20. private UserRepository userRepository;

  22. @Override
  23. public User loadUserByUsername(String username) throws UsernameNotFoundException {
  24. User user = userRepository.findByUsername(username);
  25. if (user == null) {
  26. throw new UsernameNotFoundException("用户名不存在");
  27. } else if("locked".equals(user.getStatus())) { //被锁定,无法登录
  28. throw new LockedException("用户被锁定");
  29. }
  30. return user;
  31. }
  32. }

六、Spring Security 配置 SecurityConfig.java
  1. package com.liuyanzhao.chuyun.config;


  4. import com.liuyanzhao.chuyun.service.CustomUserService;
  5. import org.springframework.beans.factory.annotation.Autowired;
  6. import org.springframework.context.annotation.Bean;
  7. import org.springframework.security.authentication.AuthenticationProvider;
  8. import org.springframework.security.authentication.dao.DaoAuthenticationProvider;
  9. import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
  10. import org.springframework.security.config.annotation.method.configuration.EnableGlobalMethodSecurity;
  11. import org.springframework.security.config.annotation.web.builders.HttpSecurity;
  12. import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
  13. import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
  14. import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
  15. import org.springframework.security.crypto.password.PasswordEncoder;


  18. /**
  19. * 安全配置类
  20. *
  21. * @author 言曌
  22. * @date 2018/1/23 上午11:37
  23. */
  24. @EnableWebSecurity
  25. @EnableGlobalMethodSecurity(prePostEnabled = true) // 启用方法安全设置
  26. public class SecurityConfig extends WebSecurityConfigurerAdapter {

  28. private static final String KEY = "liuyanzhao.com";

  30. @Autowired
  31. private PasswordEncoder passwordEncoder;

  33. @Bean
  34. CustomUserService customUserService() {
  35. return new CustomUserService();
  36. }

  38. @Bean
  39. public PasswordEncoder passwordEncoder() {
  40. return new BCryptPasswordEncoder(); // 使用 BCrypt 加密
  41. }

  43. @Bean
  44. public AuthenticationProvider authenticationProvider() {
  45. DaoAuthenticationProvider authenticationProvider = new DaoAuthenticationProvider();
  46. authenticationProvider.setUserDetailsService(customUserService());
  47. authenticationProvider.setPasswordEncoder(passwordEncoder); // 设置密码加密方式
  48. return authenticationProvider;
  49. }

  51. /**
  52. * 自定义配置
  53. */
  54. @Override
  55. protected void configure(HttpSecurity http) throws Exception {
  56. http.authorizeRequests().antMatchers("/","/css/**", "/js/**", "/fonts/**","/users").permitAll() // 都可以访问
  57. .antMatchers("/h2-console/**").permitAll() // 都可以访问
  58. .antMatchers("/admin/**").hasRole("ADMIN") // 需要相应的角色才能访问
  59. .antMatchers("/console/**").hasAnyRole("ADMIN","USER") // 需要相应的角色才能访问
  60. .and()
  61. .formLogin()//基于 Form 表单登录验证
  62. .loginPage("/login").failureUrl("/login?error=true") // 自定义登录界面
  63. .and().rememberMe().key(KEY) // 启用 remember me
  64. .and().exceptionHandling().accessDeniedPage("/403"); // 处理异常,拒绝访问就重定向到 403 页面
  65. http.csrf().ignoringAntMatchers("/h2-console/**"); // 禁用 H2 控制台的 CSRF 防护
  66. http.headers().frameOptions().sameOrigin(); // 允许来自同一来源的H2 控制台的请求
  67. }

  69. /**
  70. * 认证信息管理
  71. *
  72. * @param auth
  73. * @throws Exception
  74. */
  75. @Autowired
  76. public void configureGlobal(AuthenticationManagerBuilder auth) throws Exception {
  77. //auth.userDetailsService(userDetailsService);
  78. auth.userDetailsService(customUserService());
  79. auth.authenticationProvider(authenticationProvider());
  80. }

  82. }

七、HTML 页面 首页:http://localhost:8080
登录页面:http://localhost:8080/login
登录错误页面:http://localhost:8080/login?error=true
退出登录:http://localhost:8080/logout

index.html
  3. xmlns:th="http://www.thymeleaf.org"
  4. xmlns:sec="http://www.thymeleaf.org/thymeleaf-extras-springsecurity4">
  8. content="width=device-width, initial-scale=1.0, minimum-scale=1.0, maximum-scale=1.0, user-scalable=no">

  14. 未登录,点击 登录

  • 已登录
  • 登录名:
  • 角色:
  • Username:
  • Password:
  • Email :
  • Name:
  • Status:
  • 拥有的角色:
  • 管理员
  • 用户


  • login.html
    3. xmlns:th="http://www.thymeleaf.org">
    7. 登录页面 - 锐客网

    12. 用户名:
    13. 密 码:
    14. oncontextmenu="return false"
    15. onpaste="return false"/>
    16. 记住我


    八、运行效果 1、访问首页:http://localhost:8080


    2、点击 登录,填写登录信息,不勾选记住我
    账号:admin,密码:123456


    3、登录成功,跳转到首页,显示登录信息


    4、访问 http://localhost:8080/logout,可退出登录


    5、登录错误显示


    这里,登录失败的话(用户名不存在或者密码错误),都是显示Bad credentials


    如果登录被锁定的用户,如用户名为lockeduser



    6、记住我也是有效的,关闭浏览器后,下次启动,依然是登录状态
    记住密码后,我们可以看到浏览器里添加了 一条 cookie

      推荐阅读


      上一篇:javascript|[MobX State Tree数据组件化开发][2](实例-TodoList)

      下一篇:数据库|oracle数据库排序后获取第一条数据