本文通过一个登录的例子介绍 SpringBoot + Spring Security + Thymeleaf 权限管理。

一、数据库 用户登录账号是 admin，saysky，lockeduser
密码都是 123456

1、表结构
user 表


authority 表


user_authority 表



2、数据
user 表


authority 表


user_authority 表


3、SQL 代码

1. SET NAMES utf8;
2. SET FOREIGN_KEY_CHECKS = 0;
3. 
   
4. -- ----------------------------
5. --Table structure for `authority`
6. -- ----------------------------
7. DROP TABLE IF EXISTS `authority`;
8. CREATE TABLE `authority` (
9. `id` bigint(20) NOT NULL AUTO_INCREMENT,
10. `name` varchar(255) NOT NULL,
11. PRIMARY KEY (`id`)
12. ) ENGINE=InnoDB AUTO_INCREMENT=3 DEFAULT CHARSET=utf8;
13. 
    
14. -- ----------------------------
15. --Records of `authority`
16. -- ----------------------------
17. BEGIN;
18. INSERT INTO `authority` VALUES ('1', 'ROLE_ADMIN'), ('2', 'ROLE_USER');
19. COMMIT;
20. 
    
21. 
    
22. -- ----------------------------
23. --Table structure for `user`
24. -- ----------------------------
25. DROP TABLE IF EXISTS `user`;
26. CREATE TABLE `user` (
27. `id` bigint(20) NOT NULL AUTO_INCREMENT,
28. `username` varchar(20) NOT NULL,
29. `password` varchar(100) NOT NULL,
30. `name` varchar(20) NOT NULL,
31. `email` varchar(50) NOT NULL,
32. `avatar` varchar(200) DEFAULT NULL,
33. `create_time` datetime DEFAULT NULL,
34. `last_login_time` datetime DEFAULT NULL,
35. `status` varchar(10) DEFAULT NULL,
36. PRIMARY KEY (`id`),
37. UNIQUE KEY `UK_ob8kqyqqgmefl0aco34akdtpe` (`email`),
38. UNIQUE KEY `UK_sb8bbouer5wak8vyiiy4pf2bx` (`username`)
39. ) ENGINE=InnoDB AUTO_INCREMENT=4 DEFAULT CHARSET=utf8;
40. 
    
41. -- ----------------------------
42. --Records of `user`
43. -- ----------------------------
44. BEGIN;
45. INSERT INTO `user` VALUES ('1', 'admin', '$2a$10$N.zmdr9k7uOCQb376NoUnuTJ8iAt6Z5EHsM8lE9lBOsl7iKTVKIUi', '管理员', 'admin@liuyanzhao.com', null, null, null, 'normal'), ('2', 'saysky', '$2a$10$N.zmdr9k7uOCQb376NoUnuTJ8iAt6Z5EHsM8lE9lBOsl7iKTVKIUi', '言曌', '847064370@qq.com', null, null, null, 'normal'), ('3', 'lockuser', '$2a$10$N.zmdr9k7uOCQb376NoUnuTJ8iAt6Z5EHsM8lE9lBOsl7iKTVKIUi', '锁定账号', 'locked@qq.com', null, null, null, 'locked');
46. COMMIT;
47. 
    
48. -- ----------------------------
49. --Table structure for `user_authority`
50. -- ----------------------------
51. DROP TABLE IF EXISTS `user_authority`;
52. CREATE TABLE `user_authority` (
53. `user_id` bigint(20) NOT NULL,
54. `authority_id` bigint(20) NOT NULL,
55. KEY `FKgvxjs381k6f48d5d2yi11uh89` (`authority_id`),
56. KEY `FKpqlsjpkybgos9w2svcri7j8xy` (`user_id`),
57. CONSTRAINT `FKgvxjs381k6f48d5d2yi11uh89` FOREIGN KEY (`authority_id`) REFERENCES `authority` (`id`),
58. CONSTRAINT `FKpqlsjpkybgos9w2svcri7j8xy` FOREIGN KEY (`user_id`) REFERENCES `user` (`id`)
59. ) ENGINE=InnoDB DEFAULT CHARSET=utf8;
60. 
    
61. -- ----------------------------
62. --Records of `user_authority`
63. -- ----------------------------
64. BEGIN;
65. INSERT INTO `user_authority` VALUES ('1', '1'), ('2', '2'), ('1', '2');
66. COMMIT;
67. 
    
68. SET FOREIGN_KEY_CHECKS = 1;

二、Maven 依赖 【SpringBoot + Spring Security + Thymeleaf 实现权限管理登录】pom.xml

3. xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
4. 4.0.0
5. 
   
6. com.liuyanzhao
7. chuyun
8. 0.0.1-SNAPSHOT
9. war
10. 
    
11. chuyun
12. Chuyun Blog for Spring Boot
13. 
    
14. 
    
16. org.springframework.boot
17. spring-boot-starter-parent
18. 1.5.9.RELEASE
21. 
    
23. UTF-8
24. UTF-8
25. 1.8
26. 3.0.3.RELEASE
27. 2.0.0
28. 2.4.4
30. 
    
31. 
    
33. 
    
35. org.springframework.boot
36. spring-boot-starter-web
38. 
    
41. org.projectlombok
42. lombok
43. true
45. 
    
47. org.springframework.boot
48. spring-boot-starter-test
49. test
51. 
    
54. org.springframework.boot
55. spring-boot-starter-thymeleaf
57. 
    
60. org.springframework.boot
61. spring-boot-starter-data-jpa
63. 
    
66. mysql
67. mysql-connector-java
69. 
    
72. org.springframework.boot
73. spring-boot-devtools
74. true
76. 
    
79. org.springframework.boot
80. spring-boot-starter-data-elasticsearch
83. net.java.dev.jna
84. jna
85. 4.3.0
87. 
    
90. org.springframework.boot
91. spring-boot-starter-security
94. org.thymeleaf.extras
95. thymeleaf-extras-springsecurity4
96. 3.0.2.RELEASE
98. 
    
99. 
    
102. com.alibaba
103. fastjson
104. 1.2.7
106. 
     
109. com.github.penggle
110. kaptcha
111. 2.3.2
113. 
     
115. 
     
119. org.springframework.boot
120. spring-boot-maven-plugin
122. true
126. 
     
128. 
     
129. 
     

主要需要 SpringBoot、Thymeleaf、Spring Security 的依赖

三、实体类 User.java

1. package com.liuyanzhao.chuyun.entity;
2. 
   
3. 
   
4. import lombok.Data;
5. import org.hibernate.validator.constraints.Email;
6. import org.hibernate.validator.constraints.NotEmpty;
7. import org.springframework.security.core.GrantedAuthority;
8. import org.springframework.security.core.authority.SimpleGrantedAuthority;
9. import org.springframework.security.core.userdetails.UserDetails;
10. import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
11. import org.springframework.security.crypto.password.PasswordEncoder;
12. 
    
13. import javax.persistence.*;
14. import javax.validation.constraints.Size;
15. import java.io.Serializable;
16. import java.util.ArrayList;
17. import java.util.Collection;
18. import java.util.Date;
19. import java.util.List;
20. 
    
21. /**
22. * @author 言曌
23. * @date 2017/12/28 上午9:06
24. */
25. 
    
26. @Entity // 实体
27. @Data
28. public class User implements UserDetails, Serializable {
29. 
    
30. private static final long serialVersionUID = 1L;
31. 
    
32. @Id // 主键
33. @GeneratedValue(strategy = GenerationType.IDENTITY) // 自增长策略
34. private Long id; // 用户的唯一标识
35. 
    
36. @NotEmpty(message = "昵称不能为空")
37. @Size(min=2, max=20)
38. @Column(nullable = false, length = 20) // 映射为字段，值不能为空
39. private String name;
40. 
    
41. @NotEmpty(message = "邮箱不能为空")
42. @Size(max=50)
43. @Email(message= "邮箱格式不对" )
44. @Column(nullable = false, length = 50, unique = true)
45. private String email;
46. 
    
47. @NotEmpty(message = "账号不能为空")
48. @Size(min=3, max=20)
49. @Column(nullable = false, length = 20, unique = true)
50. private String username; // 用户账号，用户登录时的唯一标识
51. 
    
52. @NotEmpty(message = "密码不能为空")
53. @Size(max=100)
54. @Column(length = 100)
55. private String password; // 登录时密码
56. 
    
57. @Column(length = 200)
58. private String avatar; // 头像图片地址
59. 
    
60. private Date createTime;
61. 
    
62. private Date lastLoginTime;
63. 
    
64. @Column(length = 10)
65. private String status;
66. 
    
67. @ManyToMany(cascade = CascadeType.DETACH, fetch = FetchType.EAGER)
68. @JoinTable(name = "user_authority", joinColumns = @JoinColumn(name = "user_id", referencedColumnName = "id"),
69. inverseJoinColumns = @JoinColumn(name = "authority_id", referencedColumnName = "id"))
70. private List authorities;
71. 
    
72. protected User() { // JPA 的规范要求无参构造函数；设为 protected 防止直接使用
73. }
74. 
    
75. public User(String name, String email,String username,String password) {
76. this.name = name;
77. this.email = email;
78. this.username = username;
79. this.password = password;
80. }
81. 
    
82. 
    
83. 
    
84. public Collection getAuthorities() {
85. //需将 List 转成 List，否则前端拿不到角色列表名称
86. List simpleAuthorities = new ArrayList<>();
87. for(GrantedAuthority authority : this.authorities){
88. simpleAuthorities.add(new SimpleGrantedAuthority(authority.getAuthority()));
89. }
90. return simpleAuthorities;
91. }
92. 
    
93. public void setAuthorities(List authorities) {
94. this.authorities = authorities;
95. }
96. 
    
97. 
    
98. public void setEncodePassword(String password) {
99. PasswordEncoderencoder = new BCryptPasswordEncoder();
100. String encodePasswd = encoder.encode(password);
101. this.password = encodePasswd;
102. }
103. 
     
104. @Override
105. public boolean isAccountNonExpired() {
106. return true;
107. }
108. 
     
109. @Override
110. public boolean isAccountNonLocked() {
111. return true;
112. }
113. 
     
114. @Override
115. public boolean isCredentialsNonExpired() {
116. return true;
117. }
118. 
     
119. @Override
120. public boolean isEnabled() {
121. return true;
122. }
123. 
     
124. 
     
125. }

Authority.java

1. package com.liuyanzhao.chuyun.entity;
2. 
   
3. import org.springframework.security.core.GrantedAuthority;
4. 
   
5. import javax.persistence.*;
6. 
   
7. /**
8. * 权限
9. * @author 言曌
10. * @date 2018/1/26 下午2:05
11. */
12. @Entity
13. public class Authority implements GrantedAuthority {
14. 
    
15. private static final long serialVersionUID = 1L;
16. 
    
17. @Id // 主键
18. @GeneratedValue(strategy = GenerationType.IDENTITY) // 自增长策略
19. private Long id; // 用户的唯一标识
20. 
    
21. @Column(nullable = false) // 映射为字段，值不能为空
22. private String name;
23. 
    
24. public Long getId() {
25. return id;
26. }
27. 
    
28. public void setId(Long id) {
29. this.id = id;
30. }
31. 
    
32. 
    
33. @Override
34. public String getAuthority() {
35. return name;
36. }
37. 
    
38. public void setName(String name) {
39. this.name = name;
40. }
41. 
    
42. }

四、Dao 层 UserRepository.java

1. package com.liuyanzhao.chuyun.repository;
2. 
   
3. import com.liuyanzhao.chuyun.entity.User;
4. import org.springframework.data.jpa.repository.JpaRepository;
5. 
   
6. 
   
7. /**
8. * 用户repository
9. * @author 言曌
10. * @date 2017/12/27 0027 20:50
11. */
12. 
    
13. public interface UserRepository extends JpaRepository {
14. 
    
15. /**
16. * 根据用户名查找用户
17. * @param username
18. * @return
19. */
20. User findByUsername(String username);
21. 
    
22. }

五、Service 层 CustomUserService.java

1. package com.liuyanzhao.chuyun.service;
2. 
   
3. import com.liuyanzhao.chuyun.entity.User;
4. import com.liuyanzhao.chuyun.repository.UserRepository;
5. import org.springframework.beans.factory.annotation.Autowired;
6. import org.springframework.security.authentication.LockedException;
7. import org.springframework.security.core.userdetails.UserDetailsService;
8. import org.springframework.security.core.userdetails.UsernameNotFoundException;
9. import org.springframework.stereotype.Service;
10. 
    
11. /**
12. * @author 言曌
13. * @date 2018/1/30 下午8:37
14. */
15. 
    
16. @Service
17. public class CustomUserService implements UserDetailsService{
18. 
    
19. @Autowired
20. private UserRepository userRepository;
21. 
    
22. @Override
23. public User loadUserByUsername(String username) throws UsernameNotFoundException {
24. User user = userRepository.findByUsername(username);
25. if (user == null) {
26. throw new UsernameNotFoundException("用户名不存在");
27. } else if("locked".equals(user.getStatus())) { //被锁定，无法登录
28. throw new LockedException("用户被锁定");
29. }
30. return user;
31. }
32. }

六、Spring Security 配置 SecurityConfig.java

1. package com.liuyanzhao.chuyun.config;
2. 
   
3. 
   
4. import com.liuyanzhao.chuyun.service.CustomUserService;
5. import org.springframework.beans.factory.annotation.Autowired;
6. import org.springframework.context.annotation.Bean;
7. import org.springframework.security.authentication.AuthenticationProvider;
8. import org.springframework.security.authentication.dao.DaoAuthenticationProvider;
9. import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
10. import org.springframework.security.config.annotation.method.configuration.EnableGlobalMethodSecurity;
11. import org.springframework.security.config.annotation.web.builders.HttpSecurity;
12. import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
13. import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
14. import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
15. import org.springframework.security.crypto.password.PasswordEncoder;
16. 
    
17. 
    
18. /**
19. * 安全配置类
20. *
21. * @author 言曌
22. * @date 2018/1/23 上午11:37
23. */
24. @EnableWebSecurity
25. @EnableGlobalMethodSecurity(prePostEnabled = true) // 启用方法安全设置
26. public class SecurityConfig extends WebSecurityConfigurerAdapter {
27. 
    
28. private static final String KEY = "liuyanzhao.com";
29. 
    
30. @Autowired
31. private PasswordEncoder passwordEncoder;
32. 
    
33. @Bean
34. CustomUserService customUserService() {
35. return new CustomUserService();
36. }
37. 
    
38. @Bean
39. public PasswordEncoder passwordEncoder() {
40. return new BCryptPasswordEncoder(); // 使用 BCrypt 加密
41. }
42. 
    
43. @Bean
44. public AuthenticationProvider authenticationProvider() {
45. DaoAuthenticationProvider authenticationProvider = new DaoAuthenticationProvider();
46. authenticationProvider.setUserDetailsService(customUserService());
47. authenticationProvider.setPasswordEncoder(passwordEncoder); // 设置密码加密方式
48. return authenticationProvider;
49. }
50. 
    
51. /**
52. * 自定义配置
53. */
54. @Override
55. protected void configure(HttpSecurity http) throws Exception {
56. http.authorizeRequests().antMatchers("/","/css/**", "/js/**", "/fonts/**","/users").permitAll() // 都可以访问
57. .antMatchers("/h2-console/**").permitAll() // 都可以访问
58. .antMatchers("/admin/**").hasRole("ADMIN") // 需要相应的角色才能访问
59. .antMatchers("/console/**").hasAnyRole("ADMIN","USER") // 需要相应的角色才能访问
60. .and()
61. .formLogin()//基于 Form 表单登录验证
62. .loginPage("/login").failureUrl("/login?error=true") // 自定义登录界面
63. .and().rememberMe().key(KEY) // 启用 remember me
64. .and().exceptionHandling().accessDeniedPage("/403"); // 处理异常，拒绝访问就重定向到 403 页面
65. http.csrf().ignoringAntMatchers("/h2-console/**"); // 禁用 H2 控制台的 CSRF 防护
66. http.headers().frameOptions().sameOrigin(); // 允许来自同一来源的H2 控制台的请求
67. }
68. 
    
69. /**
70. * 认证信息管理
71. *
72. * @param auth
73. * @throws Exception
74. */
75. @Autowired
76. public void configureGlobal(AuthenticationManagerBuilder auth) throws Exception {
77. //auth.userDetailsService(userDetailsService);
78. auth.userDetailsService(customUserService());
79. auth.authenticationProvider(authenticationProvider());
80. }
81. 
    
82. }

七、HTML 页面 首页：http://localhost:8080
登录页面：http://localhost:8080/login
登录错误页面：http://localhost:8080/login?error=true
退出登录：http://localhost:8080/logout

index.html

3. xmlns:th="http://www.thymeleaf.org"
4. xmlns:sec="http://www.thymeleaf.org/thymeleaf-extras-springsecurity4">
8. content="width=device-width, initial-scale=1.0, minimum-scale=1.0, maximum-scale=1.0, user-scalable=no">
11. 
    
14. 未登录，点击 登录