Name: Yue Qin
Student ID: 17101223458
Reposted from: http://www.mkyong.com/spring-boot/spring-boot-spring-security-thymeleaf-example/
[Qianniu Introduction]:
Spring Boot + Spring Security + Thymeleaf example
[Qianniu Keywords]: thymeleaf
[Qianniu Question]: What is Thymeleaf's parsing mechanism?
[Qianniu Body]:
A Spring Boot Thymeleaf example that uses Spring Security to protect the paths /admin and /user.
Technologies used :
Spring Boot 1.5.3.RELEASE
Spring 4.3.8.RELEASE
Spring Security 4.2.2
Thymeleaf 2.1.5.RELEASE
Thymeleaf extras Spring Security4 2.1.3
Tomcat Embed 8.5.14
Maven 3
Java 8
1. Project Directory
2. Project Dependencies
Declares spring-boot-starter-security; it pulls in everything you need to develop a Spring Boot + Spring Security web application.
pom.xml
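```xml
<?xml version="1.0" encoding="UTF-8"?>
<project xmlns="http://maven.apache.org/POM/4.0.0"
         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
    <modelVersion>4.0.0</modelVersion>

    <!-- groupId is inherited from the parent -->
    <artifactId>spring-boot-web-spring-security</artifactId>
    <packaging>jar</packaging>
    <name>Spring Boot Web Spring Security</name>
    <description>Spring Boot Web Spring Security Example</description>
    <url>https://www.mkyong.com</url>
    <version>1.0</version>

    <parent>
        <groupId>org.springframework.boot</groupId>
        <artifactId>spring-boot-starter-parent</artifactId>
        <version>1.5.3.RELEASE</version>
    </parent>

    <properties>
        <java.version>1.8</java.version>
    </properties>

    <dependencies>
        <dependency>
            <groupId>org.springframework.boot</groupId>
            <artifactId>spring-boot-starter-security</artifactId>
        </dependency>
        <dependency>
            <groupId>org.springframework.boot</groupId>
            <artifactId>spring-boot-starter-thymeleaf</artifactId>
        </dependency>
        <dependency>
            <groupId>org.thymeleaf.extras</groupId>
            <artifactId>thymeleaf-extras-springsecurity4</artifactId>
        </dependency>
        <dependency>
            <groupId>org.springframework.boot</groupId>
            <artifactId>spring-boot-devtools</artifactId>
            <optional>true</optional>
        </dependency>
        <dependency>
            <groupId>org.webjars</groupId>
            <artifactId>bootstrap</artifactId>
            <version>3.3.7</version>
        </dependency>
    </dependencies>

    <build>
        <plugins>
            <plugin>
                <groupId>org.springframework.boot</groupId>
                <artifactId>spring-boot-maven-plugin</artifactId>
            </plugin>
        </plugins>
    </build>
</project>
```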
Display project dependencies :
```
$ mvn dependency:tree
[INFO] Scanning for projects...
[INFO]
[INFO] ------------------------------------------------------------------------
[INFO] Building Spring Boot Web Spring Security 1.0
[INFO] ------------------------------------------------------------------------
[INFO]
[INFO] --- maven-dependency-plugin:2.10:tree (default-cli) @ spring-boot-web-spring-security ---
[INFO] org.springframework.boot:spring-boot-web-spring-security:jar:1.0
[INFO] +- org.springframework.boot:spring-boot-starter-thymeleaf:jar:1.5.3.RELEASE:compile
[INFO] |  +- org.springframework.boot:spring-boot-starter:jar:1.5.3.RELEASE:compile
[INFO] |  |  +- org.springframework.boot:spring-boot-starter-logging:jar:1.5.3.RELEASE:compile
[INFO] |  |  |  +- ch.qos.logback:logback-classic:jar:1.1.11:compile
[INFO] |  |  |  |  \- ch.qos.logback:logback-core:jar:1.1.11:compile
[INFO] |  |  |  +- org.slf4j:jcl-over-slf4j:jar:1.7.25:compile
[INFO] |  |  |  +- org.slf4j:jul-to-slf4j:jar:1.7.25:compile
[INFO] |  |  |  \- org.slf4j:log4j-over-slf4j:jar:1.7.25:compile
[INFO] |  |  +- org.springframework:spring-core:jar:4.3.8.RELEASE:compile
[INFO] |  |  \- org.yaml:snakeyaml:jar:1.17:runtime
[INFO] |  +- org.springframework.boot:spring-boot-starter-web:jar:1.5.3.RELEASE:compile
[INFO] |  |  +- org.springframework.boot:spring-boot-starter-tomcat:jar:1.5.3.RELEASE:compile
[INFO] |  |  |  +- org.apache.tomcat.embed:tomcat-embed-core:jar:8.5.14:compile
[INFO] |  |  |  +- org.apache.tomcat.embed:tomcat-embed-el:jar:8.5.14:compile
[INFO] |  |  |  \- org.apache.tomcat.embed:tomcat-embed-websocket:jar:8.5.14:compile
[INFO] |  |  +- org.hibernate:hibernate-validator:jar:5.3.5.Final:compile
[INFO] |  |  |  +- javax.validation:validation-api:jar:1.1.0.Final:compile
[INFO] |  |  |  +- org.jboss.logging:jboss-logging:jar:3.3.1.Final:compile
[INFO] |  |  |  \- com.fasterxml:classmate:jar:1.3.3:compile
[INFO] |  |  +- com.fasterxml.jackson.core:jackson-databind:jar:2.8.8:compile
[INFO] |  |  |  +- com.fasterxml.jackson.core:jackson-annotations:jar:2.8.0:compile
[INFO] |  |  |  \- com.fasterxml.jackson.core:jackson-core:jar:2.8.8:compile
[INFO] |  |  +- org.springframework:spring-web:jar:4.3.8.RELEASE:compile
[INFO] |  |  \- org.springframework:spring-webmvc:jar:4.3.8.RELEASE:compile
[INFO] |  +- org.thymeleaf:thymeleaf-spring4:jar:2.1.5.RELEASE:compile
[INFO] |  |  \- org.thymeleaf:thymeleaf:jar:2.1.5.RELEASE:compile
[INFO] |  |     +- ognl:ognl:jar:3.0.8:compile
[INFO] |  |     +- org.javassist:javassist:jar:3.21.0-GA:compile
[INFO] |  |     \- org.unbescape:unbescape:jar:1.1.0.RELEASE:compile
[INFO] |  \- nz.net.ultraq.thymeleaf:thymeleaf-layout-dialect:jar:1.4.0:compile
[INFO] |     \- org.codehaus.groovy:groovy:jar:2.4.10:compile
[INFO] +- org.springframework.boot:spring-boot-starter-security:jar:1.5.3.RELEASE:compile
[INFO] |  +- org.springframework:spring-aop:jar:4.3.8.RELEASE:compile
[INFO] |  |  \- org.springframework:spring-beans:jar:4.3.8.RELEASE:compile
[INFO] |  +- org.springframework.security:spring-security-config:jar:4.2.2.RELEASE:compile
[INFO] |  |  +- org.springframework.security:spring-security-core:jar:4.2.2.RELEASE:compile
[INFO] |  |  \- org.springframework:spring-context:jar:4.3.8.RELEASE:compile
[INFO] |  \- org.springframework.security:spring-security-web:jar:4.2.2.RELEASE:compile
[INFO] |     \- org.springframework:spring-expression:jar:4.3.8.RELEASE:compile
[INFO] +- org.thymeleaf.extras:thymeleaf-extras-springsecurity4:jar:2.1.3.RELEASE:compile
[INFO] |  \- org.slf4j:slf4j-api:jar:1.7.25:compile
[INFO] +- org.springframework.boot:spring-boot-devtools:jar:1.5.3.RELEASE:compile
[INFO] |  +- org.springframework.boot:spring-boot:jar:1.5.3.RELEASE:compile
[INFO] |  \- org.springframework.boot:spring-boot-autoconfigure:jar:1.5.3.RELEASE:compile
[INFO] \- org.webjars:bootstrap:jar:3.3.7:compile
[INFO]    \- org.webjars:jquery:jar:1.11.1:compile
[INFO] ------------------------------------------------------------------------
[INFO] BUILD SUCCESS
[INFO] ------------------------------------------------------------------------
[INFO] Total time: 2.072 s
[INFO] Finished at: 2017-05-04T10:13:05+08:00
[INFO] Final Memory: 19M/309M
[INFO] ------------------------------------------------------------------------
```
3. Spring Security
3.1 Extend WebSecurityConfigurerAdapter and define the security rules in the configure method.
For user “admin” :
Able to access the /admin page
Unable to access the /user page, redirect to 403 access denied page.
For user “user” :
Able to access the /user page
Unable to access the /admin page, redirect to 403 access denied page.
SpringSecurityConfig.java
```java
package com.mkyong.config;

import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.web.access.AccessDeniedHandler;

@Configuration
public class SpringSecurityConfig extends WebSecurityConfigurerAdapter {

    @Autowired
    private AccessDeniedHandler accessDeniedHandler;

    // roles admin allow to access /admin/**
    // roles user allow to access /user/**
    // custom 403 access denied handler
    @Override
    protected void configure(HttpSecurity http) throws Exception {

        // CSRF protection is switched off in this demo configuration
        http.csrf().disable()
                .authorizeRequests()
                    .antMatchers("/", "/home", "/about").permitAll()
                    .antMatchers("/admin/**").hasAnyRole("ADMIN")
                    .antMatchers("/user/**").hasAnyRole("USER")
                    .anyRequest().authenticated()
                .and()
                .formLogin()
                    .loginPage("/login")
                    .permitAll()
                .and()
                .logout()
                    .permitAll()
                .and()
                .exceptionHandling().accessDeniedHandler(accessDeniedHandler);
    }

    // create two users, admin and user (in memory, plain-text demo passwords)
    @Autowired
    public void configureGlobal(AuthenticationManagerBuilder auth) throws Exception {

        auth.inMemoryAuthentication()
                .withUser("user").password("password").roles("USER")
                .and()
                .withUser("admin").password("password").roles("ADMIN");
    }
}
```
3.2 Custom 403 access denied handler; it logs the request and redirects to /403
MyAccessDeniedHandler.java
```java
package com.mkyong.error;

import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.security.access.AccessDeniedException;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.security.web.access.AccessDeniedHandler;
import org.springframework.stereotype.Component;

import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import java.io.IOException;

// handle 403 page
@Component
public class MyAccessDeniedHandler implements AccessDeniedHandler {

    private static Logger logger = LoggerFactory.getLogger(MyAccessDeniedHandler.class);

    @Override
    public void handle(HttpServletRequest httpServletRequest,
                       HttpServletResponse httpServletResponse,
                       AccessDeniedException e) throws IOException, ServletException {

        Authentication auth = SecurityContextHolder.getContext().getAuthentication();

        // record who was denied and which URL they asked for
        if (auth != null) {
            logger.info("User '" + auth.getName()
                    + "' attempted to access the protected URL: "
                    + httpServletRequest.getRequestURI());
        }

        httpServletResponse.sendRedirect(httpServletRequest.getContextPath() + "/403");
    }
}
```
4. Spring Boot
4.1 A controller class, to define the http request and view name.
DefaultController.java
```java
package com.mkyong.controller;

import org.springframework.stereotype.Controller;
import org.springframework.web.bind.annotation.GetMapping;

@Controller
public class DefaultController {

    @GetMapping("/")
    public String home1() {
        return "/home";
    }

    @GetMapping("/home")
    public String home() {
        return "/home";
    }

    @GetMapping("/admin")
    public String admin() {
        return "/admin";
    }

    @GetMapping("/user")
    public String user() {
        return "/user";
    }

    @GetMapping("/about")
    public String about() {
        return "/about";
    }

    @GetMapping("/login")
    public String login() {
        return "/login";
    }

    @GetMapping("/403")
    public String error403() {
        return "/error/403";
    }
}
```
4.2 Start Spring Boot application.
SpringBootWebApplication.java
```java
package com.mkyong;

import org.springframework.boot.SpringApplication;
import org.springframework.boot.autoconfigure.SpringBootApplication;

@SpringBootApplication
public class SpringBootWebApplication {

    public static void main(String[] args) throws Exception {
        SpringApplication.run(SpringBootWebApplication.class, args);
    }
}
```
5. Thymeleaf + Resources + Static files
5.1 For Thymeleaf files, put them in the src/main/resources/templates/ folder.
5.2 Thymeleaf fragments, for template layout – header.
src/main/resources/templates/fragments/header.html
Spring Boot Home
5.3 Thymeleaf fragments, for template layout – footer. Review the sec tag, it is a useful tag to display the Spring Security stuff; refer to this Thymeleaf extra Spring Security for detail.
src/main/resources/templates/fragments/footer.html
© 2017 mkyong.com | Logged user: | Roles: | Sign Out
5.4 List of the Thymeleaf files, nothing special, self-explanatory.
home ~
src/main/resources/templates/home.html
Spring Boot Thymeleaf + Spring Security
Spring Boot Web Thymeleaf + Spring Security
1. Visit Admin page (Spring Security protected, Need Admin Role)
2. Visit User page (Spring Security protected, Need User Role)
3. Visit Normal page
admin ~
src/main/resources/templates/admin.html
Admin page (Spring Security protected)
Hello [[${#httpServletRequest.remoteUser}]]!
user ~
src/main/resources/templates/user.html
User page (Spring Security protected)
Hello [[${#httpServletRequest.remoteUser}]]!
about ~
src/main/resources/templates/about.html
Normal page (No need login)
login ~
src/main/resources/templates/login.html
Spring Security Example
Please Sign In
Invalid username and password.
You have been logged out.
403 ~
src/main/resources/templates/error/403.html
403 - Access is denied
Hello '[[${#httpServletRequest.remoteUser}]]', you do not have permission to access this page.
5.5 For static files like CSS or Javascript, put them in /src/main/resources/static/
/src/main/resources/static/css/main.css
```css
h1 {
    color: #0000FF;
}

h2 {
    color: #FF0000;
}

footer {
    margin-top: 60px;
}
```
Note
Read this Spring Boot Serving static content to understand the resource mapping.
6. Demo
6.1 Start the Spring Boot web app. The path /admin/** is protected; you need to log in as admin to access it.
Terminal
```
$ mvn spring-boot:run
//...
```
6.2 Access http://localhost:8080
6.3 Access http://localhost:8080/admin, redirect to http://localhost:8080/login
6.4 Invalid username or password, http://localhost:8080/login
6.5 Login successful, redirect back to admin page http://localhost:8080/admin; review the footer section, the user info is displayed.
6.6 Access http://localhost:8080/user, redirect to http://localhost:8080/403
6.7 Click the sign out link in the footer, redirect to http://localhost:8080/login?logout
Done. Try logging in with the other username, “user”, and accessing the admin page.
Download Source Code
Download it – spring-boot-spring-security-thymeleaf.zip (15 KB)