Security Authentication | How Spring Boot integrates with Security to achieve security authentication

author:Chapter for the faithful learning structure

Spring Boot can use JWT to implement token verification, but it also has a complete security authentication framework: Spring Security. Next we describe how to integrate Spring Security for security authentication.

Security is of paramount importance to enterprises; the necessary security authentication blocks abnormal external access and protects internal data.

Data security is increasingly valued across the industry. A large share of data leaks is caused by improper access permissions, so securing enterprise services with the right security framework has become urgent. In the Java space, Spring Security is undoubtedly one of the best options.

Spring Security is a security management framework within the Spring family that provides a declarative secure access control solution for Spring-based enterprise applications. It provides a set of components that can be flexibly configured in Spring applications and takes full advantage of Spring's IoC, DI and AOP features to provide declarative security access control, reducing the repetitive code otherwise written for enterprise system security controls.

Although Spring Security had been around for many years before Spring Boot, it wasn't widely used. Security management had long been Shiro's domain: compared with Shiro, integrating Spring Security into a project was troublesome, so Spring Security, although more powerful than Shiro, was not as popular.

With the advent of Spring Boot, an automated configuration scheme for Spring Security became available that can be used with zero configuration. This brought Spring Security back to life.

Spring Boot provides a component package that integrates with Spring Security, spring-boot-starter-security, allowing us to use Spring Security for permission control in our Spring Boot projects.

Integrating Spring Security in a Spring Boot project is as simple as adding the Spring Boot Security dependency to the project. The following example demonstrates basic Security login authentication in Spring Boot.

1. Add dependencies

Spring Boot provides a component package that integrates with Spring Security, spring-boot-starter-security, making it easier for us to use Spring Security in Spring Boot projects.

In addition to the Security component above, because we are doing permission verification for a web system, we also add the Web and Thymeleaf components.

2. Configure the login username and password

The username and password are configured in application.properties.

This adds the administrator's username and password to the application.properties configuration file.

3. Add a Controller

Create a SecurityController class and add an entry point in it for accessing the page.

4. Create a front-end page

Create a page index.html in the resources/templates directory. This is the page that will be placed under permission control; it can only be reached once you are logged in.

5. Test verification

After the configuration is complete, restart the project and visit http://localhost:8080/; a login box appears automatically, as shown in the following figure.

[Figure: login box]

The system automatically redirects to the default login page of Spring Security. Enter the previously configured user name and password to log in; the page after login is shown in the following figure.

[Figure: page after login]

From the above example, we can see that Spring Security automatically protects all access requests by requiring login, implementing page permission control.

The previous section integrated Spring Security into a Spring Boot project to implement a simple login verification function. In a real project, some pages may not need login verification, while others can only be accessed after login. The following is a complete sample program that demonstrates how to implement login authentication with Security.

1. Create a page content.html

First create a page content.html. This page can only be viewed by a logged-in user; otherwise the request is redirected to the login page, and the page can only be accessed after a successful login. The sample code is as follows:

In the example above, the logout is submitted with a POST request, because Security logout requests only support POST by default.

2. Modify the index.html page

Modify the previous index.html page and add a login button.

In the example above, the index page is a public page with no permission check; login verification is required when entering the content page from the index page.

3. Modify the Controller

Modify the previous SecurityController to add the routing address of the content page. The sample code is as follows:

4. Create a SecurityConfig class

Create a configuration class for Security, SecurityConfig, which extends WebSecurityConfigurerAdapter and defines the custom permission validation configuration. The sample code is as follows:

In the example program above, the SecurityConfig class configures index.html to be directly accessible, while content.html requires a login before it can be viewed; users who are not logged in are automatically redirected to the login page.

@EnableWebSecurity: Turns on Spring Security permission control and authentication.

antMatchers("/", "/home").permitAll(): Configures requests that can be accessed without login.

anyRequest().authenticated(): Indicates that all other requests must be authenticated.

formLogin(): Customizes the form login.

loginPage("/login"): Customizes the login address; if commented out, the default login page is used.

logout(): Logout function; Spring Security automatically handles /logout.

ignoringAntMatchers("/logout"): Spring Security has cross-site request forgery (CSRF) protection enabled by default; this setting exempts the logout request from that check.
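The configuration these annotations and calls describe, assembled as an added example (not the original article's code). It assumes Spring Security 5.x; WebSecurityConfigurerAdapter is deprecated since 5.7 and removed in 6.0, where a SecurityFilterChain bean takes its place. The default generated login page is kept, so loginPage("/login") is left commented out.

```java
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;

@Configuration
@EnableWebSecurity
public class SecurityConfig extends WebSecurityConfigurerAdapter {

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            .authorizeRequests()
                // Public pages: reachable without logging in.
                .antMatchers("/", "/home").permitAll()
                // Everything else, including /content, needs an authenticated user.
                .anyRequest().authenticated()
                .and()
            .formLogin()
                // Uncomment only if the application serves its own /login view
                // (assumption: a controller mapping and template for it exist).
                // .loginPage("/login")
                .permitAll()
                .and()
            .logout()
                // Spring Security handles POST /logout itself.
                .permitAll()
                .and()
            .csrf()
                // The article's setting: POST /logout is accepted without a CSRF
                // token, i.e. without proof that it came from this application's
                // own page. A Thymeleaf form declared with th:action already
                // carries the token, so this exemption can be removed and the
                // default check kept for logout as well.
                .ignoringAntMatchers("/logout");
    }
}
```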

Restart the project after the modification is complete. Visiting http://localhost:8080/ shows the index page. Clicking the link to the content page redirects automatically to the login page, and after a successful login you are redirected to http://localhost:8080/content. Clicking the "Exit" button on the content page logs you out, returns you to the login page, and shows a message that you have logged out.

Logging in, logging out, and redirecting to the login page when a restricted page is requested are commonly used security controls, and they are also the basic security guarantee of an account system.

Above, we have introduced how Spring Boot integrates with Security to achieve security authentication.
