- 项目结构
src
└── main
├── java
│ └── com.example.securitydemo
│ ├── RestapiApplication.java
│ ├── config
│ │ └── SecurityConfig.java
│ ├── controller
│ │ └── UserController.java
│ └── service
│ └── CustomUserDetailsService.java
└── resources
├── templates
│ ├── login.html
│ ├── home.html
│ ├── admin.html
├── static
│ └── css
│ └── styles.css
└── application.properties - 创建主应用类
package cn.mayanan.restapi;import org.springframework.boot.SpringApplication;
import org.springframework.boot.autoconfigure.SpringBootApplication;@SpringBootApplication
public class RestapiApplication {public static void main(String[] args) {SpringApplication.run(RestapiApplication.class, args);}
}
- 配置 Spring Security, 创建用户服务
package cn.mayanan.restapi.config;import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.core.userdetails.User;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
import org.springframework.security.crypto.password.PasswordEncoder;
import org.springframework.security.provisioning.InMemoryUserDetailsManager;
import org.springframework.security.web.SecurityFilterChain;@Configuration
public class SecurityConfig {@Beanpublic PasswordEncoder passwordEncoder() {// 使用 BCrypt 作为密码编码器return new BCryptPasswordEncoder();}@Beanpublic SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {http.csrf(csrf -> csrf.disable()) // 可选,禁用 CSRF(仅开发时使用).authorizeHttpRequests(auth -> auth.requestMatchers("/login", "/public/**", "/css/**").permitAll() // 公开的资源.requestMatchers("/admin").hasRole("ADMIN") // 仅 ADMIN 用户可以访问.anyRequest().authenticated() // 其他请求需要认证).formLogin(form -> form.loginPage("/login") // 自定义登录页面.defaultSuccessUrl("/home", true) // 登录成功后跳转.permitAll()).logout(logout -> logout.logoutUrl("/logout").logoutSuccessUrl("/login?logout") // 登出后跳转.permitAll());return http.build();}@Beanpublic UserDetailsService userDetailsService(PasswordEncoder passwordEncoder) {UserDetails user = User.builder().username("user").password(passwordEncoder.encode("password")).roles("USER").build();UserDetails admin = User.builder().username("admin").password(passwordEncoder.encode("admin")).roles("ADMIN").build();return new InMemoryUserDetailsManager(user, admin);}
}
- 创建控制器
package cn.mayanan.restapi.controller;import org.springframework.stereotype.Controller;
import org.springframework.web.bind.annotation.GetMapping;@Controller
public class UserController {@GetMapping("/home")public String home() {return "home";}@GetMapping("/admin")public String admin() {return "admin";}@GetMapping("/login")public String loginPage() {return "login";}
}
- 添加 HTML 页面
login.html
<!DOCTYPE html>
<html lang="en">
<head><title>Login</title><link rel="stylesheet" href="/css/styles.css">
</head>
<body><h2>Login</h2><form method="post" action="/login"><label for="username">Username:</label><input type="text" name="username" required><br><label for="password">Password:</label><input type="password" name="password" required><br><button type="submit">Login</button></form><p>Don't have an account? Contact admin!</p>
</body>
</html>
home.html
<!DOCTYPE html>
<html lang="en">
<head><title>Home</title>
</head>
<body><h1>Welcome Home!</h1><p>You are logged in.</p><a href="/logout">Logout</a>
</body>
</html>
admin.html
<!DOCTYPE html>
<html lang="en">
<head><title>Admin Page</title>
</head>
<body><h1>Welcome, Admin!</h1><p>Only admins can see this page.</p><a href="/logout">Logout</a>
</body>
</html>
- 添加静态资源(CSS)
在 src/main/resources/static/css/styles.css 中:
body {font-family: Arial, sans-serif;margin: 20px;
}
form {margin: 20px 0;
}
label {display: block;margin-bottom: 5px;
}
input {margin-bottom: 10px;
}
- 配置 application.yml
spring.thymeleaf.cache=false
运行步骤
启动项目。
访问 http://localhost:8080/login 进入登录页面。
用户名:user,密码:password
用户名:admin,密码:admin
登录后:
http://localhost:8080/home:普通用户和管理员都可访问。
http://localhost:8080/admin:仅管理员可访问。
登出:点击页面中的 Logout
——注解后处理器-2)
