Java Architect solution spring security (1) quick start (with complete project code)

Blank jackdking 2020-11-11 17:54:45
java architect solution spring security

1. After reading this article, you will get one for free SpringSecurity test demo Project source code ( Direct operation ).
2. You will learn how to quickly create a SpringSecurity project , To achieve a simple login function , It's easy to integrate into Springboot project .
3. see demo Running test results of the project , Learn more about SpringSecurity function ..

What is? Spring Security

Spring Security The predecessor was Acegi Security , yes Spring The framework used in the project group to provide security authentication services . It supports many authentication technologies , Such as LDAP、 be based on IEFT RFC Standards for 、Form-based authentication( Simple user interface ) wait . Generalization is : Control system login interception 、 User login authentication 、 User login token The authentication 、 System api Access control of simple user interface for resources such as interfaces .

In short , That is, the login logic and code implementation of the system do not need to be developed by ourselves , Use Spring Security Configuration development can be .

Compare Spring Security Login service and native login service

The development process of native login logic is as follows :

1) Write the login page form Code .

2) Write login controller Interface code .

3) Query the user information from the database according to the user name parameter passed in .

4) Compare the password data found and the password passed in , If the same, log in through , Otherwise the login fails .

Spring Security Login logic development process :

1) Write the login page form Code .

2)Spring Security Core configuration class development .

3) Realization UserDetailsService Interface , stay loadUserByUsername Method to load user information .

Why? SpringSecurity Login business development workload is small

SpringSecurity Less development work , It's because it has a very complete modeling of the login business , The whole process of logging into the business , There is not much local logic to be developed by developers themselves , These include : Custom login page , Custom user data acquisition source (UserDetailsService Implementation class )

Use SpringSecurity How cool is it to provide security services for the system , The picture below represents my heart at the moment .


Quick start

SpringBoot project pom rely on

This is integration SpringSecurity What we need to rely on jar package .

<!--security start-->


Springboot Project pom The package must contain at least two files .

SpringSecurity Configuration class

Configuration class should inherit abstract class WebSecurityConfigurerAdapter, And use annotations @Configuration、@EnableGlobalMethodSecurity(prePostEnabled = true) Decorated configuration class .

* @Author: Galen
* @Date: 2019/3/27-14:43
* @Description: spring-security The core configuration of rights management
@EnableGlobalMethodSecurity(prePostEnabled = true)
public class WebSecurityConfig extends WebSecurityConfigurerAdapter {
private UserSecurityService userSecurityService;
* @Author: jackdking
* @Description: To configure userDetails Data source , Password encryption format
* @Date: 2020/5/21-5:24
* @Param: [auth]
* @return: void
protected void configure(AuthenticationManagerBuilder auth) throws Exception {
.passwordEncoder(new BCryptPasswordEncoder());// Implementation of custom login verification 
* @Author: Galen
* @Description: Allocate released resources
* @Date: 2019/3/28-9:23
* @Param: [web]
* @return: void
public void configure(WebSecurity web) throws Exception {
web.ignoring().antMatchers("/login.html", "/index.html","/css/**", "/static/**", "/login_p", "/favicon.ico")
// to swagger release ; Resources that do not require permission to access 
.antMatchers("/swagger-ui.html", "/swagger-resources/**", "/images/**", "/webjars/**", "/v2/api-docs", "/configuration/ui", "/configuration/security");
* @Author: Galen
* @Description: Intercept configuration
* @Date: 2019/4/4-10:44
* @Param: [http]
* @return: void
protected void configure(HttpSecurity http) throws Exception {
// Make it support cross domain 
 .requestMatchers(CorsUtils :: isPreFlightRequest).permitAll()
// Other paths need to be authorized to access 
.formLogin().loginPage("/login_p")// Set up login page ,
// Strangely enough This url There was no access to .
.loginProcessingUrl("/login")// Custom login interface , This interface must be with your login page form Of action The address is the same . Otherwise, keep going into login_p page : If loginProcessingUrl Not configured , The default is to follow loginPage equally 
.usernameParameter("username").passwordParameter("password")// tell security form Parameter expressions for the user name and password of the form .
.failureHandler(new MyAuthenticationFailureHandler())// This failure handling Follow failureUrl Configuration is mutually exclusive . Choose only one of the two 
.successHandler(new MyAuthenticationSuccessHandler())// Follow defaultSuccessUrl Mutually exclusive , This support goes back to json data . If you don't set this successful processor , May be an error 999.
// .defaultSuccessUrl("/index") // Follow successHandler Configure mutual exclusion , This support redirects to the success page . Visit the specified page , The user is not logged in , Jump to the login page , If login is successful , Jump to the user to visit the specified page , Users visit the login page , Default jump page
// .failureUrl("/error_p") // Redirection failed page Follow failureHandler Configuration is mutually exclusive . Choose only one of the two 
.csrf().disable(); // close csrf


  • Configuration class override configure(AuthenticationManagerBuilder auth), Set user information source interface userDetailsService Implementation class of , And the user password encryption implementation object BCryptPasswordEncoder.
  • Configuration class override configure(WebSecurity web), inform security Frame what url You can visit without logging in , For example, some css file 、js file 、 Login page and so on .
  • Configuration class override configure(HttpSecurity http), inform security Some information about login service , For example, the login page 、 Custom login interface 、form Parameter expressions for the user name and password of the form 、 Login failed or succeeded handler class .

userDetailsService Development of

In this implementation class ,security The framework allows developers to customize the source of user information : It can be in the code , Or the database 、 Cache server 、 Third party services, etc . In this demo In the project , We use it more simply , Write directly in code , Created SecuritySysUser Object returned to Security.

SecuritySysUser securityUser = new SecuritySysUser();
List<SecuritySysRole> roles = new ArrayList<>();
SecuritySysRole role = new SecuritySysRole();
if (securityUser == null) {
throw new UsernameNotFoundException(" Wrong user name ");
}" User information :{}" , securityUser.toString());
return securityUser;


Here we are , Use security Framework to develop user login business is over , Let's see how it works .

In this paper, the demo Project access is at the bottom of the article .

Right click on the project file, choice Run As -> Java Application.

Browser input http://localhost:9090, Get into login Login page .


enter one user name / password :admin/admin, Click the login button , Then check the login back in json Information .


Login successfully returned to json The data is security Results of successful login to the processor framework :successHandler(new MyAuthenticationSuccessHandler()).

public void onAuthenticationSuccess(HttpServletRequest request, HttpServletResponse response, Authentication authentication) throws IOException, ServletException {
RespBean respBean = RespBean.ok("【MyAuthenticationSuccessHandler】 Login successful !", SecurityUserUtil.getCurrentUser());
new GalenWebMvcWrite().writeToWeb(request,response, respBean);
System.out.println("【MyAuthenticationSuccessHandler】 Login successful !");


Enter the wrong user name and password , Back to json Information , Is the first exception error class in the error handler UsernameNotFoundException.


Login failure returned json The data is security The login of the framework failed. The result returned by the processor is :failureHandler(new MyAuthenticationFailureHandler()).

RespBean respBean;
if (exception instanceof BadCredentialsException ||
exception instanceof UsernameNotFoundException) {
respBean = RespBean.error(" Wrong account name or password !");
} else if (exception instanceof LockedException) {
respBean = RespBean.error(" The account is locked , Please contact the Administrator !");
} else if (exception instanceof CredentialsExpiredException) {
respBean = RespBean.error(" Password expired , Please contact the Administrator !");
} else if (exception instanceof AccountExpiredException) {
respBean = RespBean.error(" Account expired , Please contact the Administrator !");
} else if (exception instanceof DisabledException) {
respBean = RespBean.error(" Account is disabled , Please contact the Administrator !");
} else {
respBean = RespBean.error(" Login failed !");
System.out.println(" Failure logic processing .");
new GalenWebMvcWrite().writeToWeb(request, response, respBean);


As an architect , Of course, I hope the system can use mature 、 Security service framework with rich features , and security It's a good choice . And whether it's from building security services to manpower 、 test 、 Operation and maintenance 、 Consider the cost ,security They are very fragrant .

Spring Security The configuration development of security service framework also greatly improves the development efficiency of the whole team , If the system makes its own security service framework , In the future, the handover cost of team members will also be very high , It will also be accompanied by higher risk costs .


To view more “Java Architect solutions ” Series articles as well as SpringBoot2.0 Learning examples



complete demo project , Please pay attention to the official account. “ Cutting edge technology bot“ And send the "SEC-ONE" obtain .


本文为[Blank jackdking]所创,转载请带上原文链接,感谢

  1. 【计算机网络 12(1),尚学堂马士兵Java视频教程
  2. 【程序猿历程,史上最全的Java面试题集锦在这里
  3. 【程序猿历程(1),Javaweb视频教程百度云
  4. Notes on MySQL 45 lectures (1-7)
  5. [computer network 12 (1), Shang Xuetang Ma soldier java video tutorial
  6. The most complete collection of Java interview questions in history is here
  7. [process of program ape (1), JavaWeb video tutorial, baidu cloud
  8. Notes on MySQL 45 lectures (1-7)
  9. 精进 Spring Boot 03:Spring Boot 的配置文件和配置管理,以及用三种方式读取配置文件
  10. Refined spring boot 03: spring boot configuration files and configuration management, and reading configuration files in three ways
  11. 精进 Spring Boot 03:Spring Boot 的配置文件和配置管理,以及用三种方式读取配置文件
  12. Refined spring boot 03: spring boot configuration files and configuration management, and reading configuration files in three ways
  13. 【递归,Java传智播客笔记
  14. [recursion, Java intelligence podcast notes
  15. [adhere to painting for 386 days] the beginning of spring of 24 solar terms
  16. K8S系列第八篇(Service、EndPoints以及高可用kubeadm部署)
  17. K8s Series Part 8 (service, endpoints and high availability kubeadm deployment)
  18. 【重识 HTML (3),350道Java面试真题分享
  19. 【重识 HTML (2),Java并发编程必会的多线程你竟然还不会
  20. 【重识 HTML (1),二本Java小菜鸟4面字节跳动被秒成渣渣
  21. [re recognize HTML (3) and share 350 real Java interview questions
  22. [re recognize HTML (2). Multithreading is a must for Java Concurrent Programming. How dare you not
  23. [re recognize HTML (1), two Java rookies' 4-sided bytes beat and become slag in seconds
  24. 造轮子系列之RPC 1:如何从零开始开发RPC框架
  25. RPC 1: how to develop RPC framework from scratch
  26. 造轮子系列之RPC 1:如何从零开始开发RPC框架
  27. RPC 1: how to develop RPC framework from scratch
  28. 一次性捋清楚吧,对乱糟糟的,Spring事务扩展机制
  29. 一文彻底弄懂如何选择抽象类还是接口,连续四年百度Java岗必问面试题
  30. Redis常用命令
  31. 一双拖鞋引发的血案,狂神说Java系列笔记
  32. 一、mysql基础安装
  33. 一位程序员的独白:尽管我一生坎坷,Java框架面试基础
  34. Clear it all at once. For the messy, spring transaction extension mechanism
  35. A thorough understanding of how to choose abstract classes or interfaces, baidu Java post must ask interview questions for four consecutive years
  36. Redis common commands
  37. A pair of slippers triggered the murder, crazy God said java series notes
  38. 1、 MySQL basic installation
  39. Monologue of a programmer: despite my ups and downs in my life, Java framework is the foundation of interview
  40. 【大厂面试】三面三问Spring循环依赖,请一定要把这篇看完(建议收藏)
  41. 一线互联网企业中,springboot入门项目
  42. 一篇文带你入门SSM框架Spring开发,帮你快速拿Offer
  43. 【面试资料】Java全集、微服务、大数据、数据结构与算法、机器学习知识最全总结,283页pdf
  44. 【leetcode刷题】24.数组中重复的数字——Java版
  45. 【leetcode刷题】23.对称二叉树——Java版
  46. 【leetcode刷题】22.二叉树的中序遍历——Java版
  47. 【leetcode刷题】21.三数之和——Java版
  48. 【leetcode刷题】20.最长回文子串——Java版
  49. 【leetcode刷题】19.回文链表——Java版
  50. 【leetcode刷题】18.反转链表——Java版
  51. 【leetcode刷题】17.相交链表——Java&python版
  52. 【leetcode刷题】16.环形链表——Java版
  53. 【leetcode刷题】15.汉明距离——Java版
  54. 【leetcode刷题】14.找到所有数组中消失的数字——Java版
  55. 【leetcode刷题】13.比特位计数——Java版
  56. oracle控制用户权限命令
  57. 三年Java开发,继阿里,鲁班二期Java架构师
  58. Oracle必须要启动的服务
  59. 万字长文!深入剖析HashMap,Java基础笔试题大全带答案
  60. 一问Kafka就心慌?我却凭着这份,图灵学院vip课程百度云