当前位置: 首页 > news >正文

初探 Spring Security

前言

在當今瞬息萬變的 Web 環境中,應用程式安全比以往任何時候都更加重要。為保護服務、資料等各項資源,不被任意存取。Spring 提供了 Spring Security 驗證框架,它能幫助我們開發有關認證與授權等有關安全管理的功能。下面讓我們透過簡單的例子初窺如何運用。

專案實作

註: 基於 初探 Vue 與 Spring boot 的對話之Backend (SpringBoot-Backend)文章 專案延生

1. 新增 相關 Dependencies

Pom.xml

<dependency> <groupId>org.springframework.boot</groupId> <artifactId>spring-boot-starter-security</artifactId> </dependency> <dependency> <groupId>org.springframework.boot</groupId> <artifactId>spring-security-test</artifactId> <scope>test</scope> </dependency>

備註:

spring-security-test 官方提供的測試套件,用來在 單元測試 與整合測試 中方便地測試與 Spring Security 相關的功能

2.增修相關代碼

增修 Web 安全性, 網路安全配置類別 WebSecurityConfig

/* Web 安全性配置, 網路安全配置 */ @Configuration @EnableWebSecurity @EnableMethodSecurity(prePostEnabled = true) public class WebSecurityConfig { @Bean public SecurityFilterChain filterChain(HttpSecurity http) throws Exception { return http.csrf(csrf -> csrf.disable()) .authorizeHttpRequests(auth -> auth .requestMatchers("/api/public/**", "/login").permitAll() .requestMatchers("/api/user/**").hasAnyRole("USER", "ADMIN") .requestMatchers("/api/users/**").hasRole("ADMIN") .requestMatchers(HttpMethod.POST, "/api/user").hasRole("ADMIN") .requestMatchers(HttpMethod.DELETE, "/api/users/*") .hasRole("ADMIN") .anyRequest().authenticated()) .httpBasic(Customizer.withDefaults()) .formLogin(Customizer.withDefaults()) .build(); } /** * 使用 InMemoryUserDetailsManager,建立帳號與密碼並儲存於記憶體中 * 用於測試,定義帶有不同權限的用戶。 */ @Bean public UserDetailsService userDetailsService(PasswordEncoder passwordEncoder) { // ADMIN 用戶:擁有 ADMIN 角色 UserDetails admin = User .withUsername("admin") .password(passwordEncoder.encode("password")) .roles("ADMIN") .build(); // USER 用戶:擁有 USER 角色 UserDetails normalUser = User .withUsername("user") .password(passwordEncoder.encode("password")) .roles("USER") .build(); // GUEST 用戶:沒有任何角色 UserDetails guest = User .withUsername("guest") .password(passwordEncoder.encode("password")) .roles("GUEST") .build(); return new InMemoryUserDetailsManager(admin, normalUser, guest); } @Bean public BCryptPasswordEncoder passwordEncoder() { return new BCryptPasswordEncoder(); } }

備註:

/api/users 僅匹配 完全相同 的路徑。

例子:

/api/users 匹配

/api/users/ 不匹配

/api/users/123 不匹配

/api/users/** 匹配以 /api/users/ 開頭的 所有路徑,無論子路徑有多少層級。

例子:

/api/users 匹配

/api/users/ 匹配

/api/users/123 匹配

/api/users/data/1 匹配

增修 Entity

增修 Entity @Entity @Getter @Setter @NoArgsConstructor @AllArgsConstructor @Builder @Table(name = "users") public class User { @Id @GeneratedValue(strategy = GenerationType.IDENTITY) private Long id; @Column(name = "username", nullable = false) private String username; @Column(name = "password", nullable = false) private String password; @Column(name = "first_name", nullable = false) private String firstName; @Column(name = "last_name") private String lastName; @Column(name = "email", nullable = false, unique = true) private String email; public User(String username, String password, String firstName, String lastName, String email) { this.username = username; this.password = password; this.firstName = firstName; this.lastName = lastName; this.email = email; } }

增修UserRepository

@Repository public interface UserRepository extends JpaRepository<User, Long> { Optional<User> findByUsername(String username); Boolean existsByUsername(String username); Boolean existsByEmail(String email); }

增修UserSerice

@Slf4j @Service public class UserService { @Autowired private UserRepository userRepository; @Transactional @PreAuthorize("hasAnyRole('ADMIN', 'USER')") public User saveUser(User user) { log.info("Saving user: " + user.getUsername()); if (user == null) { throw new IllegalArgumentException("User must not be null"); } return userRepository.save(user); } /* * @PreAuthorize: 在方法執行之前,決定是否允許訪問 */ @PreAuthorize("hasAuthority('ADMIN')") public List<User> getUsers() { List<User> users = null; try { users = userRepository.findAll(); log.debug("Number of users fetched: " + users.size()); } catch (Exception e) { e.printStackTrace(); } return users; } public User getUserById(Long uid) { if (uid == null) { throw new UserNotFoundException(null); } User user = userRepository.findById(uid) .orElseThrow(() -> new UserNotFoundException(uid)); return user; } public User updateUser(@RequestBody User newUser, @PathVariable Long id) { log.info("Updating user with id: " + id); return userRepository.findById(id) .map(user -> { user.setUsername(null == newUser.getUsername() ? user.getUsername() : newUser.getUsername()); user.setPassword(null == newUser.getPassword() ? user.getPassword() : newUser.getPassword()); user.setFirstName(null == newUser.getFirstName() ? user.getFirstName() : newUser.getFirstName()); user.setLastName(null == newUser.getLastName() ? user.getLastName() : newUser.getLastName()); user.setEmail(null == newUser.getEmail() ? user.getEmail() : newUser.getEmail()); return userRepository.save(user); }) .orElseGet(() -> { return userRepository.save(newUser); }); } public void deleteUser(Long uid) { if (uid == null) { throw new UserNotFoundException(null); } userRepository.deleteById(uid); } }

增修Controller

@Slf4j @RestController @RequestMapping("/api") public class UserController { @Autowired private UserService userService; @Autowired private UserRepository userRepository; @GetMapping("/public") public String publicApi() { return "public OK"; } @PostMapping("/user") public ResponseEntity<?> createUser(@RequestBody User newUser) { User user = userService.saveUser(newUser); return ResponseEntity.ok(user); } @GetMapping("/user/{uid}") public User getUserById(@PathVariable Long uid) { return userService.getUserById(uid); } @GetMapping("/users") public List<User> getAllUsers() { List<User> users = userRepository.findAll(); return users; } @PutMapping("/users/{uid}") User replaceUser(@RequestBody User newUser, @PathVariable Long uid) { return userService.updateUser(newUser, uid); } @DeleteMapping("/users/{uid}") @PreAuthorize("hasAuthority('delete')") void deleteUser(@PathVariable Long uid) { userService.deleteUser(uid); } }

建立SpringBootTestMockMvc測試範例

import org.junit.jupiter.api.BeforeEach; import org.junit.jupiter.api.MethodOrderer; import org.junit.jupiter.api.Order; import org.junit.jupiter.api.Test; import org.junit.jupiter.api.TestMethodOrder; import org.springframework.beans.factory.annotation.Autowired; import org.springframework.security.test.context.support.WithMockUser; import org.springframework.test.web.servlet.MockMvc; import org.springframework.test.web.servlet.MvcResult; import org.springframework.test.web.servlet.request.MockMvcRequestBuilders; import org.springframework.test.web.servlet.setup.MockMvcBuilders; import org.springframework.web.context.WebApplicationContext; import com.dannyyu.backend.model.User; import com.fasterxml.jackson.databind.ObjectMapper; import static org.springframework.test.web.servlet.request.MockMvcRequestBuilders.*; import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.status; import org.springframework.boot.test.autoconfigure.web.servlet.AutoConfigureMockMvc; import org.springframework.boot.test.context.SpringBootTest; import org.springframework.boot.test.context.SpringBootTest.WebEnvironment; import org.springframework.http.MediaType; import static org.springframework.security.test.web.servlet.request.SecurityMockMvcRequestPostProcessors.user; import static org.springframework.security.test.web.servlet.setup.SecurityMockMvcConfigurers.*; @SpringBootTest(webEnvironment = WebEnvironment.RANDOM_PORT) @AutoConfigureMockMvc @TestMethodOrder(MethodOrderer.OrderAnnotation.class) public class SecurityTest { @Autowired private WebApplicationContext context; private MockMvc mockMvc; static Long uid = 0L; @BeforeEach public void setup() throws Exception { mockMvc = MockMvcBuilders .webAppContextSetup(context) .apply(springSecurity()) .build(); } @Test @Order(7) @WithMockUser(username = "admin", authorities = { "delete", "ROLE_ADMIN" }) void testDeleteUser() throws Exception { mockMvc.perform(delete("/api/users/" + uid)) .andExpect(status().isOk()); } @Test @Order(1) @WithMockUser(username = "admin", roles = { "ADMIN" }) public void testCreateUser() throws Exception { MvcResult result = null; User createdUser = null; String json = ""; User user = new User("test", "123456", "test", "wu", "test@example.com"); String jsoString = asJsonString(user); result = mockMvc.perform( MockMvcRequestBuilders .post("/api/user") .content( jsoString) .contentType(MediaType.APPLICATION_JSON) .accept(MediaType.APPLICATION_JSON)) .andExpect(status().isOk()) .andReturn(); json = result.getResponse().getContentAsString(); createdUser = new ObjectMapper().readValue(json, User.class); uid = createdUser.getId(); } // Public API 無需登入 @Test @Order(2) @WithMockUser(roles = { "USER" }) void testPublicApi() throws Exception { mockMvc.perform(get("/api/public")) .andExpect(status().isOk()); } // 測試 USER角色可存取 /user @Test @Order(3) @WithMockUser(username = "user", roles = { "USER" }) void testUserApi() throws Exception { mockMvc.perform(get("/api/user/" + uid)) .andExpect(status().isOk()); } // 測試 USER 不能存取 /admin @Test @Order(4) @WithMockUser(roles = { "USER" }) void testAdminDenied() throws Exception { mockMvc.perform(get("/api/users")) .andExpect(status().isForbidden()); } // ADMIN 可存取 /users @Test @Order(5) @WithMockUser(roles = { "ADMIN" }) void testAdminApi() throws Exception { mockMvc.perform(get("/api/users")) .andExpect(status().isOk()); } @Test @Order(6) void testUserApiWithRequestPostProcessor() throws Exception { String responseBody = mockMvc.perform( get("/api/user/" + uid).with( user("admin").roles("ADMIN"))) .andExpect(status().isOk()) .andReturn().getResponse().getContentAsString(); System.out.println("****** 取得角色: ******"); System.out.println(responseBody); } public static String asJsonString(final Object obj) { try { return new ObjectMapper().writeValueAsString(obj); } catch (Exception e) { throw new RuntimeException(e); } } }

執行測試案例,成功

% mvn test

. . .

[INFO] -------------------------------------------------------

[INFO] T E S T S

[INFO] -------------------------------------------------------

[INFO] Running com.dannyyu.backend.controller.SecurityTest

. . .

. . .

Hibernate: select u1_0.id,u1_0.email,u1_0.first_name,u1_0.last_name,u1_0.password,u1_0.username from users u1_0 where u1_0.id=?

Hibernate: delete from users where id=?

[INFO] Tests run: 7, Failures: 0, Errors: 0, Skipped: 0, Time elapsed: 2.966 s -- in com.dannyyu.backend.controller.SecurityTest

[INFO]

[INFO] Results:

[INFO]

[INFO] Tests run: 7, Failures: 0, Errors: 0, Skipped: 0

[INFO]

[INFO] ------------------------------------------------------------------------

[INFO] BUILD SUCCESS

. . .

使用 Browser 測試

測試 USER 不能存取 /users (只有admin才可以查看所有使用者)

使用 user 登入

沒處理登入後頁面, 出現 Error Page, 不用擔心,沒事

修改 URL http://localhost:8088/api/users , Enter (查看所有使用者)

權限不足導致請求失敗

有關HTTP 回應狀態碼可參看以下網址

https://developer.mozilla.org/zh-TW/docs/Web/HTTP/Reference/Status

打http://localhost:8088/logout 登出

改使用 Admin 登入

修改 URL http://localhost:8088/api/users , Enter (查看所有使用者)

測試資料來源 users 資料表,不是 admin, user。因為,用於測試,使用 InMemoryUserDetailsManager,建立帳號與密碼並儲存於記憶體中。

查看 WebSecurityConfig

文章到此完結。希望都有所得。
謝謝!

祝妳好運!

http://www.cnnetsun.cn/news/16430.html

相关文章:

  • Windows系统终极清理工具:快速免费释放C盘空间
  • Spring AOP场景3——接口防抖(附带源码)
  • 黑客技术水深!普通人不要随便碰
  • AI建议的C++基础入门顺序
  • 35、使用 Ansible 部署脚本化服务器环境
  • 13、文件操作与命令全解析
  • 第32课 PCB布局的常用操作命令介绍
  • 终极修复指南:彻底解决Atmosphere固件2168-0002启动错误
  • 第一章——办公自动化之Word报告自动生成:解放双手,高效创作
  • 压电材料的d33(纵向压电应变常数)测试流程及影响因素
  • 中烟创新连续两年被认定为国家级科技型中小企业
  • s4cmd完整指南:终极高性能Amazon S3命令行工具
  • 开题报告不是“过关文档”,而是“学术项目启动书”——Paperzz AI开题报告功能深度拆解:从选题模糊到框架清晰,它如何把你的“研究冲动”翻译成“可执行的科研计划”?
  • 1996-2025年政府采购合同公告明细数据
  • 分布式应用框架Microsoft Orleans - 2、动手实践:构建你的第一个Microsoft Orleans应用程序
  • MAC电脑如何开发淘晶驰串口屏
  • Java 中 new 一个对象的过程是怎么样的?
  • 从规则引擎到大模型:文档生成技术的十年进化与现在的最佳实践
  • AI客户端终极指南:多平台支持与工作区管理快速上手
  • 安全审查--跨站请求伪造--Fetch Metadata防护模式
  • uni-app x封装request,统一API接口请求
  • 4大维度解析DeepLX与官方API:技术实战与成本效益终极评测
  • 本地 AI 服务难共享?TRAE SOLO+cpolar 轻松打破局域网枷锁
  • 助力金融信创与云原生转型,DeepFlow 排障智能体和可观测性建设实践
  • 靠谱的模板网站建设哪家好
  • PuLID技术深度解析:重新定义人物身份定制的新范式
  • SGLang结构化生成语言:重塑大模型工具调用的新范式
  • Windows Insider免登录终极指南:轻松获取预览版更新
  • FluidNC运动控制固件:重新定义ESP32 CNC设备的智能控制
  • 【光照】Unity[PBR]环境光中的[漫反射]