- 项目结构
src
└── main
├── java
│ └── com.example.securitydemo
│ ├── RestapiApplication.java
│ ├── config
│ │ └── SecurityConfig.java
│ ├── controller
│ │ └── UserController.java
│ └── service
│ └── CustomUserDetailsService.java
└── resources
├── templates
│ ├── login.html
│ ├── home.html
│ ├── admin.html
├── static
│ └── css
│ └── styles.css
└── application.properties - 创建主应用类
java
package cn.mayanan.restapi;
import org.springframework.boot.SpringApplication;
import org.springframework.boot.autoconfigure.SpringBootApplication;
@SpringBootApplication
public class RestapiApplication {
public static void main(String[] args) {
SpringApplication.run(RestapiApplication.class, args);
}
}- 配置 Spring Security, 创建用户服务
java
package cn.mayanan.restapi.config;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.core.userdetails.User;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
import org.springframework.security.crypto.password.PasswordEncoder;
import org.springframework.security.provisioning.InMemoryUserDetailsManager;
import org.springframework.security.web.SecurityFilterChain;
@Configuration
public class SecurityConfig {
@Bean
public PasswordEncoder passwordEncoder() {
// 使用 BCrypt 作为密码编码器
return new BCryptPasswordEncoder();
}
@Bean
public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
http
.csrf(csrf -> csrf.disable()) // 可选,禁用 CSRF(仅开发时使用)
.authorizeHttpRequests(auth -> auth
.requestMatchers("/login", "/public/**", "/css/**").permitAll() // 公开的资源
.requestMatchers("/admin").hasRole("ADMIN") // 仅 ADMIN 用户可以访问
.anyRequest().authenticated() // 其他请求需要认证
)
.formLogin(form -> form
.loginPage("/login") // 自定义登录页面
.defaultSuccessUrl("/home", true) // 登录成功后跳转
.permitAll()
)
.logout(logout -> logout
.logoutUrl("/logout")
.logoutSuccessUrl("/login?logout") // 登出后跳转
.permitAll()
);
return http.build();
}
@Bean
public UserDetailsService userDetailsService(PasswordEncoder passwordEncoder) {
UserDetails user = User.builder()
.username("user")
.password(passwordEncoder.encode("password"))
.roles("USER")
.build();
UserDetails admin = User.builder()
.username("admin")
.password(passwordEncoder.encode("admin"))
.roles("ADMIN")
.build();
return new InMemoryUserDetailsManager(user, admin);
}
}- 创建控制器
java
package cn.mayanan.restapi.controller;
import org.springframework.stereotype.Controller;
import org.springframework.web.bind.annotation.GetMapping;
@Controller
public class UserController {
@GetMapping("/home")
public String home() {
return "home";
}
@GetMapping("/admin")
public String admin() {
return "admin";
}
@GetMapping("/login")
public String loginPage() {
return "login";
}
}- 添加 HTML 页面
login.html
html
<!DOCTYPE html>
<html lang="en">
<head>
<title>Login</title>
<link rel="stylesheet" href="/css/styles.css">
</head>
<body>
<h2>Login</h2>
<form method="post" action="/login">
<label for="username">Username:</label>
<input type="text" name="username" required><br>
<label for="password">Password:</label>
<input type="password" name="password" required><br>
<button type="submit">Login</button>
</form>
<p>Don't have an account? Contact admin!</p>
</body>
</html>home.html
html
<!DOCTYPE html>
<html lang="en">
<head>
<title>Home</title>
</head>
<body>
<h1>Welcome Home!</h1>
<p>You are logged in.</p>
<a href="/logout">Logout</a>
</body>
</html>admin.html
html
<!DOCTYPE html>
<html lang="en">
<head>
<title>Admin Page</title>
</head>
<body>
<h1>Welcome, Admin!</h1>
<p>Only admins can see this page.</p>
<a href="/logout">Logout</a>
</body>
</html>- 添加静态资源(CSS)
在 src/main/resources/static/css/styles.css 中:
css
body {
font-family: Arial, sans-serif;
margin: 20px;
}
form {
margin: 20px 0;
}
label {
display: block;
margin-bottom: 5px;
}
input {
margin-bottom: 10px;
}- 配置 application.yml
yaml
spring.thymeleaf.cache=false运行步骤
启动项目。
访问 http://localhost:8080/login 进入登录页面。
用户名:user,密码:password
用户名:admin,密码:admin
登录后:
http://localhost:8080/home:普通用户和管理员都可访问。
http://localhost:8080/admin:仅管理员可访问。
登出:点击页面中的 Logout