In Spring Security, we verify the ID and password entered on the login screen against the DB and build a simple feature that restricts access to specific URLs by user role. So far we have implemented direct-link prevention, the login function, Japanese localization of error messages, and password hashing (BCrypt); now we will add logout as well.
SecurityConfig.java
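//Partial excerpt, full text is for reference below
//Logout process. Restricted to POST: without a method, the matcher accepts GET too,
//so a cross-site request such as <img src="/logout"> could log the user out
//(CSRF protection is disabled in this config, so nothing else would stop it).
//logoutRequestMatcher() takes precedence over logoutUrl(), so only the matcher is set.
http
    .logout()
    .logoutRequestMatcher(new AntPathRequestMatcher("/logout", "POST"))
    .logoutSuccessUrl("/login"); //URL after successful logout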
SecurityConfig.java
package com.example.demo;
import javax.sql.DataSource;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.builders.WebSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
import org.springframework.security.crypto.password.PasswordEncoder;
import org.springframework.security.web.util.matcher.AntPathRequestMatcher;
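@EnableWebSecurity
@Configuration
public class SecurityConfig extends WebSecurityConfigurerAdapter {
    // NOTE(review): WebSecurityConfigurerAdapter is deprecated from Spring Security 5.7;
    // kept here because the version in use is not visible from this file.

    /** Data source the JDBC user and role lookups below run against. */
    @Autowired
    private DataSource dataSource;

    /**
     * Password encoder shared by sign-up (storing) and login (verifying).
     * BCrypt is a salted, adaptive hash, so the password column must hold
     * BCrypt hashes, never plaintext.
     */
    @Bean
    public PasswordEncoder passwordEncoder() {
        return new BCryptPasswordEncoder();
    }

    /**
     * Credential lookup. Column order is what jdbcAuthentication expects:
     * username, password, enabled. Every account is treated as enabled
     * (hard-coded {@code true}); there is no disabled/locked flag in m_user.
     * The submitted user ID is bound with {@code ?}, never concatenated.
     */
    private static final String USER_SQL = "SELECT"
            + " user_id,"
            + " password,"
            + " true"
            + " FROM"
            + " m_user"
            + " WHERE"
            + " user_id = ?";

    /**
     * Authority lookup (username, authority), one row per role.
     * Values in the role column must carry the ROLE_ prefix if they are
     * checked with hasRole()/hasAuthority("ROLE_...") later on.
     */
    private static final String ROLE_SQL = "SELECT"
            + " user_id,"
            + " role"
            + " FROM"
            + " m_user"
            + " WHERE"
            + " user_id = ?";

    /**
     * Static resources bypass the security filter chain completely.
     * NOTE(review): ignored paths also lose the security response headers;
     * the permitAll() rules in configure(HttpSecurity) already cover them,
     * so this could be dropped if headers on static files matter.
     */
    @Override
    public void configure(WebSecurity web) throws Exception {
        // Plain ASCII "**" is required; the Unicode look-alike asterisk (U+2217)
        // silently matches nothing and leaves these paths protected.
        web.ignoring().antMatchers("/webjars/**", "/css/**");
    }

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        // Pages reachable without a session; everything else needs authentication.
        http
            .authorizeRequests()
                .antMatchers("/webjars/**").permitAll()   // webjars
                .antMatchers("/css/**").permitAll()       // stylesheets
                .antMatchers("/login").permitAll()        // login page may be linked directly
                .antMatchers("/signup").permitAll()       // registration page may be linked directly
                // .antMatchers("/admin").hasAuthority("ROLE_ADMIN") // admin-only area (not yet enabled)
                .anyRequest().authenticated();            // no direct links anywhere else

        // Form login: credentials are POSTed to /login with the parameter names below.
        http
            .formLogin()
                .loginProcessingUrl("/login")          // where the form posts
                .loginPage("/login")                   // custom login page
                .failureUrl("/login")                  // back to the form on failure
                .usernameParameter("userId")           // form field holding the user ID
                .passwordParameter("password")         // form field holding the password
                .defaultSuccessUrl("/home", true);     // always land on /home after login

        // Logout. Restricted to POST: a matcher without a method accepts GET as well,
        // so a cross-site request such as <img src="/logout"> could log the user out,
        // and with CSRF disabled below nothing else would stop it. The logout control
        // must therefore be a POST form. logoutRequestMatcher() takes precedence over
        // logoutUrl(), so only the matcher is configured.
        http
            .logout()
                .logoutRequestMatcher(new AntPathRequestMatcher("/logout", "POST"))
                .logoutSuccessUrl("/login");           // back to the login page afterwards

        // SECURITY: CSRF protection is disabled ("temporary" in the original).
        // Every state-changing form (login, signup, logout) is forgeable cross-site
        // while this line is here; re-enable it and submit the _csrf token before release.
        http.csrf().disable();
    }

    /** Authenticate against m_user via JDBC, comparing BCrypt hashes with passwordEncoder(). */
    @Override
    protected void configure(AuthenticationManagerBuilder auth) throws Exception {
        auth.jdbcAuthentication()
            .dataSource(dataSource)
            .usersByUsernameQuery(USER_SQL)
            .authoritiesByUsernameQuery(ROLE_SQL)
            .passwordEncoder(passwordEncoder());
    }
}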