Spring Security Study Notes


Understanding authentication, authorization, ACL, RBAC, OAuth and SSO

Spring Security official site

Writing it the way the official tutorial shows

Pitfall 1: runtime error java.lang.IllegalArgumentException: There is no PasswordEncoder mapped for the id "null"

Fix: add a PasswordEncoder bean

import org.springframework.context.annotation.Bean;
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
import org.springframework.security.crypto.password.PasswordEncoder;

// Declared in a @Configuration class; DaoAuthenticationProvider picks this bean
// up and uses bcrypt to verify the stored password hashes.
@Bean
public PasswordEncoder passwordEncoder() {
    return new BCryptPasswordEncoder();
}

The following way also works, but nobody keeps users in memory like this in practice; they are looked up from a user center instead.
With this approach there is no need to configure a PasswordEncoder.

Pitfall 2: compile-time error ROLE_USER cannot start with ROLE_ (it is automatically added)

Fix: drop the "ROLE_" prefix

Note:

  1. In-Memory Authentication: memory-based authentication has no practical use; it is only there for convenience in tests or demos.
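Putting both pitfalls together, here is an added example (not code from the original post) of the setup the note recommends: users are looked up from a user center instead of being held in memory, a PasswordEncoder bean is declared, and roles are passed without the ROLE_ prefix. The class name, the USER_CENTER map and the alice account are constructed placeholders standing in for a real user-service client.

```java
import java.util.Map;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.core.userdetails.User;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.core.userdetails.UsernameNotFoundException;
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
import org.springframework.security.crypto.password.PasswordEncoder;

@EnableWebSecurity
@Configuration
public class UserCenterSecurityConfiguration extends WebSecurityConfigurerAdapter {
    // Constructed stand-in for the user center: username -> bcrypt hash.
    // In a real deployment this would be a call to the user service.
    private static final Map<String, String> USER_CENTER = Map.of(
            "alice", new BCryptPasswordEncoder().encode("alice-password"));

    @Bean
    public PasswordEncoder passwordEncoder() {
        // Pitfall 1: without this bean, DaoAuthenticationProvider has no encoder
        // for the stored hash and fails with "no PasswordEncoder mapped for the id null".
        return new BCryptPasswordEncoder();
    }

    @Bean
    public UserDetailsService userDetailsService() {
        return username -> {
            String hash = USER_CENTER.get(username);
            if (hash == null) {
                throw new UsernameNotFoundException("unknown user: " + username);
            }
            // Pitfall 2: roles() prepends ROLE_ itself, so pass "USER", never "ROLE_USER".
            return User.withUsername(username).password(hash).roles("USER").build();
        };
    }

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http.authorizeRequests()
                .antMatchers("/public/**").permitAll()
                .antMatchers("/admin/**").hasRole("ADMIN") // hasRole() also adds ROLE_ itself
                .anyRequest().authenticated()
                .and()
                .formLogin();
    }
}
```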

How to disable login

import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;

@EnableWebSecurity
@Configuration
public class SpringSecurityConfiguration extends WebSecurityConfigurerAdapter {

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        // Let every request through without authentication, and switch off
        // CSRF protection and the form login page. This leaves the application
        // with no access control at all, so apply it only where that is intended.
        http.authorizeRequests()
                .anyRequest().permitAll()
                .and()
                .csrf().disable()
                .formLogin().disable();
    }
}
