⒈添加starter依赖

 1         <dependency>
 2             <groupId>org.springframework.boot</groupId>
 3             <artifactId>spring-boot-starter-web</artifactId>
 4         </dependency>
 5 
 6         <dependency>
 7             <groupId>org.springframework.boot</groupId>
 8             <artifactId>spring-boot-starter-security</artifactId>
 9         </dependency>
10 
11         <dependency>
12             <groupId>org.springframework.boot</groupId>
13             <artifactId>spring-boot-starter-thymeleaf</artifactId>
14         </dependency>
15 
16         <!--添加Thymeleaf Spring Security依赖-->
17         <dependency>
18             <groupId>org.thymeleaf.extras</groupId>
19             <artifactId>thymeleaf-extras-springsecurity4</artifactId>
20             <version>3.0.4.RELEASE</version>
21         </dependency>

⒉使用配置类定义授权与定义规则

 1 package cn.coreqi.config;
 2 
 3 import org.springframework.context.annotation.Configuration;
 4 import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
 5 import org.springframework.security.config.annotation.web.builders.HttpSecurity;
 6 import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
 7 import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
 8 
 9 //@Configuration
10 @EnableWebSecurity
11 public class SecurityConfig extends WebSecurityConfigurerAdapter {
12 
13     //定义授权规则
14     @Override
15     protected void configure(HttpSecurity http) throws Exception {
16         //定制请求授权规则
17         http.authorizeRequests()
18                 .antMatchers("/css/**","/js/**","/fonts/**","index").permitAll()    //不拦截，直接访问
19                 .antMatchers("/vip1/**").hasRole("VIP1")
20                 .antMatchers("/vip2/**").hasRole("VIP2")
21                 .antMatchers("/vip3/**").hasRole("VIP3");
22         //开启登陆功能（自动配置）
23         //如果没有登陆就会来到/login（自动生成）登陆页面
24         //如果登陆失败就会重定向到/login?error
25         //默认post形式的/login代表处理登陆
26         http.formLogin().loginPage("/userLogin").failureUrl("/login-error");
27         //开启自动配置的注销功能
28         //访问/logout表示用户注销，清空session
29         //注销成功会返回/login?logout页面
30         //logoutSuccessUrl()设置注销成功后跳转的页面地址
31         http.logout().logoutSuccessUrl("/");
32         //开启记住我功能
33         //登陆成功以后，将cookie发给浏览器保存，以后访问页面带上这个cookie，只要通过检查就可以免登陆
34         //点击注销会删除cookie
35         http.rememberMe();
36     }
37 
38     //定义认证规则
39     @Override
40     protected void configure(AuthenticationManagerBuilder auth) throws Exception {
41         //jdbcAuthentication()  在JDBC中查找用户
42         //inMemoryAuthentication() 在内存中查找用户
43 
44         auth.inMemoryAuthentication().withUser("fanqi").password("admin").roles("VIP1","VIP2","VIP3")
45                 .and()
46                 .withUser("zhangsan").password("123456").roles("VIP1");
47     }
48 }

⒊编写控制器类（略）

⒋编写相关页面

 1 <!DOCTYPE html>
 2 <html lang="en"
 3       xmlns:th="http://www.thymeleaf.org"
 4       xmlns:layout="http://www.ultraq.net.nz/thymeleaf/layout"
 5       xmlns:sec="http://www.thymeleaf.org/thymeleaf-extras-springsecurity4">
 6 <head>
 7     <meta charset="UTF-8">
 8     <title>登录页面</title>
 9 </head>
10 <body>
11     <div sec:authorize="isAuthenticated()">
12         <p>用户已登录</p>
13         <p>登录的用户名为：<span sec:authentication="name"></span></p>
14         <p>用户角色为：<span sec:authentication="principal.authorities"></span></p>
15     </div>
16     <div sec:authorize="isAnonymous()">
17         <p>用户未登录</p>
18     </div>
19 </body>
20 </html>