
@ishiis
Last active February 7, 2019 07:08
<dependency>
    <groupId>org.springframework.boot</groupId>
    <artifactId>spring-boot-starter-data-jpa</artifactId>
</dependency>
<dependency>
    <groupId>org.springframework.boot</groupId>
    <artifactId>spring-boot-starter-data-redis</artifactId>
</dependency>
<dependency>
    <groupId>org.springframework.boot</groupId>
    <artifactId>spring-boot-starter-security</artifactId>
</dependency>
<dependency>
    <groupId>org.springframework.session</groupId>
    <artifactId>spring-session</artifactId>
</dependency>
<dependency>
    <groupId>org.springframework.boot</groupId>
    <artifactId>spring-boot-starter-web</artifactId>
</dependency>
<dependency>
    <groupId>mysql</groupId>
    <artifactId>mysql-connector-java</artifactId>
    <scope>runtime</scope>
</dependency>
$ mysql -uroot -p
mysql> CREATE DATABASE sampledb;
-- Table read by the two lookup queries in SecurityConfig; each user row carries a single authority.
mysql> create table users(
  username varchar(128) not null primary key,
  password varchar(128) not null,
  authority varchar(32) not null,
  enabled boolean not null
);
-- Demo row only: the password column holds the literal string "password".
-- Outside a throwaway local database, store a bcrypt (or comparable) hash here and
-- configure the matching PasswordEncoder on the JDBC authentication builder.
mysql> INSERT INTO users (username, password, authority, enabled)
VALUES ("ishii", "password", "ROLE_ADMIN", true); 
# Local demo settings only. The application connects as the MySQL root account with a
# guessable password. For anything beyond a local test, use a dedicated account that is
# limited to sampledb, and supply its password from the environment or a secret store
# rather than committing it in this file.
spring.datasource.url=jdbc:mysql://localhost/sampledb
spring.datasource.username=root
spring.datasource.password=password
spring.datasource.driver-class-name=com.mysql.jdbc.Driver
/**
 * Web security setup for the sample: form login whose users and authorities are read
 * from the {@code users} table through the injected {@link DataSource}.
 *
 * <p>"/" is open to everyone; every other request requires an authenticated user.
 * CSRF protection is left at its default (it is not disabled anywhere in this class).
 */
@Configuration
@EnableWebSecurity
public class SecurityConfig extends WebSecurityConfigurerAdapter {

    // Injected by Spring; used for the credential and authority lookups in configureGlobal.
    @Autowired
    DataSource dataSource;

    /**
     * Declares the URL access rules, the login form and the logout endpoint.
     *
     * @param http the security builder supplied by Spring Security
     * @throws Exception propagated from the configurer calls
     */
    @Override
    protected void configure(HttpSecurity http) throws Exception {
        // Access rules: only "/" is public, everything else needs a login.
        http.authorizeRequests()
                .antMatchers("/").permitAll()
                .anyRequest().authenticated();

        // Form login: success goes to /home, failure goes back to /login.
        http.formLogin()
                .defaultSuccessUrl("/home")
                .failureUrl("/login")
                .usernameParameter("username")
                .passwordParameter("password");

        // Author's note (translated): .logoutUrl("/logout") does not work.
        // Presumably because, with CSRF protection enabled, logoutUrl only accepts POST.
        // NOTE(review): this single-argument matcher accepts any HTTP method, so a plain
        // GET /logout (for example one triggered from another site) ends the session.
        // Prefer a POST logout that carries the CSRF token outside of a demo.
        AntPathRequestMatcher logoutMatcher = new AntPathRequestMatcher("/logout");
        http.logout()
                .logoutRequestMatcher(logoutMatcher)
                .logoutSuccessUrl("/");
    }

    /**
     * Registers JDBC-backed authentication on the global builder.
     *
     * <p>Both lookups bind the username through a {@code ?} placeholder, so the login
     * name is never concatenated into the SQL text.
     *
     * @param auth the authentication manager builder supplied by Spring
     * @throws Exception propagated from the JDBC configurer
     */
    @Autowired
    public void configureGlobal(AuthenticationManagerBuilder auth) throws Exception {
        final String userLookup =
                "SELECT username, password, enabled from users WHERE username = ?";
        final String authorityLookup =
                "SELECT username, authority FROM users WHERE username = ?";

        // NOTE(review): no passwordEncoder(...) is set, and the sample row stores the
        // password as clear text. How it is compared depends on the Spring Security
        // version's default. Real deployments should store bcrypt/argon2 hashes and
        // configure the matching PasswordEncoder here.
        auth.jdbcAuthentication()
                .dataSource(dataSource)
                .usersByUsernameQuery(userLookup)
                .authoritiesByUsernameQuery(authorityLookup);
    }
}
<!-- Login form as rendered for /login. SecurityConfig sets no custom login page, so this is
     presumably the page Spring Security generates. The hidden _csrf value is bound to the
     session and must be posted together with the credentials; the value shown is a sample
     captured from one session. -->
<h3>Login with Username and Password</h3>
<form name="f" action="/login" method="POST">
  <table>
  	<tbody><tr><td>User:</td><td><input name="username" value="" type="text"></td></tr>
  	<tr><td>Password:</td><td><input name="password" type="password"></td></tr>
  	<tr><td colspan="2"><input name="submit" value="Login" type="submit"></td></tr>
  	<input name="_csrf" value="0591fc72-5106-43ce-a165-3d724023549f" type="hidden">
    </tbody>
  </table>
</form>
/**
 * Minimal endpoints used to observe the login state: "/" is the public landing page,
 * "/home" and "/hogehoge" echo the name of the current principal.
 *
 * <p>NOTE(review): the principal name is written into the response body without any
 * escaping. If user names can ever contain markup and the response is served as HTML,
 * encode the name before echoing it.
 */
@Controller
public class HomeController {

    /**
     * Serves the landing page.
     *
     * @param principal the current user; not read by this handler
     * @return the fixed text {@code "ROOT PAGE"}
     */
    @RequestMapping("/")
    @ResponseBody
    String root(Principal principal){
        final String body = "ROOT PAGE";
        return body;
    }

    /**
     * Shows who is logged in.
     *
     * @param principal the current user; dereferenced without a null check
     * @return {@code "Login User Name:"} followed by the principal's name
     */
    @RequestMapping("/home")
    @ResponseBody
    String home(Principal principal){
        return describe("Login User Name:", principal);
    }

    /**
     * Second page that echoes the principal's name.
     *
     * @param principal the current user; dereferenced without a null check
     * @return {@code "Hogehoge:"} followed by the principal's name
     */
    @RequestMapping("/hogehoge")
    @ResponseBody
    String hogehoge(Principal principal){
        return describe("Hogehoge:", principal);
    }

    // Joins a fixed label with the principal's name; shared by the two echo handlers.
    private static String describe(String label, Principal who) {
        return label + who.getName();
    }
}

ブラウザからSessionIDを確認

Cookie:"SESSION=e36d64ed-cc04-47f8-939f-a45d3bd50333"
redis-cli
127.0.0.1:6379> flushall
OK
127.0.0.1:6379> keys *
(empty list or set)
127.0.0.1:6379> keys *
1) "spring:session:sessions:expires:e36d64ed-cc04-47f8-939f-a45d3bd50333"
2) "spring:session:index:org.springframework.session.FindByIndexNameSessionRepository.PRINCIPAL_NAME_INDEX_NAME:ishii"
3) "spring:session:sessions:da641b42-a7be-4da0-bdde-8de964f7d218"
4) "spring:session:expirations:1471638540000"
5) "spring:session:sessions:e36d64ed-cc04-47f8-939f-a45d3bd50333"
6) "spring:session:expirations:1471636740000"

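それっぽいキーの中身を確認。値の先頭にある \xac\xed\x00\x05 は Java 標準シリアライズのヘッダで、セッション属性(CSRF トークンや SecurityContext)が Java オブジェクトとしてそのまま Redis に保存されていることが分かる。Redis に接続できる相手はこれらのセッション情報を読み書きできるため、検証用途以外では Redis に認証とネットワーク制限をかけておくこと。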

127.0.0.1:6379> type "spring:session:index:org.springframework.session.FindByIndexNameSessionRepository.PRINCIPAL_NAME_INDEX_NAME:ishii"
set
127.0.0.1:6379> smembers "spring:session:index:org.springframework.session.FindByIndexNameSessionRepository.PRINCIPAL_NAME_INDEX_NAME:ishii"
1) "\xac\xed\x00\x05t\x00$e36d64ed-cc04-47f8-939f-a45d3bd50333"
127.0.0.1:6379> type "spring:session:sessions:e36d64ed-cc04-47f8-939f-a45d3bd50333"
hash
127.0.0.1:6379> hgetall "spring:session:sessions:e36d64ed-cc04-47f8-939f-a45d3bd50333"
 1) "lastAccessedTime"
 2) "\xac\xed\x00\x05sr\x00\x0ejava.lang.Long;\x8b\xe4\x90\xcc\x8f#\xdf\x02\x00\x01J\x00\x05valuexr\x00\x10java.lang.Number\x86\xac\x95\x1d\x0b\x94\xe0\x8b\x02\x00\x00xp\x00\x00\x01V\xa4f`\xc7"
 3) "sessionAttr:org.springframework.security.web.csrf.HttpSessionCsrfTokenRepository.CSRF_TOKEN"
 4) "\xac\xed\x00\x05sr\x006org.springframework.security.web.csrf.DefaultCsrfTokenZ\xef\xb7\xc8/\xa2\xfb\xd5\x02\x00\x03L\x00\nheaderNamet\x00\x12Ljava/lang/String;L\x00\rparameterNameq\x00~\x00\x01L\x00\x05tokenq\x00~\x00\x01xpt\x00\x0cX-CSRF-TOKENt\x00\x05_csrft\x00$616f9356-72b7-4305-a9ad-971c87bf22d2"
 5) "creationTime"
 6) "\xac\xed\x00\x05sr\x00\x0ejava.lang.Long;\x8b\xe4\x90\xcc\x8f#\xdf\x02\x00\x01J\x00\x05valuexr\x00\x10java.lang.Number\x86\xac\x95\x1d\x0b\x94\xe0\x8b\x02\x00\x00xp\x00\x00\x01V\xa4bh\xec"
 7) "sessionAttr:SPRING_SECURITY_CONTEXT"
 8) "\xac\xed\x00\x05sr\x00=org.springframework.security.core.context.SecurityContextImpl\x00\x00\x00\x00\x00\x00\x01\x9a\x02\x00\x01L\x00\x0eauthenticationt\x002Lorg/springframework/security/core/Authentication;xpsr\x00Oorg.springframework.security.authentication.UsernamePasswordAuthenticationToken\x00\x00\x00\x00\x00\x00\x01\x9a\x02\x00\x02L\x00\x0bcredentialst\x00\x12Ljava/lang/Object;L\x00\tprincipalq\x00~\x00\x04xr\x00Gorg.springframework.security.authentication.AbstractAuthenticationToken\xd3\xaa(~nGd\x0e\x02\x00\x03Z\x00\rauthenticatedL\x00\x0bauthoritiest\x00\x16Ljava/util/Collection;L\x00\adetailsq\x00~\x00\x04xp\x01sr\x00&java.util.Collections$UnmodifiableList\xfc\x0f%1\xb5\xec\x8e\x10\x02\x00\x01L\x00\x04listt\x00\x10Ljava/util/List;xr\x00,java.util.Collections$UnmodifiableCollection\x19B\x00\x80\xcb^\xf7\x1e\x02\x00\x01L\x00\x01cq\x00~\x00\x06xpsr\x00\x13java.util.ArrayListx\x81\xd2\x1d\x99\xc7a\x9d\x03\x00\x01I\x00\x04sizexp\x00\x00\x00\x01w\x04\x00\x00\x00\x01sr\x00Borg.springframework.security.core.authority.SimpleGrantedAuthority\x00\x00\x00\x00\x00\x00\x01\x9a\x02\x00\x01L\x00\x04rolet\x00\x12Ljava/lang/String;xpt\x00\nROLE_ADMINxq\x00~\x00\rsr\x00Horg.springframework.security.web.authentication.WebAuthenticationDetails\x00\x00\x00\x00\x00\x00\x01\x9a\x02\x00\x02L\x00\rremoteAddressq\x00~\x00\x0fL\x00\tsessionIdq\x00~\x00\x0fxpt\x00\x0f0:0:0:0:0:0:0:1t\x00$da641b42-a7be-4da0-bdde-8de964f7d218psr\x002org.springframework.security.core.userdetails.User\x00\x00\x00\x00\x00\x00\x01\x9a\x02\x00\aZ\x00\x11accountNonExpiredZ\x00\x10accountNonLockedZ\x00\x15credentialsNonExpiredZ\x00\aenabledL\x00\x0bauthoritiest\x00\x0fLjava/util/Set;L\x00\bpasswordq\x00~\x00\x0fL\x00\busernameq\x00~\x00\x0fxp\x01\x01\x01\x01sr\x00%java.util.Collections$UnmodifiableSet\x80\x1d\x92\xd1\x8f\x9b\x80U\x02\x00\x00xq\x00~\x00\nsr\x00\x11java.util.TreeSet\xdd\x98P\x93\x95\xed\x87[\x03\x00\x00xpsr\x00Forg.springframework.security.core.userdetails.User$AuthorityComparator\x00\x00\x0
0\x00\x00\x00\x01\x9a\x02\x00\x00xpw\x04\x00\x00\x00\x01q\x00~\x00\x10xpt\x00\x05ishii"
 9) "maxInactiveInterval"
10) "\xac\xed\x00\x05sr\x00\x11java.lang.Integer\x12\xe2\xa0\xa4\xf7\x81\x878\x02\x00\x01I\x00\x05valuexr\x00\x10java.lang.Number\x86\xac\x95\x1d\x0b\x94\xe0\x8b\x02\x00\x00xp\x00\x00\a\b"
11) "sessionAttr:SPRING_SECURITY_LAST_EXCEPTION"
12) ""
127.0.0.1:6379>