springsecurity入门

SpringSecurity

https://docs.spring.io/spring-security/site/docs/current/reference/html5/#prerequisites

概念

Spring Security is a framework that provides authentication, authorization, and protection against common attacks. With first class support for both imperative and reactive applications, it is the de-facto standard for securing Spring-based applications.

Spring Security 是一个提供身份验证、授权和针对常见攻击的保护的框架。凭借对命令式和反应式应用程序的一流支持，它是基于 保护Spring 的应用程序为标准。

它的核心是一组过滤器链，不同的功能经由不同的过滤器

  org.springframework.security.web.context.request.async.WebAsyncManagerIntegrationFilter //异步方式
  org.springframework.security.web.context.SecurityContextPersistenceFilter //同步方式
  org.springframework.security.web.header.HeaderWriterFilter // 给http响应头（Header）对象添加一些属性，比如X-Frame-Options，X-XSS-Protection*，X-Content-Type-Options。
  org.springframework.security.web.csrf.CsrfFilter //默认开启，用于防止csrf攻击的过滤器
  org.springframework.security.web.authentication.logout.LogoutFilter //处理注销的过滤器
  org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter //对登录post请求中的用户名和密码的校验
　//如果没有配置/login及login page, 系统则会自动配置这两个Filter。
  org.springframework.security.web.authentication.ui.DefaultLoginPageGeneratingFilter 
  org.springframework.security.web.authentication.ui.DefaultLogoutPageGeneratingFilter
  
  org.springframework.security.web.authentication.www.BasicAuthenticationFilter
  org.springframework.security.web.savedrequest.RequestCacheAwareFilter //内部维护了一个RequestCache，用于缓存request请求
  org.springframework.security.web.servletapi.SecurityContextHolderAwareRequestFilter //对ServletRequest进行了一次包装，使得request具有更加丰富的API
  org.springframework.security.web.authentication.AnonymousAuthenticationFilter //匿名身份过滤器
  org.springframework.security.web.session.SessionManagementFilter //和session相关的过滤器
  org.springframework.security.web.access.ExceptionTranslationFilter //异常转换过滤器
  org.springframework.security.web.access.intercept.FilterSecurityInterceptor //决定访问特定路径应该具备的权限

入门示例

添加依赖

    <dependency>
        <groupId>org.springframework.boot</groupId>
        <artifactId>spring-boot-starter-security</artifactId>
    </dependency>

编写Controller

@RestController
public class TestController {

    @GetMapping("/test")
    public String test(){

        return "Hello Security";
    }
}

访问地址：http://localhost:8080/test

 

security有固定的用户名：User

生成临时密码：