zoukankan      html  css  js  c++  java
  • Spring security工作流程及集成

    A user enters their username and password into a login screen and clicks a login button. The entered information is placed into an object called Authentication which is passed to the AuthenticationManager’s authenticate method. this method will loop through all AuthenticationProviders that are configured and calls their authenticate method, passing in the Authentication object. Each AuthenticationProvider will calls its configured UserDetailsService’s loadUserByUserName method.

    1. spring-security.xml配置文件如下所示:

    <http auto-config="true">
        <intercept-url pattern="/admin**" access="ROLE_ADMIN" />
        <intercept-url pattern="/dba**" access="ROLE_ADMIN,ROLE_DBA" />
    </http>
    
    <authentication-manager>
      <authentication-provider>
        <user-service>
        <user name="mkyong" password="123456" authorities="ROLE_USER" />
        <user name="admin" password="123456" authorities="ROLE_ADMIN" />
        <user name="dba" password="123456" authorities="ROLE_DBA" />
        </user-service>
      </authentication-provider>
    </authentication-manager>

    等同于下面的注解

    import org.springframework.beans.factory.annotation.Autowired;
    import org.springframework.context.annotation.Configuration;
    import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
    import org.springframework.security.config.annotation.web.builders.HttpSecurity;
    import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
    import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
    
    @Configuration
    @EnableWebSecurity
    public class SecurityConfig extends WebSecurityConfigurerAdapter {
    
        @Autowired
        public void configureGlobal(AuthenticationManagerBuilder auth) throws Exception {
          auth.inMemoryAuthentication().withUser("mkyong").password("123456").roles("USER");
          auth.inMemoryAuthentication().withUser("admin").password("123456").roles("ADMIN");
          auth.inMemoryAuthentication().withUser("dba").password("123456").roles("DBA");
        }
    
        @Override
        protected void configure(HttpSecurity http) throws Exception {
    
          http.authorizeRequests()
            .antMatchers("/admin/**").access("hasRole('ROLE_ADMIN')")
            .antMatchers("/dba/**").access("hasRole('ROLE_ADMIN') or hasRole('ROLE_DBA')")
            .and().formLogin();
    
        }
    }

    其中,@EnableWebSecurity等同于配置文件spring-security.xml

    2. web.xml集成spring-security

           <!-- Loads Spring Security config file -->
        <context-param>
            <param-name>contextConfigLocation</param-name>
            <param-value>
                /WEB-INF/spring-security.xml
            </param-value>
        </context-param>
    
        <!-- Spring Security -->
        <filter>
            <filter-name>springSecurityFilterChain</filter-name>
            <filter-class>org.springframework.web.filter.DelegatingFilterProxy
            </filter-class>
        </filter>
    
        <filter-mapping>
            <filter-name>springSecurityFilterChain</filter-name>
            <url-pattern>/*</url-pattern>
        </filter-mapping>

    相同功能的注解实现:

    import org.springframework.security.web.context.AbstractSecurityWebApplicationInitializer;
    
    public class SpringSecurityInitializer extends AbstractSecurityWebApplicationInitializer {
       //do nothing
    }

    其中,AbstractSecurityWebApplicationInitializer的实现类自动加载springSecurityFilterChain

    3. spring.xml配置文件

    <context:component-scan base-package="com.test.web.*" />
    
    <bean
        class="org.springframework.web.servlet.view.InternalResourceViewResolver">
        <property name="prefix">
            <value>/WEB-INF/pages/</value>
        </property>
        <property name="suffix">
            <value>.jsp</value>
        </property>
    </bean>

    相同功能的注解:

    import org.springframework.context.annotation.Bean;
    import org.springframework.context.annotation.ComponentScan;
    import org.springframework.context.annotation.Configuration;
    import org.springframework.context.annotation.Import;
    import org.springframework.web.servlet.config.annotation.EnableWebMvc;
    import org.springframework.web.servlet.view.InternalResourceViewResolver;
    import org.springframework.web.servlet.view.JstlView;
    
    @EnableWebMvc
    @Configuration
    @ComponentScan({ "com.test.web.*" })
    @Import({ SecurityConfig.class })
    public class AppConfig {
    
        @Bean
        public InternalResourceViewResolver viewResolver() {
            InternalResourceViewResolver viewResolver
                              = new InternalResourceViewResolver();
            viewResolver.setViewClass(JstlView.class);
            viewResolver.setPrefix("/WEB-INF/pages/");
            viewResolver.setSuffix(".jsp");
            return viewResolver;
        }
    
    }

    4. spring DispatcherServlet配置

        <!-- Spring MVC -->
        <servlet>
            <servlet-name>mvc-dispatcher</servlet-name>
            <servlet-class>org.springframework.web.servlet.DispatcherServlet
            </servlet-class>
            <load-on-startup>1</load-on-startup>
        </servlet>
        <servlet-mapping>
            <servlet-name>mvc-dispatcher</servlet-name>
            <url-pattern>/</url-pattern>
        </servlet-mapping>

    等同功能的注解

    import org.springframework.web.servlet.support.AbstractAnnotationConfigDispatcherServletInitializer;
    import com.mkyong.config.AppConfig;
    
    public class SpringMvcInitializer
           extends AbstractAnnotationConfigDispatcherServletInitializer {
    
        @Override
        protected Class<?>[] getRootConfigClasses() {
            return new Class[] { AppConfig.class };
        }
    
        @Override
        protected Class<?>[] getServletConfigClasses() {
            return null;
        }
    
        @Override
        protected String[] getServletMappings() {
            return new String[] { "/" };
        }
    
    }

    参考文献:

    【1】http://stackoverflow.com/questions/23088004/spring-security-workflow

    【2】http://www.mkyong.com/tutorials/spring-security-tutorials/

    【3】http://www.mkyong.com/spring-security/spring-security-hello-world-annotation-example/

  • 相关阅读:
    Spring Cloud微服务安全实战_5-4_认证服务器使用spring session
    Spring Cloud微服务安全实战_5-3_基于session的SSO
    Spring Cloud微服务安全实战_5-2_实现授权码认证流程&实现SSO初步
    Spring Cloud微服务安全实战_5-1_单点登录基本架构
    Linux启动Spring boot项目命令
    Spring Cloud微服务安全实战_4-10_用spring-cloud-zuul-ratelimit做限流
    Spring Cloud微服务安全实战_4-9_用zuul网关解耦安全逻辑和业务逻辑
    Spring Cloud微服务安全实战_4-8_网关安全_01
    Spring Cloud微服务安全实战_4-7_token&client信息持久化到数据库
    几个好用Maven 镜像仓库地址
  • 原文地址:https://www.cnblogs.com/davidwang456/p/6509195.html
Copyright © 2011-2022 走看看