一、SpringSecurity的模块
At the least, you’ll want to include the Core and Configuration modules in your application’s classpath. Spring Security is often used to secure web applications, and that’s certainly the case with the Spittr application, so you’ll also need to add the Web module. We’ll also be taking advantage of Spring Security’s JSP tag library, so you’ll need to add that module to the mix.
二、开启SpringSecurity的DelegatingFilterProxy
Spring Security employs several servlet filters to provide various aspects of security.You might be thinking that means you’ll need to configure several filters in a web.xml file, or perhaps in a WebApplicationInitializer class. But thanks to a little Spring magic, you’ll only need to configure one of those filters.
DelegatingFilterProxy is a special servlet filter that, by itself, doesn’t do much.Instead, it delegates to an implementation of javax.servlet.Filter that’s registered as a <bean> in the Spring application context, as illustrated in figure 9.1.
1.Java形式
If you'd rather configure DelegatingFilterProxy in Java with a WebApplicationInitializer , then all you need to do is create a new class that extends AbstractSecurityWebApplicationInitializer
1 package spittr.config; 2 3 import org.springframework.security.web.context.AbstractSecurityWebApplicationInitializer; 4 5 public class SecurityWebInitializer extends AbstractSecurityWebApplicationInitializer { 6 }
AbstractSecurityWebApplicationInitializer implements WebApplicationInitializer , so it will be discovered by Spring and be used to register DelegatingFilterProxy with the web container. Although you can override its appendFilters() or insertFilters() methods to register filters of your own choosing, you need not override anything to register DelegatingFilterProxy
2.xml形式
1 <filter> 2 <filter-name>springSecurityFilterChain</filter-name> 3 <filter-class> 4 org.springframework.web.filter.DelegatingFilterProxy 5 </filter-class> 6 </filter>
The most important thing here is that the <filter-name> be set to springSecurityFilterChain . That’s because you’ll soon be configuring Spring Security for web security, and there will be a filter bean named springSecurityFilterChain that
DelegatingFilterProxy will need to delegate to.
Whether you configure DelegatingFilterProxy in web.xml or by subclassing AbstractSecurityWebApplicationInitializer , it will intercept requests coming into the application and delegate them to a bean whose ID is springSecurityFilterChain .
As for the springSecurityFilterChain bean itself, it’s another special filter known as FilterChainProxy . It’s a single filter that chains together one or more additional filters. Spring Security relies on several servlet filters to provide different security features, but you should almost never need to know these details, as you likely won’t need to explicitly declare the springSecurityFilterChain bean or any of the filters it chains together. Those filters will be created when you enable web security.
三、编写简单的SpringSecurity配置
1.Java形式
(1)一般应用,@EnableWebSecurity
1 package spitter.config; 2 import org.springframework.context.annotation.Configuration; 3 import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity; 4 import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter; 5 6 @Configuration 7 @EnableWebSecurity 8 public class SecurityConfig extends WebSecurityConfigurerAdapter {}
As its name suggests, the @EnableWebSecurity annotation enables web security. It is useless on its own, however. Spring Security must be configured in a bean that implements WebSecurityConfigurer or (for convenience) extends WebSecurityConfigurerAdapter . Any bean in the Spring application context that implements WebSecurityConfigurer can contribute to Spring Security configuration, but it’s often most convenient for the configuration class to extend WebSecurityConfigurerAdapter , as shown in listing 9.1. @EnableWebSecurity is generally useful for enabling security in any web application. But if you happen to be developing a Spring MVC application, you should consider using @EnableWebMvcSecurity instead
(2)SpringMVC应用@EnableWebMvcSecurity
1 package spitter.config; 2 import org.springframework.context.annotation.Configuration; 3 import org.springframework.security.config.annotation.web. 4 configuration.WebSecurityConfigurerAdapter; 5 import org.springframework.security.config.annotation.web.servlet. 6 configuration.EnableWebMvcSecurity; 7 8 @Configuration 9 @EnableWebMvcSecurity 10 public class SecurityConfig extends WebSecurityConfigurerAdapter { 11 }
Among other things, the @EnableWebMvcSecurity annotation configures a Spring MVC argument resolver so that handler methods can receive the authenticated user’s principal (or username) via @AuthenticationPrincipal -annotated parameters. It also configures a bean that automatically adds a hidden cross-site request forgery ( CSRF ) token field on forms using Spring’s form-binding tag library.
It may not look like much, but the security configuration class in listings 9.1 and 9.2 packs quite a punch. Either one will lock down an application so tightly that nobody can get in!
Although it’s not strictly required, you’ll probably want to specify the finer points of web security by overriding one or more of the methods from WebSecurityConfigurerAdapter . You can configure web security by overriding WebSecurity-
ConfigurerAdapter ’s three configure() methods and setting behavior on the parameter passed in. Table 9.2 describes these three methods.
四、重写WebSecurityConfigurerAdapter ’s configure()
1.
2.默认的方法如下:
1 protected void configure(HttpSecurity http) throws Exception { 2 http 3 .authorizeRequests() 4 .anyRequest().authenticated() 5 .and() 6 .formLogin().and() 7 .httpBasic(); 8 }
This simple default configuration specifies how HTTP requests should be secured and what options a client has for authenticating the user. The call to authorizeRequests() and anyRequest().authenticated() demands that all HTTP requests coming into the application be authenticated. It also configures Spring Security to support authentication via a form-based login (using a predefined login page) as well as HTTP Basic.
Meanwhile, because you haven’t overridden the configure(AuthenticationManagerBuilder) method, there’s no user store backing the authentication process.With no user store, there are effectively no users. Therefore, all requests require
authentication, but there’s nobody who can log in.You’re going to need to add a bit more configuration to bend Spring Security to fit your application’s needs. Specifically, you’ll need to…
Configure a user store
Specify which requests should and should not require authentication, as well as what authorities they require
Provide a custom login screen to replace the plain default login screen In addition to these facets of Spring Security, you may also want to selectively render certain content in your web views based on security constraints.