Spring Security（十二）：5. Java Configuration

General support for Java Configuration was added to Spring Framework in Spring 3.1. Since Spring Security 3.2 there has been Spring Security Java Configuration support which enables users to easily configure Spring Security without the use of any XML.

Spring 3.1在Spring Framework中添加了对Java Configuration的一般支持。自Spring Security 3.2以来，Spring Security Java Configuration支持使用户无需使用任何XML即可轻松配置Spring Security。

 

If you are familiar with the Chapter 6, Security Namespace Configuration then you should find quite a few similarities between it and the Security Java Configuration support.

如果您熟悉第6章安全命名空间配置，那么您应该发现它与安全Java配置支持之间有很多相似之处。

 

Spring Security provides lots of sample applications which demonstrate the use of Spring Security Java Configuration.

Spring Security提供了许多示例应用程序，用于演示Spring Security Java Configuration的使用。

 

5.1 Hello Web Security Java Configuration

The first step is to create our Spring Security Java Configuration. The configuration creates a Servlet Filter known as the springSecurityFilterChain which is responsible for all the security (protecting the application URLs, validating submitted username and passwords, redirecting to the log in form, etc) within your application. You can find the most basic example of a Spring Security Java Configuration below:

第一步是创建Spring Security Java配置。该配置创建一个名为springSecurityFilterChain的Servlet过滤器，它负责应用程序中的所有安全性（保护应用程序URL，验证提交的用户名和密码，重定向到登录表单等）。您可以在下面找到Spring Security Java配置的最基本示例：

 

import org.springframework.beans.factory.annotation.Autowired;

import org.springframework.context.annotation.*;
import org.springframework.security.config.annotation.authentication.builders.*;
import org.springframework.security.config.annotation.web.configuration.*;

@EnableWebSecurity
public class WebSecurityConfig extends WebSecurityConfigurerAdapter {

	@Bean
	public UserDetailsService userDetailsService() throws Exception {
		InMemoryUserDetailsManager manager = new InMemoryUserDetailsManager();
		manager.createUser(User.withUsername("user").password("password").roles("USER").build());
		return manager;
	}
}

There really isn’t much to this configuration, but it does a lot. You can find a summary of the features below:

这种配置确实没什么用，但它做了很多。您可以在下面找到以下功能的摘要：

 

• Require authentication to every URL in your application
• 要求对应用程序中的每个URL进行身份验证
   
• Generate a login form for you
• 为您生成登录表单
   
• Allow the user with the Username user and the Password password to authenticate with form based authentication
• 允许具有Username用户和密码密码的用户使用基于表单的身份验证进行身份验证
   
• Allow the user to logout
• 允许用户注销
   
• CSRF attack prevention
• CSRF攻击预防
   
• Session Fixation protection
• 会话固定保护
   

• Security Header integration

• 安全标头集成
   

•  

  • HTTP Strict Transport Security for secure requests
  • 用于安全请求的HTTP严格传输安全性
  • X-Content-Type-Options integration
  • X-Content-Type-Options集成
  • Cache Control (can be overridden later by your application to allow caching of your static resources)
  • 缓存控制（稍后可由应用程序覆盖以允许缓存静态资源）
  • X-XSS-Protection integration
  • X-XSS-Protection集成
     
  • X-Frame-Options integration to help prevent Clickjacking
  • X-Frame-Options集成有助于防止Clickjacking
     

• Integrate with the following Servlet API methods

• 与以下Servlet API方法集成

•  

  • HttpServletRequest#getRemoteUser()
  • HttpServletRequest.html#getUserPrincipal()
  • HttpServletRequest.html#isUserInRole(java.lang.String)
  • HttpServletRequest.html#login(java.lang.String, java.lang.String)
  • HttpServletRequest.html#logout()

 

5.1.1 AbstractSecurityWebApplicationInitializer 

The next step is to register the springSecurityFilterChain with the war. This can be done in Java Configuration with Spring’s WebApplicationInitializer support in a Servlet 3.0+ environment. Not suprisingly, Spring Security provides a base class AbstractSecurityWebApplicationInitializer that will ensure the springSecurityFilterChain gets registered for you. The way in which we use AbstractSecurityWebApplicationInitializer differs depending on if we are already using Spring or if Spring Security is the only Spring component in our application.

下一步是使用war注册springSecurityFilterChain。这可以在Java配置中使用Spring的WebApplicationInitializer支持在Servlet 3.0+环境中完成。不出所料，Spring Security提供了一个基类AbstractSecurityWebApplicationInitializer，它将确保为您注册springSecurityFilterChain。我们使用AbstractSecurityWebApplicationInitializer的方式取决于我们是否已经使用Spring，或者Spring Security是否是我们应用程序中唯一的Spring组件。

 

• Section 5.1.2, “AbstractSecurityWebApplicationInitializer without Existing Spring” - Use these instructions if you are not using Spring already
• 如果您尚未使用Spring，请使用这些说明
• Section 5.1.3, “AbstractSecurityWebApplicationInitializer with Spring MVC” - Use these instructions if you are already using Spring
• 如果您已经在使用Spring，请使用这些说明

5.1.2 AbstractSecurityWebApplicationInitializer without Existing Spring  （没有现有的）

If you are not using Spring or Spring MVC, you will need to pass in the WebSecurityConfig into the superclass to ensure the configuration is picked up. You can find an example below:

如果您不使用Spring或Spring MVC，则需要将WebSecurityConfig传递到超类中以确保获取配置。你可以在下面找到一个例子：

 

import org.springframework.security.web.context.*;

public class SecurityWebApplicationInitializer
	extends AbstractSecurityWebApplicationInitializer {

	public SecurityWebApplicationInitializer() {
		super(WebSecurityConfig.class);
	}
}

The SecurityWebApplicationInitializer will do the following things:

SecurityWebApplicationInitializer将执行以下操作：

• Automatically register the springSecurityFilterChain Filter for every URL in your application
• 自动为应用程序中的每个URL注册springSecurityFilterChain过滤器
   
• Add a ContextLoaderListener that loads the WebSecurityConfig.
• 添加一个加载WebSecurityConfig的ContextLoaderListener。

5.1.3 AbstractSecurityWebApplicationInitializer with Spring MVC

5.1.3使用Spring MVC的AbstractSecurityWebApplicationInitializer

If we were using Spring elsewhere in our application we probably already had a WebApplicationInitializer that is loading our Spring Configuration. If we use the previous configuration we would get an error. Instead, we should register Spring Security with the existing ApplicationContext. For example, if we were using Spring MVC our SecurityWebApplicationInitializer would look something like the following:

如果我们在应用程序的其他地方使用Spring，我们可能已经有了一个加载Spring配置的WebApplicationInitializer。如果我们使用以前的配置，我们会收到错误。相反，我们应该使用现有的ApplicationContext注册Spring Security。例如，如果我们使用Spring MVC，我们的SecurityWebApplicationInitializer将如下所示：

 

This would simply only register the springSecurityFilterChain Filter for every URL in your application. After that we would ensure that WebSecurityConfig was loaded in our existing ApplicationInitializer. For example, if we were using Spring MVC it would be added in the getRootConfigClasses()

 

这只会为应用程序中的每个URL注册springSecurityFilterChain过滤器。之后，我们将确保在现有的ApplicationInitializer中加载WebSecurityConfig。例如，如果我们使用Spring MVC，它将被添加到getRootConfigClasses（）中

 

public class MvcWebApplicationInitializer extends
		AbstractAnnotationConfigDispatcherServletInitializer {

	@Override
	protected Class<?>[] getRootConfigClasses() {
		return new Class[] { WebSecurityConfig.class };
	}

	// ... other overrides ...
}