Spring Security(十二):5. Java Configuration
General support for Java Configuration was added to Spring Framework in Spring 3.1. Since Spring Security 3.2 there has been Spring Security Java Configuration support which enables users to easily configure Spring Security without the use of any XML.
Spring Security provides lots of sample applications which demonstrate the use of Spring Security Java Configuration.
5.1 Hello Web Security Java Configuration
The first step is to create our Spring Security Java Configuration. The configuration creates a Servlet Filter known as the springSecurityFilterChain which is responsible for all the security (protecting the application URLs, validating submitted username and passwords, redirecting to the log in form, etc) within your application. You can find the most basic example of a Spring Security Java Configuration below:
import org.springframework.beans.factory.annotation.Autowired; import org.springframework.context.annotation.*;
import org.springframework.security.config.annotation.authentication.builders.*;
import org.springframework.security.config.annotation.web.configuration.*; @EnableWebSecurity
public class WebSecurityConfig extends WebSecurityConfigurerAdapter { @Bean
public UserDetailsService userDetailsService() throws Exception {
InMemoryUserDetailsManager manager = new InMemoryUserDetailsManager();
manager.createUser(User.withUsername("user").password("password").roles("USER").build());
return manager;
}
}
There really isn’t much to this configuration, but it does a lot. You can find a summary of the features below:
- Require authentication to every URL in your application
- 要求对应用程序中的每个URL进行身份验证
- Generate a login form for you
- 为您生成登录表单
- Allow the user with the Username user and the Password password to authenticate with form based authentication
- 允许具有Username用户和密码密码的用户使用基于表单的身份验证进行身份验证
- Allow the user to logout
- 允许用户注销
- CSRF attack prevention
- CSRF攻击预防
- Session Fixation protection
- 会话固定保护
Security Header integration
- 安全标头集成
- HTTP Strict Transport Security for secure requests
- 用于安全请求的HTTP严格传输安全性
- X-Content-Type-Options integration
- X-Content-Type-Options集成
- Cache Control (can be overridden later by your application to allow caching of your static resources)
- 缓存控制(稍后可由应用程序覆盖以允许缓存静态资源)
- X-XSS-Protection integration
- X-XSS-Protection集成
- X-Frame-Options integration to help prevent Clickjacking
- X-Frame-Options集成有助于防止Clickjacking
Integrate with the following Servlet API methods
- 与以下Servlet API方法集成
5.1.1 AbstractSecurityWebApplicationInitializer
The next step is to register the springSecurityFilterChain with the war. This can be done in Java Configuration with Spring’s WebApplicationInitializer support in a Servlet 3.0+ environment. Not suprisingly, Spring Security provides a base class AbstractSecurityWebApplicationInitializer that will ensure the springSecurityFilterChain gets registered for you. The way in which we use AbstractSecurityWebApplicationInitializer differs depending on if we are already using Spring or if Spring Security is the only Spring component in our application.
- Section 5.1.2, “AbstractSecurityWebApplicationInitializer without Existing Spring” - Use these instructions if you are not using Spring already
- 如果您尚未使用Spring,请使用这些说明
- Section 5.1.3, “AbstractSecurityWebApplicationInitializer with Spring MVC” - Use these instructions if you are already using Spring
- 如果您已经在使用Spring,请使用这些说明
5.1.2 AbstractSecurityWebApplicationInitializer without Existing Spring (没有现有的)
If you are not using Spring or Spring MVC, you will need to pass in the WebSecurityConfig into the superclass to ensure the configuration is picked up. You can find an example below:
import org.springframework.security.web.context.*; public class SecurityWebApplicationInitializer
extends AbstractSecurityWebApplicationInitializer { public SecurityWebApplicationInitializer() {
super(WebSecurityConfig.class);
}
}
The SecurityWebApplicationInitializer will do the following things:
- Automatically register the springSecurityFilterChain Filter for every URL in your application
- 自动为应用程序中的每个URL注册springSecurityFilterChain过滤器
- Add a ContextLoaderListener that loads the WebSecurityConfig.
- 添加一个加载WebSecurityConfig的ContextLoaderListener。
5.1.3 AbstractSecurityWebApplicationInitializer with Spring MVC
5.1.3使用Spring MVC的AbstractSecurityWebApplicationInitializer
If we were using Spring elsewhere in our application we probably already had a WebApplicationInitializer that is loading our Spring Configuration. If we use the previous configuration we would get an error. Instead, we should register Spring Security with the existing ApplicationContext. For example, if we were using Spring MVC our SecurityWebApplicationInitializer would look something like the following:
WebSecurityConfig was loaded in our existing ApplicationInitializer. For example, if we were using Spring MVC it would be added in the getRootConfigClasses()public class MvcWebApplicationInitializer extends
AbstractAnnotationConfigDispatcherServletInitializer { @Override
protected Class<?>[] getRootConfigClasses() {
return new Class[] { WebSecurityConfig.class };
} // ... other overrides ...
}
Spring Security(十二):5. Java Configuration的更多相关文章
- Spring Boot(十二):spring boot如何测试打包部署
Spring Boot(十二):spring boot如何测试打包部署 一.开发阶段 1,单元测试 在开发阶段的时候最重要的是单元测试了,springboot对单元测试的支持已经很完善了. (1)在p ...
- Spring Security(二十七):Part II. Architecture and Implementation
Once you are familiar with setting up and running some namespace-configuration based applications, y ...
- 三十二、Java图形化界面设计——布局管理器之CardLayout(卡片布局)
摘自 http://blog.csdn.net/liujun13579/article/details/7773945 三十二.Java图形化界面设计--布局管理器之CardLayout(卡片布局) ...
- JAVA之旅(三十二)——JAVA网络请求,IP地址,TCP/UDP通讯协议概述,Socket,UDP传输,多线程UDP聊天应用
JAVA之旅(三十二)--JAVA网络请求,IP地址,TCP/UDP通讯协议概述,Socket,UDP传输,多线程UDP聊天应用 GUI写到一半电脑系统挂了,也就算了,最多GUI还有一个提示框和实例, ...
- Spring Security(二)
Spring Security(二) 注:凡是源码部分,我已经把英文注释去掉了,有兴趣的同学可以在自己项目里进去看看.:-) 定义用户认证逻辑 用户登录成功后,用户的信息会被 Security 封装在 ...
- 20155301第十二周java课程程序
20155301第十二周java课程程序 内容一:在IDEA中以TDD的方式对String类和Arrays类进行学习 测试相关方法的正常,错误和边界情况 String类 charAt split Ar ...
- Spring Security 解析(二) —— 认证过程
Spring Security 解析(二) -- 认证过程 在学习Spring Cloud 时,遇到了授权服务oauth 相关内容时,总是一知半解,因此决定先把Spring Security .S ...
- Spring Security教程(二):自定义数据库查询
Spring Security教程(二):自定义数据库查询 Spring Security自带的默认数据库存储用户和权限的数据,但是Spring Security默认提供的表结构太过简单了,其实就 ...
- 《手把手教你》系列技巧篇(三十二)-java+ selenium自动化测试-select 下拉框(详解教程)
1.简介 在实际自动化测试过程中,我们也避免不了会遇到下拉选择的测试,因此宏哥在这里直接分享和介绍一下,希望小伙伴或者童鞋们在以后工作中遇到可以有所帮助. 2.select 下拉框 2.1Select ...
- 《手把手教你》系列技巧篇(五十二)-java+ selenium自动化测试-处理面包屑(详细教程)
1.简介 面包屑(Breadcrumb),又称面包屑导航(BreadcrumbNavigation)这个概念来自童话故事"汉赛尔和格莱特",当汉赛尔和格莱特穿过森林时,不小心迷路了 ...
随机推荐
- C# SqlBulkCopy类批量导入 测试
一.功能说明 1.可以选择,只导入部分列,或者导入全部列. 2.导入速度的确比一般sql要快. 3.不用写sql语句 ----------------------------------------- ...
- JavaScript Array常用属性和方法
Array的length属性可以通过赋值改变,但这样会导致Array原有的大小发生改变. var a = ["I", "Love", "You&quo ...
- 洛谷P4841 城市规划(生成函数 多项式求逆)
题意 链接 Sol Orz yyb 一开始想的是直接设\(f_i\)表示\(i\)个点的无向联通图个数,枚举最后一个联通块转移,发现有一种情况转移不到... 正解是先设\(g(n)\)表示\(n\)个 ...
- 【读书笔记】iOS-更新项目前要注意的事情
在进行永久更改项目的任何现代化操作之前,要问自己几个问题. 1,我还需要返回项目的旧代码吗? 2,我的同事中有没有人无法升级到最新版本的Xcode? 3, 如果我使用了最新的功能,会不会减少用户? ...
- 从换脸到换姿势,AI 在图像处理的道路上越走越魔幻
从换脸到换姿势,AI 在图像处理的道路上越走越魔幻 https://mp.weixin.qq.com/s/VFq3BWLpzyKZ3sqVWf1HKA [导读]加州大学伯克利分校的研究人员,近日在著名 ...
- 照葫芦画瓢系列之Java --- Maven的配置
一.Maven仓库分类 Maven中,仓库只分为两类:本地仓库和远程仓库.当Maven根据坐标寻找构件的时候,它首先去查看本地仓库,如果本地仓库有此构件,则直接使用,如果本地仓库不存在此构件,或者需要 ...
- Python 实现批量从不同的Linux服务器下载文件
基于Python实现批量从不同的Linux服务器下载文件 by:授客 QQ:1033553122 实现功能 1 测试环境 1 使用方法 1 1. 编辑配置文件conf/file_for_downl ...
- Loadrunner 脚本开发-利用web_submit_data函数实现POST请求
脚本开发-利用web_submit_data函数实现POST请求 by:授客 QQ:1033553122 概述 web_link()和web_url()函数都是页面访问型函数,实现HTTP请求中的 ...
- zabbix监控tomcat(使用jmx监控,但不使用系统自带模版)
一,zabbx使用jmx监控tomcat的原理分析 1.Zabbix-Server找Zabbix-Java-Gateway获取Java数据 2.Zabbix-Java-Gateway找Java程序(j ...
- 远程连接MySQL数据库问题总结
远程连接MySQL数据库时,陆陆续续遇到了一些杂七杂八的问题,相信很多人也曾经遇到过这类问题,下面总结归纳在下面,方便以后直接查找. 1:出现ERROR 2003 (HY000): Can't con ...