SPRING IN ACTION 第4版笔记-第九章Securing web applications-001-SpringSecurity简介(DelegatingFilterProxy、AbstractSecurityWebApplicationInitializer、WebSecurityConfigurerAdapter、@EnableWebSecurity、@EnableWebMvcS)
一、SpringSecurity的模块

At the least, you’ll want to include the Core and Configuration modules in your application’s classpath. Spring Security is often used to secure web applications, and that’s certainly the case with the Spittr application, so you’ll also need to add the Web module. We’ll also be taking advantage of Spring Security’s JSP tag library, so you’ll need to add that module to the mix.
二、开启SpringSecurity的DelegatingFilterProxy
Spring Security employs several servlet filters to provide various aspects of security.You might be thinking that means you’ll need to configure several filters in a web.xml file, or perhaps in a WebApplicationInitializer class. But thanks to a little Spring magic, you’ll only need to configure one of those filters.
DelegatingFilterProxy is a special servlet filter that, by itself, doesn’t do much.Instead, it delegates to an implementation of javax.servlet.Filter that’s registered as a <bean> in the Spring application context, as illustrated in figure 9.1.

1.Java形式
If you'd rather configure DelegatingFilterProxy in Java with a WebApplicationInitializer , then all you need to do is create a new class that extends AbstractSecurityWebApplicationInitializer
package spittr.config;
import org.springframework.security.web.context.AbstractSecurityWebApplicationInitializer;
public class SecurityWebInitializer extends AbstractSecurityWebApplicationInitializer {
}
AbstractSecurityWebApplicationInitializer implements WebApplicationInitializer , so it will be discovered by Spring and be used to register DelegatingFilterProxy with the web container. Although you can override its appendFilters() or insertFilters() methods to register filters of your own choosing, you need not override anything to register DelegatingFilterProxy
2.xml形式
<filter>
<filter-name>springSecurityFilterChain</filter-name>
<filter-class>
org.springframework.web.filter.DelegatingFilterProxy
</filter-class>
</filter>
The most important thing here is that the <filter-name> be set to springSecurityFilterChain . That’s because you’ll soon be configuring Spring Security for web security, and there will be a filter bean named springSecurityFilterChain that
DelegatingFilterProxy will need to delegate to.
Whether you configure DelegatingFilterProxy in web.xml or by subclassing AbstractSecurityWebApplicationInitializer , it will intercept requests coming into the application and delegate them to a bean whose ID is springSecurityFilterChain .
As for the springSecurityFilterChain bean itself, it’s another special filter known as FilterChainProxy . It’s a single filter that chains together one or more additional filters. Spring Security relies on several servlet filters to provide different security features, but you should almost never need to know these details, as you likely won’t need to explicitly declare the springSecurityFilterChain bean or any of the filters it chains together. Those filters will be created when you enable web security.
三、编写简单的SpringSecurity配置
1.Java形式
(1)一般应用,@EnableWebSecurity
package spitter.config;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter; @Configuration
@EnableWebSecurity
public class SecurityConfig extends WebSecurityConfigurerAdapter {}
As its name suggests, the @EnableWebSecurity annotation enables web security. It is useless on its own, however. Spring Security must be configured in a bean that implements WebSecurityConfigurer or (for convenience) extends WebSecurityConfigurerAdapter . Any bean in the Spring application context that implements WebSecurityConfigurer can contribute to Spring Security configuration, but it’s often most convenient for the configuration class to extend WebSecurityConfigurerAdapter , as shown in listing 9.1. @EnableWebSecurity is generally useful for enabling security in any web application. But if you happen to be developing a Spring MVC application, you should consider using @EnableWebMvcSecurity instead
(2)SpringMVC应用@EnableWebMvcSecurity
package spitter.config;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.
configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.config.annotation.web.servlet.
configuration.EnableWebMvcSecurity; @Configuration
@EnableWebMvcSecurity
public class SecurityConfig extends WebSecurityConfigurerAdapter {
}
Among other things, the @EnableWebMvcSecurity annotation configures a Spring MVC argument resolver so that handler methods can receive the authenticated user’s principal (or username) via @AuthenticationPrincipal -annotated parameters. It also configures a bean that automatically adds a hidden cross-site request forgery ( CSRF ) token field on forms using Spring’s form-binding tag library.
It may not look like much, but the security configuration class in listings 9.1 and 9.2 packs quite a punch. Either one will lock down an application so tightly that nobody can get in!
Although it’s not strictly required, you’ll probably want to specify the finer points of web security by overriding one or more of the methods from WebSecurityConfigurerAdapter . You can configure web security by overriding WebSecurity-
ConfigurerAdapter ’s three configure() methods and setting behavior on the parameter passed in. Table 9.2 describes these three methods.
四、重写WebSecurityConfigurerAdapter ’s configure()
1.
2.默认的方法如下:
protected void configure(HttpSecurity http) throws Exception {
http
.authorizeRequests()
.anyRequest().authenticated()
.and()
.formLogin().and()
.httpBasic();
}
This simple default configuration specifies how HTTP requests should be secured and what options a client has for authenticating the user. The call to authorizeRequests() and anyRequest().authenticated() demands that all HTTP requests coming into the application be authenticated. It also configures Spring Security to support authentication via a form-based login (using a predefined login page) as well as HTTP Basic.
Meanwhile, because you haven’t overridden the configure(AuthenticationManagerBuilder) method, there’s no user store backing the authentication process.With no user store, there are effectively no users. Therefore, all requests require
authentication, but there’s nobody who can log in.You’re going to need to add a bit more configuration to bend Spring Security to fit your application’s needs. Specifically, you’ll need to…
Configure a user store
Specify which requests should and should not require authentication, as well as what authorities they require
Provide a custom login screen to replace the plain default login screen In addition to these facets of Spring Security, you may also want to selectively render certain content in your web views based on security constraints.
SPRING IN ACTION 第4版笔记-第九章Securing web applications-001-SpringSecurity简介(DelegatingFilterProxy、AbstractSecurityWebApplicationInitializer、WebSecurityConfigurerAdapter、@EnableWebSecurity、@EnableWebMvcS)的更多相关文章
- SPRING IN ACTION 第4版笔记-第九章Securing web applications-011-把敏感信息请求转为https(requiresChannel())
1.把包含敏感信息的请求转为https请求,则较为安全,但如何只把有需要安全的请求转为https,而不是不加分辩就把所有请求都转为https呢?可以用requiresChannel() @Overri ...
- SPRING IN ACTION 第4版笔记-第九章Securing web applications-010-拦截请求
一. What if you wanted to restrict access to certain roles only on Tuesday? Using the access() method ...
- SPRING IN ACTION 第4版笔记-第九章Securing web applications-008-使用非关系型数据库时如何验证用户(自定义UserService)
一. 1.定义接口 Suppose that you need to authenticate against users in a non-relational database suchas Mo ...
- SPRING IN ACTION 第4版笔记-第九章Securing web applications-007-设置LDAP server比较密码(contextSource、root()、ldif()、)
一.LDAP server在哪 By default, Spring Security’s LDAP authentication assumes that the LDAP server is li ...
- SPRING IN ACTION 第4版笔记-第九章Securing web applications-004-对密码加密passwordEncoder
一. 1.Focusing on the authentication query, you can see that user passwords are expected to be stored ...
- SPRING IN ACTION 第4版笔记-第九章Securing web applications-003-把用户数据存在数据库
一. 1.It’s quite common for user data to be stored in a relational database, accessed via JDBC . To c ...
- SPRING IN ACTION 第4版笔记-第九章Securing web applications-002-把用户数据存在memory里(AuthenticationManagerBuilder、 UserDetailsManagerConfigurer.UserDetailsBuilder)
Spring Security is extremely flexible and is capable of authenticating users against virtually any d ...
- SPRING IN ACTION 第4版笔记-第九章Securing web applications-009-拦截请求()
一. 对特定的请求拦截 For example, consider the requests served by the Spittr application. Certainly, thehome ...
- SPRING IN ACTION 第4版笔记-第九章Securing web applications-006-用LDAP比较密码(passwordCompare()、passwordAttribute("passcode")、passwordEncoder(new Md5PasswordEncoder()))
一. The default strategy for authenticating against LDAP is to perform a bind operation,authenticatin ...
随机推荐
- 【译】 Node.js v0.12的新特性 -- 性能优化
原文: https://strongloop.com/strongblog/performance-node-js-v-0-12-whats-new/ January 21, 2014/in Comm ...
- struts2的知识
result的类型 转向 <result type="dispatcher"> <param name="location" > ... ...
- EFFECTIVE JAVA 第十一章 系列化
EFFECTIVE JAVA 第十一章 系列化(将一个对象编码成一个字节流) 74.谨慎地实现Serializable接口 *实现Serializable接口付出的代价就是大大降低了“改变这个类 ...
- UVALive 3645 Objective: Berlin(最大流 :时序模型)
题意:已知n(n <= 150)个城市和m(m <= 5000)个航班,每个航班有出发地.到达地.乘坐人数.起飞时间和降落时间(时间用时和分表示),求从一个指定城市出发,去往另一个指定城市 ...
- Access数据库一种树形结构的实现和子节点查询
BOOL CManageDataBase::GetDepTreeAllSons( int rootItem ) { CADORecordset Rst(&m_DataBase); BOOL b ...
- Gitlab 与 Git Windows 客户端一起使用的入门流程
我的技术博客经常被流氓网站恶意爬取转载.请移步原文:http://www.cnblogs.com/hamhog/p/3824934.html,享受整齐的排版.有效的链接.正确的代码缩进.更好的阅读体验 ...
- CVTE面试总结
刚面完了CVTE的一面,感觉完败,现总结. 一:准备不充分 这个跟时间仓促也有关系.昨天下午收到通知,晚上九点多回来填写给定格式的简历,题目也比较多.由于时间较仓促,那些问题的答案没有过多斟酌.但糟糕 ...
- struts2中的常量
struts2中的常量: 在:struts2-core-2.1.8.1\org\apache\struts2\default.properties 文件里 <!-- 配制i18n国际化--> ...
- Linq一对多联合查询
问题: 学生表,班级表,我要班级下面学生 A表,字段:AID,CLASSB表,字段 :BID,BNAME,AIDA表数据1 班级12 班级2B表数据1 学生1 12 学生2 1 3 学生3 24 学生 ...
- Java语法糖
1.创建数组:String[] s = new String[]{"1","2","3"};//这种方法可以在不指定数组元素数量的情况下生成 ...