一、Spring Boot集成Spring Security专栏

一、Spring Boot集成Spring Security之自动装配

二、实现功能及软件版本说明

  1. 使用Spring Boot集成Spring Security实现Servlet项目的安全个性化配置
  2. Spring Boot版本:2.7.18
  3. Spring Security版本:5.7.11

三、创建Spring Boot项目

  1. 创建Spring Boot项目,目录结构如下

  2. 引入Spring Security包,完整pom.xml如下

<?xml version="1.0" encoding="UTF-8"?>

<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"

         xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 https://maven.apache.org/xsd/maven-4.0.0.xsd">

    <modelVersion>4.0.0</modelVersion>

    <parent>

        <groupId>org.springframework.boot</groupId>

        <artifactId>spring-boot-starter-parent</artifactId>

        <version>2.7.18</version>

        <relativePath/>

    </parent>

    <groupId>com.yu</groupId>

    <artifactId>spring-boot-security2-demo</artifactId>

    <version>0.0.1-SNAPSHOT</version>

    <name>spring-boot-security2-demo</name>

    <description>Spring Boot集成Spring Security样例</description>

    <properties>

        <java.version>8</java.version>

    </properties>

    <dependencies>

        <dependency>

            <groupId>org.springframework.boot</groupId>

            <artifactId>spring-boot-starter-web</artifactId>

        </dependency>

        <dependency>

            <groupId>org.springframework.boot</groupId>

            <artifactId>spring-boot-starter-security</artifactId>

        </dependency>

    </dependencies>

</project>

四、查看自动装配配置类

  • 查看Security Servlet相关自动装配配置类

五、自动装配配置类之SecurityAutoConfiguration

1、部分源码

@AutoConfiguration

@ConditionalOnClass(DefaultAuthenticationEventPublisher.class)

@EnableConfigurationProperties(SecurityProperties.class)

@Import({ SpringBootWebSecurityConfiguration.class, SecurityDataConfiguration.class })

public class SecurityAutoConfiguration {

	@Bean

	@ConditionalOnMissingBean(AuthenticationEventPublisher.class)

	public DefaultAuthenticationEventPublisher authenticationEventPublisher(ApplicationEventPublisher publisher) {

		return new DefaultAuthenticationEventPublisher(publisher);

	}

}

2、主要作用

  1. 导入SpringBootWebSecurityConfiguration

3、SpringBootWebSecurityConfiguration

1)、部分源码

@Configuration(proxyBeanMethods = false)

@ConditionalOnWebApplication(type = Type.SERVLET)

class SpringBootWebSecurityConfiguration {

	@Configuration(proxyBeanMethods = false)

	@ConditionalOnDefaultWebSecurity

	static class SecurityFilterChainConfiguration {

		@Bean

		@Order(SecurityProperties.BASIC_AUTH_ORDER)

		SecurityFilterChain defaultSecurityFilterChain(HttpSecurity http) throws Exception {

			http.authorizeRequests().anyRequest().authenticated();

			http.formLogin();

			http.httpBasic();

			return http.build();

		}

	}

	@Configuration(proxyBeanMethods = false)

	@ConditionalOnMissingBean(name = BeanIds.SPRING_SECURITY_FILTER_CHAIN)

	@ConditionalOnClass(EnableWebSecurity.class)

	@EnableWebSecurity

	static class WebSecurityEnablerConfiguration {

	}

}

2)、主要作用

  1. 默认Security配置(Spring容器中没有SecurityFilterChain和WebSecurityConfigurerAdapter)时,向Spring容器中注入默认过滤器链,即用户没有自定义过滤器链时,生成默认过滤器链

  2. Spring容器中不存在名称为springSecurityFilterChain对象时,启用WebSecurity,即用户未显示的启用WebSecurity时,隐式的启用WebSecurity

4、@EnableWebSecurity

1)、部分源码

@Retention(RetentionPolicy.RUNTIME)

@Target(ElementType.TYPE)

@Documented

@Import({ WebSecurityConfiguration.class, SpringWebMvcImportSelector.class, OAuth2ImportSelector.class,

		HttpSecurityConfiguration.class })

@EnableGlobalAuthentication

@Configuration

public @interface EnableWebSecurity {

	/**

	 * Controls debugging support for Spring Security. Default is false.

	 * @return if true, enables debug support with Spring Security

	 */

	boolean debug() default false;

}

2)、主要作用

  1. 导入WebSecurityConfiguration
  2. 导入HttpSecurityConfiguration

5、WebSecurityConfiguration

1)、部分源码

@Configuration(proxyBeanMethods = false)

public class WebSecurityConfiguration implements ImportAware, BeanClassLoaderAware {

@Bean(name = AbstractSecurityWebApplicationInitializer.DEFAULT_FILTER_NAME)

	public Filter springSecurityFilterChain() throws Exception {

		boolean hasConfigurers = this.webSecurityConfigurers != null && !this.webSecurityConfigurers.isEmpty();

		boolean hasFilterChain = !this.securityFilterChains.isEmpty();

		Assert.state(!(hasConfigurers && hasFilterChain),

				"Found WebSecurityConfigurerAdapter as well as SecurityFilterChain. Please select just one.");

		if (!hasConfigurers && !hasFilterChain) {

			WebSecurityConfigurerAdapter adapter = this.objectObjectPostProcessor

					.postProcess(new WebSecurityConfigurerAdapter() {

					});

			this.webSecurity.apply(adapter);

		}

		for (SecurityFilterChain securityFilterChain : this.securityFilterChains) {

			this.webSecurity.addSecurityFilterChainBuilder(() -> securityFilterChain);

			for (Filter filter : securityFilterChain.getFilters()) {

				if (filter instanceof FilterSecurityInterceptor) {

					this.webSecurity.securityInterceptor((FilterSecurityInterceptor) filter);

					break;

				}

			}

		}

		for (WebSecurityCustomizer customizer : this.webSecurityCustomizers) {

			customizer.customize(this.webSecurity);

		}

		return this.webSecurity.build();

	}

}

2)、主要作用

  1. 两种方式注册过滤器链:

    • 继承WebSecurityConfigurerAdapter(本质是实现SecurityConfigurer接口) (已弃用)
    • 直接向Spring容器中注册SecurityFilterChain对象
  2. 没有默认的过滤器链时,使用WebSecurityConfigurerAdapter中默认配置生成过滤器链
  3. 根据配置的SecurityFilterChain集合构建FilterChainProxy类型的对象并注入到Spring容器中名称为springSecurityFilterChain

6、HttpSecurityConfiguration

1)、部分源码

@Configuration(proxyBeanMethods = false)

class HttpSecurityConfiguration {

	@Bean(HTTPSECURITY_BEAN_NAME)

	@Scope("prototype")

	HttpSecurity httpSecurity() throws Exception {

		WebSecurityConfigurerAdapter.LazyPasswordEncoder passwordEncoder = new WebSecurityConfigurerAdapter.LazyPasswordEncoder(

				this.context);

		AuthenticationManagerBuilder authenticationBuilder = new WebSecurityConfigurerAdapter.DefaultPasswordEncoderAuthenticationManagerBuilder(

				this.objectPostProcessor, passwordEncoder);

		authenticationBuilder.parentAuthenticationManager(authenticationManager());

		authenticationBuilder.authenticationEventPublisher(getAuthenticationEventPublisher());

		HttpSecurity http = new HttpSecurity(this.objectPostProcessor, authenticationBuilder, createSharedObjects());

		// @formatter:off

		http

			.csrf(withDefaults())

			.addFilter(new WebAsyncManagerIntegrationFilter())

			.exceptionHandling(withDefaults())

			.headers(withDefaults())

			.sessionManagement(withDefaults())

			.securityContext(withDefaults())

			.requestCache(withDefaults())

			.anonymous(withDefaults())

			.servletApi(withDefaults())

			.apply(new DefaultLoginPageConfigurer<>());

		http.logout(withDefaults());

		// @formatter:on

		applyDefaultConfigurers(http);

		return http;

	}

}

2)、主要作用

  1. Spring容器中注册HttpSecurity对象
  2. httpSecurity用于配置构建自定义过滤器链

六、自动装配配置类之UserDetailsServiceAutoConfiguration

1、部分源码

@AutoConfiguration

@ConditionalOnClass(AuthenticationManager.class)

@ConditionalOnBean(ObjectPostProcessor.class)

@ConditionalOnMissingBean(

		value = { AuthenticationManager.class, AuthenticationProvider.class, UserDetailsService.class,

				AuthenticationManagerResolver.class },

		type = { "org.springframework.security.oauth2.jwt.JwtDecoder",

				"org.springframework.security.oauth2.server.resource.introspection.OpaqueTokenIntrospector",

				"org.springframework.security.oauth2.client.registration.ClientRegistrationRepository",

				"org.springframework.security.saml2.provider.service.registration.RelyingPartyRegistrationRepository" })

public class UserDetailsServiceAutoConfiguration {

	@Bean

	@Lazy

	public InMemoryUserDetailsManager inMemoryUserDetailsManager(SecurityProperties properties,

			ObjectProvider<PasswordEncoder> passwordEncoder) {

		SecurityProperties.User user = properties.getUser();

		List<String> roles = user.getRoles();

		return new InMemoryUserDetailsManager(User.withUsername(user.getName())

			.password(getOrDeducePassword(user, passwordEncoder.getIfAvailable()))

			.roles(StringUtils.toStringArray(roles))

			.build());

	}

	private String getOrDeducePassword(SecurityProperties.User user, PasswordEncoder encoder) {

		String password = user.getPassword();

		if (user.isPasswordGenerated()) {

			logger.warn(String.format(

					"%n%nUsing generated security password: %s%n%nThis generated password is for development use only. "

							+ "Your security configuration must be updated before running your application in "

							+ "production.%n",

					user.getPassword()));

		}

		if (encoder != null || PASSWORD_ALGORITHM_PATTERN.matcher(password).matches()) {

			return password;

		}

		return NOOP_PASSWORD_PREFIX + password;

	}

2、主要作用

  1. 用户未自定义认证接口时,生成默认认证接口inMemoryUserDetailsManager(基于内存用户认证)
  2. 生成默认名称为user,密码为随机生成的uuid(项目启动时会打印在控制台中),角色为空的用户存入内存中
#UserDetailsServiceAutoConfiguration.inMemoryUserDetailsManager方法中获取user对象

SecurityProperties.User user = properties.getUser();

#SecurityProperties中的User类

public static class User {

		private String name = "user";

		private String password = UUID.randomUUID().toString();

		private List<String> roles = new ArrayList<>();

	}
  1. 通过配置文件可以修改默认用户名、密码、角色(示例如下)

七、自动装配配置类之SecurityFilterAutoConfiguration

1、部分源码

@AutoConfiguration(after = SecurityAutoConfiguration.class)

@ConditionalOnWebApplication(type = Type.SERVLET)

@EnableConfigurationProperties(SecurityProperties.class)

@ConditionalOnClass({ AbstractSecurityWebApplicationInitializer.class, SessionCreationPolicy.class })

public class SecurityFilterAutoConfiguration {

	private static final String DEFAULT_FILTER_NAME = AbstractSecurityWebApplicationInitializer.DEFAULT_FILTER_NAME;

	@Bean

	@ConditionalOnBean(name = DEFAULT_FILTER_NAME)

	public DelegatingFilterProxyRegistrationBean securityFilterChainRegistration(

			SecurityProperties securityProperties) {

		DelegatingFilterProxyRegistrationBean registration = new DelegatingFilterProxyRegistrationBean(

				DEFAULT_FILTER_NAME);

		registration.setOrder(securityProperties.getFilter().getOrder());

		registration.setDispatcherTypes(getDispatcherTypes(securityProperties));

		return registration;

	}

	private EnumSet<DispatcherType> getDispatcherTypes(SecurityProperties securityProperties) {

		if (securityProperties.getFilter().getDispatcherTypes() == null) {

			return null;

		}

		return securityProperties.getFilter()

			.getDispatcherTypes()

			.stream()

			.map((type) -> DispatcherType.valueOf(type.name()))

			.collect(Collectors.toCollection(() -> EnumSet.noneOf(DispatcherType.class)));

	}

}

2、主要作用

  1. 注册DelegatingFilterProxyRegistrationBean(委托过滤器代理注册Bean)
  2. 设置代理目标Bean对象名称为springSecurityFilterChain

一、Spring Boot集成Spring Security专栏的更多相关文章

  1. Spring Boot集成Spring Data Reids和Spring Session实现Session共享

    首先,需要先集成Redis的支持,参考:http://www.cnblogs.com/EasonJim/p/7805665.html Spring Boot集成Spring Data Redis+Sp ...

  2. SpringBoot系列:Spring Boot集成Spring Cache,使用EhCache

    前面的章节,讲解了Spring Boot集成Spring Cache,Spring Cache已经完成了多种Cache的实现,包括EhCache.RedisCache.ConcurrentMapCac ...

  3. SpringBoot系列:Spring Boot集成Spring Cache,使用RedisCache

    前面的章节,讲解了Spring Boot集成Spring Cache,Spring Cache已经完成了多种Cache的实现,包括EhCache.RedisCache.ConcurrentMapCac ...

  4. Spring Boot 集成 Spring Security 实现权限认证模块

    作者:王帅@CodeSheep   写在前面 关于 Spring Security Web系统的认证和权限模块也算是一个系统的基础设施了,几乎任何的互联网服务都会涉及到这方面的要求.在Java EE领 ...

  5. Spring boot 集成Spring Security

    依赖jar <dependency> <groupId>org.springframework.cloud</groupId> <artifactId> ...

  6. Spring Boot 集成spring security4

    项目GitHub地址 : https://github.com/FrameReserve/TrainingBoot Spring Boot (三)集成spring security,标记地址: htt ...

  7. Spring boot集成spring session实现session共享

    最近使用spring boot开发一个系统,nginx做负载均衡分发请求到多个tomcat,此时访问页面会把请求分发到不同的服务器,session是存在服务器端,如果首次访问被分发到A服务器,那么se ...

  8. Spring Boot 集成 Spring Security

    1.添加依赖 <dependency> <groupId>org.springframework.boot</groupId> <artifactId> ...

  9. Spring Boot 集成 Spring Security 入门案例教程

    前言 本文作为入门级的DEMO,完全按照官网实例演示: 项目目录结构 Maven 依赖 <parent> <groupId>org.springframework.boot&l ...

  10. Spring Boot 集成 Spring Security 使用自定义的安全数据源

    编写一个类自定义实现 UserDetailsService 接口 @Service("customUserDetailService") public class CustomUs ...

随机推荐

  1. 11、SpringMVC之文件下载和上传

    创建名为spring_mvc_file的新module,过程参考9.1节和9.5节 11.1.文件下载 11.1.1.创建图片目录并放置图片 11.1.2.页面请求示例 <a th:href=& ...

  2. Git的分支管理和标签操作

    分支操作 分支是Git使用过程中非常重要的概念.使用分支意味着你可以把你的工作从开发主线上分离出来,以免影响开发主线. 同意一个仓库可以有多个分支,各个分支相互独立,互不干扰.通过git init 命 ...

  3. Attempting to use uninitialized value beta2_power -------TensorFlow报错

    版本: Python=3.7 TensorFlow=1.14 具体代码: init=[tf.global_variables_initializer(), tf.local_variables_ini ...

  4. 中国版的huggingface——始智AI-wisemodel

    新闻: 始智AI-wisemodel社区正式上线,目标打造中国版"HuggingFace" 首先要知道,AI火热了7,8年了,不论是国内还是国外一直有要搞模型分享的网站,但是这东西 ...

  5. 论文《policy-gradient-methods-for-reinforcement-learning-with-function-approximation 》的阅读——强化学习中的策略梯度算法基本形式与部分证明

    最近组会汇报,由于前一阵听了中科院的教授讲解过这篇论文,于是想到以这篇论文为题做了学习汇报.论文<policy-gradient-methods-for-reinforcement-learni ...

  6. openAI的比赛retro contest的一些细节设置(Detail)

    2018年openAI公司搞了一个比赛retro contest,该比赛目的是为了在自家的库retro上测试迁移强化学习的性能,虽然这个比赛已经结束多年但是现在了解一些也是有一定益处的. 比赛细节介绍 ...

  7. vscode 设置窗口菜单栏显示字体大小

    最近换了一块大些的显示屏,发现vscode的窗口字体有些小了,不是很方便,于是研究了一下如何设置vscode的窗口字体大小. 需要注意的是这里的设置是对窗口字体的而不是编辑器的字体. 1 .  通过主 ...

  8. http与https通俗易懂的原理解析

    1.背景 经常都在说http.https,都知道https是安全的, 但是, 为什么说http不安全呢? 为什么又说https是安全的呢? 接下来我将使用通俗易懂的方式给大家分析一下....... 2 ...

  9. DolphinScheduler 3.3.0版本更新一览

    Apache DolphinScheduler即将迎来3.3.0版本的发布,届时将有一系列重要的更新和改进.在近期的社区5月份用户线上分享会上,项目PMC 阮文俊为大家介绍了3.3.0版本将带来的主要 ...

  10. 【动画进阶】神奇的卡片 Hover 效果与 Blur 的特性探究

    本文,我们将一起探讨探讨,如下所示的一个卡片 Hover 动画,应该如何实现: 这个效果的几个难点: 鼠标移动的过程中,展示当前卡片边缘的 border 以及发光效果: 效果只出现在鼠标附近?这一块的 ...