Using Spring Security without using any XML
本文只做简单的翻译,想看原文请移步官网,有问题请留言。
1、配置环境
- 下载并解压Spring Security Distribution,假设解压后的目录为 SPRING_SECURITY_HOME.
2、导入空项目
- 导入项目(i.e. SPRING_SECURITY_HOME/samples/insecure)
- 右键点击项目,Run As→Run on Server
3、Securing the application
- add maven dependency
<dependencies>
<!-- ... other dependency elements ... -->
<dependency>
<groupId>org.springframework.security</groupId>
<artifactId>spring-security-web</artifactId>
<version>4.0.1.RELEASE</version>
</dependency>
<dependency>
<groupId>org.springframework.security</groupId>
<artifactId>spring-security-config</artifactId>
<version>4.0.1.RELEASE</version>
</dependency>
</dependencies>
- Maven→Update project…
- 创建包org.springframework.security.samples.config,包下创建类SecurityConfig.java,like this
src/main/java/org/springframework/security/samples/config/SecurityConfig.java
package org.springframework.security.samples.config;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.web.configuration.*;
@EnableWebSecurity
public class SecurityConfig {
@Autowired
public void configureGlobal(AuthenticationManagerBuilder auth) throws Exception {
auth
.inMemoryAuthentication()
.withUser("user").password("password").roles("USER");
}
}
大致的意思是:configureGlobal方法名不重要,重要的是需要在有@EnableWebSecurity、 @EnableGlobalMethodSecurity、@EnableGlobalAuthentication等注解的类下配置 AuthenticationManagerBuilder,否则导致不可预知的结果。
SecurityConfig 的作用:
-
Require authentication to every URL in your application(访问应用中的每一个url都需要认证)
-
Generate a login form for you(生成一个登陆的表单)
-
Allow the user with the Username user and the Password password to authenticate with form based authentication(使用 用户名为user 和 密码为password 的认证信息进行认证)
-
Allow the user to logout
-
CSRF attack prevention(防范CSRF攻击)
-
Session Fixation protection(session固化保护)
-
Security Header integration(集成Security Header)
-
HTTP Strict Transport Security for secure requests
-
X-Content-Type-Options integration
-
Cache Control (can be overridden later by your application to allow caching of your static resources)
-
X-XSS-Protection integration
-
X-Frame-Options integration to help prevent Clickjacking
-
-
Integrate with the following Servlet API methods(整合了以下这些方法的功能)
4、注册springSecurityFilterChain
- 在org.springframework.security.samples.config里再创建一个类SecurityWebApplicationInitializer.java
src/main/java/org/springframework/security/samples/config/SecurityWebApplicationInitializer.java
package org.springframework.security.samples.config;
import org.springframework.security.web.context.*;
public class SecurityWebApplicationInitializer
extends AbstractSecurityWebApplicationInitializer {
public SecurityWebApplicationInitializer() {
super(SecurityConfig.class);
}
}
SecurityWebApplicationInitializer主要做下面几个事情:
-
Automatically register the springSecurityFilterChain Filter for every URL in your application(自动为每个url注册一个springSecurityFilterChain Filte)
-
Add a ContextLoaderListener that loads the SecurityConfig.(增加一个context监听器去加载SecurityConfig)
5、部署项目,并尝试登陆
- 启动server后,会看到一个登录页面,使用user和password进行登录。
- 在页面上增加登陆后的用户名信息
src/main/webapp/index.jsp
<body>
<div class="container">
<h1>This is secured!</h1>
<p>
Hello <b><c:out value="${pageContext.request.remoteUser}"/></b>
</p>
</div>
</body>
6、退出登陆
src/main/webapp/index.jsp
<body>
<div class="container">
<h1>This is secured!</h1>
<p>
Hello <b><c:out value="${pageContext.request.remoteUser}"/></b>
</p>
<c:url var="logoutUrl" value="/logout"/>
<form class="form-inline" action="${logoutUrl}" method="post">
<input type="submit" value="Log out" />
<input type="hidden" name="${_csrf.parameterName}" value="${_csrf.token}"/>
</form>
</div>
</body>
In order to help protect against CSRF attacks, by default, Spring Security Java Configuration log out requires:
-
the HTTP method must be a POST
-
the CSRF token must be added to the request You can access it on the ServletRequest using the attribute _csrf as illustrated above.