SpringSecurity01

Introduction to SpringSecurity

Mainstream permission-management frameworks

  1. SpringSecurity
    1. It is the security management framework of the Spring family and integrates seamlessly with Spring.
    2. Comprehensive access control
    3. Developed specifically for the web environment
      • Old versions cannot be separated from the web environment.
      • New versions split the whole framework into layers, a core module and a web module; the core module can be used outside the web environment.
    4. It is a heavyweight framework.
  2. Shiro
    1. Lightweight: it makes the complex simple and performs better for Internet applications with high performance requirements.
    2. Compatibility
      • Benefit: it is not limited to the web environment and can be used without it.
      • Drawback: in the web environment, some specific requirements need manual coding and customization.

 

SpringSecurity's core functions

  1. Authentication (who are you)
  2. Authorization (what can you do)
  3. Attack protection (preventing forgery)
  4. Essentially, the core is a set of filter chains.

Introduction to SpringSecurity usage

  1. When a user logs in to the system, we need to help SpringSecurity assemble the user's roles and permissions, and set the permissions required by each resource.
  2. The remaining tasks, such as login verification and authorization checks, are left to SpringSecurity.
  3. We use a picture to describe this process

Concepts related to the permission process

  1. Principal
    1. A user or device that uses the system, or a user logging in remotely from another system, and so on.
    2. Simply put, whoever uses the system is the principal.
  2. Authentication
    1. The permission management system confirms the identity of a principal and allows the principal to enter the system.
    2. Simply put, the principal proves who it is.
    3. In general terms, this is the login operation.
  3. Authorization
    1. The system grants its capabilities to the principal, so that the principal can perform specific functions in the system.
    2. Simply put, authorization means assigning permissions to users.

Prepare the environment

  1. Create a Maven web project
  2. Add the dependencies required for the Spring MVC environment
            <dependency>
                <groupId>org.springframework</groupId>
                <artifactId>spring-webmvc</artifactId>
                <version>4.3.20.RELEASE</version>
            </dependency>
            <!-- Dependencies provided by the Servlet container -->
            <dependency>
                <groupId>javax.servlet</groupId>
                <artifactId>javax.servlet-api</artifactId>
                <version>3.1.0</version>
                <scope>provided</scope>
            </dependency>
    
            <!-- Dependency used by JSP pages -->
            <dependency>
                <groupId>javax.servlet.jsp</groupId>
                <artifactId>javax.servlet.jsp-api</artifactId>
                <version>2.3.1</version>
                <scope>provided</scope>
            </dependency>
  3. Create the SpringMVC configuration file
        <context:component-scan
            base-package="xxx"></context:component-scan>
    
        <bean
            class="org.springframework.web.servlet.view.InternalResourceViewResolver">
            <property name="prefix" value="/WEB-INF/views/"></property>
            <property name="suffix" value=".jsp"></property>
        </bean>
    
        <mvc:annotation-driven></mvc:annotation-driven>
        <mvc:default-servlet-handler />
  4. Configure DispatcherServlet in web.xml
        <servlet>
            <servlet-name>springDispatcherServlet</servlet-name>
            <servlet-class>org.springframework.web.servlet.DispatcherServlet</servlet-class>
            <init-param>
                <param-name>contextConfigLocation</param-name>
                <param-value>classpath:spring-mvc.xml</param-value>
            </init-param>
            <load-on-startup>1</load-on-startup>
        </servlet>
    
        <servlet-mapping>
            <servlet-name>springDispatcherServlet</servlet-name>
            <url-pattern>/</url-pattern>
        </servlet-mapping>

Add SpringSecurity

  1. Add the SpringSecurity dependencies
            <!-- SpringSecurity permission management for web applications -->
            <dependency>
                <groupId>org.springframework.security</groupId>
                <artifactId>spring-security-web</artifactId>
                <version>${bw.spring.security.version}</version>
            </dependency>
    
            <!-- SpringSecurity configuration -->
            <dependency>
                <groupId>org.springframework.security</groupId>
                <artifactId>spring-security-config</artifactId>
                <version>${bw.spring.security.version}</version>
            </dependency>
    
            <!-- SpringSecurity tag library -->
            <dependency>
                <groupId>org.springframework.security</groupId>
                <artifactId>spring-security-taglibs</artifactId>
                <version>${bw.spring.security.version}</version>
            </dependency>
  2. Add the SpringSecurity filter that controls permissions
    1. SpringSecurity uses a Filter rather than an Interceptor, so it can control permissions not only for controller requests in Spring MVC but for every request in the web application.
    2. The bean to delegate to is looked up in the IoC container by the filter-name configured for DelegatingFilterProxy, so the filter-name must be springSecurityFilterChain.
          <filter>
              <filter-name>springSecurityFilterChain</filter-name>
              <filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
          </filter>
          <filter-mapping>
              <filter-name>springSecurityFilterChain</filter-name>
              <url-pattern>/*</url-pattern>
          </filter-mapping>
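  3. Add the configuration class
        import org.springframework.context.annotation.Configuration;
        import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
        import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;

        // Marks the current class as a configuration class
        @Configuration
        // Enables permission control in the web environment
        @EnableWebSecurity
        public class WebSecurityConfig extends WebSecurityConfigurerAdapter {

        }
    1. "Enable" means to turn on: the @EnableWebSecurity annotation indicates that web security is enabled.
    2. The class must extend WebSecurityConfigurerAdapter, which supplies a default configuration.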
  4. Description of two important methods in the configuration class
            @Override
            protected void configure(AuthenticationManagerBuilder builder) throws Exception {
                // Related to user login in the SpringSecurity environment
            }

            @Override
            public void configure(HttpSecurity security) throws Exception {
                // Related to request authorization in the SpringSecurity environment
            }
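
The two methods above filled in, as an added example that is not code from the original page: the first assembles users and roles (authentication), the second sets the permission each resource requires (authorization). The class name, user names, passwords, roles and URL patterns are hypothetical; the class stands in for the empty WebSecurityConfig and is written against the WebSecurityConfigurerAdapter API the page uses.

```java
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
import org.springframework.security.crypto.password.PasswordEncoder;

// Added example: class name, users, roles and URL patterns are hypothetical.
@Configuration
@EnableWebSecurity
public class SampleWebSecurityConfig extends WebSecurityConfigurerAdapter {

    // BCrypt, so even the sample users are checked against hashes, not plain text.
    private final PasswordEncoder encoder = new BCryptPasswordEncoder();

    @Override
    protected void configure(AuthenticationManagerBuilder builder) throws Exception {
        // Authentication: tell SpringSecurity who the users are and which roles they hold.
        builder.inMemoryAuthentication()
                .passwordEncoder(encoder)
                .withUser("tom").password(encoder.encode("constructed-sample-pw-1"))
                    .roles("ADMIN", "USER")
                .and()
                .withUser("jerry").password(encoder.encode("constructed-sample-pw-2"))
                    .roles("USER");
    }

    @Override
    protected void configure(HttpSecurity security) throws Exception {
        security.authorizeRequests()
                // Rules are matched in declaration order, so specific patterns come first.
                .antMatchers("/index.jsp", "/static/**").permitAll()
                // hasRole("ADMIN") checks for the authority ROLE_ADMIN.
                .antMatchers("/admin/**").hasRole("ADMIN")
                // Deny by default: anything not listed above still requires a login.
                .anyRequest().authenticated()
                .and()
                // Generated default login form; CSRF protection stays enabled (the default).
                .formLogin();
    }
}
```

With this in place, a request to /admin/** by jerry is rejected with 403, and an unauthenticated request to any unlisted URL is redirected to the login form.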

Origin www.cnblogs.com/binwenhome/p/12707667.html