A hit on GitHub overnight! An Alibaba senior architect compiled and shared (internal) Spring Security hands-on technical documents; after reading them I was floored!

Preface

Spring Security is a powerful and highly customizable security framework that provides authentication and authorization for Java applications.

The predecessor of Spring Security was Acegi Security, which was officially renamed Spring Security after being taken in as a Spring sub-project. When the author wrote the book, Spring Security had been upgraded to version 5.1.3.RELEASE, which not only adds a native OAuth framework but also supports more modern password encryption methods. It is foreseeable that, in the field of Java application security, Spring Security will become the first recommended security solution.

Alibaba senior architect compiled and shared SpringSecurity actual combat documents

I hope you read this article carefully, truly make its content your own, and are able to apply it flexibly in real work, keep strengthening yourself, and grow in technical depth and breadth. I hope it helps everyone, and I hope you will like it!

This article is presented in three parts: table of contents, main content, and intended readers. I hope you read it carefully!

Table of contents

Main content

This article introduces all aspects of Spring Security, from basic to advanced, through 4 parts and 14 chapters.

Part 1 mainly explains the basic configuration of Spring Security;

Chapter 1: Meeting Spring Security. The predecessor of Spring Security was Acegi Security, which was officially renamed Spring Security after being taken in as a Spring sub-project.

Chapter 2: Form authentication. In Chapter 1 we introduced Spring Security and used its default HTTP Basic authentication to protect URL resources. In this chapter we use form authentication to protect URL resources.

Chapter 3: Authentication and authorization. In Chapter 2 we relied on the default security mechanism of Spring Security: there is only one user and only one role. In real development this naturally cannot meet the demand. This chapter configures Spring Security in more depth and makes first use of the authorization mechanism.

Part 2 analyzes the security problems a web project may encounter and explains how to use Spring Security to protect against them effectively;

Chapter 4: Implementing a graphical verification code (captcha). Introducing an auxiliary verification step before the username and password are checked can effectively prevent brute-force trial and error. A graphical captcha is a simple and effective auxiliary verification method. Two approaches are shown: implementing the captcha check with a filter, and implementing it with custom authentication.

Chapter 5: Automatic login and logout. There are usually some contradictions in the security design of a website. As developers of some systems, we are at the same time users of other systems, and a little empathy can bring a lot of insight.

Chapter 6: Session management. Log in with the same account in two browsers and you will find that, so far, the system has no session concurrency restriction at all. Letting one account be logged in from multiple places at the same time is not a good strategy. In fact, Spring Security already provides comprehensive session management functions, including protection against session fixation attacks, session timeout detection, and session concurrency control.
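
The three protections listed above can all be switched on from the `HttpSecurity` DSL. The following Java configuration is an added example written for this article; it is not code from the book or from the Spring Security project. It assumes a Spring Boot application on Spring Security 5.1.x (the `WebSecurityConfigurerAdapter` style used at the time of the book), and the login paths are constructed for illustration.

```java
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.web.session.HttpSessionEventPublisher;

// Added example configuration (not from the book): session fixation protection,
// invalid/expired session handling and concurrency control in one place.
@Configuration
@EnableWebSecurity
public class SessionSecurityConfig extends WebSecurityConfigurerAdapter {

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            .authorizeRequests()
                .anyRequest().authenticated()
                .and()
            .formLogin()
                .and()
            .sessionManagement()
                // Session fixation: copy the attributes into a brand-new session
                // on login, so a session id planted before authentication is useless.
                .sessionFixation().migrateSession()
                // A request carrying an unknown or timed-out session id lands here.
                .invalidSessionUrl("/login?invalid")
                // Concurrency control: at most one active session per account.
                .maximumSessions(1)
                    // false = the earlier session is expired when a new login happens;
                    // true  = the new login is rejected while the old session lives.
                    .maxSessionsPreventsLogin(false)
                    // Where the holder of the expired (older) session is sent.
                    .expiredUrl("/login?expired");
    }

    // Needed for concurrency control: publishes HttpSessionDestroyed events so the
    // session registry releases a slot when a session is invalidated or logged out.
    @Bean
    public HttpSessionEventPublisher httpSessionEventPublisher() {
        return new HttpSessionEventPublisher();
    }
}
```

The session timeout itself is a servlet-container setting (in Spring Boot, `server.servlet.session.timeout`); Spring Security only detects the expired id and redirects, which is what `invalidSessionUrl` configures. Without the `HttpSessionEventPublisher` bean, a user who logs out explicitly can still count against `maximumSessions(1)` until the container expires the old session.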

Chapter 7: Password encryption. Password security is a microcosm of Internet security; while enjoying Internet services, we should also pay more attention to it.
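
Since Spring Security 5.0 a `PasswordEncoder` is mandatory, and the recommended one is the delegating encoder that stores an algorithm id prefix such as `{bcrypt}` in front of each hash. The configuration below is an added example for this article, not code from the book or from Spring Security itself; it assumes Spring Security 5.1.x and uses a constructed in-memory user whose password is hashed at start-up only for demonstration.

```java
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.crypto.factory.PasswordEncoderFactories;
import org.springframework.security.crypto.password.PasswordEncoder;

// Added example (not from the book): wiring the delegating password encoder and
// showing how stored hashes are verified. Passwords are hashed, never encrypted:
// the stored value cannot be turned back into the plaintext.
@Configuration
@EnableWebSecurity
public class PasswordSecurityConfig extends WebSecurityConfigurerAdapter {

    @Bean
    public PasswordEncoder passwordEncoder() {
        // Encodes new passwords with bcrypt (random salt, work factor 10 by default)
        // and writes them as "{bcrypt}$2a$10$...". On matches() the "{id}" prefix
        // selects the right algorithm, so legacy "{sha256}" or "{noop}" rows from an
        // older schema can still be verified and later re-encoded with bcrypt.
        return PasswordEncoderFactories.createDelegatingPasswordEncoder();
    }

    @Override
    protected void configure(AuthenticationManagerBuilder auth) throws Exception {
        PasswordEncoder encoder = passwordEncoder();
        // Constructed demo user; in a real system the hash comes from the user store.
        auth.inMemoryAuthentication()
            .passwordEncoder(encoder)
            .withUser("alice")
                .password(encoder.encode("demo-password-for-illustration"))
                .roles("USER");
    }

    // Helper illustrating what happens on every login attempt: the raw password is
    // hashed with the salt embedded in the stored hash and compared in constant time.
    public static boolean verify(PasswordEncoder encoder, String raw, String storedHash) {
        return encoder.matches(raw, storedHash);
    }
}
```

Because each `encode()` call draws a fresh salt, two users with the same password get different stored hashes, and the same password encoded twice does not compare equal as strings; only `matches()` is meaningful for verification. If the application still has a user store without the `{id}` prefix, a `DelegatingPasswordEncoder` can be given a default encoder for prefix-less values instead of throwing on them, but the long-term fix is to re-encode those rows.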

Chapter 8: Cross-domain requests and CORS. "Cross-domain" refers to the browser's same-origin security policy, that is, browsers unilaterally restrict cross-origin access by scripts.

Chapter 9: Protection against cross-site request forgery. CSRF (Cross-Site Request Forgery) can be translated as cross-domain request forgery. It is an attack technique that abuses the cookies of a user's logged-in session to perform security-sensitive operations on their behalf. CSRF is actually not difficult to prevent, but it is often ignored by system developers, leaving huge security risks behind.
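
Chapters 8 and 9 are two sides of the same browser policy: CORS relaxes the same-origin rule for origins you trust, while CSRF protection makes sure a request that rides on the user's cookies also carries a secret the attacking site cannot read. One configuration can express both, so the added example below (written for this article; not code from the book or from Spring Security) covers both chapters. It assumes Spring Security 5.1.x; the allowed origin, the `/api/**` paths and the public webhook path are constructed for illustration.

```java
import java.util.Arrays;

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.web.csrf.CookieCsrfTokenRepository;
import org.springframework.web.cors.CorsConfiguration;
import org.springframework.web.cors.CorsConfigurationSource;
import org.springframework.web.cors.UrlBasedCorsConfigurationSource;

// Added example (not from the book): CORS for one trusted front-end origin plus
// CSRF protection that works for both classic forms and a JavaScript client.
@Configuration
@EnableWebSecurity
public class CorsCsrfSecurityConfig extends WebSecurityConfigurerAdapter {

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            // Picks up the CorsConfigurationSource bean below and answers
            // pre-flight OPTIONS requests before authentication runs.
            .cors()
                .and()
            .authorizeRequests()
                .anyRequest().authenticated()
                .and()
            .formLogin()
                .and()
            .csrf()
                // CSRF protection is on by default for POST/PUT/PATCH/DELETE. Storing
                // the token in a readable XSRF-TOKEN cookie lets a JavaScript client
                // echo it back in the X-XSRF-TOKEN header; server-rendered forms keep
                // sending the hidden _csrf field. The attacker's page can trigger the
                // request but cannot read the cookie, so it cannot supply the token.
                .csrfTokenRepository(CookieCsrfTokenRepository.withHttpOnlyFalse())
                // Only paths whose handlers have no user-visible side effect may be
                // exempted; this hypothetical path stands for such an endpoint.
                .ignoringAntMatchers("/api/public/status");
    }

    @Bean
    public CorsConfigurationSource corsConfigurationSource() {
        CorsConfiguration config = new CorsConfiguration();
        // Trust exactly one origin; a wildcard "*" cannot be combined with
        // credentials, and listing origins is what keeps the policy meaningful.
        config.setAllowedOrigins(Arrays.asList("https://app.example.com")); // constructed
        config.setAllowedMethods(Arrays.asList("GET", "POST", "PUT", "DELETE"));
        config.setAllowedHeaders(Arrays.asList("Content-Type", "X-XSRF-TOKEN"));
        // Allow the session cookie on cross-origin calls from that origin.
        config.setAllowCredentials(true);

        UrlBasedCorsConfigurationSource source = new UrlBasedCorsConfigurationSource();
        source.registerCorsConfiguration("/api/**", config);
        return source;
    }
}
```

In a JSP or Thymeleaf page the token is rendered as a hidden input using the `_csrf` request attribute (`name="${_csrf.parameterName}" value="${_csrf.token}"`). Note that CORS does not stop a CSRF request: a simple form POST is never subject to a pre-flight, so a permissive CORS policy neither causes nor prevents CSRF; the token check does.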

Chapter 10: Single sign-on and CAS. Single sign-on (SSO) means that, across multiple application systems, a user only needs to log in once to use all of the enterprise's related but independent systems. For a company with many systems under its umbrella, single sign-on not only reduces the user's login cost and unifies the account system across the different systems, but also reduces the effort each system spends on user design.

Chapter 11: HTTP authentication. In addition to the username and password authentication maintained within the system, Spring Security also supports HTTP-level authentication technologies, including HTTP Basic authentication and HTTP Digest authentication.

Chapter 12: @EnableWebSecurity and the filter chain mechanism. Why does adding the @EnableWebSecurity annotation make Spring Security work? How does Spring Security intercept requests and perform authentication? With these two questions in mind, let's take a closer look at the source code.

Part 3 introduces OAuth in detail and uses Spring Social, integrated with Spring Security, to implement QQ quick login;

Chapter 13: Using Spring Social to implement OAuth integration. OAuth solves the problem of granting a third-party application the right to obtain a user's data and basic information without the user handing their password to that third-party application.

Part 4 focuses on the Spring Security OAuth framework and analyzes part of its core source code.

Chapter 14: Using Spring Security OAuth to implement OAuth integration. Spring Security OAuth is a framework that focuses on OAuth authentication. It completely covers the three modules of client, resource service and authentication service. These three modules were integrated into Spring Security 5.0, 5.1 and 5.3 respectively, and the original independent project entered maintenance state.

This [Spring Security in Practice] document has 319 pages. If you need the full version: forward and comment, follow me, and reply "666" by private message to get it for free!

Intended readers

This article covers Spring Security Java configuration, Spring Security protection mechanisms, and a guide to the source code;

It explains OAuth2 in practice in detail and briefly analyzes part of the OAuth2 core source code;

This article is mainly aimed at readers with a certain Java foundation and developers who want to apply Spring Security in real projects.

I hope this article helps you learn, and that you master all of its technical content and apply it in real project development!

Origin blog.csdn.net/bjmashibing001/article/details/108720514