Concept and configuration of spring security

1. What is spring security?
Spring Security is a security framework that provides declarative access control for Spring-based enterprise applications. It supplies a set of beans that are configured in the Spring application context and makes full use of Spring IoC (dependency injection, also known as inversion of control) and AOP (aspect-oriented programming) to provide declarative security access control, which reduces the amount of repetitive security code an enterprise system would otherwise have to write.

2. What are the operations of spring security?
"Authentication": establishes a principal for the user as whom the caller claims to be. The principal generally refers to the user, device, or other system that can perform actions in your system.
"Authorization": may a user perform a given operation in your application? By the time the authorization decision is reached, the identity of the principal has already been established by the authentication process.

3. What is the role of spring security?
Generally used for security control of pages, such as login verification.

4. How to use spring security?
The steps are as follows:
First, import the dependencies (note that ${spring.security.version} here refers to the Maven property <spring.security.version>5.0.1.RELEASE</spring.security.version> declared in the POM's <properties> section)

        <dependency>
            <groupId>org.springframework.security</groupId>
            <artifactId>spring-security-web</artifactId>
            <version>${spring.security.version}</version>
        </dependency>
        <dependency>
            <groupId>org.springframework.security</groupId>
            <artifactId>spring-security-config</artifactId>
            <version>${spring.security.version}</version>
        </dependency>
        <dependency>
            <groupId>org.springframework.security</groupId>
            <artifactId>spring-security-taglibs</artifactId>
            <version>${spring.security.version}</version>
        </dependency>
        <dependency>
            <groupId>org.springframework.security</groupId>
            <artifactId>spring-security-core</artifactId>
            <version>${spring.security.version}</version>
        </dependency>

Step 2: Configure the filter in web.xml (note: the filter name springSecurityFilterChain must not be changed, because DelegatingFilterProxy looks up the Spring bean with exactly that name and delegates every request to it)

  <filter>
    <filter-name>springSecurityFilterChain</filter-name>
    <filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
  </filter>
  <filter-mapping>
    <filter-name>springSecurityFilterChain</filter-name>
    <url-pattern>/*</url-pattern>
  </filter-mapping>

Step 3: Create the spring-security.xml configuration file

<?xml version="1.0" encoding="UTF-8"?>
<beans xmlns="http://www.springframework.org/schema/beans"
       xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
       xmlns:security="http://www.springframework.org/schema/security"
       xsi:schemaLocation="
        http://www.springframework.org/schema/beans
        http://www.springframework.org/schema/beans/spring-beans.xsd
        http://www.springframework.org/schema/security
        http://www.springframework.org/schema/security/spring-security.xsd">

    <!-- Enable @PreAuthorize / @PostAuthorize on service methods -->
    <security:global-method-security pre-post-annotations="enabled" />

    <!-- Resources that are not intercepted at all (no security filters applied) -->
    <security:http pattern="/login.jsp" security="none"/>
    <security:http pattern="/failer.jsp" security="none"/>
    <security:http pattern="/css/**" security="none"/>
    <security:http pattern="/js/**" security="none"/>
    <security:http pattern="/plugins/**" security="none"/>

    <!--
        Configure the concrete rules
            auto-config="true"       no need to write your own login page; the framework provides a default one
            use-expressions="false"  whether SpEL expressions are used in the access attribute
    -->
    <security:http auto-config="true" use-expressions="false">
        <!--
            Configure the specific interception rule: pattern = rule for the request path,
            access = the roles a caller must hold to access the system.
            With use-expressions="false", access is a comma-separated list of roles and
            holding any one of them is enough. Expression syntax such as
            hasAnyRole('ROLE_USER','ROLE_ADMIN') is only valid with use-expressions="true".
        -->
        <security:intercept-url pattern="/**" access="ROLE_USER,ROLE_ADMIN"/>

        <!-- Define the specific pages to redirect or forward to -->
        <security:form-login login-page="/login.jsp"
                             login-processing-url="/login.do"
                             default-target-url="/index.jsp"
                             authentication-failure-url="/failer.jsp"
                             authentication-success-forward-url="/pages/main.jsp"
        />
        <!-- Disables CSRF protection; with it enabled, the login form must submit a _csrf token -->
        <security:csrf disabled="true"/>

        <!-- Logout -->
        <security:logout invalidate-session="true" logout-url="/logout" logout-success-url="/login.jsp"/>
    </security:http>

    <!-- Switch to the username and password stored in the database (userService must implement UserDetailsService) -->
    <security:authentication-manager>
        <security:authentication-provider user-service-ref="userService">
            <!-- Configure the password encoder used to compare submitted passwords with stored hashes -->
            <security:password-encoder ref="passwordEncoder"/>
        </security:authentication-provider>
    </security:authentication-manager>
    <!-- Configure the encoder class (BCrypt hashing) -->
    <bean id="passwordEncoder" class="org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder"/>
</beans>
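The configuration above refers to a userService bean that it never shows. As an added example (not code from the original post), here is what such a UserDetailsService looks like and how the configured BCryptPasswordEncoder is used to check a submitted password against the stored hash; the class name UserService and the in-memory user table standing in for the database are assumptions.

```java
import java.util.List;
import java.util.Map;

import org.springframework.security.core.authority.SimpleGrantedAuthority;
import org.springframework.security.core.userdetails.User;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.core.userdetails.UsernameNotFoundException;
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
import org.springframework.security.crypto.password.PasswordEncoder;

// Registered in spring-security.xml as <bean id="userService" class="...UserService"/>
// so that user-service-ref="userService" resolves to it (class name is an assumption).
public class UserService implements UserDetailsService {

    // Constructed stand-in for the users table: username -> {bcrypt hash, role}.
    // Hashes are produced at startup here; in a real system they are stored at registration.
    private static final PasswordEncoder ENCODER = new BCryptPasswordEncoder();
    private static final Map<String, String[]> USERS = Map.of(
            "alice", new String[] {ENCODER.encode("alice-pw"), "ROLE_ADMIN"},
            "bob",   new String[] {ENCODER.encode("bob-pw"),   "ROLE_USER"});

    @Override
    public UserDetails loadUserByUsername(String username) throws UsernameNotFoundException {
        String[] row = USERS.get(username);
        if (row == null) {
            // DaoAuthenticationProvider hides this behind a generic BadCredentialsException
            // by default, so the login page does not reveal whether the account exists.
            throw new UsernameNotFoundException("No such user: " + username);
        }
        // The stored hash is returned unchanged; the provider compares the submitted
        // password against it using the passwordEncoder bean from the XML configuration.
        return new User(username, row[0], List.of(new SimpleGrantedAuthority(row[1])));
    }

    // The same comparison the provider performs, shown directly: raw password vs stored hash.
    public static boolean passwordMatches(UserDetails user, String rawPassword) {
        return ENCODER.matches(rawPassword, user.getPassword());
    }

    public static void main(String[] args) {
        UserService service = new UserService();
        UserDetails alice = service.loadUserByUsername("alice");
        System.out.println("correct password accepted: " + passwordMatches(alice, "alice-pw"));
        System.out.println("wrong password accepted:   " + passwordMatches(alice, "wrong"));
    }
}
```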

There is also a utility class for testing password encoding (you can use the encoder class provided by spring-security, or write your own utility class)

import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;

public class BCryptPasswordEncoderUtils {

    // One shared encoder; BCrypt adds a random salt on every encode() call
    private static BCryptPasswordEncoder bCryptPasswordEncoder = new BCryptPasswordEncoder();

    // Returns the BCrypt hash that should be stored in the database for this password
    public static String encoderPassword(String password) {
        return bCryptPasswordEncoder.encode(password);
    }

    public static void main(String[] args) {
        String password = "234";
        String pwd = encoderPassword(password);
        // The printed hash differs on every run because of the random salt,
        // but each one matches the original password
        System.out.println(pwd);
        System.out.println(bCryptPasswordEncoder.matches(password, pwd));
    }
}

Finally, to actually use it you still have to integrate the framework with your application; the above is only the preliminary configuration work.

Origin blog.csdn.net/weixin_49092628/article/details/109840689