Spring Security Principle (1) - A Preliminary Study

Introduction

Spring Security Principle (1) - Preliminary Exploration of Spring Security Principle (2) - Authentication Spring Security Principle (3) - Authorization Spring Security Principle (4) - Filter Spring Security Principle (5) - Extension and Configuration

When I used Shiro before, I thought it was a bit cumbersome. When I started using Spring Security recently, I found that compared with Spring Security, Shiro is simply too friendly to newbies.

The main reason is that although the Spring Security architecture is relatively clear, it considers too many problems. Simply put, Spring Security has prepared a large and comprehensive solution for us.

In many cases, we may not need such a comprehensive solution. A few simple examples, a user authentication, it is likely that we only need a username and password.

However, Spring Security is designed more like a Linux user system, taking into account user expiration, user disablement, user password expiration, etc. The most important thing is that there is no default implementation, and we must rewrite the methods we do not need by ourselves. It's not difficult, but it's always a bit awkward. For details, see the org.springframework.security.core.userdetails.UserDetails interface.

Although Spring Security is complicated, the entire architecture is relatively clear. Let's take a brief look at the principles of Spring Security.

Pre-knowledge

Spring Security mainly serves Web applications, and Spring Security is also mainly implemented through Java's Filter.

The two cores of Java web applications are:

1. Servlet
2. Filter

Many friends may have forgotten the fear of being dominated by java's web.xml configuration before SpringMVC.

If you are not impressed by this, or have never used it at all, you can look at the web.xml configuration below and recall it to see if you can still remember the meaning of each configuration.

<?xml version="1.0" encoding="UTF-8"?>
<web-app xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xmlns="http://java.sun.com/xml/ns/javaee"
    xsi:schemaLocation="http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/web-app_3_0.xsd"
    version="3.0">
    <display-name>terrible</display-name>
    <welcome-file-list>
        <welcome-file>index.html</welcome-file>
    </welcome-file-list>
    <filter>
        <display-name>EcodingFilter</display-name>
        <filter-name>EcodingFilter</filter-name>
        <filter-class>vip.mycollege.filter.EnCodeFilter</filter-class>
        <init-param>
            <param-name>EncodeCoding</param-name>
            <param-value>UTF-8</param-value>
        </init-param>
    </filter>
    <filter-mapping>
        <filter-name>EcodingFilter</filter-name>
        <servlet-name>hello</servlet-name>
        <url-pattern>*</url-pattern>
    </filter-mapping>
    <servlet>
        <servlet-name>hello</servlet-name>
        <servlet-class></servlet-class>
    </servlet>
    <servlet-mapping>
        <servlet-name>hello</servlet-name>
        <url-pattern>/*</url-pattern>
    </servlet-mapping>
</web-app>

The above configuration is still just a simple Servet and a Filter.

The whole process of Java Web is still simple, that is, the Servelt container, that is, the Java Web server. For example, when Tomcat, Jetty, etc. are started, go back to load the web.xml file, parse the configuration inside, mainly Servlet and Filter, and put the url and Servlet, The Filter corresponds to, so that when a url request is received, the corresponding Filter and Servlet are handed over to process.

Filter first and then Servlet, there can be multiple Filters, which is a chain structure and has priority.

The biggest problem with the configuration method of web.xml is that the url mapping configuration is complicated, and it will cause 404 if you are not careful.

Later, it was better with SpringMVC. You only need to configure a servlet, and hand it over to org.springframework.web.servlet.DispatcherServlet. This servlet handles the mapping and distribution of urls in a unified manner. Spring parses the Controller annotations and maps the urls to the corresponding methods. , you don't have to configure the url mapping yourself.

Later, with SpringBoot, it took off. DispatcherServlet does not need to be configured, and it can be used out of the box.

Although there is no need for manual configuration, the principle still needs to be understood a little. Here we just need to remember that Java Web requests must go through Filter first, and this is where Spring Security comes into play.

simple example

If you just talk about abstract concepts as soon as you come up, many friends may give up treatment. So, let's start with a simple entry-level example and see what Spring Security is at the door.

pom dependency

First of all, to introduce Spring Security dependencies, if you use SpringBoot, the introduction is very simple

<?xml version="1.0" encoding="UTF-8"?>
<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 https://maven.apache.org/xsd/maven-4.0.0.xsd">
    <modelVersion>4.0.0</modelVersion>
    <parent>
        <groupId>org.springframework.boot</groupId>
        <artifactId>spring-boot-starter-parent</artifactId>
        <version>2.4.5</version>
        <relativePath/>
    </parent>
    <groupId>vip.oschool</groupId>
    <artifactId>spsecurity</artifactId>
    <version>0.0.1-SNAPSHOT</version>
    <name>spsecurity</name>
    <description>Demo project for Spring Boot</description>
    <properties>
        <java.version>1.8</java.version>
    </properties>
    <dependencies>
        <dependency>
            <groupId>org.springframework.boot</groupId>
            <artifactId>spring-boot-starter-web</artifactId>
        </dependency>
        <dependency>
            <groupId>org.springframework.boot</groupId>
            <artifactId>spring-boot-starter-security</artifactId>
        </dependency>

        <dependency>
            <groupId>org.springframework.boot</groupId>
            <artifactId>spring-boot-starter-test</artifactId>
            <scope>test</scope>
        </dependency>
    </dependencies>
</project>

configuration file

server:
  port: 8081

spring:
    security:
      user:
        name: tim
        password: 111111

A user tim is configured above, and the password is 111111. If it is not configured, Spring Security will use the default user and generate a random password each time.

controller

Add a simple controller

import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.RestController;

@RestController
@RequestMapping("/index")
public class IndexController {

    @RequestMapping("/hello")
    public String hello(){
        return "Hello World";
    }
}

startup class

import org.springframework.boot.SpringApplication;
import org.springframework.boot.autoconfigure.SpringBootApplication;

@SpringBootApplication
public class StartApplication {

	public static void main(String[] args) {
		SpringApplication.run(StartApplication.class, args);
	}
}

login interface

After startup, visit directly: http://localhost:8081/index/hello

Then, it will be redirected to: http://localhost:8081/login

You need to enter a username and password. This process has a proper noun called: Authentication, Authentication

Documentation

Spring Security official documentation

{{o.name}}

{{m.name}}