Chapter 9 Securing Web Applications


Security is a cross-cutting concern that, in most cases, extends beyond the application's own business logic. Spring Security is a security framework built on Spring AOP and on the Filter mechanism of the Servlet specification.
Spring Security provides declarative security for Spring-based applications. It is a complete security solution that handles authentication and authorization at both the web request level and the method invocation level. Because it is built on the Spring Framework, Spring Security takes full advantage of dependency injection (DI) and aspect-oriented programming (AOP).
1. Add the Spring Security modules to the classpath. Spring Security 3.2 is divided into 11 modules.
Module | Description
ACL | Supports providing security for domain objects through access control lists (ACLs)
Aspects | A small module that, when Spring Security annotations are used, applies AspectJ-based aspects instead of standard Spring AOP
CAS Client | Provides integration with Jasig's Central Authentication Service (CAS)
Configuration | Contains support for configuring Spring Security through XML and Java
Core | Provides Spring Security's essential library
Cryptography | Provides encryption and password-encoding functions
LDAP | Supports LDAP-based authentication
OpenID | Supports centralized authentication using OpenID
Remoting | Provides support for Spring Remoting
Tag Library | Spring Security's JSP tag library
Web | Provides Spring Security's Filter-based web security support

To use Spring Security at all, you must include two modules: Configuration and Core. A web project also needs the Web module, and if you use JSP you need the Tag Library module as well.
2. Filtering Web requests
Spring Security implements security through a chain of Servlet Filters, but we only need to configure one filter, in web.xml or in a WebApplicationInitializer: DelegatingFilterProxy.
DelegatingFilterProxy delegates the actual filtering work to a Filter bean registered in the Spring application context.
Configuring it in web.xml:
<!-- DelegatingFilterProxy delegates the filtering logic to a Filter bean
named springSecurityFilterChain; the filter-name must match that bean name -->
<filter>
  <filter-name>springSecurityFilterChain</filter-name>
  <filter-class>
    org.springframework.web.filter.DelegatingFilterProxy
  </filter-class>
</filter>
<!-- the filter only takes effect once it is mapped to the request paths it should protect -->
<filter-mapping>
  <filter-name>springSecurityFilterChain</filter-name>
  <url-pattern>/*</url-pattern>
</filter-mapping>
Configuring it in Java with a WebApplicationInitializer:
/**
 * AbstractSecurityWebApplicationInitializer implements WebApplicationInitializer, so Spring finds it at startup
 * and registers DelegatingFilterProxy for us.
 * We can add Filters of our own through the appendFilters() or insertFilters() helpers, but we do not have to do
 * anything to get DelegatingFilterProxy registered.
 */
import org.springframework.security.web.context.AbstractSecurityWebApplicationInitializer;

public class SecurityWebInitializer extends AbstractSecurityWebApplicationInitializer {}
Note: Whichever configuration method is used, the proxy intercepts the requests sent to the application and delegates them to the bean whose ID is springSecurityFilterChain.
springSecurityFilterChain is a special Filter that chains together a number of other Filters, each with its own role. These filters become active once security is enabled.
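As an added example (not code from the page or from the Spring Security project), the initializer above extended to register one extra Filter ahead of springSecurityFilterChain. It assumes Spring Security 3.2's AbstractSecurityWebApplicationInitializer, whose beforeSpringSecurityFilterChain() hook and insertFilters() helper are used; the CharacterEncodingFilter is chosen only as an illustration of a filter that should run before the security chain.

```java
import javax.servlet.ServletContext;

import org.springframework.security.web.context.AbstractSecurityWebApplicationInitializer;
import org.springframework.web.filter.CharacterEncodingFilter;

// Added example: registers DelegatingFilterProxy (inherited behaviour) plus one filter in front of it.
public class SecurityWebInitializer extends AbstractSecurityWebApplicationInitializer {

    // Called before springSecurityFilterChain is registered; filters passed to
    // insertFilters() are mapped ahead of it, with the same URL mapping.
    @Override
    protected void beforeSpringSecurityFilterChain(ServletContext servletContext) {
        // Illustrative filter: force request/response encoding before any
        // security logic reads parameters such as the login form fields.
        CharacterEncodingFilter encodingFilter = new CharacterEncodingFilter();
        encodingFilter.setEncoding("UTF-8");
        encodingFilter.setForceEncoding(true);
        insertFilters(servletContext, encodingFilter);
    }
}
```

With the no-argument superclass constructor, the SecurityConfig class must be loaded into the root WebApplicationContext by another initializer (for example through an AbstractAnnotationConfigDispatcherServletInitializer's getRootConfigClasses()); if the security initializer should create the root context itself, pass SecurityConfig.class to the super constructor instead. appendFilters() works the same way from afterSpringSecurityFilterChain() and places filters behind the security chain.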
3. Write a simple security configuration
Spring Security was very cumbersome to configure in early versions; Spring Security 2.0 simplified this, and Spring 3.0 introduced the Java configuration scheme. The following is the simplest configuration using Java:
/**
 * Any Spring class that implements WebSecurityConfigurer can serve as the Spring Security configuration, but the
 * approach below is the easiest.
 * @EnableWebSecurity enables web security.
 * If you are using Spring MVC, use the @EnableWebMvcSecurity annotation instead; it additionally configures
 * Spring MVC's argument resolvers.
 * Both annotations lock the application down, so that nobody can access the system.
 */
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;

@Configuration
@EnableWebSecurity // enable web security
public class SecurityConfig extends WebSecurityConfigurerAdapter {}
Specifying the details of web security
This is done by overriding the configure methods of WebSecurityConfigurerAdapter:
Method | Description
configure(WebSecurity) | Override to configure Spring Security's Filter chain
configure(HttpSecurity) | Override to configure how requests are protected by interceptors
configure(AuthenticationManagerBuilder) | Override to configure the user-detail service

/**
 * The configuration below specifies how HTTP requests are protected and how clients authenticate users.
 * Calling authorizeRequests() and anyRequest().authenticated() requires every HTTP request entering the
 * application to be authenticated.
 * configure(AuthenticationManagerBuilder) has not been overridden, however, so there is no user who can authenticate.
 */
@Override
protected void configure(HttpSecurity http) throws Exception {
    http.authorizeRequests().anyRequest().authenticated()
        .and().formLogin()
        .and().httpBasic();
}
To meet our requirements we need to:
1: Configure a user store.
2: Specify which requests require authentication, which do not, and which authorities they require.
3: Provide a custom login page to replace the plain default one.
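The three requirements above carried through in one configuration class, as an added example that is not the page's own code: an in-memory user store, per-URL access rules and a custom login page. It assumes the Spring Security 3.2 Java configuration API; the user names, passwords, roles and the paths /login, /home, /admin/** and /css/** are constructed for the illustration.

```java
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;

// Added example configuration; paths, users and roles are constructed placeholders.
@Configuration
@EnableWebSecurity
public class SecurityConfig extends WebSecurityConfigurerAdapter {

    // 1: the user store. In-memory users with plain-text passwords are acceptable
    // only for a demo; a real store goes through a PasswordEncoder (e.g. BCrypt).
    @Override
    protected void configure(AuthenticationManagerBuilder auth) throws Exception {
        auth.inMemoryAuthentication()
            .withUser("user").password("user-pass").roles("USER")
            .and()
            .withUser("admin").password("admin-pass").roles("USER", "ADMIN");
    }

    // 2: which requests are open, which need a login and which need a specific role;
    // 3: the custom login page at /login replaces the generated default page.
    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            .authorizeRequests()
                // rules are evaluated top to bottom: most specific first
                .antMatchers("/", "/login", "/css/**").permitAll()
                .antMatchers("/admin/**").hasRole("ADMIN")   // requires authority ROLE_ADMIN
                .anyRequest().authenticated()                // everything else: any logged-in user
                .and()
            .formLogin()
                .loginPage("/login")                         // our own page, rendered by an MVC controller
                .defaultSuccessUrl("/home")
                .failureUrl("/login?error")
                .permitAll()                                 // the login page itself must stay reachable
                .and()
            .logout()
                .logoutSuccessUrl("/login?logout")
                .permitAll();
    }
}
```

Two practical points when running this: Java configuration enables CSRF protection by default, so the form served at /login must submit the _csrf token (in JSP, the Spring Security tag library or the request attribute exposed as ${_csrf.parameterName} and ${_csrf.token}) or every login will be rejected; and the order of antMatchers() rules matters, because the first matching rule wins, so the public paths are listed before anyRequest().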
To be continued...
