(Thirty-two) Java version of the Spring Cloud microservices architecture B2B2C e-commerce platform: Security

Basic principle of Spring Security:

Spring Security uses a large number of interceptors (servlet filters) to intercept URLs, and that is how it manages permissions. There are too many of them to go through one by one, so this note concentrates on the two core processes inside them.

First, permission management cannot do without login authentication, so there is the login authentication interceptor, AuthenticationProcessingFilter. Then access to resources has to be managed, so there is the resource access interceptor, AbstractSecurityInterceptor. The work inside these interceptors is delegated to a number of components, which is why AuthenticationManager, AccessDecisionManager and others exist to support them.

Roughly, the whole flow is this. When a user logs in, the request is intercepted by AuthenticationProcessingFilter, which calls the AuthenticationManager implementation; the AuthenticationManager calls ProviderManager to obtain the user's authentication information (different Providers are called for different sources, because that information may live in a database, on an LDAP server, or in an XML configuration file). If verification succeeds, the user's authority information is wrapped in a user object and stored in Spring's global cache, SecurityContextHolder, ready for later resource access.

Resource access (i.e. authorization management): when a URL is accessed, the request passes through the AbstractSecurityInterceptor, which calls FilterInvocationSecurityMetadataSource to obtain all the permissions the intercepted URL requires, and then calls the authorization manager, AccessDecisionManager. The AccessDecisionManager obtains the user's permission information from the global cache SecurityContextHolder, compares the user's authorities with the permissions required for the intercepted URL, and decides according to the configured voting strategy (there are several: one affirmative vote decides, one negative vote vetoes, majority rule, etc.). If the authority is sufficient the resource is returned; if not, the insufficient-permissions error page is called.

This may sound complex and readers may be a little dizzy at this point, but that does not matter: once the code that implements it has been explained later, coming back to this simple principle should pay off.

Using Security in Spring Boot
First introduce the Spring Security package:

<dependency>
    <groupId>org.springframework.boot</groupId>
    <artifactId>spring-boot-starter-security</artifactId>
</dependency>

In Spring Security there is one very important configuration class to write: it inherits the abstract class WebSecurityConfigurerAdapter, as shown in the following code.
The purpose of this bean is to keep our users in memory; that is still useful for debugging, but a real development build would not do this.

import org.springframework.context.annotation.Bean;
import org.springframework.security.core.userdetails.User;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.provisioning.InMemoryUserDetailsManager;

@Bean
@Override
protected UserDetailsService userDetailsService() {
    InMemoryUserDetailsManager manager = new InMemoryUserDetailsManager();
    // Demo accounts for debugging only. The {noop} prefix tells the default DelegatingPasswordEncoder
    // the password is stored in plain text; without it, Spring Security 5 rejects the login.
    manager.createUser(User.withUsername("user_1").password("{noop}123456").authorities("USER").build());
    manager.createUser(User.withUsername("user_2").password("{noop}123456").authorities("USER").build());
    return manager;
}

Once this is done, the UserDetailsService above also needs to be registered with the interceptor, because it is needed to authenticate the user at login; that can be done directly with

import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.core.userdetails.UserDetailsService;

// The UserDetailsService bean defined above, injected so it can be handed to the AuthenticationManager
@Autowired
private UserDetailsService userDetailsService;

@Autowired
public void configureGlobal(AuthenticationManagerBuilder auth) throws Exception {
    auth.userDetailsService(userDetailsService);
}

Other parameters may also be set here, such as the password encoding method.
In this class you can also configure the paths the interceptors ignore, i.e. the ones that do not require authentication:

import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.core.env.Environment;
import org.springframework.security.config.annotation.web.builders.WebSecurity;

/**
 * Interfaces configured to be ignored
 */
// Environment is assumed to be injected; the original fragment uses env without declaring it
@Autowired
private Environment env;

@Override
public void configure(WebSecurity web) throws Exception {
    // "msi.auth.ignoring" holds pipe-separated paths; /health and /info are skipped by default
    String ignoring = env.getProperty("msi.auth.ignoring", "/health|/info");
    web.ignoring().antMatchers(ignoring.split("\\|"));
}

Whichever way you store users, in memory or in a database, the UserDetailsService must be registered with the AuthenticationManagerBuilder through the same configureGlobal method shown above.
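The fragments above assembled into one configuration class, as an added example that is not code from the original post or its project. It assumes Spring Boot 2 with Spring Security 5 (the WebSecurityConfigurerAdapter API the page uses) and the hypothetical class name DemoSecurityConfig; it adds what the fragments leave out, a PasswordEncoder and the configure(HttpSecurity) URL-to-authority rules that the AccessDecisionManager described in the principle section evaluates.

```java
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.builders.WebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.core.userdetails.User;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
import org.springframework.security.crypto.password.PasswordEncoder;
import org.springframework.security.provisioning.InMemoryUserDetailsManager;

@Configuration
public class DemoSecurityConfig extends WebSecurityConfigurerAdapter { // hypothetical class name
    // Hashes stored passwords; the login filter uses the same encoder to verify a submitted password.
    @Bean
    public PasswordEncoder passwordEncoder() {
        return new BCryptPasswordEncoder();
    }
    // Constructed demo accounts held in memory (debugging only); production would load them from a database.
    @Bean
    @Override
    protected UserDetailsService userDetailsService() {
        InMemoryUserDetailsManager manager = new InMemoryUserDetailsManager();
        manager.createUser(User.withUsername("user_1").password(passwordEncoder().encode("123456")).authorities("USER").build());
        manager.createUser(User.withUsername("admin_1").password(passwordEncoder().encode("123456")).authorities("USER", "ADMIN").build());
        return manager;
    }
    // Registers the UserDetailsService with the AuthenticationManager that the login filter calls.
    @Autowired
    public void configureGlobal(AuthenticationManagerBuilder auth) throws Exception {
        auth.userDetailsService(userDetailsService()).passwordEncoder(passwordEncoder());
    }
    // Paths that skip the security filter chain entirely, so no authentication is required.
    @Override
    public void configure(WebSecurity web) throws Exception {
        web.ignoring().antMatchers("/health", "/info");
    }
    // URL-to-authority rules; the AccessDecisionManager checks them against the authorities
    // stored in SecurityContextHolder after login. More specific patterns must come first.
    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http.authorizeRequests()
            .antMatchers("/admin/**").hasAuthority("ADMIN")
            .anyRequest().hasAuthority("USER")
            .and().formLogin();
    }
}
```

With this in place, user_1 can reach any URL except /admin/**, admin_1 can reach everything, and /health and /info never enter the filter chain.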

Source: blog.csdn.net/vvx0206/article/details/93845567