Enabling Spring Security in Spring Boot

Spring Security is a Spring-based security framework whose two main modules are authentication and authorization. Compared with Apache Shiro, the other popular security framework, it offers a richer feature set. Spring Security is also easy to customize and extend, and it ships with protection against common web attacks. If your web framework is Spring, Spring Security is the natural choice for security.

Here we integrate Spring Security into a Spring Boot application, using Spring Boot 1.5.14.RELEASE and Spring Security 4.2.7.RELEASE.

Enabling Spring Security

Create a Spring Boot project and add the spring-boot-starter-security dependency:

<dependency>
  <groupId>org.springframework.boot</groupId>
  <artifactId>spring-boot-starter-security</artifactId>
</dependency>

Next, create a TestController that exposes a /hello endpoint:

@RestController
public class TestController {
  @GetMapping("hello")
  public String hello() {
      return "hello spring security";
  }
}

 

Now start the project and visit http://localhost:8080/hello. The browser pops up an HTTP Basic Authentication dialog.

When the Spring Security dependency is on the classpath, Spring Boot enables the following property by default:

security:
  basic:
    enabled: true

This property turns on HTTP Basic authentication for every endpoint: all requests must carry valid credentials. The default user name is user, and the password is generated by Spring Security at startup; it is printed to the IDE console in a line like:

Using default security password: e9ed391c-93de-4611-ac87-d871d9e749ac

After entering the user name user and the password e9ed391c-93de-4611-ac87-d871d9e749ac, we can access the /hello endpoint. Note that this password is regenerated on every start and ends up in the application log, so it is only suitable for a first experiment; for anything else, set security.user.name and security.user.password (Spring Boot 1.x properties) or configure your own users.

Form-based authentication

A few lines of configuration switch from HTTP Basic to form-based authentication.

Create a configuration class BrowserSecurityConfig that extends the abstract class org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter and overrides its configure(HttpSecurity http) method. WebSecurityConfigurerAdapter is the adapter Spring Security provides for configuring web application security:

import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;

@Configuration
public class BrowserSecurityConfig extends WebSecurityConfigurerAdapter {
    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http.formLogin()             // form-based login
                .and()
                .authorizeRequests() // authorization configuration
                .anyRequest()        // every request ...
                .authenticated();    // ... must be authenticated
    }
}

Spring Security exposes this fluent, chained configuration API. The configuration above selects form login as the authentication method and requires authentication for every request. Restart the project and visit http://localhost:8080/hello again; the login prompt is now an HTML form.

The user name is still user, and the password is still the one generated by Spring Security. Entering wrong credentials shows an error message on the page.

To switch back to HTTP Basic authentication, only the configure method needs to change:

@Override
protected void configure(HttpSecurity http) throws Exception {
    // http.formLogin()         // form-based login
    http.httpBasic()             // HTTP Basic login
            .and()
            .authorizeRequests() // authorization configuration
            .anyRequest()        // every request ...
            .authenticated();    // ... must be authenticated
}
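Both configurations above still rely on the generated password for the default user account. The following is an added example, not code from the original post: it keeps the form-login setup but configures explicit users with BCrypt-hashed passwords on the global AuthenticationManagerBuilder, which is how Spring Boot 1.x lets you take over user management from the auto-configured account, and it opens an unauthenticated path and an admin-only path. The user names, passwords, roles and the /public/** and /admin/** paths are assumptions for the example.

```java
package com.example.security;

import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
import org.springframework.security.crypto.password.PasswordEncoder;

/**
 * Added example (not the original post's code): form login for browsers with
 * explicitly configured users instead of the password Spring Boot generates
 * on every start. User names, passwords, roles and paths are assumed.
 */
@Configuration
public class BrowserSecurityConfig extends WebSecurityConfigurerAdapter {

    @Bean
    public PasswordEncoder passwordEncoder() {
        // BCrypt is salted and deliberately slow; never store or compare plain-text passwords
        return new BCryptPasswordEncoder();
    }

    @Autowired
    public void configureGlobal(AuthenticationManagerBuilder auth) throws Exception {
        // Configuring the global builder is how Spring Boot 1.x hands user management to you.
        // Assumed demo users; a real application backs this with a UserDetailsService.
        PasswordEncoder encoder = passwordEncoder();
        auth.inMemoryAuthentication()
            .passwordEncoder(encoder)
            .withUser("alice").password(encoder.encode("alice-pass")).roles("USER")
            .and()
            .withUser("admin").password(encoder.encode("admin-pass")).roles("USER", "ADMIN");
    }

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            .formLogin()
                .and()
            .authorizeRequests()
                .antMatchers("/public/**").permitAll()       // assumed anonymous-readable resources
                .antMatchers("/admin/**").hasRole("ADMIN")   // most specific rules first: first match wins
                .anyRequest().authenticated();               // everything else needs a login
        // CSRF protection is on by default and protects the login form and any POSTs; leave it on.
    }
}
```

Rule order matters in authorizeRequests(): Spring Security uses the first matcher that fits the request, so a blanket anyRequest() rule placed before the antMatchers() rules would silently override them.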

 

Basic principles

We have enabled a simple Spring Security configuration; now let's look at the basic principles behind it. The request flow for the configuration above can be simplified to the following figure:

As shown in the figure above, Spring Security consists of many filters that form a chain; every request must pass through these filters before it can reach the resource. UsernamePasswordAuthenticationFilter handles form-based login and BasicAuthenticationFilter handles HTTP Basic login; further filters may follow them (each enabled through the corresponding configuration). At the end of the chain sits the FilterSecurityInterceptor, which decides whether the current request is authenticated and whether it holds the required authority; when authentication is missing or authority is insufficient it throws the corresponding exception. ExceptionTranslationFilter, which sits just before it in the chain, catches the exceptions thrown by FilterSecurityInterceptor and handles them: when authentication is required it redirects the request to the login page, and when authentication fails or authority is insufficient it returns the corresponding error response. The controller itself is only reached once the whole chain has let the request through.

Let's verify this flow with the debugger (switch the login method back to form login first).

Set a breakpoint in the /hello service:

Set a breakpoint on the super.beforeInvocation(...) call in the invoke method of FilterSecurityInterceptor:

Once this line passes, the doFilter call on the next line actually invokes the /hello service; otherwise the corresponding exception is thrown.

When FilterSecurityInterceptor throws an exception it is caught and handled by ExceptionTranslationFilter, so set a breakpoint on the first line of the catch block in the doFilter method of ExceptionTranslationFilter:

We are going to simulate a user who accesses /hello directly without logging in, so an "not authenticated" exception should be thrown, after which control should pass to UsernamePasswordAuthenticationFilter, which handles form-based authentication. Set a breakpoint on the attemptAuthentication method of UsernamePasswordAuthenticationFilter:

With everything in place, start the project and visit http://localhost:8080/hello. Execution stops at the FilterSecurityInterceptor breakpoint:

Stepping forward, the request has not been authenticated, so an exception is thrown and caught by ExceptionTranslationFilter:

After catching the exception it redirects to the form login page. When we enter the credentials on the login page and click Login, execution stops at the attemptAuthentication method of UsernamePasswordAuthenticationFilter:

After the user name and password have been checked, the original request for /hello is replayed and execution returns to the beforeInvocation call in FilterSecurityInterceptor:

Authentication has succeeded, so FilterSecurityInterceptor continues to doFilter and execution finally reaches /hello:

The browser displays hello spring security.
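The redirect to the login page that ExceptionTranslationFilter performed above is right for a browser but wrong for an API client, which needs a status code it can act on. The following is an added example, not code from the original post: a second, higher-priority filter chain for an assumed /api/** path prefix (the original project only has /hello) that tells ExceptionTranslationFilter to answer an AuthenticationException with 401 and an AccessDeniedException with 403, both as JSON, instead of redirecting. The path prefix, the ADMIN role and the response messages are assumptions; it is meant to sit beside the BrowserSecurityConfig from the article, which keeps handling every other path at its default order of 100.

```java
package com.example.security;

import java.io.IOException;

import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

import org.springframework.context.annotation.Configuration;
import org.springframework.core.annotation.Order;
import org.springframework.http.HttpStatus;
import org.springframework.http.MediaType;
import org.springframework.security.access.AccessDeniedException;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.config.http.SessionCreationPolicy;
import org.springframework.security.core.AuthenticationException;
import org.springframework.security.web.AuthenticationEntryPoint;
import org.springframework.security.web.access.AccessDeniedHandler;

/**
 * Added example, not code from the original post. A separate filter chain for the
 * assumed /api/** prefix. FilterSecurityInterceptor still throws exactly as in the
 * article; ExceptionTranslationFilter still catches, but is configured to reply with
 * 401/403 JSON instead of redirecting to the HTML login page.
 */
@Configuration
@Order(1)   // evaluated before the browser chain, which keeps the adapter default order 100
public class ApiSecurityConfig extends WebSecurityConfigurerAdapter {

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            .antMatcher("/api/**")                                  // this chain only handles /api/**
            .authorizeRequests()
                .antMatchers("/api/admin/**").hasRole("ADMIN")      // assumed admin-only path
                .anyRequest().authenticated()
                .and()
            .httpBasic()                                            // API clients send an Authorization header
                .and()
            .exceptionHandling()
                .authenticationEntryPoint(unauthorizedEntryPoint()) // AuthenticationException -> 401
                .accessDeniedHandler(forbiddenHandler())            // AccessDeniedException  -> 403
                .and()
            .sessionManagement()
                .sessionCreationPolicy(SessionCreationPolicy.STATELESS) // no session cookie is issued
                .and()
            .csrf().disable();  // safe only because the chain is stateless; the browser chain keeps CSRF on
    }

    private static AuthenticationEntryPoint unauthorizedEntryPoint() {
        return (HttpServletRequest request, HttpServletResponse response, AuthenticationException ex) ->
                writeJson(response, HttpStatus.UNAUTHORIZED, "authentication required");
    }

    private static AccessDeniedHandler forbiddenHandler() {
        return (HttpServletRequest request, HttpServletResponse response, AccessDeniedException ex) ->
                writeJson(response, HttpStatus.FORBIDDEN, "insufficient privileges");
    }

    private static void writeJson(HttpServletResponse response, HttpStatus status, String message)
            throws IOException {
        response.setStatus(status.value());
        response.setContentType(MediaType.APPLICATION_JSON_UTF8_VALUE);
        // Fixed messages only: never echo the exception text, which can leak internals to the caller.
        response.getWriter().write("{\"error\":\"" + message + "\"}");
    }
}
```

With this in place, an unauthenticated request to any URL under /api/ is rejected by FilterSecurityInterceptor, translated by ExceptionTranslationFilter into the 401 body, and never reaches a controller. To see which filters a given request passes through while debugging, put @EnableWebSecurity(debug = true) on one of your configuration classes: Spring Security then logs the full filter chain for every request. Turn it off again before deploying, since the output is verbose and includes request details.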


Origin www.cnblogs.com/7788IT/p/11626834.html