Spring Security authentication and authorization (Part 1)

Table of contents

1 Summary

2 Adding the pom dependency

3 Default configuration

4 WebSecurityConfigurerAdapter configuration

4.1 Basic principles


1 Summary

Spring Security is a Spring-based security framework whose two main modules are authentication and authorization. Compared with Apache Shiro, the other popular security framework, it is more fully featured, can be extended and customized with little effort, and ships with protection against common web attacks. If your web framework of choice is Spring, Spring Security is the natural choice for security.

This article integrates Spring Security into Spring Boot, using Spring Boot 1.5.14.RELEASE and Spring Security 4.2.7.RELEASE.

2 Adding the pom dependency

<dependency>
    <groupId>org.springframework.boot</groupId>
    <artifactId>spring-boot-starter-security</artifactId>
</dependency>

Next we create a TestController that exposes a /hello endpoint:

import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.RestController;

@RestController
public class TestController {

    // GET /hello; with Spring Security on the classpath this endpoint is protected by default
    @GetMapping("hello")
    public String hello() {
        return "hello spring security";
    }
}

3 Default configuration

Simply adding the Spring Security dependency enables the following default configuration in Spring Boot 1.5:

security:
  basic:
    enabled: true

This turns on HTTP Basic authentication for every endpoint. The default user name is user, and the password is generated by Spring Security at startup and printed to the console (the application log), where it can be found on a line like this:

Using default security password: e9ed391c-93de-4611-ac87-d871d9e749ac

After entering the user name user and the password e9ed391c-93de-4611-ac87-d871d9e749ac in the browser's authentication dialog, we can access /hello. Note that this password is a new random value on every start and is written to the log, so it is only suitable for local experiments; a fixed user can be set with the security.user.name and security.user.password properties, and a real application supplies its own user store.

Form-based authentication

With a little configuration we can switch from HTTP Basic authentication to form-based authentication.

4 WebSecurityConfigurerAdapter configuration

Create a configuration class BrowserSecurityConfig that extends the abstract class org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter and overrides its configure(HttpSecurity http) method. WebSecurityConfigurerAdapter is the adapter Spring Security provides for configuring web application security:

import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;

@Configuration
public class BrowserSecurityConfig extends WebSecurityConfigurerAdapter {

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http.formLogin()             // form-based login
                .and()
                .authorizeRequests() // authorization configuration
                .anyRequest()        // all requests
                .authenticated();    // must be authenticated
    }
}

Spring Security exposes this configuration as a chain of method calls. The configuration above selects form login as the authentication method and requires every request to be authenticated. After restarting the project and visiting http://localhost:8080/hello again, the browser is redirected to Spring Security's generated login form instead of showing the Basic authentication dialog.

The user name is still user and the password is still the one generated by Spring Security at startup. If the credentials are wrong, the login page shows an error message.
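As an added example that is not part of the original article, here is the same BrowserSecurityConfig extended the way a practitioner would before using it beyond a demo: it defines its own users with BCrypt-hashed passwords (so the random password logged at startup is no longer relied on), adds a role-based rule for a hypothetical /admin/** path, and enables logout. The package name, the user names and passwords, and the /admin/** path are assumptions.

```java
package com.example.demo.security;  // hypothetical package name

import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
import org.springframework.security.crypto.password.PasswordEncoder;

@Configuration
public class BrowserSecurityConfig extends WebSecurityConfigurerAdapter {

    // Registers users on the global AuthenticationManagerBuilder so that every
    // WebSecurityConfigurerAdapter in the application can authenticate against them.
    // Once users are configured here, Spring Boot no longer needs its generated "user".
    @Autowired
    public void configureGlobal(AuthenticationManagerBuilder auth) throws Exception {
        PasswordEncoder encoder = new BCryptPasswordEncoder(); // salted, adaptive hash
        auth.inMemoryAuthentication()
                .passwordEncoder(encoder)                       // verify submitted passwords with BCrypt
                // demo credentials (assumed); a real application loads users from its own store
                .withUser("user").password(encoder.encode("change-me")).roles("USER")
                .and()
                .withUser("admin").password(encoder.encode("change-me-too")).roles("USER", "ADMIN");
    }

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http.formLogin()                                        // form-based login, as on the page
                .and()
                .logout()                                       // POST /logout invalidates the session
                .and()
                .authorizeRequests()
                .antMatchers("/admin/**").hasRole("ADMIN")      // roles("ADMIN") stores ROLE_ADMIN; hasRole adds the prefix
                .anyRequest().authenticated();                  // everything else still requires a login
        // CSRF protection and the default security headers stay enabled: nothing above disables them.
    }
}
```

With this in place, logging in as user and requesting /admin/anything yields HTTP 403 from the authorization step, while admin gets through; the login form itself and the form's POST still work exactly as described in the text, because formLogin() is unchanged.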

4.1 Basic principles

Having enabled a simple Spring Security configuration, let's look at the basic principles behind it. The processing of a request under the configuration above can be simplified to the following flow.

Spring Security consists of a number of servlet filters that form a chain, and every request must pass through these filters before it can reach the resource. Among them:

  1. UsernamePasswordAuthenticationFilter handles form-based login.
  2. BasicAuthenticationFilter handles HTTP Basic authentication. A series of other filters may follow (each switched on by the corresponding configuration). At the end of the chain sits the FilterSecurityInterceptor, which decides whether the current request is authenticated and whether it holds the required authority; if authentication failed or permissions are insufficient, it throws the corresponding exception.
  3. ExceptionTranslationFilter sits immediately before FilterSecurityInterceptor and catches the exceptions it throws: when authentication is required it redirects the request to the login page, and when the user is authenticated but lacks permission it returns the corresponding error response (HTTP 403).
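To see the chain described above in a running application, the following added example (not from the original article) prints every SecurityFilterChain and its filters, in execution order, at startup. It assumes the bean name springSecurityFilterChain that Spring Security registers, an application that does not use @EnableWebSecurity(debug = true) (which would wrap the proxy in a DebugFilter and break the cast), and a hypothetical package name.

```java
package com.example.demo.security;  // hypothetical package name

import java.util.List;
import javax.servlet.Filter;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.beans.factory.annotation.Qualifier;
import org.springframework.boot.CommandLineRunner;
import org.springframework.security.web.FilterChainProxy;
import org.springframework.security.web.SecurityFilterChain;
import org.springframework.stereotype.Component;

// Lists the security filter chains and their filters once the application has started.
@Component
public class SecurityFilterChainLogger implements CommandLineRunner {

    private final FilterChainProxy filterChainProxy;

    // "springSecurityFilterChain" is registered with the declared type Filter; at runtime it is a
    // FilterChainProxy holding one SecurityFilterChain per WebSecurityConfigurerAdapter
    // (plus empty chains for paths that WebSecurity ignores, such as Boot's static-resource defaults).
    @Autowired
    public SecurityFilterChainLogger(@Qualifier("springSecurityFilterChain") Filter springSecurityFilterChain) {
        this.filterChainProxy = (FilterChainProxy) springSecurityFilterChain;
    }

    @Override
    public void run(String... args) {
        List<SecurityFilterChain> chains = filterChainProxy.getFilterChains();
        for (int i = 0; i < chains.size(); i++) {
            List<Filter> filters = chains.get(i).getFilters();
            System.out.println("Security filter chain " + i + " (" + filters.size() + " filters)");
            int position = 1;
            for (Filter filter : filters) {
                // Printed in the order the filters run for a matching request
                System.out.println("  " + position++ + ". " + filter.getClass().getName());
            }
        }
    }
}
```

For the BrowserSecurityConfig on this page the populated chain ends with ExceptionTranslationFilter followed by FilterSecurityInterceptor, with UsernamePasswordAuthenticationFilter earlier in the list, which is the order the walkthrough below relies on.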

Let's verify this flow in the debugger (with form login configured).

We set three breakpoints on the path to the /hello endpoint:

  • In FilterSecurityInterceptor, on the super.beforeInvocation(fi) call inside its invoke method. When this line completes without throwing, the next line calls doFilter on the rest of the chain, which actually invokes /hello; otherwise beforeInvocation throws the corresponding exception.
  • In ExceptionTranslationFilter, on the first line of the catch block in its doFilter method, since that is where an exception thrown by FilterSecurityInterceptor is caught and handled.
  • In UsernamePasswordAuthenticationFilter, on its attemptAuthentication method. We will simulate a user who accesses /hello without being logged in, so an authentication exception should be thrown and the user should be sent to the form login that this filter handles.

With the breakpoints in place, start the project and visit http://localhost:8080/hello. Execution stops first at the FilterSecurityInterceptor breakpoint.

Stepping on, the current request is not authenticated, so beforeInvocation throws an exception, and execution stops in the catch block of ExceptionTranslationFilter.

After catching the exception, ExceptionTranslationFilter redirects the browser to the form login page. When we submit the login form, execution stops at the attemptAuthentication method of UsernamePasswordAuthenticationFilter.

Once the user name and password have been verified, the browser is redirected to the originally requested /hello, and the new request stops again at the beforeInvocation call in FilterSecurityInterceptor.

Because authentication has now passed, FilterSecurityInterceptor continues into doFilter, and execution finally reaches /hello.

The browser displays "hello spring security".
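As an added example that is not part of the original article, the following second WebSecurityConfigurerAdapter customizes the two outcomes traced above for a hypothetical JSON API under /api/**: ExceptionTranslationFilter hands an unauthenticated request to the configured AuthenticationEntryPoint (HTTP 401 with a JSON body instead of a redirect to the login form), and an authenticated but unauthorized request to the AccessDeniedHandler (HTTP 403). The /api/** paths, the package name and the JSON bodies are assumptions; the class is given @Order(1) so it is consulted before BrowserSecurityConfig (default order 100) and only claims /api/** requests, so both configurations can coexist in one application. It uses Java 8 lambdas and relies on users defined elsewhere (the generated user, or users registered on the global AuthenticationManagerBuilder).

```java
package com.example.demo.security;  // hypothetical package name

import java.io.IOException;
import javax.servlet.http.HttpServletResponse;
import org.springframework.context.annotation.Configuration;
import org.springframework.core.annotation.Order;
import org.springframework.http.MediaType;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.config.http.SessionCreationPolicy;
import org.springframework.security.web.AuthenticationEntryPoint;
import org.springframework.security.web.access.AccessDeniedHandler;

@Configuration
@Order(1)  // evaluated before BrowserSecurityConfig, whose default order is 100
public class ApiSecurityConfig extends WebSecurityConfigurerAdapter {

    // Invoked by ExceptionTranslationFilter when FilterSecurityInterceptor throws an
    // AuthenticationException for a request with no credentials, and by BasicAuthenticationFilter
    // when the supplied credentials are wrong. No WWW-Authenticate header, so browsers show no dialog.
    private static final AuthenticationEntryPoint API_ENTRY_POINT = (request, response, ex) ->
            writeJson(response, HttpServletResponse.SC_UNAUTHORIZED, "authentication required");

    // Invoked by ExceptionTranslationFilter when the caller is authenticated but lacks the required role.
    private static final AccessDeniedHandler API_ACCESS_DENIED = (request, response, ex) ->
            writeJson(response, HttpServletResponse.SC_FORBIDDEN, "insufficient permissions");

    private static void writeJson(HttpServletResponse response, int status, String message) throws IOException {
        response.setStatus(status);
        response.setCharacterEncoding("UTF-8");
        response.setContentType(MediaType.APPLICATION_JSON_VALUE);
        response.getWriter().write("{\"error\":\"" + message + "\"}");  // constructed message, fixed vocabulary
    }

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            .antMatcher("/api/**")                                   // this chain handles only /api/** (assumed paths)
            .sessionManagement()
                .sessionCreationPolicy(SessionCreationPolicy.STATELESS) // every request carries its own credentials
            .and()
            .csrf().disable()                                        // safe only because no session cookie is issued
            .authorizeRequests()
                .antMatchers("/api/admin/**").hasRole("ADMIN")
                .anyRequest().authenticated()
            .and()
            .httpBasic()
                .authenticationEntryPoint(API_ENTRY_POINT)           // bad credentials: 401 JSON
            .and()
            .exceptionHandling()
                .authenticationEntryPoint(API_ENTRY_POINT)           // missing credentials: 401 JSON
                .accessDeniedHandler(API_ACCESS_DENIED);             // wrong role: 403 JSON
    }
}
```

Requests outside /api/** never reach this chain and still get the form-login behaviour traced above; a request to /api/hello without an Authorization header is answered with 401 and the JSON body rather than a redirect, which is the behaviour an API client wants from the same ExceptionTranslationFilter mechanism.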


Origin blog.csdn.net/sdrfengmi/article/details/98586887