Spring Framework (24 Part Series)
1 Spring Configuration
2 External Properties in Spring
… 20 more parts…
3 Profiles in Spring
4 Spring Expression Language (SpEL)
5 How Spring implements Singleton Beans
6 Converting explicit into implicit configuration in Spring
7 Autowiring in Spring
8 Lazy Beans in Spring
9 @PostConstruct and @PreDestroy in Spring
10 Stereotype and Meta Annotations in Spring
11 Spring’s FactoryBean Interface
12 The Spring Bean Lifecycle
13 Spring AOP
14 Caching in Spring
15 Spring JDBC
16 Spring Transaction Management
17 JPA with Spring
18 JPA with Spring Boot
19 Spring Web MVC
20 Spring Boot for war
21 Spring MVC REST
22 Reactive Spring Applications
23 Spring Security
24 Spring Injection Types
There are many authentication mechanisms (basic, digest, form, X.509, etc), and there are many storage options for credentials and authority information (in-memory, database, LDAP, etc). Authorization depends on authentication and determines if you have the required Authority. The decision process is often based on roles (e.g. ADMIN, MEMBER, GUEST, etc).
There are three steps to set up and configure Spring Security in a web environment:
- Setup the filter chain: The implementation is a chain of Spring configured filters (Spring Boot does it automatically)
- Configure security (authorization) rules
- Setup Web Authentication
In the next example, it is defined as specific authorization restrictions for URLs using mvcMatchers.
@Configuration
@EnableWebSecurity
public class SecurityConfig extends WebSecurityConfigurerAdapter {
@Override
protected void configure(HttpSecurity http) throws Exception {
http.formLogin().loginPage("/login").permitAll().and().exceptionHandling().accessDeniedPage("/denied").and()
.authorizeRequests().mvcMatchers("/accounts/resources/**").permitAll().mvcMatchers("/accounts/edit*")
.hasRole("EDITOR").mvcMatchers("/accounts/account*").hasAnyRole("VIEWER", "EDITOR")
.mvcMatchers("/accounts/**").authenticated().and().logout().permitAll().logoutSuccessUrl("/");
}
@Autowired
public void configureGlobal(AuthenticationManagerBuilder auth) throws Exception {
auth.inMemoryAuthentication().passwordEncoder(new StandardPasswordEncoder()).withUser("viewerUser")
.password("abc").roles("VIEWER").and().withUser("editorUser").password("abc").roles("EDITOR");
}
}
Enter fullscreen mode Exit fullscreen mode
As you can see, you can chain multiple restrictions (using the and() method). The first method sets up a form-based authentication. The second method uses a UserDetailsManagerConfigurer. You can use jdbcAuthentication() instead of inMemoryAuthentication().
Learn more at Spring Security Reference and Security Architecture with Spring
Spring Framework (24 Part Series)
1 Spring Configuration
2 External Properties in Spring
… 20 more parts…
3 Profiles in Spring
4 Spring Expression Language (SpEL)
5 How Spring implements Singleton Beans
6 Converting explicit into implicit configuration in Spring
7 Autowiring in Spring
8 Lazy Beans in Spring
9 @PostConstruct and @PreDestroy in Spring
10 Stereotype and Meta Annotations in Spring
11 Spring’s FactoryBean Interface
12 The Spring Bean Lifecycle
13 Spring AOP
14 Caching in Spring
15 Spring JDBC
16 Spring Transaction Management
17 JPA with Spring
18 JPA with Spring Boot
19 Spring Web MVC
20 Spring Boot for war
21 Spring MVC REST
22 Reactive Spring Applications
23 Spring Security
24 Spring Injection Types
原文链接:Spring Security
暂无评论内容