Using Spring Security without using any XML
This post is only a rough translation; for the original, see the official Spring Security documentation (the "Hello Spring Security Java Config" chapter). Leave a comment if you have questions.
1. Set up the environment
- Download and unzip the Spring Security distribution; the unzipped directory is referred to below as SPRING_SECURITY_HOME.
2. Import the empty (insecure) project
- Import the project (i.e. SPRING_SECURITY_HOME/samples/insecure)
- Right-click the project, Run As → Run on Server
3. Securing the application
- Add the Maven dependencies to pom.xml
<dependencies>
  <!-- ... other dependency elements ... -->
  <dependency>
    <groupId>org.springframework.security</groupId>
    <artifactId>spring-security-web</artifactId>
    <version>4.0.1.RELEASE</version>
  </dependency>
  <dependency>
    <groupId>org.springframework.security</groupId>
    <artifactId>spring-security-config</artifactId>
    <version>4.0.1.RELEASE</version>
  </dependency>
</dependencies>
- Maven → Update Project…
- Create the package org.springframework.security.samples.config and, inside it, the class SecurityConfig.java, like this:
src/main/java/org/springframework/security/samples/config/SecurityConfig.java
package org.springframework.security.samples.config;

import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.web.configuration.*;

// Extending WebSecurityConfigurerAdapter (covered by the wildcard import above) is the
// form used in the Spring Security reference; it lets you override configure(HttpSecurity)
// later. With no override, every URL requires authentication and a login form is generated.
@EnableWebSecurity
public class SecurityConfig extends WebSecurityConfigurerAdapter {

    // Registers a single in-memory user "user" / "password" with role USER.
    @Autowired
    public void configureGlobal(AuthenticationManagerBuilder auth) throws Exception {
        auth
            .inMemoryAuthentication()
                .withUser("user").password("password").roles("USER");
    }
}
Roughly: the name configureGlobal is not important. What matters is that the AuthenticationManagerBuilder is configured in a class annotated with @EnableWebSecurity, @EnableGlobalMethodSecurity or @EnableGlobalAuthentication; configuring it anywhere else leads to unpredictable results. (Those three annotations are what import the AuthenticationConfiguration that makes the builder injectable.) Note also that the clear-text "password" works only because Spring Security 4.x does not require a PasswordEncoder for in-memory users; it is demo-only, and from Spring Security 5 a password without an encoder id such as {noop} is rejected at login.
What SecurityConfig does:
- Require authentication for every URL in your application
- Generate a login form for you
- Allow the user with the username user and the password password to authenticate with form-based authentication
- Allow the user to log out
- CSRF attack prevention
- Session fixation protection
- Security header integration:
  - HTTP Strict Transport Security for secure requests
  - X-Content-Type-Options integration
  - Cache Control (can be overridden later by your application to allow caching of your static resources)
  - X-XSS-Protection integration
  - X-Frame-Options integration to help prevent clickjacking
- Integration with the Servlet API security methods on HttpServletRequest: getRemoteUser() (which index.jsp below reads as pageContext.request.remoteUser), getUserPrincipal(), isUserInRole(String), login(String, String) and logout()
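The list above and the configureGlobal note before it describe behaviour the empty SecurityConfig gets for free, which makes it hard to see which default is which. The following class is an added example (not code from the original page or from the Spring Security sample): it writes those defaults out explicitly in a configure(HttpSecurity) override, using the Spring Security 4.0.x API, and replaces the clear-text demo password with a BCrypt hash. The class name ExplicitSecurityConfig and the static-resource paths /css/** and /js/** are assumptions for illustration.

```java
package org.springframework.security.samples.config;

import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
import org.springframework.security.crypto.password.PasswordEncoder;

// Added example: the tutorial's defaults spelled out explicitly (Spring Security 4.0.x API).
// The paths /css/** and /js/** are assumed for illustration; the sample may not have them.
@EnableWebSecurity
public class ExplicitSecurityConfig extends WebSecurityConfigurerAdapter {

    // @EnableWebSecurity is meta-annotated with @EnableGlobalAuthentication, which is
    // what makes AuthenticationManagerBuilder injectable into this method.
    @Autowired
    public void configureGlobal(AuthenticationManagerBuilder auth) throws Exception {
        PasswordEncoder encoder = new BCryptPasswordEncoder();
        auth
            .inMemoryAuthentication()
                .passwordEncoder(encoder)
                // Store the BCrypt hash of the demo password, never the clear text.
                .withUser("user").password(encoder.encode("password")).roles("USER");
    }

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            // "Require authentication to every URL", except public static assets (assumed paths).
            .authorizeRequests()
                .antMatchers("/css/**", "/js/**").permitAll()
                .anyRequest().authenticated()
                .and()
            // "Generate a login form": the default /login page, reachable without a session.
            .formLogin()
                .permitAll()
                .and()
            // "Allow the user to logout": only POST /logout matches while CSRF is enabled.
            .logout()
                .logoutUrl("/logout")
                .and()
            // "CSRF attack prevention" is on by default; naming it documents that intent.
            .csrf()
                .and()
            // "Session Fixation protection": new session id on login, attributes copied over.
            .sessionManagement()
                .sessionFixation().migrateSession()
                .and()
            // "Security Header integration": the default header writers, named one by one.
            .headers()
                .httpStrictTransportSecurity().and()   // Strict-Transport-Security on HTTPS responses
                .contentTypeOptions().and()            // X-Content-Type-Options: nosniff
                .cacheControl().and()                  // Cache-Control: no-cache, no-store, ... (+ Pragma, Expires)
                .xssProtection().and()                 // X-XSS-Protection: 1; mode=block
                .frameOptions().deny();                // X-Frame-Options: DENY (clickjacking)
    }
}
```

Use this class instead of, not next to, the page's SecurityConfig: two WebSecurityConfigurerAdapter beans with the same default @Order fail at startup. Removing a line here changes behaviour (for example dropping .csrf() does not disable CSRF, but dropping .frameOptions().deny() in favour of .frameOptions().disable() would allow framing), so treat the override as a checklist.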
4. Register the springSecurityFilterChain
- In org.springframework.security.samples.config create another class, SecurityWebApplicationInitializer.java
src/main/java/org/springframework/security/samples/config/SecurityWebApplicationInitializer.java
package org.springframework.security.samples.config;

import org.springframework.security.web.context.*;

public class SecurityWebApplicationInitializer
        extends AbstractSecurityWebApplicationInitializer {

    public SecurityWebApplicationInitializer() {
        super(SecurityConfig.class);
    }
}
SecurityWebApplicationInitializer does the following:
- Automatically registers the springSecurityFilterChain filter for every URL in your application
- Adds a ContextLoaderListener that loads the SecurityConfig
Passing SecurityConfig.class to super() is only appropriate because the sample has no other Spring configuration. If your application already bootstraps a Spring context (a ContextLoaderListener or DispatcherServlet) that loads SecurityConfig, use the no-argument constructor instead so that the filter is registered against the existing context rather than a second one.
5. Deploy the project and try logging in
- After starting the server you will see a login page; log in with user / password.
- Show the logged-in user's name on the page (the snippet uses the JSTL core taglib with prefix c, which must be declared at the top of the JSP)
src/main/webapp/index.jsp
<body>
  <div class="container">
    <h1>This is secured!</h1>
    <p>
      Hello <b><c:out value="${pageContext.request.remoteUser}"/></b>
    </p>
  </div>
</body>
6. Logging out
src/main/webapp/index.jsp
<body>
  <div class="container">
    <h1>This is secured!</h1>
    <p>
      Hello <b><c:out value="${pageContext.request.remoteUser}"/></b>
    </p>
    <c:url var="logoutUrl" value="/logout"/>
    <form class="form-inline" action="${logoutUrl}" method="post">
      <input type="submit" value="Log out" />
      <input type="hidden" name="${_csrf.parameterName}" value="${_csrf.token}"/>
    </form>
  </div>
</body>
To help protect against CSRF attacks, by default the Spring Security Java configuration requires that a logout request:
- use the HTTP method POST;
- carry the CSRF token. You can read it from the ServletRequest attribute _csrf, as illustrated above.
Consequently a plain link (a GET) to /logout does not log the user out, because the logout filter only matches POST /logout while CSRF protection is enabled, and a POST without the token is rejected with 403 by the CsrfFilter before it ever reaches the logout handler.