Spring Security Framework Introductory article

First, Spring security related concepts

1.1., Spring Security Introduction:

Spring security is a secure framework that provides declarative security access control solutions for spring-based enterprise applications (simply Control access permissions). It provides a set of beans that can be configured in the context of the spring application, taking full advantage of the spring Ioc,di (control inversion inversion of controls, di:dependency injection Dependency injection) and AOP (aspect-oriented programming) capabilities. It provides declarative security access control for application systems, and reduces the effort to write large amounts of repetitive code for enterprise system security control.

1.2, Spring Security Implementation principle:

Spring Security's support for Web security relies heavily on servlet filters. Use these filters to intercept incoming requests and infer whether they are authenticated and have access to the appropriate request.

To complete the interview control. Spring security requires at least the following four interceptors (scheduler, authentication manager, Permission Resource Association, Access decider) to complete the match:

<!--Mysecurityinterceptor Here we'll name it the scheduler.<!--must include Authenticationmanager,securitymetadatasource,accessdecisionmanager three properties --   <!--All our controls will be implemented in these three classes-- <!--It inherits the Abstractsecurityinterceptor class and implements the filter interface -- <bean id= "mysecurityinterceptor" class=" Com.luo.Filter.MySecurityInterceptor ">      <b:property name= "AuthenticationManager" ref=" AuthenticationManager " />      <b:property name= "securitymetadatasource" ref=" Securitymetadatasource " />      <b:property name= "Accessdecisionmanager" ref=" Accessdecisionmanager " />  </Bean>  <!--authentication Manager for user authentication Entry---  <Authentication-manager alias="AuthenticationManager">      <authentication-provider user-service-ref="Myuserdetailservice" />   </Authentication-manager>  <!--in this class, you can read the user's password from the database. Role information, etc. --  <!--The main implementation of the Userdetailsservice interface, and then return the user data--  <bean id= "myuserdetailservice" class=" Com.luo.Filter.MyUserDetailService " />  <!--Rights Resource Association. Set up the appropriate relationships for all resources and permissions, that is, define which roles a resource can be interviewed by  <!--It implements the Filterinvocationsecuritymetadatasource interface --  <bean id= "securitymetadatasource" class=" Com.luo.Filter.MyFilterInvocationSecurityMetadataSource " /> <!--access to the decision maker. Determines whether a user has a role and has sufficient permissions to access a resource-- <!--It implements the Accessdecisionmanager interface -- <bean id= "Accessdecisionmanager" class=" Com.luo.Filter.MyAccessDecisionManager ">

Read the configuration above. may not be entirely clear. Let us further explain below.

(1) First we define a filter (scheduler). Here we are named Mysecurityinterceptor), this filter inherits the Abstractsecurityinterceptor class (this is explained here, where the class or interface that is not defined by itself is provided by spring security, No need to delve into it). It includes at least authenticationmanager,accessdecisionmanager,securitymetadatasource three properties, and all of our controls will be implemented in these three classes.

(2) Login verification: Define class Myuserdetailservice to implement Userdetailsservice interface and its Loaduserbyusername method, which is based on the username of user input, From the database to obtain the user's full permissions fine information (collectively referred to as user information). Spring Security's Authenticationprocessingfilter interceptor calls AuthenticationManager, and class Myuserdetailservice gets the user's information, AuthenticationManager against the user's password (that is, authenticated users), if passed, then the equivalent of passing the Authenticationprocessingfilter interceptor, that is, login verification passed.

(3) Resource access control: Mysecurityinterceptor inherit Abstractsecurityinterceptor, implement filter is necessary. Once logged in, every access to the resource is intercepted by the Mysecurityinterceptor interceptor, It first calls the GetAttributes method of the Myfilterinvocationsecuritymetadatasource class to get the permissions required to intercept the URL. The Myaccessdecisionmanager class decide method is invoked to infer whether the user is sufficiently privileged.

Perhaps the descriptive narrative is still more abstract. The example should give you a clearer idea of how it works.

Add a note:

The role of Userdetailsservice in identity authentication:

The AuthenticationManager interface, which is authenticated in Spring security, is a default implementation of Providermanager, but it is not used to process identity authentication. Instead, it is entrusted to a well-configured authenticationprovider. Each authenticationprovider will take turns checking for identity verification.

After checking or returning an authentication object or throwing an exception.

Verifying identity is the userdetails of loading the response to see if the user entered the account, password, permissions and other information to match.

This step is handled by the Daoauthenticationprovider that implements Authenticationprovider (which uses Userdetailsservice authentication username, password, and authorization).

Therefore, login authentication can actually not implement Userdetailsservice, but implement Authenticationprovider, It is also possible to obtain user input username and password in Authenticationprovider. or use them together.

The following recommendations are used together in a way http://blog.sina.com.cn/s/blog_4adc4b090102uy2f.html

In addition, the only way to implement Authenticationprovider without implementing Userdetailsservice is to rewrite the Authenticationprovider Authenticate method code:

@Override PublicAuthentication Authenticate (authentication authentication) throws Authenticationexception {String inputLoginId = authe Ntication.getname ();//Get user input for usernameString inputpasswd = Authentication.getcredentials (). toString (); /get user input for password logger.info ("User {} login", Inputloginid);Try{//Query This user informationMyUser MyUser =NULL;//Based on username to the database to query user data        if(MyUser = =NULL) {Throw New Exception("The account you entered does not exist."); }if(Myuser.getuserstatus () = = userstatus.locked) {Throw New Exception("Your account has been locked"); } String Encodedpassword = myuser.getloginpasswd ();//Verify password is correctBoolean authenticated = VerifyPassword (inputpasswd, Encodedpassword);if(authenticated) {//Certification successfully processedUpdatelogininfo (Myuser.getloginid (),0,NULL); }Else{//Authentication failure handlingAuthenticateerrorprocess (Portaluser); }List<GrantedAuthority> grantedauths =NewArraylist<grantedauthority> (); for(Myrole myRole:myUser.allRoleList ()) {Grantedauths.add (NewSimplegrantedauthority (Myrole.getrolecode ())); } Myauthuser Authuser =NewPortalauthuser (Inputloginid, INPUTPASSWD,true,true,true,true, grantedauths); Authuser.setportaluser (Portaluser);return NewUsernamepasswordauthenticationtoken (Authuser,NULL, Authuser.getauthorities ()); }Catch(Exceptione) {Logger.warn ("User logon Failed", e);Throw New Exception("Please confirm username or password is correct"; }}

Second, Spring security example specific instructions

This instance environment: Eclipse + Maven
Key technologies used in this example: Spring + SPRINGMVC + Spring security

Time limited here only to its access to the control principle of the explanation, the sample is then added, just about the example recommended Kauboven: http://blog.csdn.net/u012367513/article/details/38866465, this article is written very specific!

！

。

This is the last blog post before the Spring Festival. There is another study plan coming back from the Spring Festival. Perhaps the todo of this example is a little distant ... haha

Spring Security Framework Introductory article