Spring Security Learning Summary

Source: Internet
Author: User

Spring Security

Spring Security is a security framework that provides declarative security for Spring-based applications. It offers a complete security solution that handles authentication and authorization at both the web request level and the method invocation level.

Spring Security addresses security from two perspectives:

    1. It uses filters from the Servlet specification to secure web requests and restrict access at the URL level;
    2. It uses Spring AOP to protect method invocations, with dynamic proxies and advice, to ensure that only users with the appropriate permissions can call secured methods.

Spring Security is divided into 11 modules:

| Module | Description |
| --- | --- |
| ACL (access control list) | Supports providing security for domain objects through access control lists (ACLs) |
| Aspects | When Spring Security annotations are used, AspectJ-based aspects are used instead of standard Spring AOP |
| CAS (Central Authentication Service) Client | Provides functionality to integrate with Jasig's Central Authentication Service (CAS) |
| Configuration * | Contains feature support for configuring Spring Security through XML and Java |
| Core * | Provides the Spring Security base library |
| Cryptography | Provides support for encryption and password encoding |
| LDAP | Supports authentication based on LDAP |
| OpenID | Supports centralized authentication using OpenID |
| Remoting | Provides support for Spring Remoting |
| Tag Library | Spring Security's JSP tag library |
| Web | Provides Spring Security's filter-based web security support |

Filtering Web Requests

Spring Security builds its web security on the filtering provided by DelegatingFilterProxy. DelegatingFilterProxy is a special servlet Filter that delegates its work to a javax.servlet.Filter implementation class, which is registered as a bean in the Spring application context.

Configuring DelegatingFilterProxy with Java configuration:

    import org.springframework.security.web.context.AbstractSecurityWebApplicationInitializer;
    public class SecurityWebInitializer extends AbstractSecurityWebApplicationInitializer {} // class name is a placeholder; any name works

AbstractSecurityWebApplicationInitializer implements WebApplicationInitializer, so Spring discovers it and uses it to register DelegatingFilterProxy with the web container. An implementation class can override the appendFilters() or insertFilters() method of the abstract class to register filters of its own choosing, but it does not need to override anything if it only registers DelegatingFilterProxy.

Once DelegatingFilterProxy is configured, it intercepts requests destined for the application and delegates them to the bean with the ID springSecurityFilterChain.

springSecurityFilterChain is itself another special filter, also known as FilterChainProxy. It can chain together one or more other filters. Spring Security relies on a series of servlet filters to provide its different security features. In real-world development, you do not need to explicitly declare springSecurityFilterChain or the filters it chains together; they are created automatically when you enable web security.

Simple Security Configuration--based on Java configuration
 
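    import org.springframework.context.annotation.Configuration;
    import org.springframework.security.config.annotation.web.builders.HttpSecurity;
    import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
    import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;

    @Configuration
    @EnableWebSecurity // Enable web security
    public class SecurityConfig extends WebSecurityConfigurerAdapter {

        /**
         * Simple default configuration: specifies how HTTP requests are secured.
         * @param http
         * @throws Exception
         */
        @Override
        protected void configure(HttpSecurity http) throws Exception {
            http
                .authorizeRequests()
                    .anyRequest().authenticated()
                    .and()
                .formLogin()
                    .and()
                .httpBasic();
        }
    }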

The @EnableWebSecurity annotation enables the web security feature. Note: Spring Security must be configured in a bean that implements WebSecurityConfigurer or extends WebSecurityConfigurerAdapter.

The specific details of web security are set by overriding one or more of the methods in WebSecurityConfigurerAdapter, such as its three configure() methods, each of which configures behavior through the parameter passed to it.

Overriding WebSecurityConfigurerAdapter's configure() methods

| Method | Description |
| --- | --- |
| configure(WebSecurity) | Override to configure Spring Security's filter chain |
| configure(HttpSecurity) | Override to configure how requests are secured by interceptors |
| configure(AuthenticationManagerBuilder) | Override to configure the user-details service |

The sample code is a simple default configuration that specifies how HTTP requests are secured and how the client authenticates the user. Calling authorizeRequests() and anyRequest().authenticated() requires authentication for every HTTP request that enters the application. formLogin() and httpBasic() configure support for form-based login and HTTP Basic authentication.

Note: Because the configure(AuthenticationManagerBuilder) method is not overridden, there is no user store to back the authentication process. Every request therefore requires authentication, but no one can log in successfully.

The following still needs to be configured:

    1. Configure a user store
    2. Specify which requests require authentication and which permissions they require
    3. Provide a custom login page
    4. Selectively display specific content in a web view based on security restrictions

User-Details Service

Advantage: Spring Security has several common user store scenarios built in, such as in-memory, relational database, and LDAP, so it can authenticate users against a variety of data stores.
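
The configuration below is an added example, not code from the original page: it is used in place of the simple SecurityConfig and fills in the first three items of the list above (a user store, per-request permissions, a custom login page). It assumes a Spring Security version that still ships WebSecurityConfigurerAdapter, as the page's code does; the class name, the accounts, the passwords and the /admin/** and /login paths are all constructed for illustration.

```java
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
import org.springframework.security.crypto.password.PasswordEncoder;

@Configuration
@EnableWebSecurity
public class UserStoreSecurityConfig extends WebSecurityConfigurerAdapter {

    @Bean
    public PasswordEncoder passwordEncoder() {
        return new BCryptPasswordEncoder(); // store only salted hashes, never plaintext
    }

    // Supplies the user store that the simple configuration lacks.
    @Override
    protected void configure(AuthenticationManagerBuilder auth) throws Exception {
        PasswordEncoder encoder = passwordEncoder();
        auth.inMemoryAuthentication()
            .passwordEncoder(encoder)
            // Constructed sample accounts; a real deployment loads users from a database or LDAP.
            .withUser("alice").password(encoder.encode("sample-user-pw")).roles("USER")
            .and()
            .withUser("root").password(encoder.encode("sample-admin-pw")).roles("USER", "ADMIN");
    }

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            .authorizeRequests()
                // Rules are matched in declaration order: specific paths first, catch-all last.
                .antMatchers("/admin/**").hasRole("ADMIN")
                .anyRequest().authenticated()
                .and()
            .formLogin()
                .loginPage("/login") // hypothetical path; the form must submit the CSRF token
                .permitAll()         // the login page itself must be reachable unauthenticated
                .and()
            .httpBasic();
    }
}
```

If anyRequest().authenticated() were declared before the /admin/** rule, the role check would never be reached, so the catch-all rule always goes last.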
  

