Introduction of Spring Secutity
Spring is a very popular and successful Java application development framework. Spring security is based on the spring framework and provides a complete solution for WEB application security. In general, the security of a WEB application includes two parts of user authentication (authentication) and user authorization (Authorization). User authentication refers to verifying that a user is a legitimate principal in the system, which means that the user can access the system. User authentication generally requires the user to provide a user name and password. The system validates the user name and password to complete the authentication process. User authorization refers to verifying that a user has permission to perform an action. In a system, different users have different permissions. For example, for a file, some users can only read, and some users may make changes. In general, the system assigns different roles to different users, and each role corresponds to a series of permissions.
The Spring Security framework is well supported for the two scenarios mentioned above. In terms of user authentication, the Spring Security framework supports mainstream authentication methods, including HTTP Basic authentication, HTTP form validation, HTTP Digest authentication, OpenID, and LDAP. In terms of user authorization, Spring Security provides role-based access control and access control List,acl, which allows fine-grained control of the domain objects in the application.
Spring security also integrates the OAuth2.0, and then we will introduce the following two uses, of course, Spring Security also integrates CAs and so on, if you want to learn more please check the official documentation, we are using the spring Boot2.0 made demo,2.0 has integrated the spring Security5.0 more than the version;
Second, basic certification
This is also our regular use of the form-based authentication, enter an account and password Click Login This, is the basic certification, we will mainly talk about the use and after 5.0 to do those upgrades;
1. Introduction of the use and some common parameters
The first step is to use MAVEN to introduce the spring Security Jia package, where we use thymeleaf as the front-end template page, and here's a place where we can explore a wave of why spring MVC is free to switch between templates, a place where we find a chance to explore together, Here first to do a simple introduction;
<dependencies> <dependency> <groupId>org.springframework.boot</groupId> <artifactId>spring-boot-starter</artifactId> </dependency> <dependency> <groupId>org.springframework.boot</groupId> <artifactid>spring-boot-starter-security< ;/artifactid> </dependency> <!--front-end templates Thymeleaf---<dependency> & Lt;groupid>org.springframework.boot</groupid> <artifactid>spring-boot-starter-thymeleaf</arti Factid> </dependency> <!--safety Certification framework--<dependency> <GROUPID>ORG.S Pringframework.boot</groupid> <artifactId>spring-boot-starter-web</artifactId> </de pendency> <dependency> <groupId>org.springframework.boot</groupId> <a Rtifactid>spring-boot-starter-test</artifactid> <scope>test</scope> </dependency> <dependen Cy> <groupId>org.springframework.boot</groupId> <artifactid>spring-boot-starter -thymeleaf</artifactid> </dependency> <dependency> <groupid>org.springfra Mework.boot</groupid> <artifactId>spring-boot-starter-security</artifactId> </depen Dency> </dependencies>
View Code
The second step introduces the Java configuration Configuration scheme
Here we first use @configuration and @enablewebsecurity to the Java class configuration, do not understand what this is the reason for reference to this article, next we will inherit Websecurityconfigureradapter, On the inside of the method rewrite can be, respectively, the Authenticationmanagerbuilder,websecurity,httpsecurity method, We mainly introduce Authenticationmanagerbuilder and httpsecurity, through the two methods of rewriting the final implementation of our custom certification;
First to introduce the httpsecurity commonly used parameters, such as the use of basic can not be separated from the following methods, may be based on the authentication method has Formlogin, Openidlogin, Oauth2login, but also can do some remember account operation RememberMe, Also can be the session configuration management, also support logout loginout and so on, use up or pretty simple, we can refer to this article, or pretty detailed;
Next we look at Authenticationmanagerbuilder, we rewrite this method, can be based on memory user authentication, database authentication, LDAP authentication, can also customize User services, can also define their own authentication. Here we use the custom authentication to do demo, in addition this everyone may also have a confused point, configglobal and configure differences where, here you can refer to this article, Spring Security from the 3.2 version of the default to open the CRSF protection, here is through the token way to detect, in the landing when the Thymeleaf template will generate _CSRF tags to prevent crsf, csrf do not understand the people can see this article, This introduces some of the means of protection csrf, we can think about, my demo is just a simple shelf, in order to give you some knowledge, can expand everyone according to the knowledge of these introductions can arbitrarily expand their own want, do not rigidly adhere to a method;
Finally, I would like to introduce the way of encryption, Spring Security 4 when we commonly used encryption method is MD5 Salt, 5.0 later version can not find Md5passwordencoder, indicating that this method is not safe enough, or can be done by brute force can be solved, Maybe I can't, but can't stop some of the pros, you can look at the official support and discard some methods:
Use I do not introduce, have the interest to explore a wave, you can also refer to article I, article two, below I paste my code, talk about these can expand the place everyone I will identify in the code clearly, like hands can try, my focus is OAuth2 verification;
/*** Custom Authentication * Created by Wangt on 2018/7/29.*/@Configuration @enablewebsecurity@enableglobalmethodsecurity Public classWebsecurityconfigextendsWebsecurityconfigureradapter {/*** HTTP Resource authentication *@paramhttp *@throwsException*/@Overrideprotected voidConfigure (Httpsecurity http)throwsException {http.authorizerequests (). Antmatchers ("/", "/Home"). Permitall (). Anyrequest (). authenticated (). and (). Formlogin () . LoginPage ("/login"). Permitall (). and (). Logout (). Permitall (); } /*** Custom Authentication policy*/@Autowired Public voidConfigglobal (Authenticationmanagerbuilder auth)throwsException {auth.authenticationprovider (Authprovider ()). Erasecredentials (true); } @Bean PublicAuthprovider Authprovider () {return NewAuthprovider (); }}/*** Custom Authentication * Created by Wangt on 2018/8/18.*/ Public classAuthproviderImplementsAuthenticationprovider {Private FinalBcryptpasswordencoder bcryptpasswordencoder=NewBcryptpasswordencoder (); @Override PublicAuthentication Authenticate (authentication authentication)throwsauthenticationexception {String userName=Authentication.getname (); String Inputpassword=(String) authentication.getcredentials (); //If you want to use the Thymeleaf certified dialect, you can extend the user//Grantedauthority This is the use of dialect properties, interested in understanding the next//In fact, by using the IF to JudgeUser User =NewUser (); User.setname ("Admin"); User.setpassword ("Admin"); if(User = =NULL) { Throw NewAuthenticationcredentialsnotfoundexception ("Autherror"); } //This piece can customize some encryption methods//Try it yourself . if(true) { //There are several structures in this piece .//If you use a dialect you can use the constructor of 3 parameters return NewUsernamepasswordauthenticationtoken (User,NULL); } Throw NewBadcredentialsexception ("Autherror"); } @Override Public BooleanSupports (class<?>AClass) { return true; }}/*** Created by Wangt on 2018/8/18.*/@Configuration Public classWebmvcconfigImplementsWebmvcconfigurer {//If you use the Thymeleaf dialect in this extension@Override Public voidaddviewcontrollers (Viewcontrollerregistry registry) {Registry.addviewcontroller ("/index"). Setviewname ("index"); Registry.addviewcontroller ("/"). Setviewname ("index")); Registry.addviewcontroller ("/hello"). Setviewname ("Hello"); Registry.addviewcontroller ("/login"). Setviewname ("Login"); }}<! DOCTYPE html>Hello! Welcome to visit! <a href= "/login" > Login </a><a href= "/hello" > Restricted access to the page </a></body>Hello</body>/*** Login Controller * Created by Wangt on 2018/8/18.*/@Controller Public classLogincontroller {@GetMapping ("/login") PublicString Login () {return"/login"; }}/*** Home * Created by Wangt on 2018/7/28.*/@Controller Public classHomeController {@GetMapping ("/") PublicString Index () {return"Index"; }}/*** Hello page * Created by Wangt on 2018/8/19.*/@Controller Public classHellocontroller {@GetMapping ("/hello") PublicString Index () {return"Hello"; }}
View Code
Third, the next article to talk about
OAUTH2.0 Certified Demo I still have some not written well, and so on after we upload GitHub, then in the release of the next article, you are welcome to continue to pay attention! Welcome to add my group 438836709, pay attention to the public number:
In addition to everyone apologized, recently did the company turnover more, my side of the project received more, also need to learn some knowledge, blog update a bit slow, and recently I also want to be positive, to tidy up a wave, talk about life, I hope you understand;