Spring Framework: Spring security

In traditional Web development, the security code is scattered in the various modules, which is not easy to manage, and sometimes may miss a place leading to security vulnerabilities. To solve this problem, someone invented spring Security. Its role is to move all the security-related code in the business logic into a single module for centralized management. is essentially a subset of AOP.

Filter URLs

To filter the URL, first add a filter to the Web. Xml. Filter-name cannot be filled out, because it is the same as the name of another bean.

<filter>  <filter-name>springSecurityFilterChain</filter-name>  <filter-class> Org.springframework.web.filter.delegatingfilterproxy</filter-class></filter>

The purpose of the following configuration is to intercept all requests.

<security:http auto-config= "true" >  <intercept-url pattern= "/**" access= "ROLE_VIP"/></security: Http>

The role of auto-config is equivalent to <form-login/>

In the example above, the spring framework automatically generates a landing page, but it's not very beautiful. Therefore, we need to define our own landing page.

The code for the custom landing page is as follows. The form of J_username, J_password, _spring_security_remember_me These names are the framework has been determined to die, you can not arbitrarily change.
<spring:url var= "AuthUrl" value= "/static/j_spring_security_check"/><form method= "post" action= "${AUTHURL} ">  <input name=" J_username "type=" text "/>  <input name=" J_password "type=" password "/>  <input name= "_spring_security_remember_me" type= "checkbox"/>  <input type= "Submit"/></form>

An authentication expression. The above example uses the access= "ROLE_VIP" to restrict access to VIP users, which is not enough, you can fill in access with complex spring expressions to achieve more powerful features. For example, the following:
Note Be sure to turn on use-expression=true.

The functions supported in the authentication expression are: Denyall, Hasanyrole, Hasrole, hasipaddress, Isanonymouse, isauthenticated, isfullyauthenticated, Isrememberme, Permitall, supported variables are autentication, principal.

HTTPS interception. Some special URLs must be securely connected with HTTPS. The wording is as follows.
<intercept-url pattern= "/admin" requires-channel= "https"/><intercept-url pattern= "/public" Requires-channel= "http"/>

Protecting views
The JSP file accesses the variables related to authentication, or displays different content depending on the visitor's identity.

Access authentication details. such as access to login user name.
<sec:authentication property= "Principal.username"/>

Different content is displayed depending on the identity. Take a look at the example below.
<sec:authorize access= "Hasrole (' Role_vip ')" > You is  vip.</sec:authorize>

Authentication method
Spring supports the following authentication methods: XML-based configuration, JDBC-based, LDAP-based, OpenID, CAS, X509, JAAS.

Based on the XML configuration. Write the user name and password in the configuration file.
<security:user-service id= "UserService" >  <user name= "root" password= "123456" authorities= "ROLE_VIP, Role_admin "/>  <user name=" test "password=" test "authorities=" ROLE_VIP "/></security:user-service ><security:authentication-manager>  <authentication-provider user-service-ref= "UserService"/> </security:authentication-manager>

Based on JDBC.
<security:jdbc-user-service id= "UserService" data-source-ref= "DataSource" users-by-username-query= "Select username,password,enabled from user where username=? ' authorities-by-username-query= ' Select username,authoritiy from User_auth "/>

Based on LDAP.
<security:authentication-manager alias= "AuthenticationManager" >  <security: Ldap-authentication-provider user-search-filter= "(uid={0})" Group-search-filter= "member={0}" >    < Security:password-compare hash= "MD5"/>        <security:ldap-server url= "Ldap://example.com/dc=test"/>  </security:ldap-authentication-provider></security:authentication-manager>

Remember to log in
Myvipkey is the token key name in the cookie, and the expiration time, user name, and token key are saved in the token.

Intercept method calls
Enable secure interception of annotation methods.
<global-method-security secured-annotations= "Enabled"/>

Intercept according to identity.
@Secured ("ROLE_VIP") public void Test () {}

Filter the return value.
@PostFilter ("FilterObject.user.username = = principal.name") public list<user> getuserlist () {}

Cross-cutting authorization
<global-method-security>  <protect-pointcut access= "ROLE_VIP" expression= "Execution (@ Com.example.User * * * * (String)) "/></global-method-security>
Spring Framework: Spring security