Spring Security Basics (2-2) How spring Security Works 2

Source: Internet
Author: User
Tags auth csrf attack

Java Configuration and Form login

Therefore, using Java code to configure spring security is primarily the two steps:
1. Create filters
2, register the filter.

1. Creating filters
This configuration creates a servlet filter:springsecurityfilterchain, which is responsible for all the security in the application,
Including:
Protect your app's URLs,
Verify the submitted username and password,
Redirect to the login page, and so on.

Use the following code to see the basic case for using Java to configure Spring security:

@EnableWebSecurity
public class Securityconfig extends websecurityconfigureradapter{
@Autowired
public void Configureglobal (Authenticationmanagerbuilder auth) throws Exception {
Auth.inmemoryauthentication (). Withuser ("user"). Password ("password"). Roles ("User");
}
}

Method name Configureglobal is irrelevant,
It is important to inject authenticationmanagerbuilder into a class that adds @EnableWebSecurity annotations.
This code is very small, but in fact has done a lot of default security verification, including:
1. Every URL in the app needs to be verified
2. Generate a login form
3, allow users to use username and password to login
4. Allow users to log off
5. CSRF attack interception
6. Session Fixation attack
7. Security Header Integration

1. [Email protected]
When we add an annotation @enablewebsecurity on any of the classes, we can create a filter named Springsecurityfilterchain.
We added this annotation to a custom securityconfig class.
The Securityconfig class also inherits the Websecurityconfigureradapter class,
However, it is important to note that the creation of this filter is done through @enablewebsecurity, regardless of whether it inherits the class.

The implementation of the source code of Enablewebsecurity added @configuration, @EnableGlobalAuthentication, @Import three annotations,
So using @enablewebsecurity is the equivalent of adding these three annotations at the same time.

Summarize:
The role of the @EnableWebSecurity is actually to create a spring bean,bean of type filter, named Springsecurityfilterchain.
As long as we guarantee that the custom Secuirtyconfig class, which can be scanned by spring, will help us to create this filter.

What is the type of 1.2 springsecurityfilterchain filter?
The creation of the filter is done through the build method of the Websecurity object,
Websecurity created by Websecurityconfiguration,
And Websecurity's role is to create a filter of type Filterchainproxy,
Filterchainproxy is a subclass of filter,
What we're talking about is creating a filter named Springsecurityfilterchain,
Actually, the exact type of filter is filterchainproxy.

2. Registering filters
The next step is to register Springsecurityfilterchain. This can be done with the Webapplicationinitializer introduced by Spring3.1.
Springsecurity provides a base class Abstractsecuritywebapplicationinitializer to ensure that Springsecurityfilterchain is registered.

SPRINGMVC has been used in the project
If spring is already in use in our application, there may already be a webapplicationinitializer in our application to load our configuration,
If we also use the previous code, an error will occur.
At this point we should register Spring Security in the applicationcontext that already exists.
For example, if we have used SPRINGMVC, then our code should look like this:

Import org.springframework.security.web.context.*;
public class Securitywebapplicationinitializer
Extends Abstractsecuritywebapplicationinitializer {
}

Spring Security Basics (2-2) How spring Security Works 2

Contact Us

The content source of this page is from Internet, which doesn't represent Alibaba Cloud's opinion; products and services mentioned on that page don't have any relationship with Alibaba Cloud. If the content of the page makes you feel confusing, please write us an email, we will handle the problem within 5 days after receiving your email.

If you find any instances of plagiarism from the community, please send an email to: info-contact@alibabacloud.com and provide relevant evidence. A staff member will contact you within 5 working days.

A Free Trial That Lets You Build Big!

Start building with 50+ products and up to 12 months usage for Elastic Compute Service

  • Sales Support

    1 on 1 presale consultation

  • After-Sales Support

    24/7 Technical Support 6 Free Tickets per Quarter Faster Response

  • Alibaba Cloud offers highly flexible support services tailored to meet your exact needs.