Let's start with one of the simplest Spring Security Java configurations:
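import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;

@Configuration
@EnableWebSecurity
public class SecurityConfig extends WebSecurityConfigurerAdapter {

    // Registers a single in-memory user for authentication.
    @Autowired
    public void configureGlobal(AuthenticationManagerBuilder auth) throws Exception {
        auth
            .inMemoryAuthentication()
                .withUser("user").password("password").roles("USER");
    }
}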
The name of the configureGlobal method is not important. What matters is that AuthenticationManagerBuilder is configured in a class annotated with @EnableWebSecurity, @EnableWebMvcSecurity, @EnableGlobalMethodSecurity or @EnableGlobalAuthentication.
This code does not look like much configuration, but it actually does a lot:
Require authentication for access to each URL
Generate a login form
Allow the user with the username user and the password password to log in
Allow users to log out
Prevent CSRF attacks
Integrate security headers (HTTP Strict Transport Security, X-Content-Type-Options, Cache-Control, X-XSS-Protection, X-Frame-Options)
Integrate with Servlet API methods (getRemoteUser(), getUserPrincipal(), etc.)
About HttpSecurity
SecurityConfig only describes how to authenticate users. But how does Spring Security know that we want to require authentication for all of our users? How does Spring Security know that we want to support form-based authentication?
The answer is that Spring Security's WebSecurityConfigurerAdapter provides a default configuration in its configure(HttpSecurity http) method:
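// Default configuration provided by WebSecurityConfigurerAdapter
protected void configure(HttpSecurity http) throws Exception {
    http
        .authorizeRequests()
            .anyRequest().authenticated()   // every request requires an authenticated user
            .and()
        .formLogin()                        // form-based login
            .and()
        .httpBasic();                       // HTTP Basic authentication
}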
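An added example, not from the original post: the same configuration with the in-memory password stored as a BCrypt hash and the default configure(HttpSecurity) overridden explicitly, so the access rules are visible in the class. It assumes Spring Security 5.x, which still ships WebSecurityConfigurerAdapter and expects stored passwords to be encoded; the class name HardenedSecurityConfig and the /css/** path are illustrative.

```java
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
import org.springframework.security.crypto.password.PasswordEncoder;

// Illustrative class name; not part of the original post.
@Configuration
@EnableWebSecurity
public class HardenedSecurityConfig extends WebSecurityConfigurerAdapter {

    @Autowired
    public void configureGlobal(AuthenticationManagerBuilder auth) throws Exception {
        // BCrypt salts and stretches the password; only the hash is held in memory.
        PasswordEncoder encoder = new BCryptPasswordEncoder();
        auth
            .inMemoryAuthentication()
                .passwordEncoder(encoder)
                .withUser("user")
                    // Demo credential from the post; load real secrets from outside the code.
                    .password(encoder.encode("password"))
                    .roles("USER");
    }

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            .authorizeRequests()
                // Assumed path for public static assets; rules match in order,
                // so this must come before anyRequest().
                .antMatchers("/css/**").permitAll()
                // Everything else still requires an authenticated user (the default rule).
                .anyRequest().authenticated()
                .and()
            .formLogin()   // generated login form, as in the default
                .and()
            .httpBasic();  // HTTP Basic for non-browser clients
        // CSRF protection, security headers and logout stay enabled by default.
    }
}
```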
Spring Security Learning Summary (2) ongoing updates