
Spring Security in Spring Boot

I want to implement Spring Security in a Spring Boot application. I've done this earlier using my Spring 4.0 application using JavaConfig. However, I am finding some differences in the style of examples given.

In my case, the user is preauthenticated and we have our own mechanism for authorization which contains the business activity.

In my previous application, I used to configure:

<filter>
    <filter-name>springSecurityFilterChain</filter-name>
    <filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
</filter>

This filter would actually enable Spring Security in my application, which in turn would pass the user token to further steps.

In the Spring Boot reference documentation, I did not get any trace of springSecurityFilterChain/DelegatingFilterProxy, so I am confused about how to start the development of my module.

So the question here is: do I need to configure it manually, or has that been taken care of in the autoconfiguration itself?

Secondly, I will need a lot of customizations in Spring Security, so I do not need the features provided by Spring Boot security like basic authentication. In that case, will just creating my own bean with @EnableWebSecurity switch off the functionality?

Additional Info

4.2. Getting Started with Security Namespace Configuration

In this section, we'll look at how you can build up a namespace configuration to use some of the main features of the framework. Let's assume you initially want to get up and running as quickly as possible and add authentication support and access control to an existing web application, with a few test logins. Then we'll look at how to change over to authenticating against a database or other security repository. In later sections we'll introduce more advanced namespace configuration options.

4.2.1. web.xml Configuration

The first thing you need to do is add the following filter declaration to your web.xml file:

<filter>
  <filter-name>springSecurityFilterChain</filter-name>
  <filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
</filter>

<filter-mapping>
  <filter-name>springSecurityFilterChain</filter-name>
  <url-pattern>/*</url-pattern>
</filter-mapping>

This provides a hook into the Spring Security web infrastructure. DelegatingFilterProxy is a Spring Framework class which delegates to a filter implementation which is defined as a Spring bean in your application context. In this case, the bean is named "springSecurityFilterChain", which is an internal infrastructure bean created by the namespace to handle web security. Note that you should not use this bean name yourself. Once you've added this to your web.xml, you're ready to start editing your application context file. Web security services are configured using the element.

Since Spring Security 3.2 (Dec 2013), it is no longer necessary to configure springSecurityFilterChain yourself; the @EnableWebSecurity annotation will do that for you, provided you include the spring-security-config module (not included by spring-security-web, but Spring Boot includes it automatically):

    <dependency>
      <groupId>org.springframework.security</groupId>
      <artifactId>spring-security-config</artifactId>
      <version>4.2.8.RELEASE</version>
    </dependency>

The WebSecurityConfiguration configurer activates on @EnableWebSecurity and delegates to the WebSecurity builder class to actually build the configuration, which at the end instantiates FilterChainProxy with the bean name "springSecurityFilterChain".

Just follow the docs to activate and configure web security. E.g.:

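import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;

@Configuration
@EnableWebSecurity
public class SecurityConfiguration extends WebSecurityConfigurerAdapter {

    // Require HTTP Basic and the USER or ADMIN role for every request.
    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http.httpBasic().and().authorizeRequests()
            .anyRequest().hasAnyRole("USER", "ADMIN");
    }

    // Demo users held in memory; {noop} is the Spring Security 5 prefix for a plain-text password.
    @Autowired
    public void configureGlobal(AuthenticationManagerBuilder auth) throws Exception {
        auth.inMemoryAuthentication()
                .withUser("user").password("{noop}user").roles("USER")
                .and()
                .withUser("admin").password("{noop}admin").roles("ADMIN");
    }

}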
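
For the pre-authenticated scenario described in the question, the following is an added example and not part of the original question or answer. It shows an @EnableWebSecurity configuration that leaves HTTP Basic off and takes the principal from a request header. It assumes the WebSecurityConfigurerAdapter API used on this page; the header name X-Auth-User and the loadAuthorities() helper are hypothetical.

```java
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.core.authority.AuthorityUtils;
import org.springframework.security.core.userdetails.User;
import org.springframework.security.web.authentication.preauth.PreAuthenticatedAuthenticationProvider;
import org.springframework.security.web.authentication.preauth.RequestHeaderAuthenticationFilter;

@Configuration
@EnableWebSecurity
public class PreAuthSecurityConfiguration extends WebSecurityConfigurerAdapter {

    // Hypothetical stand-in for the application's own authorization lookup.
    private static String[] loadAuthorities(String username) {
        return new String[] {"ROLE_USER"};
    }

    @Override
    protected void configure(AuthenticationManagerBuilder auth) {
        PreAuthenticatedAuthenticationProvider provider =
                new PreAuthenticatedAuthenticationProvider();
        // The principal is already authenticated upstream; only resolve authorities.
        provider.setPreAuthenticatedUserDetailsService(token -> new User(
                token.getName(), "N/A",
                AuthorityUtils.createAuthorityList(loadAuthorities(token.getName()))));
        auth.authenticationProvider(provider);
    }

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        RequestHeaderAuthenticationFilter filter = new RequestHeaderAuthenticationFilter();
        filter.setPrincipalRequestHeader("X-Auth-User"); // assumed header name
        filter.setAuthenticationManager(authenticationManager());
        // By default the filter rejects requests that lack the header.

        // httpBasic() and formLogin() are never called, so neither is enabled.
        http.addFilter(filter)
            .authorizeRequests().anyRequest().authenticated();
    }
}
```

The header is only trustworthy when the application is reachable solely through the component that performs authentication and that component strips any client-supplied copy of the header.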
