SpringSecurity 2.0.x入门与高级特性解析

springsecurity

需积分: 5 29 浏览量更新于2024-07-09 收藏 442KB PDF 举报

身份认证购VIP最低享 7 折!

30元优惠券

"SpringSecurity2x.pdf 是Spring Security的官方参考文档，涵盖了2.0.x版本的详细内容，包括入门指南、安全命名空间配置、高级Web特性、方法安全以及默认的访问决策和认证管理器，并提供了多个示例应用程序，如教程样本、联系人管理、LDAP和CAS认证示例。" Spring Security是一个强大的Java安全框架，用于处理应用程序的认证和授权。在2.0.x版本中，它提供了一套完善的机制来保护基于Spring的应用程序。 1. **什么是Spring Security?** Spring Security是Spring生态系统的组件，专门设计用来处理企业级应用的安全需求。它提供了全面的身份验证、授权和访问控制功能，能够保护Web应用程序免受恶意攻击，如CSRF（跨站请求伪造）和XSS（跨站脚本）。 2. **历史** Spring Security的发展历程反映了其功能的不断丰富和成熟，从早期的Acegi Security演变为现在的Spring Security。 3. **版本编号** 2.0.x的版本号表明这是该框架的一个稳定版本，可能包含一系列的维护和更新。 4. **获取源码** 能够获取到源码意味着用户可以深入理解框架的工作原理，同时也方便进行定制化开发。 5. **安全命名空间配置** Spring Security 2.0.x引入了安全命名空间配置，简化了安全相关的XML配置。这使得开发者可以更容易地设置Web应用的过滤器链、认证和授权规则。 6. **Remember-Me Authentication** 这是一种功能，允许用户在一段时间内自动登录，提高用户体验，但同时需要妥善处理安全性，防止被盗用。 7. **HTTP/HTTPS Channel Security** 通过强制特定URL使用HTTPS协议，Spring Security可以确保敏感数据传输的安全性。 8. **Concurrent Session Control** 对并发会话的控制防止了同一用户在同一时间登录多个设备，增加了安全性。 9. **OpenID Login** 支持OpenID登录，允许用户使用OpenID身份提供商进行身份验证，减少了用户管理多个账号的麻烦。 10. **自定义Filter** 开发者可以通过添加自己的过滤器扩展Spring Security的功能，以满足特定的安全需求。 11. **Session Fixation Attack Protection** 为了防止会话固定攻击，Spring Security提供了预防措施，确保新会话在认证后生成，以防止攻击者利用预先知道的会话ID。 12. **Method Security** 在方法级别实施安全控制，允许基于注解的权限检查，增强了对业务逻辑的保护。 13. **Default Access Decision Manager** 默认的访问决策管理器负责决定是否允许用户访问受保护的资源，可以自定义以适应复杂的访问策略。 14. **Customizing the Access Decision Manager** 开发者可以根据需要自定义Access Decision Manager，以实现更精细的访问控制策略。 15. **Default Authentication Manager** 默认的认证管理器处理用户的登录尝试，支持多种认证策略，包括内存中的用户、JDBC、LDAP等。 16. **Sample Applications** 文档中提供的示例应用可以帮助开发者更好地理解和应用Spring Security，包括一个教程示例、联系人管理应用、使用LDAP的认证示例以及CAS认证示例。 Spring Security 2.0.x的这些特性为开发者提供了构建安全、健壮的Web应用的坚实基础，无论是在小规模项目还是大型企业级应用中都能发挥重要作用。通过阅读这份参考文档，开发者能够深入了解如何有效地集成和配置Spring Security，以满足各种安全需求。

资源详情

资源推荐

<password-encoder> element. With SHA encoded passwords, the original authentication provider

configuration would look like this:

<authentication-provider>

<password-encoder hash="sha"/>

<user-service>

</user-service>

</authentication-provider>

When using hashed passwords, it's also a good idea to use a salt value to protect against dictionary attacks and

Spring Security supports this too. Ideally you would want to use a randomly generated salt value for each user,

but you can use any property of the UserDetails object which is loaded by your UserDetailsService. For

example, to use the username property, you would use

<password-encoder hash="sha">

<salt-source user-property="username"/>

</password-encoder>

You can use a custom password encoder bean by using the ref attribute of password-encoder. This should

contain the name of a bean in the application context which is an instance of Spring Security's

PasswordEncoder interface.

2.3. Advanced Web Features

2.3.1. Remember-Me Authentication

See the separate Remember-Me chapter for information on remember-me namespace configuration.

2.3.2. Adding HTTP/HTTPS Channel Security

If your application supports both HTTP and HTTPS, and you require that particular URLs can only be accessed

over HTTPS, then this is directly supported using the requires-channel attribute on <intercept-url>:

<http>

<intercept-url pattern="/secure/**" access="ROLE_USER" requires-channel="https"/>

<intercept-url pattern="/**" access="ROLE_USER" requires-channel="any"/>

...

</http>

With this configuration in place, if a user attempts to access anything matching the "/secure/**" pattern using

HTTP, they will first be redirected to an HTTPS URL. The available options are "http", "https" or "any". Using

the value "any" means that either HTTP or HTTPS can be used.

If your application uses non-standard ports for HTTP and/or HTTPS, you can specify a list of port mappings as

follows:

<http>

...

<port-mappings>

Security Namespace Configuration

Spring Security (2.0.x) 10

If you've used Spring Security before, you'll know that the framework maintains a chain of filters in order to

apply its services. You may want to add your own filters to the stack at particular locations or use a Spring

Security filter for which there isn't currently a namespace configuration option (CAS, for example). Or you

might want to use a customized version of a standard namespace filter, such as the

AuthenticationProcessingFilter which is created by the <form-login> element, taking advantage of some

of the extra configuration options which are available by using defining the bean directly. How can you do this

with namespace configuration, since the filter chain is not directly exposed?

The order of the filters is always strictly enforced when using the namespace. Each Spring Security filter

implements the Spring Ordered interface and the filters created by the namespace are sorted during

initialization. The standard Spring Security filters each have an alias in the namespace. The filters, aliases and

namespace elements/attributes which create the filters are shown in Table 2.1, “Standard Filter Aliases and

Ordering”.

Table 2.1. Standard Filter Aliases and Ordering

Alias Filter Class Namespace Element or Attribute

CHANNEL_FILTER ChannelProcessingFilter http/intercept-url

CONCURRENT_SESSION_FILTERConcurrentSessionFilter http/concurrent-session-control

SESSION_CONTEXT_INTEGRATION_FILTERHttpSessionContextIntegrationFilterhttp

LOGOUT_FILTER LogoutFilter http/logout

X509_FILTER X509PreAuthenticatedProcessigFilterhttp/x509

PRE_AUTH_FILTER AstractPreAuthenticatedProcessingFilter

Subclasses

N/A

CAS_PROCESSING_FILTER CasProcessingFilter N/A

AUTHENTICATION_PROCESSING_FILTERAuthenticationProcessingFilter http/form-login

BASIC_PROCESSING_FILTER BasicProcessingFilter http/http-basic

SERVLET_API_SUPPORT_FILTERSecurityContextHolderAwareRequestFilterhttp/@servlet-api-provision

REMEMBER_ME_FILTER RememberMeProcessingFilter http/remember-me

ANONYMOUS_FILTER AnonymousProcessingFilter http/anonymous

EXCEPTION_TRANSLATION_FILTERExceptionTranslationFilter http

NTLM_FILTER NtlmProcessingFilter N/A

FILTER_SECURITY_INTERCEPTORFilterSecurityInterceptor http

SWITCH_USER_FILTER SwitchUserProcessingFilter N/A

You can add your own filter to the stack, using the custom-filter element and one of these names to specify

the position your filter should appear at:

<beans:bean id="myFilter" class="com.mycompany.MySpecialAuthenticationFilter">

<custom-filter position="AUTHENTICATION_PROCESSING_FILTER"/>

</beans:bean>

Security Namespace Configuration

Spring Security (2.0.x) 12

You can also use the after or before attribtues if you want your filter to be inserted before or after another

filter in the stack. The names "FIRST" and "LAST" can be used with the position attribute to indicate that you

want your filter to appear before or after the entire stack, respectively.

Avoiding filter position conflicts

If you are inserting a custom filter which may occupy the same position as one of the standard

filters created by the namespace then it's important that you don't include the namespace versions

by mistake. Avoid using the auto-config attribute and remove any elements which create filters

whose functionality you want to replace.

Note that you can't replace filters which are created by the use of the <http> element itself -

HttpSessionContextIntegrationFilter, ExceptionTranslationFilter or

FilterSecurityInterceptor.

If you're replacing a namespace filter which requires an authentication entry point (i.e. where the authentication

process is triggered by an attempt by an unauthenticated user to access to a secured resource), you will need to

add a custom entry point bean too.

2.3.5.1. Setting a Custom AuthenticationEntryPoint

If you aren't using form login, OpenID or basic authentication through the namespace, you may want to define

an authentication filter and entry point using a traditional bean syntax and link them into the namespace, as

we've just seen. The corresponding AuthenticationEntryPoint can be set using the entry-point-ref

attribute on the <http> element.

The CAS sample application is a good example of the use of custom beans with the namespace, including this

syntax. If you aren't familiar with authentication entry points, they are discussed in the technical overview

chapter.

2.3.6. Session Fixation Attack Protection

Session fixation attacks are a potential risk where it is possible for a malicious attacker to create a session by

accessing a site, then persuade another user to log in with the same session (by sending them a link containing

the session identifier as a parameter, for example). Spring Security protects against this automatically by

creating a new session when a user logs in. If you don't require this protection, or it conflicts with some other

requirement, you can control the behaviour using the session-fixation-protection attribute on <http>,

which has three options

• migrateSession - creates a new session and copies the existing session attributes to the new session. This is

the default.

• none - Don't do anything. The original session will be retained.

• newSession - Create a new "clean" session, without copying the existing session data.

2.4. Method Security

Spring Security 2.0 has improved support substantially for adding security to your service layer methods. If you

are using Java 5 or greater, then support for JSR-250 security annotations is provided, as well as the

framework's native @Secured annotation. You can apply security to a single bean, using the

Security Namespace Configuration

Spring Security (2.0.x) 13

intercept-methods element to decorate the bean declaration, or you can secure multiple beans across the

entire service layer using the AspectJ style pointcuts.

2.4.1. The <global-method-security> Element

This element is used to enable annotation-based security in your application (by setting the appropriate

attributes on the element), and also to group together security pointcut declarations which will be applied across

your entire application context. You should only declare one <global-method-security> element. The

following declaration would enable support for both Spring Security's @Secured, and JSR-250 annotations:

<global-method-security secured-annotations="enabled" jsr250-annotations="enabled"/>

Adding an annotation to a method (on an class or interface) would then limit the access to that method

accordingly. Spring Security's native annotation support defines a set of attributes for the method. These will be

passed to the AccessDecisionManager for it to make the actual decision. This example is taken from the

tutorial sample, which is a good starting point if you want to use method security in your application:

public interface BankService {

@Secured("IS_AUTHENTICATED_ANONYMOUSLY")

public Account readAccount(Long id);

@Secured("IS_AUTHENTICATED_ANONYMOUSLY")

public Account[] findAccounts();

@Secured("ROLE_TELLER")

public Account post(Account account, double amount);

}

2.4.1.1. Adding Security Pointcuts using protect-pointcut

The use of protect-pointcut is particularly powerful, as it allows you to apply security to many beans with

only a simple declaration. Consider the following example:

<global-method-security>

<protect-pointcut expression="execution(* com.mycompany.*Service.*(..))" access="ROLE_USER"/>

</global-method-security>

This will protect all methods on beans declared in the application context whose classes are in the

com.mycompany package and whose class names end in "Service". Only users with the ROLE_USER role will be

able to invoke these methods. As with URL matching, the most specific matches must come first in the list of

pointcuts, as the first matching expression will be used.

2.4.2. The intercept-methods Bean Decorator

This alternative syntax allows you to specify security for a specific bean by adding this element within the bean

itself.

<bean:bean id="target" class="com.mycompany.myapp.MyBean">

<intercept-methods>

</intercept-methods>

</bean:bean>

Security Namespace Configuration

Spring Security (2.0.x) 14

剩余106页未读，继续阅读

weixin_35052117

粉丝: 2
资源: 1

SpringSecurity 2.0.x入门与高级特性解析

Spring Security 中文教程.pdf

Bean 'org.springframework.security.access.expression.method.DefaultMethodSecurityExpressionHandler@1e86a5a7' of type [org.springframework.security.access.expression.method

spring.application.name: srm-eureka spring.profiles.active: localhost spring.security.user.name: demo spring.security.user.password: 123abcd

springsecurity6.1 http.remberme用法

Parameter 0 of method managementSecurityFilterChain in org.springframework.boot.actuate.autoconfigure.security.servlet.ManagementWebSecurityAutoConfiguration required a bean of type 'org.springframework.security.config.annotation.web.builders.HttpSecurity' that could not be found.

No AuthenticationProvider found for org.springframework.security.authentication.UsernamePasswordAuthenticationToken

Spring Security 5.x

spring authorization server启动时Cannot load module org.springframework.security.cas.jackson2.CasJackson2Module

org.springframework.ldap.odm.core.impl.InvalidEntryException: Missing converter from class java.lang.String to interface org.springframework.security.core.GrantedAuthority, this is needed for field authorities on Entry class

Bean 'methodSecurityMetadataSource' of type [org.springframework.security.access.method.DelegatingMethodSecurityMetadataSource] is not eligible for getting processed by all BeanPostProcessors (for example: not eligible for auto-proxying)

springsecurity 6.x

org.springframework.security.core.context.SecurityContext;应该导入哪个jar包

spring security 6.x 系列【2】

Spring Security 6.x 中如何配置`access()`方法来限制特定角色的访问？

org.springframework.security.web.firewall.RequestRejectedException出现这种异常，如何解决

民族地区高校公共管理硕士社会保障课程教学问题研究.pdf

Object-C-在iOS上使用Object-C进行RSA算法的加密+解密实现源代码

最新资源