Spring Security 5.1.1 英文参考文档：最新功能与集成指南

需积分: 13 96 浏览量更新于2024-07-18 收藏 3.68MB PDF 举报

Spring Security 最新版英文文档 (5.1.1) 是由 Ben Alex、Luke Taylor、Rob Winch、Gunnar Hillert、Joe Grandja 和 Jay Bryant 等多位作者共同编撰的一份权威指南。该文档发布于2018年10月19日，遵循Apache 2.0许可证，允许用户在个人使用和非商业性分享的前提下复制，但必须保留版权声明。文档的 Preface 部分介绍了Spring Security社区的支持方式，包括获取帮助的途径（如官方论坛和社交媒体）、如何参与到Spring Security的开发和改进，以及访问源代码的相关信息。此外，文档还提及了Spring Security社区的活跃度和社交平台的存在。章节"2. What's New in Spring Security 5.1"关注了Spring Security 5.1版本的主要更新，涵盖了Servlet和WebFlux框架的集成优化，以及与其他技术栈的整合增强。这表明新版对Web应用开发中的异步处理和现代架构支持更加深入。 "3. Getting Spring Security"部分详细介绍了如何在项目中集成Spring Security。这部分包括了版本号命名规则，以及与Maven和Gradle构建工具的兼容性指导。对于Spring Boot用户，有专门的步骤说明如何在项目中轻松引入Spring Security，无论是通过Maven的依赖管理还是Gradle。此外，文档提供了常用的Maven和Gradle仓库地址。 "4. Project Modules"列出了核心模块，如spring-security-core.jar和针对远程通信的spring-security-remoting模块，这对于理解Spring Security的内部结构和功能划分非常关键。开发人员可以根据项目需求选择和配置相应的模块。总结来说，Spring Security 5.1.1英文文档是开发人员深入了解和利用Spring Security进行Web应用程序安全保护的重要参考，它不仅包含了最新的特性和功能，而且提供了详细的集成方法和项目模块划分，有助于提升开发效率和保障应用的安全性。

2018/10/19 Spring Security Reference

https://docs.spring.io/spring-security/site/docs/current/reference/htmlsingle/ 16/223

In Spring Security 3.0, the codebase has been sub-divided into separate jars which more clearly separate different functionality areas and third-

party dependencies. If you are using Maven to build your project, then these are the modules you will add to your pom.xml . Even if you’re not

using Maven, we’d recommend that you consult the pom.xml files to get an idea of third-party dependencies and versions. Alternatively, a

good idea is to examine the libraries that are included in the sample applications.

4.1 Core - spring-security-core.jar

Contains core authentication and access-contol classes and interfaces, remoting support and basic provisioning APIs. Required by any

application which uses Spring Security. Supports standalone applications, remote clients, method (service layer) security and JDBC user

provisioning. Contains the top-level packages:

org.springframework.security.core

org.springframework.security.access

org.springframework.security.authentication

org.springframework.security.provisioning

4.2 Remoting - spring-security-remoting.jar

Provides intergration with Spring Remoting. You don’t need this unless you are writing a remote client which uses Spring Remoting. The main

package is org.springframework.security.remoting .

4.3 Web - spring-security-web.jar

Contains filters and related web-security infrastructure code. Anything with a servlet API dependency. You’ll need it if you require Spring

Security web authentication services and URL-based access-control. The main package is org.springframework.security.web .

4.4 Config - spring-security-config.jar

Contains the security namespace parsing code & Java configuration code. You need it if you are using the Spring Security XML namespace for

configuration or Spring Security’s Java Configuration support. The main package is org.springframework.security.config . None of the

classes are intended for direct use in an application.

4.5 LDAP - spring-security-ldap.jar

LDAP authentication and provisioning code. Required if you need to use LDAP authentication or manage LDAP user entries. The top-level

package is org.springframework.security.ldap .

4.6 OAuth 2.0 Core - spring-security-oauth2-core.jar

spring-security-oauth2-core.jar contains core classes and interfaces that provide support for the OAuth 2.0 Authorization Framework

and for OpenID Connect Core 1.0. It is required by applications that use OAuth 2.0 or OpenID Connect Core 1.0, such as Client, Resource

Server, and Authorization Server. The top-level package is org.springframework.security.oauth2.core .

4.7 OAuth 2.0 Client - spring-security-oauth2-client.jar

spring-security-oauth2-client.jar is Spring Security’s client support for OAuth 2.0 Authorization Framework and OpenID Connect Core

1.0. Required by applications leveraging OAuth 2.0 Login and/or OAuth Client support. The top-level package is

org.springframework.security.oauth2.client .

4.8 OAuth 2.0 JOSE - spring-security-oauth2-jose.jar

spring-security-oauth2-jose.jar contains Spring Security’s support for the JOSE (Javascript Object Signing and Encryption) framework.

The JOSE framework is intended to provide a method to securely transfer claims between parties. It is built from a collection of specifications:

JSON Web Token (JWT)

JSON Web Signature (JWS)

JSON Web Encryption (JWE)

JSON Web Key (JWK)

2018/10/19 Spring Security Reference

https://docs.spring.io/spring-security/site/docs/current/reference/htmlsingle/ 17/223

It contains the top-level packages:

org.springframework.security.oauth2.jwt

org.springframework.security.oauth2.jose

4.9 ACL - spring-security-acl.jar

Specialized domain object ACL implementation. Used to apply security to specific domain object instances within your application. The top-

level package is org.springframework.security.acls .

4.10 CAS - spring-security-cas.jar

Spring Security’s CAS client integration. If you want to use Spring Security web authentication with a CAS single sign-on server. The top-level

package is org.springframework.security.cas .

4.11 OpenID - spring-security-openid.jar

OpenID web authentication support. Used to authenticate users against an external OpenID server.

org.springframework.security.openid . Requires OpenID4Java.

4.12 Test - spring-security-test.jar

Support for testing with Spring Security.

5. Sample Applications

There are several sample web applications that are available with the project. To avoid an overly large download, only the "tutorial" and

"contacts" samples are included in the distribution zip file. The others can be built directly from the source which you can obtain as described in

the introduction. It’s easy to build the project yourself and there’s more information on the project web site at http://spring.io/spring-security/. All

paths referred to in this chapter are relative to the project source directory.

5.1 Tutorial Sample

The tutorial sample is a nice basic example to get you started. It uses simple namespace configuration throughout. The compiled application is

included in the distribution zip file, ready to be deployed into your web container ( spring-security-samples-tutorial-3.1.x.war ). The

form-based authentication mechanism is used in combination with the commonly-used remember-me authentication provider to automatically

remember the login using cookies.

We recommend you start with the tutorial sample, as the XML is minimal and easy to follow. Most importantly, you can easily add this one XML

file (and its corresponding web.xml entries) to your existing application. Only when this basic integration is achieved do we suggest you

attempt adding in method authorization or domain object security.

5.2 Contacts

The Contacts Sample is an advanced example in that it illustrates the more powerful features of domain object access control lists (ACLs) in

addition to basic application security. The application provides an interface with which the users are able to administer a simple database of

contacts (the domain objects).

To deploy, simply copy the WAR file from Spring Security distribution into your container’s webapps directory. The war should be called

spring-security-samples-contacts-3.1.x.war (the appended version number will vary depending on what release you are using).

After starting your container, check the application can load. Visit http://localhost:8080/contacts (or whichever URL is appropriate for your web

container and the WAR you deployed).

Next, click "Debug". You will be prompted to authenticate, and a series of usernames and passwords are suggested on that page. Simply

authenticate with any of these and view the resulting page. It should contain a success message similar to the following:

Security Debug Information

Authentication object is of type:

org.springframework.security.authentication.UsernamePasswordAuthenticationToken

2018/10/19 Spring Security Reference

https://docs.spring.io/spring-security/site/docs/current/reference/htmlsingle/ 18/223

Authentication object as a String:

org.springframework.security.authentication.UsernamePasswordAuthenticationToken@1f127853:

Principal: org.springframework.security.core.userdetails.User@b07ed00: Username: rod; \

Password: [PROTECTED]; Enabled: true; AccountNonExpired: true;

credentialsNonExpired: true; AccountNonLocked: true; \

Granted Authorities: ROLE_SUPERVISOR, ROLE_USER; \

Password: [PROTECTED]; Authenticated: true; \

Details: org.springframework.security.web.authentication.WebAuthenticationDetails@0: \

RemoteIpAddress: 127.0.0.1; SessionId: 8fkp8t83ohar; \

Granted Authorities: ROLE_SUPERVISOR, ROLE_USER

Authentication object holds the following granted authorities:

ROLE_SUPERVISOR (getAuthority(): ROLE_SUPERVISOR)

ROLE_USER (getAuthority(): ROLE_USER)

Success! Your web filters appear to be properly configured!

Once you successfully receive the above message, return to the sample application’s home page and click "Manage". You can then try out the

application. Notice that only the contacts available to the currently logged on user are displayed, and only users with ROLE_SUPERVISOR are

granted access to delete their contacts. Behind the scenes, the MethodSecurityInterceptor is securing the business objects.

The application allows you to modify the access control lists associated with different contacts. Be sure to give this a try and understand how it

works by reviewing the application context XML files.

5.3 LDAP Sample

The LDAP sample application provides a basic configuration and sets up both a namespace configuration and an equivalent configuration

using traditional beans, both in the same application context file. This means there are actually two identical authentication providers configured

in this application.

5.4 OpenID Sample

The OpenID sample demonstrates how to use the namespace to configure OpenID and how to set up attribute exchange configurations for

Google, Yahoo and MyOpenID identity providers (you can experiment with adding others if you wish). It uses the JQuery-based openid-selector

project to provide a user-friendly login page which allows the user to easily select a provider, rather than typing in the full OpenID identifier.

The application differs from normal authentication scenarios in that it allows any user to access the site (provided their OpenID authentication is

successful). The first time you login, you will get a "Welcome [your name]"" message. If you logout and log back in (with the same OpenID

identity) then this should change to "Welcome Back". This is achieved by using a custom UserDetailsService which assigns a standard role

to any user and stores the identities internally in a map. Obviously a real application would use a database instead. Have a look at the source

form more information. This class also takes into account the fact that different attributes may be returned from different providers and builds

the name with which it addresses the user accordingly.

5.5 CAS Sample

The CAS sample requires that you run both a CAS server and CAS client. It isn’t included in the distribution so you should check out the project

code as described in the introduction. You’ll find the relevant files under the sample/cas directory. There’s also a Readme.txt file in there

which explains how to run both the server and the client directly from the source tree, complete with SSL support.

5.6 JAAS Sample

The JAAS sample is very simple example of how to use a JAAS LoginModule with Spring Security. The provided LoginModule will successfully

authenticate a user if the username equals the password otherwise a LoginException is thrown. The AuthorityGranter used in this example

always grants the role ROLE_USER. The sample application also demonstrates how to run as the JAAS Subject returned by the LoginModule

by setting jaas-api-provision equal to "true".

5.7 Pre-Authentication Sample

This sample application demonstrates how to wire up beans from the pre-authentication framework to make use of login information from a

Java EE container. The user name and roles are those setup by the container.

The code is in samples/preauth .

2018/10/19 Spring Security Reference

https://docs.spring.io/spring-security/site/docs/current/reference/htmlsingle/ 19/223

Part II. Servlet Applications

6. Java Configuration

General support for Java Configuration was added to Spring Framework in Spring 3.1. Since Spring Security 3.2 there has been Spring

Security Java Configuration support which enables users to easily configure Spring Security without the use of any XML.

If you are familiar with the Chapter 7, Security Namespace Configuration then you should find quite a few similarities between it and the

Security Java Configuration support.

Spring Security provides lots of sample applications which demonstrate the use of Spring Security Java Configuration.

6.1 Hello Web Security Java Configuration

The first step is to create our Spring Security Java Configuration. The configuration creates a Servlet Filter known as the

springSecurityFilterChain which is responsible for all the security (protecting the application URLs, validating submitted username and

passwords, redirecting to the log in form, etc) within your application. You can find the most basic example of a Spring Security Java

Configuration below:

There really isn’t much to this configuration, but it does a lot. You can find a summary of the features below:

Require authentication to every URL in your application

Generate a login form for you

Allow the user with the Username user and the Password password to authenticate with form based authentication

Allow the user to logout

CSRF attack prevention

Session Fixation protection

Security Header integration

HTTP Strict Transport Security for secure requests

X-Content-Type-Options integration

Cache Control (can be overridden later by your application to allow caching of your static resources)

X-XSS-Protection integration

X-Frame-Options integration to help prevent Clickjacking

Integrate with the following Servlet API methods

HttpServletRequest#getRemoteUser()

HttpServletRequest.html#getUserPrincipal()

HttpServletRequest.html#isUserInRole(java.lang.String)

HttpServletRequest.html#login(java.lang.String, java.lang.String)

HttpServletRequest.html#logout()

6.1.1 AbstractSecurityWebApplicationInitializer

import org.springframework.beans.factory.annotation.Autowired;

import org.springframework.context.annotation.*;

import org.springframework.security.config.annotation.authentication.builders.*;

import org.springframework.security.config.annotation.web.configuration.*;

@EnableWebSecurity

public class WebSecurityConfig implements WebMvcConfigurer {

@Bean

public UserDetailsService userDetailsService() throws Exception {

InMemoryUserDetailsManager manager = new InMemoryUserDetailsManager();

manager.createUser(User.withDefaultPasswordEncoder().username("user").password("password").roles("USER").build());

return manager;

}

2018/10/19 Spring Security Reference

https://docs.spring.io/spring-security/site/docs/current/reference/htmlsingle/ 20/223

The next step is to register the springSecurityFilterChain with the war. This can be done in Java Configuration with Spring’s

WebApplicationInitializer support in a Servlet 3.0+ environment. Not suprisingly, Spring Security provides a base class

AbstractSecurityWebApplicationInitializer that will ensure the springSecurityFilterChain gets registered for you. The way in

which we use AbstractSecurityWebApplicationInitializer differs depending on if we are already using Spring or if Spring Security is

the only Spring component in our application.

Section 6.1.2, “AbstractSecurityWebApplicationInitializer without Existing Spring” - Use these instructions if you are not using Spring

already

Section 6.1.3, “AbstractSecurityWebApplicationInitializer with Spring MVC” - Use these instructions if you are already using Spring

6.1.2 AbstractSecurityWebApplicationInitializer without Existing Spring

If you are not using Spring or Spring MVC, you will need to pass in the WebSecurityConfig into the superclass to ensure the configuration is

picked up. You can find an example below:

import org.springframework.security.web.context.*;

public class SecurityWebApplicationInitializer

extends AbstractSecurityWebApplicationInitializer {

public SecurityWebApplicationInitializer() {

super(WebSecurityConfig.class);

}

The SecurityWebApplicationInitializer will do the following things:

Automatically register the springSecurityFilterChain Filter for every URL in your application

Add a ContextLoaderListener that loads the WebSecurityConfig.

6.1.3 AbstractSecurityWebApplicationInitializer with Spring MVC

If we were using Spring elsewhere in our application we probably already had a WebApplicationInitializer that is loading our Spring

Configuration. If we use the previous configuration we would get an error. Instead, we should register Spring Security with the existing

ApplicationContext . For example, if we were using Spring MVC our SecurityWebApplicationInitializer would look something like

the following:

import org.springframework.security.web.context.*;

public class SecurityWebApplicationInitializer

extends AbstractSecurityWebApplicationInitializer {

}

This would simply only register the springSecurityFilterChain Filter for every URL in your application. After that we would ensure that

WebSecurityConfig was loaded in our existing ApplicationInitializer. For example, if we were using Spring MVC it would be added in the

getRootConfigClasses()

public class MvcWebApplicationInitializer extends

AbstractAnnotationConfigDispatcherServletInitializer {

@Override

protected Class<?>[] getRootConfigClasses() {

return new Class[] { WebSecurityConfig.class };

}

// ... other overrides ...

}

6.2 HttpSecurity

Thus far our WebSecurityConfig only contains information about how to authenticate our users. How does Spring Security know that we want to

require all users to be authenticated? How does Spring Security know we want to support form based authentication? The reason for this is that

the WebSecurityConfigurerAdapter provides a default configuration in the configure(HttpSecurity http) method that looks like:

protected void configure(HttpSecurity http) throws Exception {

http

剩余222页未读，继续阅读

回不到的未来

粉丝: 24
资源: 1

Spring Security 5.1.1 英文参考文档：最新功能与集成指南

Spring Security 5.1 中文 参考手册 中文文档

springsecurity

spring security 参考手册中文版

spring参考文档及SpringSecurity参考文档

Spring Security API（Spring Security 开发文档）.CHM

Spring Security 参考文档

spring security 官方文档

Spring Security参考文档

springsecurity官方文档3.2

Spring Security 文档

最新资源

Spring Security 5.1 中文参考手册中文文档