Spring Security 3.0.5.RELEASE：参考文档

需积分: 10 151 浏览量更新于2024-07-30 收藏 731KB PDF 举报

“Spring Security是Java开发中的一个安全框架，提供了全面的权限管理和访问控制功能。这份文档详细介绍了Spring Security的各个模块、配置方法以及高级特性。” Spring Security是Spring生态系统中的核心组件之一，专用于应用程序的安全性和访问控制。它提供了一整套强大的工具，帮助开发者实现用户认证（Authentication）和授权（Authorization）功能，从而保护Web应用程序免受攻击。 1. 什么是Spring Security？ Spring Security是一个灵活且可扩展的安全框架，旨在解决企业级应用的安全需求。它不仅处理了用户登录、权限分配等基础功能，还支持更复杂的场景，如基于角色的访问控制（RBAC）、会话管理、跨站请求伪造（CSRF）防护、HTTP通道安全等。 2. 项目模块 Spring Security由多个模块组成，包括： - spring-security-core.jar：核心模块，包含认证和授权的基本机制。 - spring-security-web.jar：Web安全模块，处理HTTP请求和响应的安全性。 - spring-security-config.jar：配置模块，提供XML和注解方式的配置选项。 - spring-security-ldap.jar：与LDAP服务器集成，支持目录服务认证。 - spring-security-acl.jar：访问控制列表（ACL），实现细粒度的权限控制。 - spring-security-cas-client.jar：CAS客户端支持，实现单点登录（SSO）功能。 - spring-security-openid.jar：OpenID集成，支持使用OpenID进行身份验证。 3. 安全命名空间配置 Spring Security提供了名为`security`的命名空间，简化了XML配置。设计上，这个命名空间允许开发者通过声明式的方式设置安全策略。例如，可以通过`web.xml`配置文件开启安全过滤器链： ```xml <filter> <filter-name>springSecurityFilterChain</filter-name> <filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class> </filter> <filter-mapping> <filter-name>springSecurityFilterChain</filter-name> <url-pattern>/*</url-pattern> </filter-mapping> ``` 基本的`http`配置可以设定自动配置，如登录页面、基本认证和密码编码器： ```xml <http auto-config="true"> ... </http> ``` 可以添加多种认证提供者，比如数据库或LDAP，以及密码编码器，以增强安全性： ```xml <authentication-manager> <authentication-provider> <password-encoder hash="bcrypt" /> </authentication-provider> </authentication-manager> ``` 4. 高级Web特性 Spring Security还支持一些高级功能，如： - 记住我（Remember-Me）认证：允许用户在一段时间内自动登录，提高用户体验。 - HTTP/HTTPS通道安全：强制特定URL路径使用HTTPS协议，保障敏感数据传输的安全。 - 会话管理：可配置会话超时、会话固定攻击防护等策略。以上内容只是Spring Security参考文档的一小部分，完整的文档涵盖了更广泛的议题，如过滤器链的自定义、表达式语言、访问决策管理、异常处理等。学习和掌握Spring Security将有助于构建安全、健壮的Java应用。

Spring Security

3.0.5.RELEASE 5

1.4 Getting Spring Security

You can get hold of Spring Security in several ways. You can download a packaged distribution from

the main Spring download page [http://www.springsource.com/download/community?project=Spring

%20Security], download individual jars (and sample WAR files) from the Maven Central repository (or

a SpringSource Maven repository for snapshot and milestone releases) or, alternatively, you can build

the project from source yourself. See the project web site for more details.

Project Modules

In Spring Security 3.0, the codebase has been sub-divided into separate jars which more clearly separate

different functionaltiy areas and third-party dependencies. If you are using Maven to build your project,

then these are the modules you will add to your pom.xml. Even if you're not using Maven, we'd

recommend that you consult the pom.xml files to get an idea of third-party dependencies and versions.

Alternatively, a good idea is to examine the libraries that are included in the sample applications.

Core - spring-security-core.jar

Contains core authentication and access-contol classes and interfaces, remoting support and basic

provisioning APIs. Required by any application which uses Spring Security. Supports standalone

applications, remote clients, method (service layer) security and JDBC user provisioning. Contains the

top-level packages:

• org.springframework.security.core

• org.springframework.security.access

• org.springframework.security.authentication

• org.springframework.security.provisioning

• org.springframework.security.remoting

Web - spring-security-web.jar

Contains filters and related web-security infrastructure code. Anything with a servlet API dependency.

You'll need it if you require Spring Security web authentication services and URL-based access-control.

The main package is org.springframework.security.web.

Config - spring-security-config.jar

Contains the security namespace parsing code (and hence nothing that you are likely yo use directly in

your application). You need it if you are using the Spring Security XML namespace for configuration.

The main package is org.springframework.security.config.

LDAP - spring-security-ldap.jar

LDAP authentication and provisioning code. Required if you need to use LDAP authentication or

manage LDAP user entries. The top-level package is org.springframework.security.ldap.

Spring Security

3.0.5.RELEASE 7

2.1 Introduction

Namespace configuration has been available since version 2.0 of the Spring framework.

It allows you to supplement the traditional Spring beans application context syntax

with elements from additional XML schema. You can find more information in the

Spring Reference Documentation [http://static.springsource.org/spring/docs/3.0.x/spring-framework-

reference/htmlsingle/spring-framework-reference.htm]. A namespace element can be used simply to

allow a more concise way of configuring an individual bean or, more powerfully, to define an alternative

configuration syntax which more closely matches the problem domain and hides the underlying

complexity from the user. A simple element may conceal the fact that multiple beans and processing

steps are being added to the application context. For example, adding the following element from the

security namespace to an application context will start up an embedded LDAP server for testing use

within the application:

<security:ldap-server />

This is much simpler than wiring up the equivalent Apache Directory Server beans. The most common

alternative configuration requirements are supported by attributes on the ldap-server element and

the user is isolated from worrying about which beans they need to create and what the bean property

names are.

. Use of a good XML editor while editing the application context file should provide

information on the attributes and elements that are available. We would recommend that you try out

the SpringSource Tool Suite [http://www.springsource.com/products/sts] as it has special features for

working with standard Spring namespaces.

To start using the security namespace in your application context, you first need to make sure that the

spring-security-config jar is on your classpath. Then all you need to do is add the schema

declaration to your application context file:

<beans xmlns="http://www.springframework.org/schema/beans"

xmlns:security="http://www.springframework.org/schema/security"

xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"

xsi:schemaLocation="http://www.springframework.org/schema/beans

http://www.springframework.org/schema/beans/spring-beans-3.0.xsd

http://www.springframework.org/schema/security

http://www.springframework.org/schema/security/spring-security-3.0.3.xsd">

...

</beans>

In many of the examples you will see (and in the sample) applications, we will often use "security"

as the default namespace rather than "beans", which means we can omit the prefix on all the security

namespace elements, making the content easier to read. You may also want to do this if you have your

application context divided up into separate files and have most of your security configuration in one

of them. Your security application context file would then start like this

You can find out more about the use of the ldap-server element in the chapter on LDAP.

Spring Security

3.0.5.RELEASE 8

<beans:beans xmlns="http://www.springframework.org/schema/security"

xmlns:beans="http://www.springframework.org/schema/beans"

xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"

xsi:schemaLocation="http://www.springframework.org/schema/beans

http://www.springframework.org/schema/beans/spring-beans-3.0.xsd

http://www.springframework.org/schema/security

http://www.springframework.org/schema/security/spring-security-3.0.3.xsd">

...

</beans:beans>

We'll assume this syntax is being used from now on in this chapter.

Design of the Namespace

The namespace is designed to capture the most common uses of the framework and provide a simplified

and concise syntax for enabling them within an application. The design is based around the large-scale

dependencies within the framework, and can be divided up into the following areas:

• Web/HTTP Security - the most complex part. Sets up the filters and related service beans used to

apply the framework authentication mechanisms, to secure URLs, render login and error pages and

much more.

• Business Object (Method) Security - options for securing the service layer.

• AuthenticationManager - handles authentication requests from other parts of the framework.

• AccessDecisionManager - provides access decisions for web and method security. A default one will

be registered, but you can also choose to use a custom one, declared using normal Spring bean syntax.

• AuthenticationProviders - mechanisms against which the authentication manager authenticates users.

The namespace provides supports for several standard options and also a means of adding custom

beans declared using a traditional syntax.

• UserDetailsService - closely related to authentication providers, but often also required by other

beans.

We'll see how to configure these in the following sections.

2.2 Getting Started with Security Namespace

Configuration

In this section, we'll look at how you can build up a namespace configuration to use some of the main

features of the framework. Let's assume you initially want to get up and running as quickly as possible

and add authentication support and access control to an existing web application, with a few test logins.

Then we'll look at how to change over to authenticating against a database or other security repository.

In later sections we'll introduce more advanced namespace configuration options.

web.xml Configuration

The first thing you need to do is add the following filter declaration to your web.xml file:

Spring Security

3.0.5.RELEASE 9

<filter-name>springSecurityFilterChain</filter-name>

<filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>

</filter>

<filter-mapping>

<filter-name>springSecurityFilterChain</filter-name>

<url-pattern>/*</url-pattern>

</filter-mapping>

This provides a hook into the Spring Security web infrastructure. DelegatingFilterProxy is a

Spring Framework class which delegates to a filter implementation which is defined as a Spring bean

in your application context. In this case, the bean is named “springSecurityFilterChain”, which is an

internal infrastructure bean created by the namespace to handle web security. Note that you should not

use this bean name yourself. Once you've added this to your web.xml, you're ready to start editing

your application context file. Web security services are configured using the <http> element.

A Minimal <http> Configuration

All you need to enable web security to begin with is

<intercept-url pattern="/**" access="ROLE_USER" />

</http>

Which says that we want all URLs within our application to be secured, requiring the role ROLE_USER

to access them. The <http> element is the parent for all web-related namespace functionality. The

<intercept-url> element defines a pattern which is matched against the URLs of incoming

requests using an ant path style syntax

. The access attribute defines the access requirements for

requests matching the given pattern. With the default configuration, this is typically a comma-separated

list of roles, one of which a user must have to be allowed to make the request. The prefix “ROLE_” is

a marker which indicates that a simple comparison with the user's authorities should be made. In other

words, a normal role-based check should be used. Access-control in Spring Security is not limited to

the use of simple roles (hence the use of the prefix to differentiate between different types of security

attributes). We'll see later how the interpretation can vary

Note

You can use multiple <intercept-url> elements to define different access

requirements for different sets of URLs, but they will be evaluated in the order listed and

the first match will be used. So you must put the most specific matches at the top. You

can also add a method attribute to limit the match to a particular HTTP method (GET,

POST, PUT etc.). If a request matches multiple patterns, the method-specific match will

take precedence regardless of ordering.

To add some users, you can define a set of test data directly in the namespace:

See the section on Request Matching in the Web Application Infrastructure chapter for more details on how matches are actually

performed.

The interpretation of the comma-separated values in the access attribute depends on the implementation of the

AccessDecisionManager which is used. In Spring Security 3.0, the attribute can also be populated with an EL expression.

剩余132页未读，继续阅读

almtalmt

粉丝: 0
资源: 31

Spring Security 3.0.5.RELEASE：参考文档

spring security详解

spring security 4.0.1

spring security 的一些资料----下载不扣分，回帖加1分，童叟无欺，欢迎下载

Spring Security

springsecurity

springSecurity

SpringSecurity

036GraphTheory(图论) matlab代码.rar

026SVM用于分类时的参数优化，粒子群优化算法，用于优化核函数的c,g两个参数(SVM PSO)Matlab代码.rar

药店管理-JAVA-基于springBoot的药店管理系统的设计与实现（毕业论文+开题）

最新资源