【SpringBoot】Spring Security

Official site:

https://docs.spring.io/spring-security/site/docs/5.3.2.RELEASE/reference/html5/

Spring Security provides comprehensive support for authentication, authorization, and protection against common exploits. It also provides integration with other libraries to simplify its usage.

https://github.com/spring-projects/spring-security/tree/5.3.2.RELEASE/samples

https://docs.spring.io/spring-security/site/docs/5.3.4.RELEASE/reference/html5/#exploits  (section 5.2)

Video by 小马哥: Spring Boot Security video

I. Demo

1. Default login popup

The Spring Security dependency in pom.xml:

Once the dependency is added, every endpoint of the project is automatically protected, and a login prompt appears.

Where the password comes from: it is printed to the console at startup (the username is `user`):

Using generated security password: 8e557245-73e2-4286-969a-ff57fe326336

The source behind this: SecurityProperties.java

 

2. Three ways to customize the login username/password

1) Configure it in application.properties

spring.security.user.name=tester
spring.security.user.password=123

2) Specify it in Java code

Starting with Spring 5, passwords are required to be encoded. If you really do not want to encode them, you can use NoOpPasswordEncoder, a deprecated PasswordEncoder implementation, but this is not recommended, since it is insecure.

Spring Security provides the BCryptPasswordEncoder password-encoding utility, which makes salted password hashing very convenient: the same plaintext always produces a different hash, so there is no need to store an extra salt field per user. This is much more convenient than Shiro.


3) Login configuration (subclass WebSecurityConfigurerAdapter)

For a project with separate front end and back end, simply return JSON after a successful login; likewise, the failureHandler method configures the login-failure callback, and logoutSuccessHandler configures the logout-success callback.

4. Ignoring interception (excluding paths from the filter chain)
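Sections 2) to 4) in one added example (not the post's own code; the class name, login/logout URLs and ignored paths are assumptions): a user specified in Java code and hashed with BCryptPasswordEncoder, JSON success/failure/logout callbacks for a separated front end, and static paths excluded from interception.

```java
import java.io.IOException;
import javax.servlet.http.HttpServletResponse;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.http.MediaType;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.builders.WebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
import org.springframework.security.crypto.password.PasswordEncoder;

// Added example, not the post's own code: class name, URLs and ignored paths are assumptions.
@Configuration
public class SecurityConfig extends WebSecurityConfigurerAdapter {
    // BCrypt picks a fresh random salt for every hash, so no separate salt column is needed.
    @Bean
    public PasswordEncoder passwordEncoder() {
        return new BCryptPasswordEncoder();
    }
    // 2) User from Java code: same constructed credentials as the properties example, stored as a BCrypt hash.
    @Override
    protected void configure(AuthenticationManagerBuilder auth) throws Exception {
        auth.inMemoryAuthentication()
            .withUser("tester").password(passwordEncoder().encode("123")).roles("USER");
    }
    // 3) Login configuration: JSON callbacks instead of redirects for a separated front end.
    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http.authorizeRequests().anyRequest().authenticated()
            .and().formLogin().loginProcessingUrl("/doLogin")
                .successHandler((req, resp, authn) -> writeJson(resp, 200, "{\"status\":\"ok\"}"))
                .failureHandler((req, resp, ex) -> writeJson(resp, 401, "{\"status\":\"bad credentials\"}"))
                .permitAll()
            .and().logout().logoutUrl("/logout")
                .logoutSuccessHandler((req, resp, authn) -> writeJson(resp, 200, "{\"status\":\"logged out\"}"));
    }
    // 4) Ignore interception: static resources bypass the security filter chain entirely.
    @Override
    public void configure(WebSecurity web) {
        web.ignoring().antMatchers("/css/**", "/js/**", "/images/**");
    }
    // Constant bodies only, so no user-controlled text is concatenated into the JSON.
    private static void writeJson(HttpServletResponse resp, int status, String body) throws IOException {
        resp.setStatus(status);
        resp.setContentType(MediaType.APPLICATION_JSON_VALUE);
        resp.setCharacterEncoding("UTF-8");
        resp.getWriter().write(body);
    }
}
```

Because a PasswordEncoder bean is declared, the in-memory store verifies against the BCrypt hash rather than the plaintext, and the ignored paths never reach the login check.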


II. Key points: core classes

1. Abstract class: WebSecurityConfigurerAdapter

 


HTTP security response headers:

1. Security default headers

Spring Security provides a default set of security related HTTP response headers to provide secure defaults.

The default for Spring Security is to include the following headers:

Cache-Control: no-cache, no-store, max-age=0, must-revalidate
Pragma: no-cache
Expires: 0
X-Content-Type-Options: nosniff
Strict-Transport-Security: max-age=31536000 ; includeSubDomains    // only added on HTTPS requests
X-Frame-Options: DENY
X-XSS-Protection: 1; mode=block

2. Cache-Control

Spring Security's default is to disable caching to protect the user's content.

If a user authenticates to view sensitive information and then logs out, we don't want a malicious user to be able to click the back button to view the sensitive information.

Default Cache Control HTTP Response Headers

Cache-Control: no-cache, no-store, max-age=0, must-revalidate
Pragma: no-cache
Expires: 0

3. Content Type Controls

Posted 2020-08-17 23:47 by 飞翔在天