Spring Security(十二):5. Java Configuration
General support for Java Configuration was added to Spring Framework in Spring 3.1. Since Spring Security 3.2 there has been Spring Security Java Configuration support which enables users to easily configure Spring Security without the use of any XML.
Spring Security provides lots of sample applications which demonstrate the use of Spring Security Java Configuration.
5.1 Hello Web Security Java Configuration
The first step is to create our Spring Security Java Configuration. The configuration creates a Servlet Filter known as the springSecurityFilterChain
which is responsible for all the security (protecting the application URLs, validating submitted username and passwords, redirecting to the log in form, etc) within your application. You can find the most basic example of a Spring Security Java Configuration below:
import org.springframework.beans.factory.annotation.Autowired; import org.springframework.context.annotation.*; import org.springframework.security.config.annotation.authentication.builders.*; import org.springframework.security.config.annotation.web.configuration.*; @EnableWebSecurity public class WebSecurityConfig extends WebSecurityConfigurerAdapter { @Bean public UserDetailsService userDetailsService() throws Exception { InMemoryUserDetailsManager manager = new InMemoryUserDetailsManager(); manager.createUser(User.withUsername("user").password("password").roles("USER").build()); return manager; } }
There really isn’t much to this configuration, but it does a lot. You can find a summary of the features below:
- Require authentication to every URL in your application
-
要求对应用程序中的每个URL进行身份验证
- Generate a login form for you
-
为您生成登录表单
- Allow the user with the Username user and the Password password to authenticate with form based authentication
-
允许具有Username用户和密码密码的用户使用基于表单的身份验证进行身份验证
- Allow the user to logout
-
允许用户注销
- CSRF attack prevention
-
CSRF攻击预防
- Session Fixation protection
-
会话固定保护
-
Security Header integration
-
安全标头集成
-
- HTTP Strict Transport Security for secure requests
-
用于安全请求的HTTP严格传输安全性
- X-Content-Type-Options integration
-
X-Content-Type-Options集成
- Cache Control (can be overridden later by your application to allow caching of your static resources)
-
缓存控制(稍后可由应用程序覆盖以允许缓存静态资源)
- X-XSS-Protection integration
-
X-XSS-Protection集成
- X-Frame-Options integration to help prevent Clickjacking
-
X-Frame-Options集成有助于防止Clickjacking
-
Integrate with the following Servlet API methods
-
与以下Servlet API方法集成
-
5.1.1 AbstractSecurityWebApplicationInitializer
The next step is to register the springSecurityFilterChain
with the war. This can be done in Java Configuration with Spring’s WebApplicationInitializer support in a Servlet 3.0+ environment. Not suprisingly, Spring Security provides a base class AbstractSecurityWebApplicationInitializer
that will ensure the springSecurityFilterChain
gets registered for you. The way in which we use AbstractSecurityWebApplicationInitializer
differs depending on if we are already using Spring or if Spring Security is the only Spring component in our application.
- Section 5.1.2, “AbstractSecurityWebApplicationInitializer without Existing Spring” - Use these instructions if you are not using Spring already
-
如果您尚未使用Spring,请使用这些说明
- Section 5.1.3, “AbstractSecurityWebApplicationInitializer with Spring MVC” - Use these instructions if you are already using Spring
-
如果您已经在使用Spring,请使用这些说明
5.1.2 AbstractSecurityWebApplicationInitializer without Existing Spring (没有现有的)
If you are not using Spring or Spring MVC, you will need to pass in the WebSecurityConfig
into the superclass to ensure the configuration is picked up. You can find an example below:
import org.springframework.security.web.context.*; public class SecurityWebApplicationInitializer extends AbstractSecurityWebApplicationInitializer { public SecurityWebApplicationInitializer() { super(WebSecurityConfig.class); } }
The SecurityWebApplicationInitializer
will do the following things:
- Automatically register the springSecurityFilterChain Filter for every URL in your application
-
自动为应用程序中的每个URL注册springSecurityFilterChain过滤器
- Add a ContextLoaderListener that loads the WebSecurityConfig.
-
添加一个加载WebSecurityConfig的ContextLoaderListener。
5.1.3 AbstractSecurityWebApplicationInitializer with Spring MVC
5.1.3使用Spring MVC的AbstractSecurityWebApplicationInitializer
If we were using Spring elsewhere in our application we probably already had a WebApplicationInitializer
that is loading our Spring Configuration. If we use the previous configuration we would get an error. Instead, we should register Spring Security with the existing ApplicationContext
. For example, if we were using Spring MVC our SecurityWebApplicationInitializer
would look something like the following:
WebSecurityConfig
was loaded in our existing ApplicationInitializer. For example, if we were using Spring MVC it would be added in the getRootConfigClasses()
public class MvcWebApplicationInitializer extends AbstractAnnotationConfigDispatcherServletInitializer { @Override protected Class<?>[] getRootConfigClasses() { return new Class[] { WebSecurityConfig.class }; } // ... other overrides ... }