Spring Security in practice

Maven setup; the current version is 2.0.0-RC1:


<dependency>
<groupId>org.springframework.security</groupId>
<artifactId>spring-security-core</artifactId>
<version>2.0.0-RC1</version>
</dependency>

<repository>
<id>spring-milestone</id>
<name>Spring Portfolio Milestone Repository</name>
<url>http://s3.amazonaws.com/maven.springframework.org/milestone/</url>
</repository>

Because this is not a release version, Spring's milestone repository has to be added as well.


1. web.xml setup:
In web.xml, each application needs a single Spring Security filter; a DelegatingFilterProxy hands every request to the FilterChainProxy bean. The filter-name must match the bean id (filterChainProxy) because DelegatingFilterProxy looks the target bean up by that name.

<filter>
<filter-name>filterChainProxy</filter-name>
<filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
</filter>

<filter-mapping>
<filter-name>filterChainProxy</filter-name>
<url-pattern>/*</url-pattern>
</filter-mapping>


2. Configuring filterChainProxy:

<bean id="filterChainProxy"
class="org.springframework.security.util.FilterChainProxy">
<property name="filterInvocationDefinitionSource">
<value>
CONVERT_URL_TO_LOWERCASE_BEFORE_COMPARISON
PATTERN_TYPE_APACHE_ANT
/**=httpSessionContextIntegrationFilter,logoutFilter,authenticationProcessingFilter,basicProcessingFilter,securityContextHolderAwareRequestFilter,rememberMeProcessingFilter,anonymousProcessingFilter,exceptionTranslationFilter,filterInvocationInterceptor,switchUserProcessingFilter
</value>
</property>
</bean>

Internally, Spring Security uses a PropertyEditor to convert the string in the XML into a FilterInvocationDefinitionSource object. What matters at this stage is that the listed filters will be run in the order given, and each filter name corresponds to a <bean id> defined in the application context. In our case some extra beans will therefore also appear in the application context, named httpSessionContextIntegrationFilter, logoutFilter and so on. The order in which the filters should appear is discussed in the filters section of the reference guide, although the order in the above example is already correct.

The example uses both AuthenticationProcessingFilter and BasicProcessingFilter. These "authentication mechanisms" handle form-based authentication and BASIC HTTP header-based authentication respectively (the role of authentication mechanisms was discussed earlier in the reference guide). If you use neither form nor BASIC authentication, these beans need not be defined. You can instead define the filters for whatever authentication environment you need, such as DigestProcessingFilter or CasProcessingFilter. Refer to the individual chapters of this part of the reference guide to learn how to configure each of these authentication mechanisms.

Recall that HttpSessionContextIntegrationFilter keeps the contents of the SecurityContext between invocations inside an HTTP session. This means the authentication mechanism is only used once, when authentication is first attempted. The rest of the time the authentication mechanisms sit there and silently pass the request through to the next filter in the chain. That is a practical requirement due to the fact that few authentication approaches present credentials on each and every call (BASIC authentication being a notable exception), but what happens if a principal's account gets cancelled or disabled or otherwise changed (e.g. an increase or decrease in GrantedAuthority[]s) after the initial authentication step? Let's look at how that is handled now.

The major authorization provider for secure objects has previously been introduced as AbstractSecurityInterceptor. This class needs to have access to an AuthenticationManager. It also has configurable settings to indicate whether an Authentication object should be re-authenticated on each secure object invocation. By default it simply accepts any Authentication inside the SecurityContextHolder as authenticated if Authentication.isAuthenticated() returns true. This is great for performance, but not ideal if you want to ensure up-to-the-moment authentication validity (a disabled account would keep working until its session ends). For such cases you'll probably want to set the AbstractSecurityInterceptor.alwaysReauthenticate property to true.
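The chain in step 2 names ten filter beans but defines none of them, and the authorization decision itself lives in the filterInvocationInterceptor bean that the chain ends with. The following is an added example, not code from the original post or from the Spring Security project, showing the minimal bean-style definitions a form-login application needs, written against the Spring Security 2.0 class and property names as recalled here (check them against the 2.0 reference for your exact build). The URLs, the anonymous key and the role names are assumed values, and the authenticationManager and accessDecisionManager beans it references must exist elsewhere in the context (section 6 below defines authenticationManager). Every name on the /** line must resolve to a bean, so names you do not define (basicProcessingFilter, rememberMeProcessingFilter, switchUserProcessingFilter) must be dropped from the chain string as done here.

```xml
<!-- Added example: minimal bean definitions for a form-login chain (Spring Security 2.0 bean style).
     Class names follow the 2.0 API; URLs, the anonymous key and role names are assumed values. -->
<bean id="filterChainProxy" class="org.springframework.security.util.FilterChainProxy">
  <property name="filterInvocationDefinitionSource">
    <value>
      CONVERT_URL_TO_LOWERCASE_BEFORE_COMPARISON
      PATTERN_TYPE_APACHE_ANT
      /**=httpSessionContextIntegrationFilter,logoutFilter,authenticationProcessingFilter,securityContextHolderAwareRequestFilter,anonymousProcessingFilter,exceptionTranslationFilter,filterInvocationInterceptor
    </value>
  </property>
</bean>

<!-- Stores the SecurityContext in the HTTP session between requests -->
<bean id="httpSessionContextIntegrationFilter"
      class="org.springframework.security.context.HttpSessionContextIntegrationFilter"/>

<!-- Logout: clear the SecurityContext, then redirect to the (assumed) success URL -->
<bean id="logoutFilter" class="org.springframework.security.ui.logout.LogoutFilter">
  <constructor-arg value="/index.jsp"/>
  <constructor-arg>
    <list>
      <bean class="org.springframework.security.ui.logout.SecurityContextLogoutHandler"/>
    </list>
  </constructor-arg>
</bean>

<!-- Form login: the form must POST j_username/j_password to filterProcessesUrl -->
<bean id="authenticationProcessingFilter"
      class="org.springframework.security.ui.webapp.AuthenticationProcessingFilter">
  <property name="authenticationManager" ref="authenticationManager"/>
  <property name="authenticationFailureUrl" value="/login.jsp?login_error=1"/>
  <property name="defaultTargetUrl" value="/"/>
  <property name="filterProcessesUrl" value="/j_spring_security_check"/>
</bean>

<!-- Makes request.getRemoteUser()/isUserInRole() reflect the SecurityContext -->
<bean id="securityContextHolderAwareRequestFilter"
      class="org.springframework.security.wrapper.SecurityContextHolderAwareRequestFilter"/>

<!-- Unauthenticated requests get an anonymous principal. The key is an assumed
     placeholder and must match the AnonymousAuthenticationProvider's key. -->
<bean id="anonymousProcessingFilter"
      class="org.springframework.security.providers.anonymous.AnonymousProcessingFilter">
  <property name="key" value="CHANGE-ME-anonymous-key"/>
  <property name="userAttribute" value="anonymousUser,ROLE_ANONYMOUS"/>
</bean>

<!-- Translates AuthenticationException into a redirect to the login form and
     AccessDeniedException into a 403. forceHttps=true keeps credentials off plain HTTP
     (requires HTTPS on the standard port or a configured PortMapper). -->
<bean id="exceptionTranslationFilter" class="org.springframework.security.ui.ExceptionTranslationFilter">
  <property name="authenticationEntryPoint">
    <bean class="org.springframework.security.ui.webapp.AuthenticationProcessingFilterEntryPoint">
      <property name="loginFormUrl" value="/login.jsp"/>
      <property name="forceHttps" value="true"/>
    </bean>
  </property>
</bean>

<!-- The URL authorization decision. Patterns are tested top to bottom and the first
     match wins, so the specific paths come before the catch-all. alwaysReauthenticate
     makes the interceptor re-check the account on every request (see the text above). -->
<bean id="filterInvocationInterceptor"
      class="org.springframework.security.intercept.web.FilterSecurityInterceptor">
  <property name="authenticationManager" ref="authenticationManager"/>
  <property name="accessDecisionManager" ref="accessDecisionManager"/>
  <property name="alwaysReauthenticate" value="true"/>
  <property name="objectDefinitionSource">
    <value>
      CONVERT_URL_TO_LOWERCASE_BEFORE_COMPARISON
      PATTERN_TYPE_APACHE_ANT
      /login.jsp*=IS_AUTHENTICATED_ANONYMOUSLY
      /admin/**=ROLE_ADMIN
      /**=ROLE_USER
    </value>
  </property>
</bean>

<!-- RoleVoter handles ROLE_* attributes, AuthenticatedVoter the IS_AUTHENTICATED_* ones -->
<bean id="accessDecisionManager" class="org.springframework.security.vote.AffirmativeBased">
  <property name="decisionVoters">
    <list>
      <bean class="org.springframework.security.vote.RoleVoter"/>
      <bean class="org.springframework.security.vote.AuthenticatedVoter"/>
    </list>
  </property>
</bean>
```

The point to check in review is the last pattern: with a catch-all of /**=ROLE_USER, anything not explicitly opened up (here only the login page) requires an authenticated user, so a new URL that is forgotten in the list is denied rather than exposed.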
6. Controlling concurrent authenticated sessions:
This limits the number of sessions the web application accepts for one authenticated user, to prevent attacks.
Add to web.xml:

<listener>
<listener-class>org.springframework.security.ui.session.HttpSessionEventPublisher</listener-class>
</listener>

Add to the Spring configuration:

<bean id="authenticationManager"
class="org.springframework.security.providers.ProviderManager">
<property name="providers">
<!-- your providers go here -->
</property>
<property name="sessionController">
<ref bean="concurrentSessionController"/>
</property>
</bean>

<bean id="concurrentSessionController" class="org.springframework.security.concurrent.ConcurrentSessionControllerImpl">
<property name="maximumSessions"><value>1</value></property>
<property name="sessionRegistry"><ref local="sessionRegistry"/></property>
</bean>

<bean id="sessionRegistry" class="org.springframework.security.concurrent.SessionRegistryImpl"/>
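The controller above is consulted only at login time, and by default (exceptionIfMaximumExceeded=false) exceeding maximumSessions expires the user's oldest session rather than rejecting the new login. For an expired session to actually be terminated, the chain from step 2 also needs a ConcurrentSessionFilter, which the chain above does not include. The following is an added example, not from the original post or the Spring Security project, showing the stricter setting alongside the filter, written against the Spring Security 2.0 class and property names as recalled here; the expiredUrl is an assumed value.

```xml
<!-- Added example: making concurrent-session control take effect (Spring Security 2.0 bean style). -->

<!-- exceptionIfMaximumExceeded=true rejects the second login outright instead of
     silently expiring the first session; use it when the existing session is the
     one that should win (the default, false, expires the oldest session instead). -->
<bean id="concurrentSessionController"
      class="org.springframework.security.concurrent.ConcurrentSessionControllerImpl">
  <property name="maximumSessions" value="1"/>
  <property name="exceptionIfMaximumExceeded" value="true"/>
  <property name="sessionRegistry" ref="sessionRegistry"/>
</bean>

<!-- The registry is kept current by the HttpSessionEventPublisher listener in web.xml -->
<bean id="sessionRegistry" class="org.springframework.security.concurrent.SessionRegistryImpl"/>

<!-- Checks each request's session against the registry; a session marked expired is
     invalidated and the user is redirected to expiredUrl (assumed value). Without this
     filter an expired session would keep working until the container times it out. -->
<bean id="concurrentSessionFilter"
      class="org.springframework.security.concurrent.ConcurrentSessionFilter">
  <property name="sessionRegistry" ref="sessionRegistry"/>
  <property name="expiredUrl" value="/session-expired.jsp"/>
</bean>

<!-- Placement: the filter must run before httpSessionContextIntegrationFilter, so the
     /** line of the filterChainProxy bean from step 2 becomes:
     /**=concurrentSessionFilter,httpSessionContextIntegrationFilter,logoutFilter,authenticationProcessingFilter,basicProcessingFilter,securityContextHolderAwareRequestFilter,rememberMeProcessingFilter,anonymousProcessingFilter,exceptionTranslationFilter,filterInvocationInterceptor,switchUserProcessingFilter
-->
```

When exceptionIfMaximumExceeded is true the ProviderManager throws a ConcurrentLoginException during authentication, which the authentication processing filter reports through its authenticationFailureUrl like any other failed login, so the login page should be able to show that reason.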