一、Spring Security简介
Spring Security是为基于Spring的应用程序提供声明式安全保护的安全性框架。Spring Security提供了完整的安全性解决方案,它能够在Web请求级别和方法调用级别处理身份认证和授权。因为基于Spring框架,所以Spring Security充分利用了依赖注入(dependency injection,DI)和面向切面的技术。
二、Spring Security详情
2.1.实现
Spring Security从两个角度来解决安全性问题:使用Servlet规范中的Filter保护Web请求并限制URL级别的访问;使用Spring AOP保护方法调用——借助于对象代理和使用通知,能够确保只有具备适当权限的用户才能访问安全保护的方法。
对于Spring Security来说主要提供的两个安全服务是指:认证(Authentication)和 授权(Authorization);认证是用来确定当前用户,授权是判断一个用户是否有访问某个安全对象的权限。
2.2.Spring Security模块
下面常用的模块包括:配置(config)、核心(core)和Web是必须要的;标签库也是常用的模块。
Spring Security标签库支持的标签包括:
2.3.Spring Security用户认证
Spring Security中提供了多种的用户认证策略,常用的认证策略包括(认证将在后面详细说明过程):
1.基于内存的用户存储(下面第一个Demo就是基于内存的用户存储)
2.基于数据库表进行认证(将在后面展示Demo)
3.基于LDAP进行用户认证(将在后面展示Demo)
三、示例
下面示例展示了通过JavaConfig的方式集成spring-security安全框架
1,实现AbstractSecurityWebApplicationInitializer,只用写好一个实现类就可以了,Spring系统会发现他,并用他在web容器中注册DelegetingFilterProxy。DelegetingFilterProxy会拦截发往应用中的请求。并将请求委托给一个ID为springSecurityFilterChain的bean,该bean可以连接一个或任意多个Filter,Spring security就是依赖着一系列servlet filter来提供不同的安全特性。这些细节我们不用管,当启用web安全性时,会自动创建这些filter。
package com.cc.test.security;
import org.springframework.security.web.context.AbstractSecurityWebApplicationInitializer;
public class SecurityWebInitializer extends AbstractSecurityWebApplicationInitializer {
}
2,创建SecurityConfig
package com.cc.test.config;
import javax.sql.DataSource;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.crypto.password.StandardPasswordEncoder;
import com.halfworlders.idat.security.IdatUserDetailsService;
import com.halfworlders.idat.service.Userservice;
@Configuration
@EnableWebSecurity
public class SecurityConfig extends WebSecurityConfigurerAdapter {
// @Autowired
// private DataSource dataSource;
@Autowired
private Userservice userservice;
@Override
protected void configure(AuthenticationManagerBuilder auth) throws Exception {
/*
* 可以通过内存设置的方式,来做用户登录验证,此种方式比较适合开发和测试阶段使用
*/
/*auth
.inMemoryAuthentication()
.withUser("admin")
.password("admin")
.roles("ADMIN");*/
/*
* 可以通过数据源设置的方式,直接基于数据库的验证,还可以设置密码加密,
* 但此种方式要求数据库的用户表结构必须符合spring-security的要求
* 一下配上sql
*/
/*auth
.jdbcAuthentication()
.dataSource(dataSource)
.passwordEncoder(new StandardPasswordEncoder("idatpwd"));*/
/*
* 最好的是基于UserDetailService的接口方式,这样spring-security并不知道系统通过什么样的方式来实现用户数据验证
* 开发人员可以在接口内以任意方式实现,增加了系统的灵活性
*/
auth.userDetailsService(new IdatUserDetailsService(userservice));
}
}
3,在TilesWebConfig中导入配置
@Configuration
@EnableWebMvc
@ComponentScan(basePackages = "com.halfworlders.idat.controller")
@Import(SecurityConfig.class)
public class TilesWebConfig extends WebMvcConfigurerAdapter {
。。。。。
}
只需这三步,就能轻松的启用了Spring security安全框架
另外再需要实现UserDetailsService
package com.cc.test.security;
import org.springframework.security.core.userdetails.User;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.core.userdetails.UsernameNotFoundException;
import com.halfworlders.idat.service.Userservice;
public class IdatUserDetailsService implements UserDetailsService{
private final Userservice userservice;
public IdatUserDetailsService(Userservice userservice) {
this.userservice = userservice;
}
@Override
public UserDetails loadUserByUsername(String userName) throws UsernameNotFoundException {
User user = userservice.findUserByName(userName);
if (null != user) {
return user;
}
throw new UsernameNotFoundException("User name" + userName + "not find");
}
}
UserService
package com.cc.test.service;
import org.springframework.security.core.userdetails.User;
public interface Userservice {
User findUserByName(String userName);
}
package com.cc.test.service.impl;
import java.util.ArrayList;
import java.util.List;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.authority.SimpleGrantedAuthority;
import org.springframework.security.core.userdetails.User;
import org.springframework.stereotype.Service;
import com.halfworlders.idat.service.Userservice;
@Service
public class UserServiceImpl implements Userservice {
@Override
public User findUserByName(String userName) {
List<GrantedAuthority> grantedAuthorities = new ArrayList<GrantedAuthority>();
grantedAuthorities.add(new SimpleGrantedAuthority("ROLE_ADMIN"));
return new User(userName, "admin", grantedAuthorities);
}
}
mysql-sql
SET FOREIGN_KEY_CHECKS=0;
-- ----------------------------
-- Table structure for authorities
-- ----------------------------
DROP TABLE IF EXISTS `authorities`;
CREATE TABLE `authorities` (
`id` int(11) NOT NULL AUTO_INCREMENT,
`username` varchar(20) DEFAULT NULL,
`authority` varchar(50) DEFAULT NULL,
PRIMARY KEY (`id`)
) ENGINE=InnoDB AUTO_INCREMENT=2 DEFAULT CHARSET=utf8;
-- ----------------------------
-- Table structure for groups
-- ----------------------------
DROP TABLE IF EXISTS `groups`;
CREATE TABLE `groups` (
`id` int(11) NOT NULL AUTO_INCREMENT,
`groupName` varchar(50) DEFAULT NULL,
PRIMARY KEY (`id`)
) ENGINE=InnoDB AUTO_INCREMENT=3 DEFAULT CHARSET=utf8;
-- ----------------------------
-- Table structure for group_authorities
-- ----------------------------
DROP TABLE IF EXISTS `group_authorities`;
CREATE TABLE `group_authorities` (
`group_Id` int(11) NOT NULL AUTO_INCREMENT,
`authority` varchar(50) DEFAULT NULL,
PRIMARY KEY (`group_Id`)
) ENGINE=InnoDB AUTO_INCREMENT=2 DEFAULT CHARSET=utf8;
-- ----------------------------
-- Table structure for group_members
-- ----------------------------
DROP TABLE IF EXISTS `group_members`;
CREATE TABLE `group_members` (
`id` int(11) NOT NULL AUTO_INCREMENT,
`userName` varchar(20) DEFAULT NULL,
`group_Id` int(11) DEFAULT NULL,
PRIMARY KEY (`id`)
) ENGINE=InnoDB AUTO_INCREMENT=2 DEFAULT CHARSET=utf8;
-- ----------------------------
-- Table structure for users
-- ----------------------------
DROP TABLE IF EXISTS `users`;
CREATE TABLE `users` (
`id` int(8) NOT NULL AUTO_INCREMENT,
`userName` varchar(20) DEFAULT NULL,
`password` varchar(50) DEFAULT NULL,
`enabled` tinyint(4) DEFAULT NULL,
PRIMARY KEY (`id`)
) ENGINE=InnoDB AUTO_INCREMENT=2 DEFAULT CHARSET=utf8;
四、参考
《Spring In Action(第四版)》
https://blog.csdn.net/u013468915/article/details/81347063
http://www.cnblogs.com/wutianqi/p/9185266.html
http://www.cnblogs.com/wutianqi/p/9186645.html
https://www.cnblogs.com/jaylon/p/4905769.html
https://www.cnblogs.com/guoziyi/p/6001085.html
https://www.cnblogs.com/xz816111/p/8528896.html
https://blog.csdn.net/elim168/article/details/72869685
https://blog.csdn.net/kaikai8552/article/details/3930747
https://blog.csdn.net/lbqssss/article/details/78971037
https://blog.csdn.net/lifeifei2010/article/details/78787558
https://blog.csdn.net/marvel__dead/article/details/77094848