Spring全家桶-Spring Security初探

Tony-devj

已于 2022-04-22 15:21:27 修改

阅读量707

点赞数

分类专栏： Spring Security 文章标签： java spring springsecurity security spring全家桶

于 2022-04-21 15:16:23 首次发布

本文链接：https://blog.csdn.net/qian1314520hu/article/details/124316919

版权

Spring Security 专栏收录该内容

11 篇文章 5 订阅

订阅专栏

Spring全家桶-Spring Security 初探

Spring Security是一个能够为基于Spring的企业应用系统提供声明式的安全访问控制解决方案的安全框架。它提供了一组可以在Spring应用上下文中配置的Bean，充分利用了Spring IoC（控制反转），DI（依赖注入）和AOP（面向切面编程）功能，为应用系统提供声明式的安全访问控制功能，减少了为企业系统安全控制编写大量重复代码的工作。

一、Spring Security初探

以下搭建是基于Spring boot进行相关的开发，并使用Spring boot的最新版本（2.6.6）。用过Spring boot的都知道，它的目的是用来简化新Spring应用的初始搭建以及开发过程。该框架使用了特定的方式来进行配置，从而使开发人员不再需要定义样板化的配置。

二、工程创建

1.使用spring官方Spring Initializr

访问地址：https://start.spring.io/
界面如下：
在这里插入图片描述

project
project声明项目的类型，可以创建maven工程或者gradle工程，可以根据自己的熟练程度进行选择，我本人使用的maven创建
language
项目的编程语言，这里支持Java，Kotlin，Groovy，相信大部分人还是选择Java，😄
springBoot：选择springboot的版本
project Metadata：项目的相关元数据，像maven的话会有group等数据和打包的方式，是jar还是war
dependencies：即相关的包依赖，我们可以点击ADD dependencies按钮进行添加相关依赖，我们这里使用spring security，所有需要添加security的依赖以及web的依赖
generate：生产相关的工程初始化代码
我们下载下来的代码中maven如下：

<?xml version="1.0" encoding="UTF-8"?>
<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
	xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 https://maven.apache.org/xsd/maven-4.0.0.xsd">
	<modelVersion>4.0.0</modelVersion>
	<parent>
		<groupId>org.springframework.boot</groupId>
		<artifactId>spring-boot-starter-parent</artifactId>
		<version>2.6.6</version>
		<relativePath/> <!-- lookup parent from repository -->
	</parent>
	<groupId>com.example</groupId>
	<artifactId>demo</artifactId>
	<version>0.0.1-SNAPSHOT</version>
	<name>demo</name>
	<description>Demo project for Spring Boot</description>
	<properties>
		<java.version>11</java.version>
	</properties>
	<dependencies>
		<dependency>
			<groupId>org.springframework.boot</groupId>
			<artifactId>spring-boot-starter-web</artifactId>
		</dependency>
		<dependency>
			<groupId>org.springframework.boot</groupId>
			<artifactId>spring-boot-starter-security</artifactId>
		</dependency>

		<dependency>
			<groupId>org.springframework.boot</groupId>
			<artifactId>spring-boot-starter-test</artifactId>
			<scope>test</scope>
		</dependency>
		<dependency>
			<groupId>org.springframework.security</groupId>
			<artifactId>spring-security-test</artifactId>
			<scope>test</scope>
		</dependency>
	</dependencies>

	<build>
		<plugins>
			<plugin>
				<groupId>org.springframework.boot</groupId>
				<artifactId>spring-boot-maven-plugin</artifactId>
			</plugin>
		</plugins>
	</build>
</project>

2.通过自建maven工程进行创建（推荐）

为了更清楚相关工程的依赖包，我这边是通过自建工程进行构建的。

创建maven工程（IDE进行创建）环境搭建
因为我是多module管理，因此自建的POM.xml如下：

<?xml version="1.0" encoding="UTF-8"?>
<project xmlns="http://maven.apache.org/POM/4.0.0"
         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
    <modelVersion>4.0.0</modelVersion>

    <groupId>org.tony.spring.security</groupId>
    <artifactId>spring-security-learn</artifactId>
    <version>1.0-SNAPSHOT</version>
    <modules>
    	<!--子工程-->
        <module>spring-security-ch1</module>
    </modules>
    <!-- pom 主工程-->
    <packaging>pom</packaging>

    <properties>
        <maven.compiler.source>11</maven.compiler.source>
        <maven.compiler.target>11</maven.compiler.target>
        <spring.boot.version>2.6.6</spring.boot.version>
    </properties>

    <dependencyManagement>
        <dependencies>
        	<!-- spring boot的版本使用官方的-->
            <dependency>
                <groupId>org.springframework.boot</groupId>
                <artifactId>spring-boot-dependencies</artifactId>
                <version>${spring.boot.version}</version>
                <type>pom</type>
                <scope>import</scope>
            </dependency>
        </dependencies>
    </dependencyManagement>

    <build>
        <plugins>
            <plugin>
                <groupId>org.springframework.boot</groupId>
                <artifactId>spring-boot-maven-plugin</artifactId>
            </plugin>
        </plugins>
    </build>
</project>

创建子工程（通过IDE）
在创建好主工程之后，点击主工程创建module，即可创建子工程，子工程的POM.xml如下：

<?xml version="1.0" encoding="UTF-8"?>
<project xmlns="http://maven.apache.org/POM/4.0.0"
         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
    <parent>
        <artifactId>spring-security-learn</artifactId>
        <groupId>org.tony.spring.security</groupId>
        <version>1.0-SNAPSHOT</version>
    </parent>
    <modelVersion>4.0.0</modelVersion>

    <artifactId>spring-security-ch1</artifactId>

    <properties>
        <maven.compiler.source>11</maven.compiler.source>
        <maven.compiler.target>11</maven.compiler.target>
    </properties>

    <dependencies>
        <dependency>
            <groupId>org.springframework.boot</groupId>
            <artifactId>spring-boot-starter-security</artifactId>
        </dependency>

        <dependency>
            <groupId>org.springframework.boot</groupId>
            <artifactId>spring-boot-starter-web</artifactId>
        </dependency>
    </dependencies>

</project>

项目结构

3.编写代码并运行

现在项目工程创建好了之后，就可以代码的Coding了。

创建应用启动类，Application.java

package org.tony.spring.security;
import org.springframework.boot.SpringApplication;
import org.springframework.boot.autoconfigure.SpringBootApplication;

/**
 * 程序入口
 * @author Tony
 */
@SpringBootApplication
public class Application {
    public static void main(String[] args) {
        SpringApplication.run(Application.class,args);
    }
}

创建Controller包

package org.tony.spring.security.controller;

import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.RestController;

import static org.tony.spring.security.controller.Constants.HELLO_WORLD;

/**
 * index controller
 * @author Tony
 */
@RestController
public class IndexController {
    @GetMapping("/")
    public String index(){
        return HELLO_WORLD;
    }
}

创建application.yml文件

server:
  port: 8080   #默认的端口号就是8080

运行

记住上面标红的一串字符，password后面的就是默认的密码。
访问
打开浏览器访问http://localhost:8080/

用户名默认为user，源码中有，我们等会说，密码就是刚刚标记的。

证明已经成功了。

设置用户名和密码

我们使用默认的用户名和密码的话，不太智能，因为不是我们自己设置的密码，并且密码还那么长？（UUID生成的，源码），我们自己怎么设置用户名和密码呢？

修改用户名密码其实很简单。修改YML文件就可以了

spring:
  security:
    user:
      name: tony
      password: 123456

重启服务即可。

一探究竟（源码分析）

前面项目中，提到过默认的用户名是user，密码是一长串，是怎么生成的呢？我们只引入了security的包，怎么就自动访问的时候需要登陆呢？我们现在就来说说。

我们在进行引入包的时候，是引入的spring-boot-starter-security,这个自动配置是有starter进行处理的。spring-boot-starter是通过下面的包进行自动加载的。

我们看看这个包下有哪些内容？默认是通过servlet进行处理，使用servlet包下进行查看。

Security包下就是对spring-security的自动配置的相关都在这里面。我们具体看看。
SecurityProperties进行属性的解析

//加载属性解析
@ConfigurationProperties(
    prefix = "spring.security"
)
public class SecurityProperties {
    public static final int BASIC_AUTH_ORDER = 2147483642;
    public static final int IGNORED_ORDER = -2147483648;
    public static final int DEFAULT_FILTER_ORDER = -100;
    private final SecurityProperties.Filter filter = new SecurityProperties.Filter();
    private final SecurityProperties.User user = new SecurityProperties.User();

    public SecurityProperties() {
    }

    public SecurityProperties.User getUser() {
        return this.user;
    }

    public SecurityProperties.Filter getFilter() {
        return this.filter;
    }
	//创建一个静态的用户
    public static class User {
    	//默认的用户名，就是没有设置的时候
        private String name = "user";
        //设置密码，默认的密码是通过UUID生成的
        private String password = UUID.randomUUID().toString();
        private List<String> roles = new ArrayList();
        private boolean passwordGenerated = true;
        public User() {
        }
        public String getName() {
            return this.name;
        }

        public void setName(String name) {
            this.name = name;
        }

        public String getPassword() {
            return this.password;
        }

        public void setPassword(String password) {
            if (StringUtils.hasLength(password)) {
                this.passwordGenerated = false;
                this.password = password;
            }
        }

        public List<String> getRoles() {
            return this.roles;
        }

        public void setRoles(List<String> roles) {
            this.roles = new ArrayList(roles);
        }

        public boolean isPasswordGenerated() {
            return this.passwordGenerated;
        }
    }
    //默认的拦截器filter
    public static class Filter {
        private int order = -100;
        private Set<DispatcherType> dispatcherTypes;
        public Filter() {
            this.dispatcherTypes = new HashSet(Arrays.asList(DispatcherType.ASYNC, DispatcherType.ERROR, DispatcherType.REQUEST));
        }
        public int getOrder() {
            return this.order;
        }
        public void setOrder(int order) {
            this.order = order;
        }
        public Set<DispatcherType> getDispatcherTypes() {
            return this.dispatcherTypes;
        }
        public void setDispatcherTypes(Set<DispatcherType> dispatcherTypes) {
            this.dispatcherTypes = dispatcherTypes;
        }
    }
}

有上面属性的代码可以看出，我们在属性中设置的用户名和密码就是在这里起了作用。

UserDetailsServiceAutoConfiguration用户详情自动配置

@Configuration(
    proxyBeanMethods = false
)
@ConditionalOnClass({AuthenticationManager.class})
@ConditionalOnBean({ObjectPostProcessor.class})
@ConditionalOnMissingBean(
    value = {AuthenticationManager.class, AuthenticationProvider.class, UserDetailsService.class, AuthenticationManagerResolver.class},
    type = {"org.springframework.security.oauth2.jwt.JwtDecoder", "org.springframework.security.oauth2.server.resource.introspection.OpaqueTokenIntrospector", "org.springframework.security.oauth2.client.registration.ClientRegistrationRepository"}
)
public class UserDetailsServiceAutoConfiguration {
    private static final String NOOP_PASSWORD_PREFIX = "{noop}";
    private static final Pattern PASSWORD_ALGORITHM_PATTERN = Pattern.compile("^\\{.+}.*$");
    private static final Log logger = LogFactory.getLog(UserDetailsServiceAutoConfiguration.class);
    public UserDetailsServiceAutoConfiguration() {
    }

    @Bean
    @Lazy
    public InMemoryUserDetailsManager inMemoryUserDetailsManager(SecurityProperties properties, ObjectProvider<PasswordEncoder> passwordEncoder) {
        User user = properties.getUser();
        List<String> roles = user.getRoles();
        return new InMemoryUserDetailsManager(new UserDetails[]{org.springframework.security.core.userdetails.User.withUsername(user.getName()).password(this.getOrDeducePassword(user, (PasswordEncoder)passwordEncoder.getIfAvailable())).roles(StringUtils.toStringArray(roles)).build()});
    }

    private String getOrDeducePassword(User user, PasswordEncoder encoder) {
        String password = user.getPassword();
        //这就是默认输出的密码的地方，通过在属性中进行获取
        if (user.isPasswordGenerated()) {
            logger.warn(String.format("%n%nUsing generated security password: %s%n%nThis generated password is for development use only. Your security configuration must be updated before running your application in production.%n", user.getPassword()));
        }
        return encoder == null && !PASSWORD_ALGORITHM_PATTERN.matcher(password).matches() ? "{noop}" + password : password;
    }
}

DefaultSecurityFilterChain（spring-security-web）默认的拦截器链

public final class DefaultSecurityFilterChain implements SecurityFilterChain {
    private static final Log logger = LogFactory.getLog(DefaultSecurityFilterChain.class);
    private final RequestMatcher requestMatcher;
    private final List<Filter> filters;
    public DefaultSecurityFilterChain(RequestMatcher requestMatcher, Filter... filters) {
        this(requestMatcher, Arrays.asList(filters));
    }
    public DefaultSecurityFilterChain(RequestMatcher requestMatcher, List<Filter> filters) {
        if (!filters.isEmpty()) {
            logger.info(LogMessage.format("Will not secure %s", requestMatcher));
        } else {
            logger.info(LogMessage.format("Will secure %s with %s", requestMatcher, filters));
        }

        this.requestMatcher = requestMatcher;
        this.filters = new ArrayList(filters);
    }

    public RequestMatcher getRequestMatcher() {
        return this.requestMatcher;
    }

    public List<Filter> getFilters() {
        return this.filters;
    }

    public boolean matches(HttpServletRequest request) {
        return this.requestMatcher.matches(request);
    }

    public String toString() {
        return this.getClass().getSimpleName() + " [RequestMatcher=" + this.requestMatcher + ", Filters=" + this.filters + "]";
    }
}

默认的拦截器链实现的security的拦截器SecurityFilterChain。
Security Filter是通过FilterChainProxy而不是DelegatingFilterProxy注册进SecurityFilterChain的。通过FilterChainProxy注册有很多优势：

为spring security的Servlet提供了一个起点；比如你想对Servlet做故障排查，可以在FilterChainProxy打断点。
由于FilterChainProxy是Spring Security使用的中心，它可以执行那些额外的任务。例如，它清除SecurityContext以避免内存泄漏。它还应用了Spring Security的HttpFirewall来保护应用程序免受某些类型的攻击；
FilterChainProxy在确定何时应该调用SecurityFilterChain方面提供了更大的灵活性。在Servlet容器中，仅根据URL调用过滤器。然而，FilterChainProxy可以通过利用RequestMatcher接口来决定基于HttpServletRequest中的任何调用；
FilterChainProxy可以用来决定使用哪个SecurityFilterChain，这样可以为应用程序的不同部分提供完全独立的配置

获取登陆界面

这个登陆界面是通过LoginPageGeneratingWebFilter进行创建的，代码如下：

private String formLogin(MultiValueMap<String, String> queryParams, String contextPath, String csrfTokenHtmlInput) {
        if (!this.formLoginEnabled) {
            return "";
        } else {
            boolean isError = queryParams.containsKey("error");
            boolean isLogoutSuccess = queryParams.containsKey("logout");
            StringBuilder page = new StringBuilder();
            page.append("      <form class=\"form-signin\" method=\"post\" action=\"" + contextPath + "/login\">\n");
            page.append("        <h2 class=\"form-signin-heading\">Please sign in</h2>\n");
            page.append(createError(isError));
            page.append(createLogoutSuccess(isLogoutSuccess));
            page.append("        <p>\n");
            page.append("          <label for=\"username\" class=\"sr-only\">Username</label>\n");
            page.append("          <input type=\"text\" id=\"username\" name=\"username\" class=\"form-control\" placeholder=\"Username\" required autofocus>\n");
            page.append("        </p>\n        <p>\n");
            page.append("          <label for=\"password\" class=\"sr-only\">Password</label>\n");
            page.append("          <input type=\"password\" id=\"password\" name=\"password\" class=\"form-control\" placeholder=\"Password\" required>\n");
            page.append("        </p>\n");
            page.append(csrfTokenHtmlInput);
            page.append("        <button class=\"btn btn-lg btn-primary btn-block\" type=\"submit\">Sign in</button>\n");
            page.append("      </form>\n");
            return page.toString();
        }
    }

这里判断是否为formLoginEnabled标记，这个标记我们在SpringBootWebSecurityConfiguration中可以看到

@Bean
@Order(2147483642)
SecurityFilterChain defaultSecurityFilterChain(HttpSecurity http) throws Exception {
    ((HttpSecurity)((HttpSecurity)((AuthorizedUrl)http.authorizeRequests().anyRequest()).authenticated().and()).formLogin().and()).httpBasic();
    return (SecurityFilterChain)http.build();
}

通过上面的代码可以得到所使用的filter，通过HttpSecurity创建filter集合。

public HttpSecurity(ObjectPostProcessor<Object> objectPostProcessor, AuthenticationManagerBuilder authenticationBuilder, Map<Class<?>, Object> sharedObjects) {
        super(objectPostProcessor);
        this.requestMatcher = AnyRequestMatcher.INSTANCE;
        //获得拦截器
        this.filterOrders = new FilterOrderRegistration();
        Assert.notNull(authenticationBuilder, "authenticationBuilder cannot be null");
        this.setSharedObject(AuthenticationManagerBuilder.class, authenticationBuilder);
        Iterator var4 = sharedObjects.entrySet().iterator();

        while(var4.hasNext()) {
            Entry<Class<?>, Object> entry = (Entry)var4.next();
            this.setSharedObject((Class)entry.getKey(), entry.getValue());
        }

        ApplicationContext context = (ApplicationContext)sharedObjects.get(ApplicationContext.class);
        this.requestMatcherConfigurer = new HttpSecurity.RequestMatcherConfigurer(context);
    }

FilterOrderRegistration就是filter的注册

FilterOrderRegistration() {
        FilterOrderRegistration.Step order = new FilterOrderRegistration.Step(100, 100);
        this.put(ChannelProcessingFilter.class, order.next());
        order.next();
        this.put(WebAsyncManagerIntegrationFilter.class, order.next());
        this.put(SecurityContextPersistenceFilter.class, order.next());
        this.put(HeaderWriterFilter.class, order.next());
        this.put(CorsFilter.class, order.next());
        this.put(CsrfFilter.class, order.next());
        this.put(LogoutFilter.class, order.next());
        this.filterToOrder.put("org.springframework.security.oauth2.client.web.OAuth2AuthorizationRequestRedirectFilter", order.next());
        this.filterToOrder.put("org.springframework.security.saml2.provider.service.servlet.filter.Saml2WebSsoAuthenticationRequestFilter", order.next());
        this.put(X509AuthenticationFilter.class, order.next());
        this.put(AbstractPreAuthenticatedProcessingFilter.class, order.next());
        this.filterToOrder.put("org.springframework.security.cas.web.CasAuthenticationFilter", order.next());
        this.filterToOrder.put("org.springframework.security.oauth2.client.web.OAuth2LoginAuthenticationFilter", order.next());
        this.filterToOrder.put("org.springframework.security.saml2.provider.service.servlet.filter.Saml2WebSsoAuthenticationFilter", order.next());
        this.put(UsernamePasswordAuthenticationFilter.class, order.next());
        order.next();
        this.filterToOrder.put("org.springframework.security.openid.OpenIDAuthenticationFilter", order.next());
        this.put(DefaultLoginPageGeneratingFilter.class, order.next());
        this.put(DefaultLogoutPageGeneratingFilter.class, order.next());
        this.put(ConcurrentSessionFilter.class, order.next());
        this.put(DigestAuthenticationFilter.class, order.next());
        this.filterToOrder.put("org.springframework.security.oauth2.server.resource.web.BearerTokenAuthenticationFilter", order.next());
        this.put(BasicAuthenticationFilter.class, order.next());
        this.put(RequestCacheAwareFilter.class, order.next());
        this.put(SecurityContextHolderAwareRequestFilter.class, order.next());
        this.put(JaasApiIntegrationFilter.class, order.next());
        this.put(RememberMeAuthenticationFilter.class, order.next());
        this.put(AnonymousAuthenticationFilter.class, order.next());
        this.filterToOrder.put("org.springframework.security.oauth2.client.web.OAuth2AuthorizationCodeGrantFilter", order.next());
        this.put(SessionManagementFilter.class, order.next());
        this.put(ExceptionTranslationFilter.class, order.next());
        this.put(FilterSecurityInterceptor.class, order.next());
        this.put(AuthorizationFilter.class, order.next());
        this.put(SwitchUserFilter.class, order.next());
    }

Tony-devj

关注

0
点赞
踩
1

收藏

觉得还不错? 一键收藏
0
评论
Spring全家桶-Spring Security初探

Spring全家桶-Spring Security 初探 Spring Security是一个能够为基于Spring的企业应用系统提供声明式的安全访问控制解决方案的安全框架。它提供了一组可以在Spring应用上下文中配置的Bean，充分利用了Spring IoC（控制反转），DI（依赖注入）和AOP（面向切面编程）功能，为应用系统提供声明式的安全访问控制功能，减少了为企业系统安全控制编写大量重复代码的工作。文章目录Spring全家桶-Spring Security 初探一、Spring Securit
复制链接

扫一扫