Spring Security 4 (2): Setting up Spring Security with Java-based configuration

1. Spring Security modules

  To set up Spring Security we first have to pull in the required jars, i.e. the Maven dependencies. Spring Security is split into modules, with one jar per module.

  Spring Security is divided into the following nine modules:

    1. Core (spring-security-core.jar): the core module. Contains the core authentication and authorization classes and interfaces, remoting support and the basic provisioning APIs.

    2. Remoting (spring-security-remoting.jar): support for integrating with Spring Remoting.

    3. Web (spring-security-web.jar): the filters and related web-security code. Used for web authentication and URL-based access control.

    4. Config (spring-security-config.jar): the parsing code for the security namespace.

    5. LDAP (spring-security-ldap.jar): LDAP authentication and provisioning support.

    6. ACL (spring-security-acl.jar): an ACL (access control list) implementation for specific domain objects, used to restrict access to particular objects.

    7. CAS (spring-security-cas.jar): integration with the Spring Security CAS client.

    8. OpenID (spring-security-openid.jar): OpenID web authentication support; users are authenticated against an external OpenID server.

    9. Test (spring-security-test.jar): testing support for Spring Security.

  Normally the Core and Config modules are always needed. Because this tutorial only covers form-login authentication for a Java web application, we also need to pull in the Web module.

  Note: the code for this tutorial has been uploaded to GitHub: https://github.com/wutianqi/spring_security_create

2. Setup

1. Project structure

2. Code

2.1 pom.xml

<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
  xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/maven-v4_0_0.xsd">
  <modelVersion>4.0.0</modelVersion>
  <groupId>com.wuqi</groupId>
  <artifactId>spring_security_create</artifactId>
  <packaging>war</packaging>
  <version>0.0.1-SNAPSHOT</version>
  <name>spring_security_create Maven Webapp</name>
  <url>http://maven.apache.org</url>
  
  <properties>
      <project.build.sourceEncoding>UTF-8</project.build.sourceEncoding>
      <project.reporting.outputEncoding>UTF-8</project.reporting.outputEncoding>
      <!-- web -->
      <jsp.version>2.2</jsp.version>
      <servlet.version>3.1.0</servlet.version>
      <jstl.version>1.2</jstl.version>
      <!-- spring and spring security -->
      <spring-security.version>4.2.3.RELEASE</spring-security.version>
      <spring-framework.version>4.3.11.RELEASE</spring-framework.version>
      <!-- Logging -->
      <logback.version>1.0.13</logback.version>
      <slf4j.version>1.7.5</slf4j.version>
  </properties>
  
  <dependencies>
       <!-- spring -->
       <dependency>
        <groupId>org.springframework</groupId>
        <artifactId>spring-webmvc</artifactId>
        <version>${spring-framework.version}</version>
     </dependency>
     <dependency>    
            <groupId>org.springframework</groupId>    
            <artifactId>spring-tx</artifactId>   
            <version>${spring-framework.version}</version> 
     </dependency>
       <!-- spring security -->
     <dependency>
        <groupId>org.springframework.security</groupId>
        <artifactId>spring-security-core</artifactId>
        <version>${spring-security.version}</version>
     </dependency>
     <dependency>
        <groupId>org.springframework.security</groupId>
        <artifactId>spring-security-web</artifactId>
        <version>${spring-security.version}</version>
     </dependency>
     <dependency>
        <groupId>org.springframework.security</groupId>
        <artifactId>spring-security-config</artifactId>
        <version>${spring-security.version}</version>
     </dependency>
    <!-- other dependencies -->
    <dependency>
      <groupId>javax</groupId>
      <artifactId>javaee-web-api</artifactId>
      <version>7.0</version>
      <scope>provided</scope>
    </dependency>
    <dependency>    
        <groupId>javax.servlet</groupId>    
        <artifactId>javax.servlet-api</artifactId>    
        <version>${servlet.version}</version>    
        <scope>provided</scope>   
    </dependency>    
     <dependency>    
            <groupId>javax.servlet</groupId>    
            <artifactId>jstl</artifactId>    
            <version>${jstl.version}</version> 
     </dependency> 
     <dependency>    
            <groupId>javax.servlet.jsp</groupId>    
            <artifactId>jsp-api</artifactId>    
            <version>${jsp.version}</version> 
            <scope>provided</scope>   
     </dependency>
     <dependency>
          <groupId>com.fasterxml.jackson.dataformat</groupId>
          <artifactId>jackson-dataformat-xml</artifactId>
          <version>2.5.3</version>
     </dependency>
      <!-- logging -->
    <!-- use SLF4J with Logback for logging -->
     <dependency>    
         <groupId>org.slf4j</groupId>    
         <artifactId>slf4j-api</artifactId>    
         <version>${slf4j.version}</version>    
     </dependency> 
     <dependency>    
         <groupId>log4j</groupId>    
         <artifactId>log4j</artifactId>    
         <version>1.2.16</version>    
     </dependency> 
     <dependency>    
         <groupId>org.slf4j</groupId>    
         <artifactId>jcl-over-slf4j</artifactId>    
         <version>${slf4j.version}</version>    
     </dependency>
     <!-- logback -->
      <dependency>    
          <groupId>ch.qos.logback</groupId>    
          <artifactId>logback-core</artifactId>    
          <version>${logback.version}</version>    
      </dependency>    
      <!-- implements the slf4j API and wires it in -->
      <dependency>    
          <groupId>ch.qos.logback</groupId>    
          <artifactId>logback-classic</artifactId>    
          <version>${logback.version}</version>    
      </dependency>  
      <dependency>    
          <groupId>ch.qos.logback</groupId>    
          <artifactId>logback-access</artifactId>    
          <version>${logback.version}</version>    
      </dependency>  
  </dependencies>
  <build>
    <finalName>spring_security_create</finalName>
    <plugins>
        <!-- configure Maven's embedded Tomcat so the app can be started with it -->
        <plugin>
            <groupId>org.apache.tomcat.maven</groupId>
            <artifactId>tomcat7-maven-plugin</artifactId>
            <version>2.2</version>
            <configuration>
            <uriEncoding>utf8</uriEncoding>
            <!-- listen on port 9090 -->
            <port>9090</port>
            <path>/</path>
            </configuration>
         </plugin>
    </plugins>
  </build>
</project>

  Besides the Spring Security dependencies, this pom also pulls in Spring, Spring MVC and logging. Apart from the Spring Security ones you need not worry about them; just use them as they are. For logging I use Logback; take that as-is too, simply put logback.xml on your classpath and it takes effect. None of that is the subject of this tutorial.

 

2.2 MyWebConfig

package com.wuqi.config;

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.ComponentScan;
import org.springframework.context.annotation.Configuration;
import org.springframework.web.servlet.config.annotation.EnableWebMvc;
import org.springframework.web.servlet.config.annotation.WebMvcConfigurerAdapter;
import org.springframework.web.servlet.view.InternalResourceViewResolver;
import org.springframework.web.servlet.view.JstlView;
/**
 * MVC configuration class
 * @author wuqi
 * @date 2018/06/13
 */
@EnableWebMvc
@Configuration
@ComponentScan("com.wuqi")
public class MyWebConfig extends WebMvcConfigurerAdapter {

    // configure the MVC view resolver
    @Bean
    public InternalResourceViewResolver viewResolver() {
        InternalResourceViewResolver viewResolver = new InternalResourceViewResolver();
        viewResolver.setPrefix("/WEB-INF/classes/views/");
        viewResolver.setSuffix(".jsp");
        viewResolver.setViewClass(JstlView.class);
        return viewResolver;
    }    
}

   MyWebConfig is the Spring MVC configuration class; only the view resolver is configured here.

 

2.3 WebInitializer

package com.wuqi.config;

import org.springframework.web.servlet.support.AbstractAnnotationConfigDispatcherServletInitializer;
/**
 * Replaces the web.xml configuration
 * @author wuqi
 * @date 2018/06/13
 */
public class WebInitializer extends AbstractAnnotationConfigDispatcherServletInitializer {

    @Override
    protected Class<?>[] getRootConfigClasses() {
        return null;
    }

    @Override
    protected Class<?>[] getServletConfigClasses() {
        return new Class[] {MyWebConfig.class};
    }

    @Override
    protected String[] getServletMappings() {
        // map the DispatcherServlet to /
        return new String[] {"/"};
    }

}

  WebInitializer is equivalent to registering the DispatcherServlet in web.xml and pointing it at the Spring MVC configuration.

 

2.4 MySecurityConfig

package com.wuqi.config;

import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
/**
 * Spring Security configuration class
 * @author wuqi
 * @date 2018/06/13
 */
@EnableWebSecurity
@Configuration
public class MySecurityConfig extends WebSecurityConfigurerAdapter {
    
    @Autowired
    public void configUser(AuthenticationManagerBuilder builder) throws Exception {
        builder
            .inMemoryAuthentication()
                // create a user named "user" with password "password"
                .withUser("user").password("password").roles("USER");
    }
    
}

  MySecurityConfig is the Spring Security configuration class; this is where you customise Spring Security's behaviour. @EnableWebSecurity is what creates the filters.
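As an added example (not the article's code), here is the same configuration class rewritten so that the behaviour WebSecurityConfigurerAdapter applies implicitly is spelled out in configure(HttpSecurity), and so that the in-memory user store holds only a BCrypt hash of the demo password instead of the plaintext; the bean name passwordEncoder and the class body are mine, the user and credentials are the article's.

```java
package com.wuqi.config;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
import org.springframework.security.crypto.password.PasswordEncoder;

@EnableWebSecurity
@Configuration
public class MySecurityConfig extends WebSecurityConfigurerAdapter {

    // One encoder bean so every password check uses the same hashing scheme.
    @Bean
    public PasswordEncoder passwordEncoder() {
        return new BCryptPasswordEncoder();
    }

    @Override
    protected void configure(AuthenticationManagerBuilder builder) throws Exception {
        // Same demo user as the article, but only the BCrypt hash is kept in memory;
        // the hash is computed once at startup (example code, not the article's).
        PasswordEncoder encoder = passwordEncoder();
        builder.inMemoryAuthentication()
            .passwordEncoder(encoder)
            .withUser("user").password(encoder.encode("password")).roles("USER");
    }

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        // This is what WebSecurityConfigurerAdapter applies when configure(HttpSecurity)
        // is not overridden. CSRF protection, the security headers, logout and
        // session-fixation protection are added by the adapter before this method
        // runs and stay enabled unless explicitly disabled here.
        http
            .authorizeRequests()
                .anyRequest().authenticated()   // every URL needs an authenticated user
                .and()
            .formLogin()                        // generated login page served at /login
                .and()
            .httpBasic();                       // HTTP Basic is also part of the default
    }
}
```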

 

2.5 SecurityInitializer

package com.wuqi.config;

import org.springframework.security.web.context.AbstractSecurityWebApplicationInitializer;
/**
 * Security initializer class, used to register the filter
 * @author wuqi
 * @date 2018/06/13
 */
public class SecurityInitializer extends AbstractSecurityWebApplicationInitializer {

}

   SecurityInitializer is mainly there to register the Spring Security filter.

 

2.6 logback.xml

<?xml version="1.0" encoding="UTF-8"?>  
<configuration scan="true" scanPeriod="1 seconds">  
    <contextListener class="ch.qos.logback.classic.jul.LevelChangePropagator">
        <resetJUL>true</resetJUL>
    </contextListener>
    <jmxConfigurator />
  <appender name="console" class="ch.qos.logback.core.ConsoleAppender">  
    <encoder>
        <pattern>logbak: %d{HH:mm:ss.SSS} %logger{36} - %msg%n</pattern>
    </encoder> 
  </appender>  
  
  <logger name="org.springframework.security.web" level="DEBUG" />  
  <logger name="org.springframework.security" level="DEBUG" />  
  <logger name="org.springframework.security.config" level="DEBUG" />  
  
  <root level="INFO">  
    <appender-ref ref="console" />  
  </root>  
</configuration>

  This logging configuration sets the log level of the web, core and config modules to DEBUG.

 

3. Running it

3.1 Start the project with Maven's embedded Tomcat (if you don't know how, there is plenty of material online); it listens on port 9090. Open http://localhost:9090 in the address bar.

You can see that when we access our project, Spring Security has put it behind protection and presents a default login page asking us to log in. In MySecurityConfig we configured one user, with username "user" and password "password"; enter that username and password and the project can be accessed as normal.

3.2 Enter the username and password

3. Summary

By now we have set up a Spring Security project on top of Spring (Spring MVC). You may well be puzzled about why this works. The page that asks for a username and password: we never created one in the project, so where does it come from?

It all follows from the configuration above: we created and registered Spring Security's filters, and it is those filters that do this for us. Beyond that, Spring Security also applies other protections. In summary, after the configuration above, Spring Security provides the following default features for our application:

  1. Every URL in the application requires authentication

  2. A login form is generated

  3. Users can log in with username and password

  4. Users can log out

  5. CSRF attack prevention

  6. Session Fixation protection

  7. Security header integration

    7.1 HTTP Strict Transport Security for secure requests

    7.2 X-Content-Type-Options integration

    7.3 Cache control (can be overridden later by your application to allow caching of your static resources)

    7.4 X-XSS-Protection integration

    7.5 X-Frame-Options integration to help prevent Clickjacking

  8. Integration with the following Servlet API methods

    8.1 HttpServletRequest#getRemoteUser()

    8.2 HttpServletRequest#getUserPrincipal()

    8.3 HttpServletRequest#isUserInRole(java.lang.String)

    8.4 HttpServletRequest#login(java.lang.String, java.lang.String)

    8.5 HttpServletRequest#logout()

In the next part, by walking through the source code for how Spring Security's filters are created and registered, you will come to understand all of this!

 

References: http://www.tianshouzhi.com/api/tutorials/spring_security_4/250

     https://docs.spring.io/spring-security/site/docs/4.1.3.RELEASE/reference/htmlsingle/
