Spring Security learning notes

web service

Prepared by: Sea, 29 April 2018

Contents

1. The description of Spring Security

1.1. What is Spring Security?

1.2. History

1.3. Spring Security new features

1.4. Why use Spring Security?

2. Filter chain filters

2.1. Authentication process

3. Authentication and authorization: login example

3.1. Dependencies

3.2. Login form

3.3. Create a class that implements UserDetailsService

3.4. Spring Security config

3.5. Authentication success and failure handlers

28.1. Validate code

28.2. Remember-me function

1.  The description of Spring Security

1.1.   What is Spring Security?

Spring Security provides
comprehensive security services for Java EE-based enterprise software applications.
There is a particular emphasis on supporting projects built using The Spring
Framework, which is the leading Java EE solution for enterprise software
development. If you’re not using Spring for developing enterprise applications,
we warmly encourage you to take a closer look at it. Some familiarity with
Spring - and in particular dependency injection principles - will help you get
up to speed with Spring Security more easily.

People use Spring Security for
many reasons, but most are drawn to the project after finding the security
features of Java EE’s Servlet Specification or EJB Specification lack the depth
required for typical enterprise application scenarios. Whilst mentioning these
standards, it’s important to recognise that they are not portable at a WAR or
EAR level. Therefore, if you switch server environments, it is typically a lot
of work to reconfigure your application’s security in the new target
environment. Using Spring Security overcomes these problems, and also brings
you dozens of other useful, customisable security features.

As you probably know two major
areas of application security are "authentication" and
"authorization" (or "access-control"). These are the two
main areas that Spring Security targets. "Authentication" is the process
of establishing a principal is who they claim to be (a "principal"
generally means a user, device or some other system which can perform an action
in your application)."Authorization" refers to the process of
deciding whether a principal is allowed to perform an action within your
application. To arrive at the point where an authorization decision is needed,
the identity of the principal has already been established by the
authentication process. These concepts are common, and not at all specific to Spring
Security.

At an authentication level,
Spring Security supports a wide range of authentication models. Most of these
authentication models are either provided by third parties, or are developed by
relevant standards bodies such as the Internet Engineering Task Force. In
addition, Spring Security provides its own set of authentication features.
Specifically, Spring Security
currently supports authentication integration with all of these technologies:

  • HTTP BASIC authentication headers (an IETF
    RFC-based standard)
  • HTTP Digest authentication headers (an IETF
    RFC-based standard)
  • HTTP X.509 client certificate exchange (an IETF
    RFC-based standard)
  • LDAP (a very common approach to cross-platform
    authentication needs, especially in large environments)
  • Form-based authentication (for simple user
    interface needs)
  • OpenID authentication
  • Authentication based on pre-established request
    headers (such as Computer Associates Siteminder)
  • Jasig Central Authentication Service (otherwise
    known as CAS, which is a popular open source single sign-on system)
  • Transparent authentication context propagation
    for Remote Method Invocation (RMI) and HttpInvoker (a Spring remoting
    protocol)
  • Automatic "remember-me" authentication
    (so you can tick a box to avoid re-authentication for a predetermined
    period of time)
  • Anonymous authentication (allowing every
    unauthenticated call to automatically assume a particular security
    identity)
  • Run-as authentication (which is useful if one
    call should proceed with a different security identity)
  • Java Authentication and Authorization Service
    (JAAS)
  • Java EE container authentication (so you can
    still use Container Managed Authentication if desired)
  • Kerberos
  • Java Open Source Single Sign-On (JOSSO) *
  • OpenNMS Network Management Platform *
  • AppFuse *
  • AndroMDA *
  • Mule ESB *
  • Direct Web Request (DWR) *
  • Grails *
  • Tapestry *
  • JTrac *
  • Jasypt *
  • Roller *
  • Elastic Path *
  • Atlassian Crowd *
  • Your own authentication systems (see below)

(* Denotes provided by a third
party)

Many independent software
vendors (ISVs) adopt Spring Security because of this significant choice of
flexible authentication models. Doing so allows them to quickly integrate their
solutions with whatever their end clients need, without undertaking a lot of
engineering or requiring the client to change their environment. If none of the
above authentication mechanisms suit your needs, Spring Security is an open
platform and it is quite simple to write your own authentication mechanism.
Many corporate users of Spring Security need to integrate with
"legacy" systems that don’t follow any particular security standards,
and Spring Security is happy to "play nicely" with such systems.

Irrespective of the
authentication mechanism, Spring Security provides a deep set of authorization
capabilities. There are three main areas of interest: authorizing web requests,
authorizing whether methods can be invoked and authorizing access to individual
domain object instances. To help you understand the differences, consider the
authorization capabilities found in the Servlet Specification web pattern
security, EJB Container Managed Security and file system security respectively.
Spring Security provides deep capabilities in all of these important areas,
which we’ll explore later in this reference guide.


1.2.   History

Spring Security began in late
2003 as "The Acegi Security System for Spring". A question was posed
on the Spring Developers‘ mailing list asking whether there had been any
consideration given to a Spring-based security implementation. At the time the
Spring community was relatively small (especially compared with the size
today!), and indeed Spring itself had only existed as a SourceForge project
from early 2003. The response to the question was that it was a worthwhile
area, although a lack of time currently prevented its exploration.

With that in mind, a simple
security implementation was built and not released. A few weeks later another
member of the Spring community inquired about security, and at the time this
code was offered to them. Several other requests followed, and by January 2004
around twenty people were using the code. These pioneering users were joined by
others who suggested a SourceForge project was in order, which was duly
established in March 2004.

In those early days, the
project didn’t have any of its own authentication modules. Container Managed
Security was relied upon for the authentication process, with Acegi Security
instead focusing on authorization. This was suitable at first, but as more and
more users requested additional container support, the fundamental limitation
of container-specific authentication realm interfaces became clear. There was
also a related issue of adding new JARs to the container’s classpath, which was
a common source of end user confusion and misconfiguration.

Acegi Security-specific
authentication services were subsequently introduced. Around a year later,
Acegi Security became an official Spring Framework subproject. The 1.0.0 final
release was published in May 2006 - after more than two and a half years of
active use in numerous production software projects and many hundreds of
improvements and community contributions.

Acegi Security became an
official Spring Portfolio project towards the end of 2007 and was rebranded as
"Spring Security".

Today Spring Security enjoys a
strong and active open source community. There are thousands of messages about
Spring Security on the support forums. There is an active core of developers
who work on the code itself and an active community which also regularly share
patches and support their peers.


1.3.   Spring Security new features

The Spring Security 4.0 release resolved 175+ tickets.

The highlights of the new features of Spring Security 4 are summarised below (source):

https://vincentmi.gitbooks.io/spring-security-reference-zh/content/2_whats_new_in_spring_security_4.html

  • More secure defaults.
  • Role methods no longer need the ROLE_ prefix. Previously the XML configuration had to include it:
    <intercept-url pattern="/**" access="hasRole('ROLE_USER')"/>
    Now the ROLE_ prefix can be omitted. This eliminates repetition: since the hasRole expression already defines its argument as a role, the prefix is added automatically when it is absent. The following configuration has the same effect as the previous one:
    <intercept-url pattern="/**" access="hasRole('USER')"/>
    Likewise the annotation
    @PreAuthorize("hasRole('ROLE_USER')")
    is equivalent to the simpler
    @PreAuthorize("hasRole('USER')")
  • Many integration tests were added to the samples.
  • @EnableWebMvcSecurity is deprecated: by raising the minimum Spring version, @EnableWebSecurity now enables MVC integration by default, and it can still be overridden.

From 3.x to 4.x

Spring Security responds to the evolution of application vulnerabilities. As a major version, Spring Security 4 gave the team the opportunity to make some non-passive changes, focused on:

  • ensuring that the default configuration is more secure
  • avoiding information disclosure wherever possible
  • removing deprecated APIs


1.4.    Why use Spring Security?

In the Spring Security world, it is possible to specify:

which resources can be accessed anonymously and which need role permissions;

which pages provide the login function;

how users are authenticated, and how the user's password is encrypted;

which resources must use the HTTPS protocol, and which access ports the resources correspond to.

In other words:

it provides a permission framework, and that framework is workable;

it provides many user-authentication functions, which can save a lot of development work;

it provides role checking;

it provides form-login, remember-me and similar controls.

Comparison between Shiro and Spring Security: https://blog.csdn.net/liyuejin/article/details/77838868

For most people Shiro is easier to use, implement and understand than Spring Security.

The only reason why Spring Security is more famous is the brand name.

"Spring" is famous for its simplicity. Ironically, many people find it difficult to set up Spring Security.

However, Spring Security has better community support.

Compared with Spring Security, Apache Shiro has an additional module for cryptography.

Spring Security combines well with Spring; if Spring MVC is used in the project it is very convenient to use. But if there is no Spring in the project, don't consider it.

Shiro is powerful, simple and flexible. As an Apache project it is reliable, does not bind to any framework or container, and can run independently.

2.  Filter chain filters

http://eryk.iteye.com/blog/626651

1.HttpSessionContextIntegrationFilter

Located at the top of the filter chain; the first filter to run.

Function:

First, before the other filters run, it checks whether the user's session already contains a SecurityContext. If it does, the SecurityContext is taken out of the session and placed in the SecurityContextHolder for the other parts of Spring Security to use. If it does not, a new SecurityContext is created and placed in the SecurityContextHolder.

Second, after all the other filters have executed, it clears the SecurityContextHolder. SecurityContextHolder is based on a ThreadLocal: if it were not cleared when the request completes, the server's thread-pool mechanism would reuse the thread, and the next request handled on that thread would inherit the previous user's context.
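The thread-pool point above is easy to demonstrate outside a container. The following is an added example, not code from the original page, that needs only spring-security-core on the classpath: a single-thread executor plays the role of the container's thread pool, and handleRequest() stands in for one request handled on that pooled thread. The names ContextLeakDemo and handleRequest are this example's own.

```java
import java.util.concurrent.ExecutorService;
import java.util.concurrent.Executors;

import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.authority.AuthorityUtils;
import org.springframework.security.core.context.SecurityContext;
import org.springframework.security.core.context.SecurityContextHolder;

/**
 * Added example: why the first filter in the chain must clear the
 * SecurityContextHolder at the end of every request. SecurityContextHolder
 * uses a ThreadLocal by default, and container threads are pooled and reused.
 */
public class ContextLeakDemo {

    /**
     * Simulates one request on a pooled thread. Returns who the thread
     * "was" when the request started, i.e. what a leaked context looks like.
     */
    static String handleRequest(String user, boolean clearAfterwards) {
        String before = describe(SecurityContextHolder.getContext().getAuthentication());
        try {
            if (user != null) {
                // what a successful form login does: populate the holder for this thread
                Authentication auth = new UsernamePasswordAuthenticationToken(
                        user, null, AuthorityUtils.createAuthorityList("ROLE_USER"));
                SecurityContext ctx = SecurityContextHolder.createEmptyContext();
                ctx.setAuthentication(auth);
                SecurityContextHolder.setContext(ctx);
            }
            return before;
        } finally {
            if (clearAfterwards) {
                // what the context-integration filter does once the chain has finished
                SecurityContextHolder.clearContext();
            }
        }
    }

    static String describe(Authentication a) {
        return a == null ? "anonymous (no context)" : a.getName();
    }

    public static void main(String[] args) throws Exception {
        // one thread that is reused for every "request", like a pooled container thread
        ExecutorService pool = Executors.newSingleThreadExecutor();
        try {
            // Request 1: alice logs in, but the context is NOT cleared afterwards.
            pool.submit(() -> handleRequest("alice", false)).get();
            // Request 2: an unauthenticated request lands on the same thread and
            // starts out as alice. This is the leak the filter prevents.
            String leaked = pool.submit(() -> handleRequest(null, true)).get();
            System.out.println("without clearContext(), request 2 started as: " + leaked);

            // Request 3: bob logs in and the context IS cleared afterwards.
            pool.submit(() -> handleRequest("bob", true)).get();
            // Request 4: the next request on the thread starts with no context.
            String clean = pool.submit(() -> handleRequest(null, true)).get();
            System.out.println("with clearContext(), request 4 started as: " + clean);
        } finally {
            pool.shutdown();
        }
    }
}
```

The second line printed shows the thread starting with no authentication, the first shows it starting as alice: the difference is only whether clearContext() ran in the finally block of the previous request.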

2.LogoutFilter

Handles logout requests only; the default logout URL is /j_spring_security_logout.

When the user sends the logout request, its purpose is to invalidate the user's session, clear the SecurityContextHolder, and then redirect to the logout-success page. It can be combined with mechanisms such as remember-me to clear the user's cookies on logout.

Eg:

<http pattern="/login/pages/login.html" security="none"></http>
<http pattern="/403.html" security="none"></http>

<http auto-config="true" use-expressions="true">
    <logout logout-url="/logout"
            logout-success-url="/"
            invalidate-session="true"
            delete-cookies="JSESSIONID"/>
</http>

3.AuthenticationProcessingFilter

Handles form login: all operations related to form login are processed by this filter.

By default it only handles the /j_spring_security_check request, which must therefore be the address the login form submits to; the other parameters the form requires are set in the form-login configuration.

The basic operation of this filter is to determine whether the user is valid by user name and password. If login succeeds it redirects to the success page (the protected page that was requested before login, or the default target page); if login fails it redirects to the failure page.

The processing URL can be changed; this project uses:

login-processing-url="/user/login"

4.DefaultLoginPageGeneratingFilter

This filter generates a default login page, at the default address /spring_security_login. The default login page supports entering a username and password and the remember-me function, but because it is so plain it is only suitable for demonstrations and cannot be used directly in a real project.

Custom login page:

<http pattern="/login/pages/login.html" security="none"></http>
<http pattern="/403.html" security="none"></http>

<http auto-config="true" use-expressions="true">
    <!-- <http auto-config="true" use-expressions="true" entry-point-ref="customEnteryPoint"> -->
    <csrf disabled="true" />
    <!-- <intercept-url pattern="/**" access="isAuthenticated()"/> -->
    <intercept-url pattern="/**" access="hasRole('ROLE_USER')"/>
    <form-login login-page="/index.html"
                login-processing-url="/user/login"
                default-target-url="/users/pages/userlist.html"
                authentication-failure-url="/403.html"
                always-use-default-target="true"/>
    <logout logout-url="/logout"
            logout-success-url="/"
            invalidate-session="true"
            delete-cookies="JSESSIONID"/>
    <!-- add a filter; this filter sits before FILTER_SECURITY_INTERCEPTOR -->
    <custom-filter ref="validateCodeFilter" before="FIRST" />
</http>

5.BasicProcessingFilter

This filter performs HTTP Basic authentication. Its function is similar to AuthenticationProcessingFilter; only the way the credentials are presented differs.

To add Basic authentication, remove auto-config="true" and add <http-basic />:

<http auto-config="true">
    <http-basic />
    <intercept-url pattern="/admin.jsp" access="ROLE_ADMIN" />
    <intercept-url pattern="/" access="ROLE_USER" />
</http>

6.RememberMeProcessingFilter

This filter implements the remember-me function. When the user's cookie carries the remember-me token, the filter automatically logs the user in based on that token, and creates the SecurityContext that grants the corresponding permissions.

Using auto-config="true" in the configuration file automatically enables remember-me.

In fact, remember-me in Spring Security depends on a cookie: when a user chooses remember-me at login, the system generates a unique token for the user after login succeeds and saves it in a cookie, and we can inspect that cookie on the user's computer through the browser.

7.AnonymousProcessingFilter

So that the rest of the chain can operate uniformly, anonymous users can be assigned a default permission.

Using auto-config="true" in the configuration file enables anonymous login. After anonymous login is enabled, if we want to allow some resources to be accessed without logging in, we can use one of the following configurations.

Method 1:

<http auto-config="true">
    <!-- or ROLE_ANONYMOUS -->
    <intercept-url pattern="/" access="IS_AUTHENTICATED_ANONYMOUSLY" />
    <intercept-url pattern="/admin.jsp" access="ROLE_ADMIN" />
    <intercept-url pattern="/**" access="ROLE_USER" />
</http>

Method 2:

<http auto-config="true">
    <intercept-url pattern="/" filters="none" />
    <intercept-url pattern="/admin.jsp" access="ROLE_ADMIN" />
    <intercept-url pattern="/**" access="ROLE_USER" />
</http>

Method 3 (the security="none" <http> elements are siblings of the main <http> element, not nested inside it):

<http pattern="/login/pages/login.html" security="none"></http>
<http pattern="/403.html" security="none"></http>

<http auto-config="true">
    <!-- intercept-url rules for the protected pages go here -->
</http>

8.ExceptionTranslationFilter

This filter handles the exceptions thrown by FilterSecurityInterceptor during processing, and then either redirects the request to the corresponding page or returns the corresponding HTTP error code.

9.SessionFixationProtectionFilter

Defends against session fixation attacks.

The solution to session fixation is very simple: after the user logs in successfully, the user's current session is destroyed and a new session is generated.

<!-- session-fixation-protection: none | migrateSession | newSession -->
<http auto-config="true" session-fixation-protection="none">
    <intercept-url pattern="/admin.jsp" access="ROLE_ADMIN" />
    <intercept-url pattern="/**" access="ROLE_USER" />
</http>

The value of session-fixation-protection has three choices: none, migrateSession and newSession. The default is migrateSession.

10.FilterSecurityInterceptor

User authority control is performed in this filter.

Function 1: if the user has not logged in, AuthenticationCredentialsNotFoundException ("not yet authenticated") is thrown.

Function 2: if the user is logged in but does not have access to the current resource, AccessDeniedException ("access denied") is thrown.

Function 3: if the user is logged in and has access to the current resource, the request is allowed through.


2.1.   Authentication process

Authentication theory

Detail process

// look at the source-code flow

3.  Authentication and authorization: login example

3.1.   Dependencies

<!-- property: <spring-security.version>4.0.2.RELEASE</spring-security.version> -->

<dependency>
    <groupId>org.springframework.security</groupId>
    <artifactId>spring-security-core</artifactId>
    <version>${spring-security.version}</version>
</dependency>
<dependency>
    <groupId>org.springframework.security</groupId>
    <artifactId>spring-security-web</artifactId>
    <version>${spring-security.version}</version>
</dependency>
<dependency>
    <groupId>org.springframework.social</groupId>
    <artifactId>spring-social-web</artifactId>
    <version>1.1.4.RELEASE</version>
</dependency>
<dependency>
    <groupId>org.springframework.security</groupId>
    <artifactId>spring-security-config</artifactId>
    <version>${spring-security.version}</version>
</dependency>

3.2.   Login form

<form class="form-horizontal" method="POST" action="/user/login">
    <div class="form-group">
        <label for="username" class="col-sm-2 control-label">用户名</label>
        <div class="col-sm-6">
            <input type="text" class="form-control" id="username" name="username" ng-model="user.username"
                   placeholder="请输入用户名!" required>
        </div><span style="color: red">{{message}}</span>
    </div>
    <div class="form-group">
        <label for="password" class="col-sm-2 control-label">密码</label>
        <div class="col-sm-6">
            <input type="password" class="form-control" id="password" name="password" ng-model="user.password"
                   placeholder="请输入密码!" required>
        </div><span style="color: red">{{message1}}</span>
    </div>
    <div class="form-group">
        <label for="validateCode" class="col-sm-2 control-label">验证码</label>
        <div class="col-sm-6">
            <input type="text" class="form-control" id="validateCode" name="imageCode"
                   placeholder="请输入验证码!" required>
        </div>
        <div> <img id="loginform_Code" alt="验证码" src="/validate/image"
                   onclick="javascript:document.getElementById('loginform_Code').src='/validate/image?'+Math.random();" />
        </div>
    </div>
    <div class="form-group">
        <div class="col-sm-offset-2 col-sm-10">
            <input type="submit" width="100" value="登录"
                   style="background: url('../../img/login.gif') no-repeat scroll 0 0 rgba(0, 0, 0, 0); height: 35px; width: 100px; color: white;">
        </div>
    </div>
</form>

3.3.   Create a class that implements UserDetailsService

import java.util.HashSet;
import java.util.Set;

import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.authority.SimpleGrantedAuthority;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.core.userdetails.UsernameNotFoundException;
import org.springframework.transaction.annotation.Transactional;

public class UserDetailsServiceImpl implements UserDetailsService {

    @Autowired
    private UserRepository userRepository;

    @Override
    @Transactional(readOnly = true)
    public UserDetails loadUserByUsername(String username) throws UsernameNotFoundException {
        // look the user up in the database and assign the authorities
        User user = userRepository.getUserByUsername(username);
        if (user == null) {
            // without this check an unknown username would cause a NullPointerException below
            throw new UsernameNotFoundException("user not found");
        }
        Set<GrantedAuthority> grantedAuthorities = new HashSet<>();
        grantedAuthorities.add(new SimpleGrantedAuthority("ROLE_USER"));
        // the stored password must already be a hash produced by the configured password encoder
        return new org.springframework.security.core.userdetails.User(
                user.getUsername(), user.getPassword(), grantedAuthorities);
    }
}

3.4.   Spring Security config

<?xml version="1.0" encoding="UTF-8"?>
<beans:beans xmlns="http://www.springframework.org/schema/security"
    xmlns:beans="http://www.springframework.org/schema/beans"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xsi:schemaLocation="http://www.springframework.org/schema/beans
        http://www.springframework.org/schema/beans/spring-beans-3.0.xsd
        http://www.springframework.org/schema/security
        http://www.springframework.org/schema/security/spring-security.xsd">

    <!-- static resources and the public pages bypass the security filter chain entirely -->
    <http pattern="/**/*.css" security="none"></http>
    <http pattern="/**/*.jpg" security="none"></http>
    <http pattern="/**/*.jpeg" security="none"></http>
    <http pattern="/**/*.gif" security="none"></http>
    <http pattern="/**/*.png" security="none"></http>
    <http pattern="/**/*.js" security="none"></http>
    <http pattern="/validate/image" security="none"></http>
    <http pattern="/index.html" security="none"></http>
    <http pattern="/login/pages/login.html" security="none"></http>
    <http pattern="/403.html" security="none"></http>

    <http auto-config="true" use-expressions="true">
        <csrf disabled="true" />
        <!-- <intercept-url pattern="/**" access="isAuthenticated()"/> -->
        <intercept-url pattern="/**" access="hasRole('ROLE_USER')"/>
        <form-login login-page="/index.html"
                    login-processing-url="/user/login"
                    default-target-url="/users/pages/userlist.html"
                    authentication-failure-url="/403.html"
                    always-use-default-target="true"/>
        <logout logout-url="/logout"
                logout-success-url="/"
                invalidate-session="true"
                delete-cookies="JSESSIONID"/>
        <!-- add a filter; this filter sits before FILTER_SECURITY_INTERCEPTOR -->
        <custom-filter ref="validateCodeFilter" before="FIRST" />
    </http>

    <beans:bean id="validateCodeFilter" class="com.icil.filter.ValidateCodeFilter"></beans:bean>

    <authentication-manager alias="authenticationManager">
        <authentication-provider user-service-ref="userDetailsServiceImpl">
            <password-encoder ref="encoder"></password-encoder>
        </authentication-provider>
    </authentication-manager>

    <beans:bean id="userDetailsServiceImpl" class="com.icil.service.UserDetailsServiceImpl"></beans:bean>

    <beans:bean id="encoder" class="org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder">
        <beans:constructor-arg name="strength" value="11"/>
    </beans:bean>

</beans:beans>
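The encoder bean above is used on two sides of the login flow: the stored password must be a BCrypt hash, and at login DaoAuthenticationProvider calls matches() with the submitted plaintext against that hash. The following is an added example, not the project's code, that shows both sides with the same strength (11) as the XML bean; the in-memory map stands in for the project's UserRepository, and the names BcryptFlowDemo, register and login are this example's own.

```java
import java.util.HashMap;
import java.util.Map;

import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
import org.springframework.security.crypto.password.PasswordEncoder;

/**
 * Added example: what <password-encoder ref="encoder"> does at registration
 * time and at login time. Needs spring-security-core on the classpath.
 */
public class BcryptFlowDemo {

    // same strength as the XML bean: cost factor 11, i.e. 2^11 rounds per hash
    private static final PasswordEncoder ENCODER = new BCryptPasswordEncoder(11);

    // stands in for the project's UserRepository: username -> stored hash (constructed data)
    private static final Map<String, String> USER_STORE = new HashMap<>();

    // hashed once at start-up so an unknown user costs the same as a wrong password
    private static final String DUMMY_HASH = ENCODER.encode("dummy-password-for-timing");

    /** Registration side: only the hash is stored, never the plaintext. */
    static String register(String username, String rawPassword) {
        String hash = ENCODER.encode(rawPassword);   // a fresh random salt every call
        USER_STORE.put(username, hash);
        return hash;
    }

    /**
     * Login side: the same comparison DaoAuthenticationProvider performs with
     * the password returned by UserDetailsService.loadUserByUsername().
     */
    static boolean login(String username, String rawPassword) {
        String stored = USER_STORE.get(username);
        if (stored == null) {
            // compare against a dummy hash so the response time does not reveal
            // whether the username exists
            ENCODER.matches(rawPassword, DUMMY_HASH);
            return false;
        }
        return ENCODER.matches(rawPassword, stored);
    }

    public static void main(String[] args) {
        String h1 = register("sea", "correct horse");
        String h2 = ENCODER.encode("correct horse");
        System.out.println("hash 1: " + h1);
        System.out.println("hash 2: " + h2);
        System.out.println("same password, different hashes (random salt): " + !h1.equals(h2));
        System.out.println("login with right password: " + login("sea", "correct horse"));
        System.out.println("login with wrong password: " + login("sea", "Correct horse"));
        System.out.println("login with unknown user:   " + login("nobody", "anything"));
    }
}
```

Two things to check against this configuration: the value that UserDetailsServiceImpl returns from user.getPassword() must be a hash produced by the same encoder, otherwise every login fails; and the same <http> element disables CSRF protection with <csrf disabled="true"/>, which Spring Security 4 enables by default, so a browser-submitted login form is better served by keeping CSRF enabled and including the token in the form.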

3.5.   Authentication success and failure handlers

package com.icil.securityHandler;

import java.io.IOException;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.springframework.security.core.Authentication;
import org.springframework.security.web.authentication.AuthenticationSuccessHandler;
import org.springframework.stereotype.Component;

/**
 * AuthenticationSuccessHandler
 * @author Sea
 */
@Component
public class MyAuthenticationSuccessHandler implements AuthenticationSuccessHandler {

    @Override
    public void onAuthenticationSuccess(HttpServletRequest request, HttpServletResponse response,
            Authentication authentication) throws IOException, ServletException {
        // all information about the authenticated principal is available here,
        // so this is the place for any post-login work
        System.out.println("认证成功!!");
        response.sendRedirect("/users/pages/userlist.html");
    }
}

package com.icil.securityHandler;

import java.io.IOException;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.springframework.security.core.AuthenticationException;
import org.springframework.security.web.authentication.AuthenticationFailureHandler;
import org.springframework.stereotype.Component;

@Component
public class MyAuthenticationFailureHandler implements AuthenticationFailureHandler {

    @Override
    public void onAuthenticationFailure(HttpServletRequest request, HttpServletResponse response,
            AuthenticationException exception) throws IOException, ServletException {
        // TODO Auto-generated method stub
    }
}

28.1.   Validate code

ImageCodeController

import java.io.IOException;

import javax.imageio.ImageIO;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

import org.springframework.social.connect.web.HttpSessionSessionStrategy;
import org.springframework.social.connect.web.SessionStrategy;
import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.RestController;
import org.springframework.web.context.request.ServletWebRequest;

import com.icil.imagecode.ImageCode;

@RestController
public class ImageCodeController {

    public static final String SESSION_KEY = "SESSION_KEY_IMAGE_CODE";

    // SessionStrategy comes from spring-social-web (see the dependencies in 3.1)
    private SessionStrategy sessionStrategy = new HttpSessionSessionStrategy();

    @GetMapping("/validate/image")
    public void generateImageCode(HttpServletRequest request, HttpServletResponse response) throws IOException {
        // create an image code
        ImageCode imageCode = createImageCode(request);
        // the sessionStrategy obtains the HTTP session from the request and stores the code there,
        // where ValidateCodeFilter will read it back on the login POST
        sessionStrategy.setAttribute(new ServletWebRequest(request), SESSION_KEY, imageCode);
        ImageIO.write(imageCode.getImage(), "JPEG", response.getOutputStream());
    }

    private ImageCode createImageCode(HttpServletRequest request) {
        // ImageCodeGenerate is the project's own generator class (not shown on this page)
        ImageCodeGenerate imageCodes = new ImageCodeGenerate(120, 35, 5, 150);
        // the code expires 30 seconds after it is issued
        return new ImageCode(imageCodes.getBuffImg(), imageCodes.getCode(), 30);
    }
}

ImageCode

package com.icil.imagecode;

import java.awt.image.BufferedImage;
import java.time.LocalDateTime;

/**
 * @author sea
 */
public class ImageCode {

    private BufferedImage image;
    private String code;
    private LocalDateTime expireTime;   // absolute expiry time, computed from a lifetime in seconds

    // never updated anywhere: callers must use isExpired() below, not this field
    public boolean isExpired;

    public ImageCode() {
        super();
    }

    public ImageCode(BufferedImage image, String code, int expireInSeconds) {
        super();
        this.image = image;
        this.code = code;
        this.expireTime = LocalDateTime.now().plusSeconds(expireInSeconds);
    }

    public boolean isExpired() {
        return LocalDateTime.now().isAfter(expireTime);
    }

    public BufferedImage getImage() {
        return image;
    }

    public void setImage(BufferedImage image) {
        this.image = image;
    }

    public String getCode() {
        return code;
    }

    public void setCode(String code) {
        this.code = code;
    }

    public LocalDateTime getExpireTime() {
        return expireTime;
    }

    public void setExpireTime(LocalDateTime expireTime) {
        this.expireTime = expireTime;
    }
}

 

ValidateCodeFilter

package com.icil.filter;

import java.io.IOException;

import javax.servlet.FilterChain;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

import org.apache.commons.lang3.StringUtils;
import org.springframework.security.web.authentication.AuthenticationFailureHandler;
import org.springframework.social.connect.web.HttpSessionSessionStrategy;
import org.springframework.social.connect.web.SessionStrategy;
import org.springframework.web.bind.ServletRequestBindingException;
import org.springframework.web.bind.ServletRequestUtils;
import org.springframework.web.context.request.ServletWebRequest;
import org.springframework.web.filter.OncePerRequestFilter;

import com.icil.imagecode.ImageCode;
// ImageCodeController and ValidatecodeException are the project's own classes; their
// packages are not shown on this page, so import them from wherever the project keeps them

/**
 * Extends OncePerRequestFilter, provided by Spring, which guarantees the filter runs only once per request.
 * @author lenove
 */
public class ValidateCodeFilter extends OncePerRequestFilter {

    private AuthenticationFailureHandler authenticationFailureHandler;

    private SessionStrategy sessionStrategy = new HttpSessionSessionStrategy();

    @Override
    protected void doFilterInternal(HttpServletRequest request, HttpServletResponse response, FilterChain filterChain)
            throws ServletException, IOException {
        // is this the login request? POST /user/login
        if (StringUtils.equals("/user/login", request.getRequestURI())
                && StringUtils.equalsIgnoreCase("post", request.getMethod())) {
            try {
                validate(new ServletWebRequest(request));
            } catch (ValidatecodeException e) {
                // image code validation failed
                // authenticationFailureHandler.onAuthenticationFailure(request, response, e);
                e.printStackTrace();
                response.sendRedirect("/");
                return;
            }
        }
        // continue with the other filters
        filterChain.doFilter(request, response);
    }

    private void validate(ServletWebRequest request) throws ServletRequestBindingException {
        ImageCode imageCodeInSession = (ImageCode) sessionStrategy.getAttribute(request, ImageCodeController.SESSION_KEY);
        // ServletRequestUtils is a Spring helper for reading request parameters
        String codeInRequestScope = ServletRequestUtils.getStringParameter(request.getRequest(), "imageCode");

        if (StringUtils.isBlank(codeInRequestScope)) {
            throw new ValidatecodeException("验证码不能为空!");
        }
        // No code in the session (never issued, or already consumed by an earlier attempt) is
        // treated like an expired code; the expiry check must call isExpired(), the method,
        // because the public field of the same name in ImageCode is never set.
        if (imageCodeInSession == null || imageCodeInSession.isExpired()) {
            sessionStrategy.removeAttribute(request, ImageCodeController.SESSION_KEY);
            throw new ValidatecodeException("验证码已过期!");
        }
        if (!StringUtils.equals(codeInRequestScope, imageCodeInSession.getCode())) {
            sessionStrategy.removeAttribute(request, ImageCodeController.SESSION_KEY);
            throw new ValidatecodeException("验证码错误!");
        }
        // a code is single-use: remove it from the session once it has been accepted
        sessionStrategy.removeAttribute(request, ImageCodeController.SESSION_KEY);
    }

    public AuthenticationFailureHandler getAuthenticationFailureHandler() {
        return authenticationFailureHandler;
    }

    public void setAuthenticationFailureHandler(AuthenticationFailureHandler authenticationFailureHandler) {
        this.authenticationFailureHandler = authenticationFailureHandler;
    }

    public SessionStrategy getSessionStrategy() {
        return sessionStrategy;
    }

    public void setSessionStrategy(SessionStrategy sessionStrategy) {
        this.sessionStrategy = sessionStrategy;
    }
}
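Two loose ends on this page meet here: the failure handler in 3.5 is left as a TODO, and the filter above keeps its authenticationFailureHandler.onAuthenticationFailure(...) call commented out, falling back to printStackTrace() and a hard-coded redirect. The following is an added example, not the project's code, that completes both: one failure handler that form-login and the filter can share, plus the shape ValidatecodeException must have for the filter's catch block to hand it to that handler. The page does not show ValidatecodeException, so the class below is an assumption about it; the handler name GenericRedirectFailureHandler and the /403.html target (the project's existing error page) are this example's choices.

```java
import java.io.IOException;
import java.util.logging.Logger;

import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

import org.springframework.security.core.AuthenticationException;
import org.springframework.security.web.authentication.AuthenticationFailureHandler;

/**
 * Added example: a completed failure handler. Every failure (bad password,
 * wrong or expired image code, locked account, ...) ends on the same generic
 * page; the actual reason is only logged server-side, in line with the
 * "avoid information disclosure" goal of Spring Security 4.
 */
public class GenericRedirectFailureHandler implements AuthenticationFailureHandler {

    private static final Logger LOG = Logger.getLogger(GenericRedirectFailureHandler.class.getName());

    // assumed target: the project's existing error page
    private String failureUrl = "/403.html";

    @Override
    public void onAuthenticationFailure(HttpServletRequest request, HttpServletResponse response,
            AuthenticationException exception) throws IOException, ServletException {
        // the exception class tells operators which check failed; the client only
        // sees the redirect, so the response does not reveal which part was wrong
        LOG.warning("login failed from " + request.getRemoteAddr() + ": "
                + exception.getClass().getSimpleName() + " - " + exception.getMessage());
        // prefix the context path so the redirect stays inside this application
        response.sendRedirect(request.getContextPath() + failureUrl);
    }

    public void setFailureUrl(String failureUrl) {
        this.failureUrl = failureUrl;
    }
}

/**
 * Assumed shape of the filter's exception: it must extend AuthenticationException,
 * otherwise it cannot be passed to AuthenticationFailureHandler.onAuthenticationFailure().
 */
class ValidatecodeException extends AuthenticationException {
    private static final long serialVersionUID = 1L;

    public ValidatecodeException(String msg) {
        super(msg);
    }
}
```

To wire it into the configuration of 3.4: declare the handler as a bean, replace authentication-failure-url="/403.html" on <form-login> with authentication-failure-handler-ref pointing at that bean (the two attributes are alternatives, not used together), and give the validateCodeFilter bean a <beans:property name="authenticationFailureHandler" ref="..."/>. The filter's catch block can then call authenticationFailureHandler.onAuthenticationFailure(request, response, e) and drop the printStackTrace() and the redirect to "/".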


28.2.   Remember-me function

Remember-me theory

config

<remember-me token-repository-ref="jdbcTokenRepositoryImpl"
             token-validity-seconds="300"
             user-service-ref="userDetailsServiceImpl"/>

<beans:bean id="jdbcTokenRepositoryImpl"
            class="org.springframework.security.web.authentication.rememberme.JdbcTokenRepositoryImpl">
    <beans:property name="dataSource" ref="dataSource" />
    <!-- <beans:property name="createTableOnStartup" value="true" /> -->
</beans:bean>


Original article: https://www.cnblogs.com/lshan/p/9000235.html

Time: 2024-08-26 00:02:59
