6.1 Introduction

Namespace configuration has been available since version 2.0 of the Spring Framework. It allows you to supplement the traditional Spring beans application context syntax with elements from additional XML schema. You can find more information in the Spring Reference Documentation. A namespace element can be used simply to allow a more concise way of configuring an individual bean or, more powerfully, to define an alternative configuration syntax which more closely matches the problem domain and hides the underlying complexity from the user.

自Spring Framework 2.0版以来,命名空间配置已经可用。它允许您使用其他XML模式中的元素来补充传统的Spring bean应用程序上下文语法。您可以在Spring Reference Documentation中找到更多信息。命名空间元素可以简单地用于允许更简洁的方式来配置单个bean,或者更有力地用于定义替代配置语法,该语法更紧密地匹配问题域并且隐藏用户的底层复杂性。
 
 A simple element may conceal the fact that multiple beans and processing steps are being added to the application context. For example, adding the following element from the security namespace to an application context will start up an embedded LDAP server for testing use within the application:
一个简单的元素可能会隐藏多个bean和处理步骤被添加到应用程序上下文的事实。例如,将以下元素从安全名称空间添加到应用程序上下文将启动嵌入式LDAP服务器,以便在应用程序中测试使用:
<security:ldap-server />

This is much simpler than wiring up the equivalent Apache Directory Server beans. The most common alternative configuration requirements are supported by attributes on the ldap-server element and the user is isolated from worrying about which beans they need to create and what the bean property names are. [1]. Use of a good XML editor while editing the application context file should provide information on the attributes and elements that are available. We would recommend that you try out the Spring Tool Suite as it has special features for working with standard Spring namespaces.

这比连接等效的Apache Directory Server bean简单得多。 ldap-server元素上的属性支持最常见的备用配置要求,并且用户可以避免担心需要创建哪些bean以及bean属性名称是什么。 [1]。在编辑应用程序上下文文件时使用良好的XML编辑器应该提供有关可用属性和元素的信息。我们建议您试用Spring Tool Suite,因为它具有处理标准Spring命名空间的特殊功能。
 
To start using the security namespace in your application context, you need to have the spring-security-config jar on your classpath. Then all you need to do is add the schema declaration to your application context file:
要在应用程序上下文中开始使用安全命名空间,您需要在类路径上安装spring-security-config jar。然后,您需要做的就是将架构声明添加到应用程序上下文文件中:
 
<beans xmlns="http://www.springframework.org/schema/beans"
xmlns:security="http://www.springframework.org/schema/security"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://www.springframework.org/schema/beans
http://www.springframework.org/schema/beans/spring-beans-3.0.xsd
http://www.springframework.org/schema/security
http://www.springframework.org/schema/security/spring-security.xsd">
...
</beans>

In many of the examples you will see (and in the sample applications), we will often use "security" as the default namespace rather than "beans", which means we can omit the prefix on all the security namespace elements, making the content easier to read. You may also want to do this if you have your application context divided up into separate files and have most of your security configuration in one of them. Your security application context file would then start like this

在您将看到的许多示例中(以及示例应用程序中),我们经常使用“security”作为默认命名空间而不是“beans”,这意味着我们可以在所有安全命名空间元素上省略前缀,从而制作内容更容易阅读。如果您将应用程序上下文划分为单独的文件并在其中一个文件中包含大部分安全配置,则可能还需要执行此操作。然后,您的安全应用程序上下文文件将如下所示
 
<beans:beans xmlns="http://www.springframework.org/schema/security"
xmlns:beans="http://www.springframework.org/schema/beans"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://www.springframework.org/schema/beans
http://www.springframework.org/schema/beans/spring-beans-3.0.xsd
http://www.springframework.org/schema/security
http://www.springframework.org/schema/security/spring-security.xsd">
...
</beans:beans>

We’ll assume this syntax is being used from now on in this chapter.

我们假设从现在开始在本章中使用了这种语法。

6.1.1 Design of the Namespace

The namespace is designed to capture the most common uses of the framework and provide a simplified and concise syntax for enabling them within an application. The design is based around the large-scale dependencies within the framework, and can be divided up into the following areas:

命名空间旨在捕获框架的最常见用法,并提供简化和简洁的语法,以便在应用程序中启用它们。该设计基于框架内的大规模依赖性,可分为以下几个方面:
 
  • Web/HTTP Security - the most complex part. Sets up the filters and related service beans used to apply the framework authentication mechanisms, to secure URLs, render login and error pages and much more.
  • Web / HTTP安全 - 最复杂的部分。设置用于应用框架身份验证机制的过滤器和相关服务bean,保护URL,呈现登录和错误页面等等。
  • Business Object (Method) Security - options for securing the service layer.
  • 业务对象(方法)安全性 - 保护服务层的选项。
  • AuthenticationManager - handles authentication requests from other parts of the framework.
  • AuthenticationManager - 处理来自框架其他部分的身份验证请求。
  • AccessDecisionManager - provides access decisions for web and method security. A default one will be registered, but you can also choose to use a custom one, declared using normal Spring bean syntax.
  • AccessDecisionManager - 提供Web和方法安全性的访问决策。将注册一个默认值,但您也可以选择使用自定义Spring bean语法声明的自定义。
  • AuthenticationProviders - mechanisms against which the authentication manager authenticates users. The namespace provides supports for several standard options and also a means of adding custom beans declared using a traditional syntax.
  • AuthenticationProviders - 身份验证管理器对用户进行身份验证的机制。命名空间提供了对多个标准选项的支持,也提供了添加使用传统语法声明的自定义bean的方法。
  • UserDetailsService - closely related to authentication providers, but often also required by other beans.
  • UserDetailsS​​ervice - 与身份验证提供程序密切相关,但通常也需要其他bean。

We’ll see how to configure these in the following sections.

我们将在以下部分中看到如何配置它们。
 

6.2 Getting Started with Security Namespace Configuration

In this section, we’ll look at how you can build up a namespace configuration to use some of the main features of the framework. Let’s assume you initially want to get up and running as quickly as possible and add authentication support and access control to an existing web application, with a few test logins. Then we’ll look at how to change over to authenticating against a database or other security repository. In later sections we’ll introduce more advanced namespace configuration options.

在本节中,我们将介绍如何构建命名空间配置以使用框架的一些主要功能。假设您最初希望尽快启动并运行,并通过一些测试登录将身份验证支持和访问控制添加到现有Web应用程序。然后,我们将了解如何更改以对数据库或其他安全存储库进行身份验证。在后面的部分中,我们将介绍更高级的命名空间配置选项。
 

6.2.1 web.xml Configuration

The first thing you need to do is add the following filter declaration to your web.xml file:

您需要做的第一件事是将以下过滤器声明添加到您的web.xml文件中:
 
<filter>
<filter-name>springSecurityFilterChain</filter-name>
<filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
</filter> <filter-mapping>
<filter-name>springSecurityFilterChain</filter-name>
<url-pattern>/*</url-pattern>
</filter-mapping>

This provides a hook into the Spring Security web infrastructure. DelegatingFilterProxy is a Spring Framework class which delegates to a filter implementation which is defined as a Spring bean in your application context. In this case, the bean is named "springSecurityFilterChain", which is an internal infrastructure bean created by the namespace to handle web security. Note that you should not use this bean name yourself. Once you’ve added this to your web.xml, you’re ready to start editing your application context file. Web security services are configured using the <http> element.

这为Spring Security Web基础结构提供了一个钩子。 DelegatingFilterProxy是一个Spring Framework类,它委托给一个过滤器实现,该实现在应用程序上下文中定义为一个Spring bean。在这种情况下,bean被命名为“springSecurityFilterChain”,它是由命名空间创建的内部基础结构bean,用于处理Web安全性。请注意,您不应自己使用此bean名称。将此文件添加到web.xml后,即可开始编辑应用程序上下文文件。使用<http>元素配置Web安全服务。
 

6.2.2 A Minimal <http> Configuration

All you need to enable web security to begin with is

启用Web安全性所需的只是
<http>
<intercept-url pattern="/**" access="hasRole('USER')" />
<form-login />
<logout />
</http>

Which says that we want all URLs within our application to be secured, requiring the role ROLE_USER to access them, we want to log in to the application using a form with username and password, and that we want a logout URL registered which will allow us to log out of the application. <http> element is the parent for all web-related namespace functionality. The <intercept-url> element defines a pattern which is matched against the URLs of incoming requests using an ant path style syntax [2].

这说明我们希望应用程序中的所有URL都是安全的,需要角色ROLE_USER来访问它们,我们希望使用带有用户名和密码的表单登录应用程序,并且我们希望注册的注销URL允许我们退出应用程序。 <http>元素是所有与Web相关的命名空间功能的父元素。 <intercept-url>元素定义了一个模式,该模式使用ant路径样式语法[2]与传入请求的URL匹配。
 
You can also use regular-expression matching as an alternative (see the namespace appendix for more details). The access attribute defines the access requirements for requests matching the given pattern. With the default configuration, this is typically a comma-separated list of roles, one of which a user must have to be allowed to make the request. 
您还可以使用正则表达式匹配作为替代方法(有关详细信息,请参阅命名空间附录)。 access属性定义与给定模式匹配的请求的访问要求。使用默认配置时,这通常是以逗号分隔的角色列表,其中一个角色必须允许用户发出请求。
 
The prefix"ROLE_" is a marker which indicates that a simple comparison with the user’s authorities should be made. In other words, a normal role-based check should be used. Access-control in Spring Security is not limited to the use of simple roles (hence the use of the prefix to differentiate between different types of security attributes). We’ll see later how the interpretation can vary footnote:[The interpretation of the comma-separated values in the access attribute depends on the implementation of the –1— which is used. In Spring Security 3.0, the attribute can also be populated with an –2—.
前缀“ROLE_”是一个标记,表示应该与用户的权限进行简单比较。换句话说,应该使用正常的基于角色的检查。 Spring Security中的访问控制不仅限于使用简单角色(因此使用前缀来区分不同类型的安全属性)。稍后我们将看到解释如何变化脚注:[访问属性中逗号分隔值的解释取决于所使用的-1的实现。在Spring Security 3.0中,该属性也可以用-2-填充。
 
You can use multiple <intercept-url> elements to define different access requirements for different sets of URLs, but they will be evaluated in the order listed and the first match will be used. So you must put the most specific matches at the top. You can also add a method attribute to limit the match to a particular HTTP method (GETPOSTPUT etc.).
您可以使用多个<intercept-url>元素为不同的URL集定义不同的访问要求,但它们将按列出的顺序进行评估,并将使用第一个匹配项。所以你必须把最具体的比赛放在最上面。您还可以添加方法属性以限制与特定HTTP方法(GET,POST,PUT等)的匹配。
 
To add some users, you can define a set of test data directly in the namespace:
要添加一些用户,您可以直接在命名空间中定义一组测试数据:
 
<authentication-manager>
<authentication-provider>
<user-service>
<user name="jimi" password="jimispassword" authorities="ROLE_USER, ROLE_ADMIN" />
<user name="bob" password="bobspassword" authorities="ROLE_USER" />
</user-service>
</authentication-provider>
</authentication-manager>

If you are familiar with pre-namespace versions of the framework, you can probably already guess roughly what’s going on here. The <http> element is responsible for creating a FilterChainProxy and the filter beans which it uses. Common problems like incorrect filter ordering are no longer an issue as the filter positions are predefined.

如果您熟悉框架的命名空间前版本,那么您可能已经大致猜测了这里发生了什么。 <http>元素负责创建FilterChainProxy及其使用的过滤器bean。由于过滤器位置是预定义的,因此不正确的过滤器排序等常见问题不再是问题。
 
The <authentication-provider> element creates a DaoAuthenticationProvider bean and the <user-service> element creates an InMemoryDaoImpl. All authentication-provider elements must be children of the <authentication-manager> element, which creates a ProviderManager and registers the authentication providers with it. You can find more detailed information on the beans that are created in the namespace appendix. It’s worth cross-checking this if you want to start understanding what the important classes in the framework are and how they are used, particularly if you want to customise things later.
<authentication-provider>元素创建一个DaoAuthenticationProvider bean,<user-service>元素创建一个InMemoryDaoImpl。所有身份验证提供程序元素都必须是<authentication-manager>元素的子元素,这会创建一个ProviderManager并向其注册身份验证提供程序。您可以在命名空间附录中找到有关bean创建的更多详细信息。如果您想要开始了解框架中的重要类以及它们的使用方式,特别是如果您想稍后自定义内容,则值得交叉检查。
 
The configuration above defines two users, their passwords and their roles within the application (which will be used for access control). It is also possible to load user information from a standard properties file using the properties attribute on user-service. See the section on in-memory authentication for more details on the file format. Using the <authentication-provider> element means that the user information will be used by the authentication manager to process authentication requests. You can have multiple <authentication-provider> elements to define different authentication sources and each will be consulted in turn.
上面的配置定义了两个用户,他们的密码和他们在应用程序中的角色(将用于访问控制)。还可以使用user-service上的properties属性从标准属性文件加载用户信息。有关文件格式的更多详细信息,请参阅内存中身份验证部分。使用<authentication-provider>元素意味着身份验证管理器将使用用户信息来处理身份验证请求。您可以使用多个<authentication-provider>元素来定义不同的身份验证源,并依次查阅每个身份验证源。
 
At this point you should be able to start up your application and you will be required to log in to proceed. Try it out, or try experimenting with the "tutorial" sample application that comes with the project.
此时,您应该可以启动应用程序,并且您将需要登录才能继续。尝试一下,或尝试尝试项目附带的“教程”示例应用程序。

Spring Security(十九):6. Security Namespace Configuration的更多相关文章

  1. spring Boot(十九):使用Spring Boot Actuator监控应用

    spring Boot(十九):使用Spring Boot Actuator监控应用 微服务的特点决定了功能模块的部署是分布式的,大部分功能模块都是运行在不同的机器上,彼此通过服务调用进行交互,前后台 ...

  2. Spring(十九):Spring AOP(三):切面的优先级、重复使用切入点表达式

    背景: 1)指定切面优先级示例:有的时候需要对一个方法指定多个切面,而这多个切面有时又需要按照不同顺序执行,因此,切面执行优先级别指定功能就变得很实用. 2)重复使用切入点表达式:上一篇文章中,定义前 ...

  3. (转)Spring Boot (十九):使用 Spring Boot Actuator 监控应用

    http://www.ityouknow.com/springboot/2018/02/06/spring-boot-actuator.html 微服务的特点决定了功能模块的部署是分布式的,大部分功能 ...

  4. Spring学习(十九)----- Spring与WEB容器整合

    首先可以肯定的是,加载顺序与它们在 web.xml 文件中的先后顺序无关.即不会因为 filter 写在 listener 的前面而会先加载 filter.最终得出的结论是:listener -> ...

  5. spring学习十九 常用注解

    1. @Component 创建类对象,相当于配置<bean/>2. @Service 与@Component 功能相同. 2.1 写在 ServiceImpl 类上.3. @Reposi ...

  6. Spring学习(十九)----- Spring的五种事务配置详解

    前段时间对Spring的事务配置做了比较深入的研究,在此之间对Spring的事务配置虽说也配置过,但是一直没有一个清楚的认识.通过这次的学习发觉Spring的事务配置只要把思路理清,还是比较好掌握的. ...

  7. spring boot / cloud (十九) 并发消费消息,如何保证入库的数据是最新的?

    spring boot / cloud (十九) 并发消费消息,如何保证入库的数据是最新的? 消息中间件在解决异步处理,模块间解耦和,和高流量场景的削峰,等情况下有着很广泛的应用 . 本文将跟大家一起 ...

  8. Spring Boot 2.X(十九):集成 mybatis-plus 高效开发

    前言 之前介绍了 SpringBoot 整合 Mybatis 实现数据库的增删改查操作,分别给出了 xml 和注解两种实现 mapper 接口的方式:虽然注解方式干掉了 xml 文件,但是使用起来并不 ...

  9. Spring MVC 项目搭建 -6- spring security 使用自定义Filter实现验证扩展资源验证,使用数据库进行配置

    Spring MVC 项目搭建 -6- spring security使用自定义Filter实现验证扩展url验证,使用数据库进行配置 实现的主要流程 1.创建一个Filter 继承 Abstract ...

随机推荐

  1. margin:0 auto是什么意思

    一.margin设置对象外边距 二.margin后面如果只有两个参数的话,第一个表示top和bottom,第二个表示left和right 因为0 auto

  2. 洛谷P1337 [JSOI2004]平衡点 / 吊打XXX(模拟退火)

    题目描述 如图:有n个重物,每个重物系在一条足够长的绳子上.每条绳子自上而下穿过桌面上的洞,然后系在一起.图中X处就是公共的绳结.假设绳子是完全弹性的(不会造成能量损失),桌子足够高(因而重物不会垂到 ...

  3. Python 利用Python操作excel表格之openyxl介绍Part1

    利用Python操作excel表格之openyxl介绍 by:授客 QQ:1033553122 欢迎加入全国软件测试交流qq群(群号:7156436),免费获取以下性能监控工具(类似Nmon精简版) ...

  4. Android为TV端助力 遥控器的映射

    第一编写kl文件时先在盒子上输入getevent -v查看设备信息,设备信息里有vendor.product.version, 假如分别是xxxx,yyyy,zzzz,那么你的文件名就要命名为Vend ...

  5. Jump Flood Algorithms for Centroidal Voronoi Tessellation

    Brief Implemented both CPU and GPU version, you could consider this as the basic playground to imple ...

  6. 在Xshell 6开NumLock时按小键盘上的数字键并不能输入数字

    小键盘问题 在Xshell 6上用vi的时候,开NumLock时按小键盘上的数字键并不能输入数字,而是出现一个字母然后换行(实际上是命令模式上对应上下左右的键).解决方法 选项Terminal-> ...

  7. Cas 服务器 下载、编译及部署

    一直想把公司运营的项目的各个子项的认证及授权统一到Cas上,从有想法到现在快一年的时间了.现在才正式着手,有兴趣的朋友一起交流学习一下.具体项目的细节不便透露,整合的大体思路为:1.开发部署Cas服务 ...

  8. sqlserver waitfor time 延迟函数的用法

    SQL有定时执行的语句 WaitFor,可以写到一个存储过程中再执行一次 语法:WaitFor{Delay 'time'|Time 'time} Delay后面的时间为延迟多少时间执行 Time后面的 ...

  9. AspNet mvc的一个bug

    [HttpPost] public ActionResult updateLoan(TuWenMilitaryRank entity) 使用mvc绑定表单 每次绑定的对象都为null,查看Reques ...

  10. iOS 指纹解锁 验证TouchID

    iOS指纹解锁 1.首先,引入依赖框架 LocalAuthentication.framework #import <LocalAuthentication/LocalAuthenticatio ...