Spring Security(十九):6. Security Namespace Configuration
6.1 Introduction
Namespace configuration has been available since version 2.0 of the Spring Framework. It allows you to supplement the traditional Spring beans application context syntax with elements from additional XML schema. You can find more information in the Spring Reference Documentation. A namespace element can be used simply to allow a more concise way of configuring an individual bean or, more powerfully, to define an alternative configuration syntax which more closely matches the problem domain and hides the underlying complexity from the user.
<security:ldap-server />
This is much simpler than wiring up the equivalent Apache Directory Server beans. The most common alternative configuration requirements are supported by attributes on the ldap-server
element and the user is isolated from worrying about which beans they need to create and what the bean property names are. [1]. Use of a good XML editor while editing the application context file should provide information on the attributes and elements that are available. We would recommend that you try out the Spring Tool Suite as it has special features for working with standard Spring namespaces.
spring-security-config
jar on your classpath. Then all you need to do is add the schema declaration to your application context file:<beans xmlns="http://www.springframework.org/schema/beans"
xmlns:security="http://www.springframework.org/schema/security"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://www.springframework.org/schema/beans
http://www.springframework.org/schema/beans/spring-beans-3.0.xsd
http://www.springframework.org/schema/security
http://www.springframework.org/schema/security/spring-security.xsd">
...
</beans>
In many of the examples you will see (and in the sample applications), we will often use "security" as the default namespace rather than "beans", which means we can omit the prefix on all the security namespace elements, making the content easier to read. You may also want to do this if you have your application context divided up into separate files and have most of your security configuration in one of them. Your security application context file would then start like this
<beans:beans xmlns="http://www.springframework.org/schema/security"
xmlns:beans="http://www.springframework.org/schema/beans"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://www.springframework.org/schema/beans
http://www.springframework.org/schema/beans/spring-beans-3.0.xsd
http://www.springframework.org/schema/security
http://www.springframework.org/schema/security/spring-security.xsd">
...
</beans:beans>
We’ll assume this syntax is being used from now on in this chapter.
6.1.1 Design of the Namespace
The namespace is designed to capture the most common uses of the framework and provide a simplified and concise syntax for enabling them within an application. The design is based around the large-scale dependencies within the framework, and can be divided up into the following areas:
- Web/HTTP Security - the most complex part. Sets up the filters and related service beans used to apply the framework authentication mechanisms, to secure URLs, render login and error pages and much more.
- Web / HTTP安全 - 最复杂的部分。设置用于应用框架身份验证机制的过滤器和相关服务bean,保护URL,呈现登录和错误页面等等。
- Business Object (Method) Security - options for securing the service layer.
- 业务对象(方法)安全性 - 保护服务层的选项。
- AuthenticationManager - handles authentication requests from other parts of the framework.
- AuthenticationManager - 处理来自框架其他部分的身份验证请求。
- AccessDecisionManager - provides access decisions for web and method security. A default one will be registered, but you can also choose to use a custom one, declared using normal Spring bean syntax.
- AccessDecisionManager - 提供Web和方法安全性的访问决策。将注册一个默认值,但您也可以选择使用自定义Spring bean语法声明的自定义。
- AuthenticationProviders - mechanisms against which the authentication manager authenticates users. The namespace provides supports for several standard options and also a means of adding custom beans declared using a traditional syntax.
- AuthenticationProviders - 身份验证管理器对用户进行身份验证的机制。命名空间提供了对多个标准选项的支持,也提供了添加使用传统语法声明的自定义bean的方法。
- UserDetailsService - closely related to authentication providers, but often also required by other beans.
- UserDetailsService - 与身份验证提供程序密切相关,但通常也需要其他bean。
We’ll see how to configure these in the following sections.
6.2 Getting Started with Security Namespace Configuration
In this section, we’ll look at how you can build up a namespace configuration to use some of the main features of the framework. Let’s assume you initially want to get up and running as quickly as possible and add authentication support and access control to an existing web application, with a few test logins. Then we’ll look at how to change over to authenticating against a database or other security repository. In later sections we’ll introduce more advanced namespace configuration options.
6.2.1 web.xml Configuration
The first thing you need to do is add the following filter declaration to your web.xml
file:
<filter>
<filter-name>springSecurityFilterChain</filter-name>
<filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
</filter> <filter-mapping>
<filter-name>springSecurityFilterChain</filter-name>
<url-pattern>/*</url-pattern>
</filter-mapping>
This provides a hook into the Spring Security web infrastructure. DelegatingFilterProxy
is a Spring Framework class which delegates to a filter implementation which is defined as a Spring bean in your application context. In this case, the bean is named "springSecurityFilterChain", which is an internal infrastructure bean created by the namespace to handle web security. Note that you should not use this bean name yourself. Once you’ve added this to your web.xml
, you’re ready to start editing your application context file. Web security services are configured using the <http>
element.
6.2.2 A Minimal <http> Configuration
All you need to enable web security to begin with is
<http>
<intercept-url pattern="/**" access="hasRole('USER')" />
<form-login />
<logout />
</http>
Which says that we want all URLs within our application to be secured, requiring the role ROLE_USER
to access them, we want to log in to the application using a form with username and password, and that we want a logout URL registered which will allow us to log out of the application. <http>
element is the parent for all web-related namespace functionality. The <intercept-url>
element defines a pattern
which is matched against the URLs of incoming requests using an ant path style syntax [2].
access
attribute defines the access requirements for requests matching the given pattern. With the default configuration, this is typically a comma-separated list of roles, one of which a user must have to be allowed to make the request. access
attribute depends on the implementation of the –1— which is used. In Spring Security 3.0, the attribute can also be populated with an –2—.<intercept-url>
elements to define different access requirements for different sets of URLs, but they will be evaluated in the order listed and the first match will be used. So you must put the most specific matches at the top. You can also add a method
attribute to limit the match to a particular HTTP method (GET
, POST
, PUT
etc.).<authentication-manager>
<authentication-provider>
<user-service>
<user name="jimi" password="jimispassword" authorities="ROLE_USER, ROLE_ADMIN" />
<user name="bob" password="bobspassword" authorities="ROLE_USER" />
</user-service>
</authentication-provider>
</authentication-manager>
If you are familiar with pre-namespace versions of the framework, you can probably already guess roughly what’s going on here. The <http>
element is responsible for creating a FilterChainProxy
and the filter beans which it uses. Common problems like incorrect filter ordering are no longer an issue as the filter positions are predefined.
<authentication-provider>
element creates a DaoAuthenticationProvider
bean and the <user-service>
element creates an InMemoryDaoImpl
. All authentication-provider
elements must be children of the <authentication-manager>
element, which creates a ProviderManager
and registers the authentication providers with it. You can find more detailed information on the beans that are created in the namespace appendix. It’s worth cross-checking this if you want to start understanding what the important classes in the framework are and how they are used, particularly if you want to customise things later.properties
attribute on user-service
. See the section on in-memory authentication for more details on the file format. Using the <authentication-provider>
element means that the user information will be used by the authentication manager to process authentication requests. You can have multiple <authentication-provider>
elements to define different authentication sources and each will be consulted in turn.Spring Security(十九):6. Security Namespace Configuration的更多相关文章
- spring Boot(十九):使用Spring Boot Actuator监控应用
spring Boot(十九):使用Spring Boot Actuator监控应用 微服务的特点决定了功能模块的部署是分布式的,大部分功能模块都是运行在不同的机器上,彼此通过服务调用进行交互,前后台 ...
- Spring(十九):Spring AOP(三):切面的优先级、重复使用切入点表达式
背景: 1)指定切面优先级示例:有的时候需要对一个方法指定多个切面,而这多个切面有时又需要按照不同顺序执行,因此,切面执行优先级别指定功能就变得很实用. 2)重复使用切入点表达式:上一篇文章中,定义前 ...
- (转)Spring Boot (十九):使用 Spring Boot Actuator 监控应用
http://www.ityouknow.com/springboot/2018/02/06/spring-boot-actuator.html 微服务的特点决定了功能模块的部署是分布式的,大部分功能 ...
- Spring学习(十九)----- Spring与WEB容器整合
首先可以肯定的是,加载顺序与它们在 web.xml 文件中的先后顺序无关.即不会因为 filter 写在 listener 的前面而会先加载 filter.最终得出的结论是:listener -> ...
- spring学习十九 常用注解
1. @Component 创建类对象,相当于配置<bean/>2. @Service 与@Component 功能相同. 2.1 写在 ServiceImpl 类上.3. @Reposi ...
- Spring学习(十九)----- Spring的五种事务配置详解
前段时间对Spring的事务配置做了比较深入的研究,在此之间对Spring的事务配置虽说也配置过,但是一直没有一个清楚的认识.通过这次的学习发觉Spring的事务配置只要把思路理清,还是比较好掌握的. ...
- spring boot / cloud (十九) 并发消费消息,如何保证入库的数据是最新的?
spring boot / cloud (十九) 并发消费消息,如何保证入库的数据是最新的? 消息中间件在解决异步处理,模块间解耦和,和高流量场景的削峰,等情况下有着很广泛的应用 . 本文将跟大家一起 ...
- Spring Boot 2.X(十九):集成 mybatis-plus 高效开发
前言 之前介绍了 SpringBoot 整合 Mybatis 实现数据库的增删改查操作,分别给出了 xml 和注解两种实现 mapper 接口的方式:虽然注解方式干掉了 xml 文件,但是使用起来并不 ...
- Spring MVC 项目搭建 -6- spring security 使用自定义Filter实现验证扩展资源验证,使用数据库进行配置
Spring MVC 项目搭建 -6- spring security使用自定义Filter实现验证扩展url验证,使用数据库进行配置 实现的主要流程 1.创建一个Filter 继承 Abstract ...
随机推荐
- margin:0 auto是什么意思
一.margin设置对象外边距 二.margin后面如果只有两个参数的话,第一个表示top和bottom,第二个表示left和right 因为0 auto
- 洛谷P1337 [JSOI2004]平衡点 / 吊打XXX(模拟退火)
题目描述 如图:有n个重物,每个重物系在一条足够长的绳子上.每条绳子自上而下穿过桌面上的洞,然后系在一起.图中X处就是公共的绳结.假设绳子是完全弹性的(不会造成能量损失),桌子足够高(因而重物不会垂到 ...
- Python 利用Python操作excel表格之openyxl介绍Part1
利用Python操作excel表格之openyxl介绍 by:授客 QQ:1033553122 欢迎加入全国软件测试交流qq群(群号:7156436),免费获取以下性能监控工具(类似Nmon精简版) ...
- Android为TV端助力 遥控器的映射
第一编写kl文件时先在盒子上输入getevent -v查看设备信息,设备信息里有vendor.product.version, 假如分别是xxxx,yyyy,zzzz,那么你的文件名就要命名为Vend ...
- Jump Flood Algorithms for Centroidal Voronoi Tessellation
Brief Implemented both CPU and GPU version, you could consider this as the basic playground to imple ...
- 在Xshell 6开NumLock时按小键盘上的数字键并不能输入数字
小键盘问题 在Xshell 6上用vi的时候,开NumLock时按小键盘上的数字键并不能输入数字,而是出现一个字母然后换行(实际上是命令模式上对应上下左右的键).解决方法 选项Terminal-> ...
- Cas 服务器 下载、编译及部署
一直想把公司运营的项目的各个子项的认证及授权统一到Cas上,从有想法到现在快一年的时间了.现在才正式着手,有兴趣的朋友一起交流学习一下.具体项目的细节不便透露,整合的大体思路为:1.开发部署Cas服务 ...
- sqlserver waitfor time 延迟函数的用法
SQL有定时执行的语句 WaitFor,可以写到一个存储过程中再执行一次 语法:WaitFor{Delay 'time'|Time 'time} Delay后面的时间为延迟多少时间执行 Time后面的 ...
- AspNet mvc的一个bug
[HttpPost] public ActionResult updateLoan(TuWenMilitaryRank entity) 使用mvc绑定表单 每次绑定的对象都为null,查看Reques ...
- iOS 指纹解锁 验证TouchID
iOS指纹解锁 1.首先,引入依赖框架 LocalAuthentication.framework #import <LocalAuthentication/LocalAuthenticatio ...