This is the 8th day of my participation in Gwen Challenge
The most basic use of Spring Security (without a deep look at the source code)
Security dependency import

```xml
<dependency>
    <groupId>org.springframework.boot</groupId>
    <artifactId>spring-boot-starter-security</artifactId>
</dependency>
```
When you import this dependency and run the application without any further configuration, every URL you visit prompts you to log in ("need authorization"), as shown in the following figure:
By default Spring Security creates a single in-memory user named user. Its password is generated at startup and printed to the console (look for the line "Using generated security password: ...").
The main flow of Spring Security has two stages: authentication (who is calling) and authorization (what the caller may access). This post uses four main interfaces and classes:
UserDetailsService, AccessDecisionManager, FilterInvocationSecurityMetadataSource, WebSecurityConfigurerAdapter.
1. UserDetailsService declares a single method, loadUserByUsername. It receives the login account name and looks up the user's details (password hash, roles, and so on) from the database for later use; Spring Security then compares the submitted password against the stored hash with the configured PasswordEncoder. This is the authentication side.
2. FilterInvocationSecurityMetadataSource is consulted for every intercepted request. Given the request, it looks up (for example in the database) which roles may access that URL and returns them to the framework as ConfigAttributes.
3. AccessDecisionManager lets requests through or blocks them. Implementations override decide and the two supports methods.
3.1. decide receives the caller's Authentication and the attributes from step 2 and decides whether the user may access this path: returning normally means pass, throwing AccessDeniedException means deny.
4. WebSecurityConfigurerAdapter holds the overall security configuration; override its configure methods for the corresponding settings. (It is deprecated since Spring Security 5.7 and removed in 6.0 in favour of a SecurityFilterChain bean, but it is what Spring Boot 2.x projects use.)
4.1. The authentication used here is JWT based, so the custom token filter must be registered in this configuration (for example with addFilterBefore(..., UsernamePasswordAuthenticationFilter.class)); otherwise it never runs.
The configuration options are quite involved and I do not know them in detail, so I have borrowed from online material and only use a few simple methods.
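To make the four pieces concrete, here is an added example (my code, not the post's) of all four wired together on Spring Boot 2.x / Spring Security 5.x, so that the URL-to-role rules come from a table instead of being hard-coded in the config. The class names, the sample users and the URL patterns are constructed for the example; a real service would replace the two in-memory tables with database queries.

```java
import java.util.Collection;
import java.util.List;
import java.util.Map;

import org.springframework.security.access.*;
import org.springframework.security.authentication.AnonymousAuthenticationToken;
import org.springframework.security.config.annotation.ObjectPostProcessor;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.*;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.userdetails.*;
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
import org.springframework.security.web.FilterInvocation;
import org.springframework.security.web.access.intercept.*;
import org.springframework.security.web.util.matcher.AntPathRequestMatcher;

/** 1. Who is the caller? Returns the account with its password hash; DaoAuthenticationProvider compares it. */
class DbUserDetailsService implements UserDetailsService {
    private final BCryptPasswordEncoder encoder = new BCryptPasswordEncoder();
    // Constructed stand-in for the user table (hashed at startup only for this sample); a real service queries the DB.
    private final Map<String, UserDetails> users = Map.of(
            "alice", User.withUsername("alice").password(encoder.encode("alice-pw")).roles("ADMIN").build(),
            "bob", User.withUsername("bob").password(encoder.encode("bob-pw")).roles("USER").build());

    @Override
    public UserDetails loadUserByUsername(String username) {
        UserDetails user = users.get(username);
        // Unknown accounts: the provider reports this as "bad credentials" by default, so the
        // login endpoint cannot be used to enumerate valid usernames.
        if (user == null) throw new UsernameNotFoundException("no such user");
        return user;
    }
}

/** 2. Which role does this URL need? Constructed URL -> role table; the first matching pattern wins. */
class DbSecurityMetadataSource implements FilterInvocationSecurityMetadataSource {
    static final String PUBLIC = "PUBLIC";               // no login needed
    static final String AUTHENTICATED = "AUTHENTICATED"; // any logged-in user
    private static final List<Map.Entry<AntPathRequestMatcher, String>> URL_ROLES = List.of(
            Map.entry(new AntPathRequestMatcher("/public/**"), PUBLIC),
            Map.entry(new AntPathRequestMatcher("/admin/**"), "ROLE_ADMIN"),
            Map.entry(new AntPathRequestMatcher("/api/**"), "ROLE_USER"));

    @Override
    public Collection<ConfigAttribute> getAttributes(Object object) {
        FilterInvocation fi = (FilterInvocation) object;
        for (Map.Entry<AntPathRequestMatcher, String> rule : URL_ROLES) {
            if (rule.getKey().matches(fi.getRequest())) return SecurityConfig.createList(rule.getValue());
        }
        return SecurityConfig.createList(AUTHENTICATED); // URLs not in the table still need a login
    }
    @Override public Collection<ConfigAttribute> getAllConfigAttributes() { return null; }
    @Override public boolean supports(Class<?> clazz) { return FilterInvocation.class.isAssignableFrom(clazz); }
}

/** 3. Allow or deny: returning normally lets the request through, throwing blocks it. */
class RoleDecisionManager implements AccessDecisionManager {
    @Override
    public void decide(Authentication auth, Object object, Collection<ConfigAttribute> attrs) {
        if (attrs.stream().anyMatch(a -> DbSecurityMetadataSource.PUBLIC.equals(a.getAttribute()))) return;
        if (auth == null || auth instanceof AnonymousAuthenticationToken) {
            // For anonymous callers ExceptionTranslationFilter turns this into the AuthenticationEntryPoint (401).
            throw new AccessDeniedException("login required");
        }
        for (ConfigAttribute attr : attrs) {
            if (DbSecurityMetadataSource.AUTHENTICATED.equals(attr.getAttribute())) return;
            for (GrantedAuthority granted : auth.getAuthorities()) {
                if (attr.getAttribute().equals(granted.getAuthority())) return;
            }
        }
        throw new AccessDeniedException("role not sufficient for this URL"); // 403 for logged-in callers
    }
    @Override public boolean supports(ConfigAttribute attribute) { return true; }
    @Override public boolean supports(Class<?> clazz) { return FilterInvocation.class.isAssignableFrom(clazz); }
}

/** 4. Wire the three pieces into the URL interceptor (Spring Boot 2.x / Spring Security 5.x). */
@EnableWebSecurity
class DynamicAuthzConfig extends WebSecurityConfigurerAdapter {
    @Override
    protected void configure(AuthenticationManagerBuilder auth) throws Exception {
        auth.userDetailsService(new DbUserDetailsService()).passwordEncoder(new BCryptPasswordEncoder());
    }
    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http.httpBasic().and()
            .authorizeRequests().anyRequest().authenticated() // placeholder rule, replaced below
            .withObjectPostProcessor(new ObjectPostProcessor<FilterSecurityInterceptor>() {
                @Override
                public <O extends FilterSecurityInterceptor> O postProcess(O fsi) {
                    fsi.setSecurityMetadataSource(new DbSecurityMetadataSource());
                    fsi.setAccessDecisionManager(new RoleDecisionManager());
                    return fsi;
                }
            });
    }
}
```

With HTTP Basic enabled you can exercise it with curl: no credentials on /admin/x gives 401 (the anonymous caller is sent to the entry point), bob on /admin/x gives 403 (authenticated, but the role does not match), alice on /admin/x passes, and /public/anything needs no login. Because the rules are looked up per request, editing the table takes effect without a restart, which is the reason to take this route instead of a fixed antMatchers() list.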
5. Use of some methods of Spring Security
5.1. SessionCreationPolicy.STATELESS means Spring Security never creates or uses an HttpSession, so no login state is kept on the server, every request must carry its own credentials, and every request is permission-checked. Our filter therefore checks each request for an "X-Auth-Token" header. When Spring Security finds no valid authentication (the header is missing or the token does not verify), it invokes the configured authentication entry point, here new RestAuthenticationEntryPoint, which in our scenario simply returns 401.
5.2. You can also configure how a successful and a failed login are handled (AuthenticationSuccessHandler and AuthenticationFailureHandler); for an API these typically return a token or a JSON error instead of redirecting.
5.3. authorizeRequests() is where URL authorization rules go; call it if you want per-URL access rules such as permitAll() or hasRole().
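The stateless setup described in 5.1 to 5.3, as an added example that is not code from the original post. It assumes Spring Boot 2.x / Spring Security 5.x (javax.servlet, WebSecurityConfigurerAdapter), a TOKEN_SECRET environment variable, and some UserDetailsService in the context (Spring Boot's default user will do). In place of a JWT library it uses a small HMAC-SHA256 signed payload.signature token of the same shape, so it has no extra dependency; swap TokenCodec for your JWT implementation and the filter, entry point and handlers stay the same.

```java
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.security.*;
import java.time.Instant;
import java.util.*;
import java.util.stream.Collectors;
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;
import javax.servlet.*;
import javax.servlet.http.*;

import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.*;
import org.springframework.security.config.http.SessionCreationPolicy;
import org.springframework.security.core.*;
import org.springframework.security.core.authority.SimpleGrantedAuthority;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.security.web.AuthenticationEntryPoint;
import org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter;
import org.springframework.web.filter.OncePerRequestFilter;

/** Stands in for a JWT library: HMAC-SHA256 signed "payload.signature" token (same shape as a JWS).
 *  Payload is "username|ROLE_A,ROLE_B|expiryEpochSeconds" with a 15 minute lifetime. */
class TokenCodec {
    private static final Base64.Encoder ENC = Base64.getUrlEncoder().withoutPadding();
    private static final Base64.Decoder DEC = Base64.getUrlDecoder();
    private final byte[] secret;
    TokenCodec(byte[] secret) { this.secret = secret; }

    String issue(Authentication auth) {
        String roles = auth.getAuthorities().stream().map(GrantedAuthority::getAuthority).collect(Collectors.joining(","));
        long exp = Instant.now().plusSeconds(900).getEpochSecond();
        String payload = ENC.encodeToString((auth.getName() + "|" + roles + "|" + exp).getBytes(StandardCharsets.UTF_8));
        return payload + "." + ENC.encodeToString(hmac(payload));
    }

    /** Returns an authenticated token for a valid, unexpired token string, or null for anything else. */
    Authentication verify(String token) {
        int dot = token.lastIndexOf('.');
        if (dot < 0) return null;
        String payload = token.substring(0, dot);
        byte[] sig;
        try { sig = DEC.decode(token.substring(dot + 1)); } catch (IllegalArgumentException e) { return null; }
        if (!MessageDigest.isEqual(hmac(payload), sig)) return null; // constant-time compare, before trusting the payload
        String[] parts = new String(DEC.decode(payload), StandardCharsets.UTF_8).split("\\|", -1);
        if (parts.length != 3 || Long.parseLong(parts[2]) < Instant.now().getEpochSecond()) return null;
        List<GrantedAuthority> authorities = new ArrayList<>();
        for (String role : parts[1].split(",")) if (!role.isEmpty()) authorities.add(new SimpleGrantedAuthority(role));
        return new UsernamePasswordAuthenticationToken(parts[0], null, authorities); // 3-arg ctor marks it authenticated
    }

    private byte[] hmac(String data) {
        try {
            Mac mac = Mac.getInstance("HmacSHA256");
            mac.init(new SecretKeySpec(secret, "HmacSHA256"));
            return mac.doFinal(data.getBytes(StandardCharsets.UTF_8));
        } catch (GeneralSecurityException e) { throw new IllegalStateException(e); }
    }
}

/** Reads X-Auth-Token on every request and, if it verifies, places the caller in the security context. */
class TokenAuthenticationFilter extends OncePerRequestFilter {
    private final TokenCodec codec;
    TokenAuthenticationFilter(TokenCodec codec) { this.codec = codec; }
    @Override
    protected void doFilterInternal(HttpServletRequest req, HttpServletResponse res, FilterChain chain) throws ServletException, IOException {
        String token = req.getHeader("X-Auth-Token");
        Authentication auth = token == null ? null : codec.verify(token);
        if (auth != null) SecurityContextHolder.getContext().setAuthentication(auth);
        chain.doFilter(req, res); // missing or bad token: stay anonymous; the entry point answers 401 if the URL needs a login
    }
}

class RestAuthenticationEntryPoint implements AuthenticationEntryPoint {
    @Override
    public void commence(HttpServletRequest req, HttpServletResponse res, AuthenticationException e) throws IOException {
        res.sendError(HttpServletResponse.SC_UNAUTHORIZED, "authentication required"); // bare 401 instead of a login-page redirect
    }
}

@EnableWebSecurity
class StatelessTokenConfig extends WebSecurityConfigurerAdapter {
    // Assumption: the HMAC secret comes from the TOKEN_SECRET environment variable (fails fast at startup if unset).
    private final TokenCodec codec = new TokenCodec(System.getenv("TOKEN_SECRET").getBytes(StandardCharsets.UTF_8));
    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http.csrf().disable() // acceptable only because no cookie-backed session exists for CSRF to ride on
            .sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS).and()
            .exceptionHandling().authenticationEntryPoint(new RestAuthenticationEntryPoint()).and()
            .authorizeRequests().antMatchers("/login").permitAll().anyRequest().authenticated().and()
            .formLogin().loginProcessingUrl("/login")
                // success: hand out the token instead of redirecting (there is no session to keep the login in)
                .successHandler((req, res, auth) -> {
                    res.setContentType("application/json");
                    res.getWriter().write("{\"token\":\"" + codec.issue(auth) + "\"}");
                })
                .failureHandler((req, res, ex) -> res.sendError(HttpServletResponse.SC_UNAUTHORIZED, "bad credentials"))
                .and()
            .addFilterBefore(new TokenAuthenticationFilter(codec), UsernamePasswordAuthenticationFilter.class);
    }
}
```

Log in with `curl -d username=user -d password=<generated password> http://localhost:8080/login` to receive the token in a JSON body, then call any endpoint with `-H 'X-Auth-Token: <token>'`. Requests without the header, with a tampered signature or with an expired token stay anonymous and get 401 from RestAuthenticationEntryPoint; a valid token whose roles do not match gets 403 from the authorization step. The signature is checked with a constant-time comparison before any part of the payload is parsed.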
6. Spring provides FilterRegistrationBean, which lets you assign an order value to a servlet filter.
6.1. Its setOrder method sets that value; Spring sorts the web filters by it before registering them one after another, and the smaller the order, the earlier the filter runs. Registering the CorsFilter this way, with an order lower than that of the Spring Security filter chain, is how cross-origin (CORS) requests are handled in this project: the CORS filter answers preflight requests before Spring Security can reject them as unauthenticated.
7. CorsConfiguration and UrlBasedCorsConfigurationSource methods used:
config.addAllowedOrigin("http://localhost") adds an allowed request origin; "*" means any origin. (The "/**" used further down is a path pattern meaning all endpoints.)
addAllowedOrigin(String origin) appends an origin, so if you do not use "*" you can call it several times to allow multiple origins.
config.addAllowedHeader("*") sets the request headers a cross-origin caller may send.
config.addAllowedMethod("*") sets the HTTP methods a cross-origin caller may use.
source.registerCorsConfiguration("/**", config) applies the configuration to all paths.
Caveat: since Spring Framework 5.3, "*" as an allowed origin cannot be combined with setAllowCredentials(true); Spring throws an IllegalArgumentException. Use an explicit origin list or setAllowedOriginPatterns instead.
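The CORS registration from sections 6 and 7 as an added example (not the post's code), with the permissive configuration the post describes next to a tightened one; the origins, headers and methods are constructed for the example.

```java
import java.util.List;

import org.springframework.boot.web.servlet.FilterRegistrationBean;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.core.Ordered;
import org.springframework.web.cors.CorsConfiguration;
import org.springframework.web.cors.UrlBasedCorsConfigurationSource;
import org.springframework.web.filter.CorsFilter;

@Configuration
public class CorsConfig {

    /** Weak: reflects every Origin, every header and every method. Any site can read every response.
     *  Adding setAllowCredentials(true) to this makes Spring 5.3+ throw IllegalArgumentException when
     *  the first cross-origin request is processed. */
    static CorsConfiguration permissive() {
        CorsConfiguration config = new CorsConfiguration();
        config.addAllowedOrigin("*");
        config.addAllowedHeader("*");
        config.addAllowedMethod("*");
        return config;
    }

    /** Tightened: explicit origin allow-list, only the headers and methods the API uses, no cookies. */
    static CorsConfiguration restricted() {
        CorsConfiguration config = new CorsConfiguration();
        config.setAllowedOrigins(List.of("https://app.example.com", "http://localhost:3000")); // constructed origins
        config.setAllowedMethods(List.of("GET", "POST", "PUT", "DELETE"));
        config.setAllowedHeaders(List.of("Content-Type", "X-Auth-Token"));
        config.setAllowCredentials(false); // the token travels in a header, so cookies are not needed
        config.setMaxAge(600L);            // browsers may cache the preflight answer for 10 minutes
        return config;
    }

    @Bean
    public FilterRegistrationBean<CorsFilter> corsFilter() {
        UrlBasedCorsConfigurationSource source = new UrlBasedCorsConfigurationSource();
        source.registerCorsConfiguration("/**", restricted()); // all paths
        FilterRegistrationBean<CorsFilter> bean = new FilterRegistrationBean<>(new CorsFilter(source));
        // Smaller order runs earlier: this puts the CORS filter ahead of the security filter chain,
        // so OPTIONS preflights (which carry no X-Auth-Token) are answered instead of rejected with 401.
        bean.setOrder(Ordered.HIGHEST_PRECEDENCE);
        return bean;
    }
}
```

Swap restricted() for permissive() to reproduce the post's original settings; keep the explicit list in anything that is not a purely public, unauthenticated API.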