Spring Security protects Web resources by using filters

AOP and Filter usage: the difference between filters and interceptors

Security configuration

  • Extend WebSecurityConfigurerAdapter
  • The Spring Security configuration provides user authentication. To authenticate users, you need to customize UserDetailsService
  • @EnableWebSecurity
    • In non-Spring Boot Spring Web MVC applications, the developer must add the @EnableWebSecurity annotation to enable web security. In Spring Boot-based Spring Web MVC applications, the developer does not need to add the annotation again, because the Spring Boot auto-configuration class WebSecurityEnablerConfiguration already introduces it
    • Spring Security Config: the EnableWebSecurity annotation enables WebSecurity
  • Security configuration consists of three parts:
    • Configure the service for querying user information
    • Configure the security interception mechanism
    • Configure the password encoder, which defines how the password entered by the user is compared with the password stored in the database
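
The three parts above in one configuration class, as an added example that is not code from the original page. It assumes Spring Security 5.x, where WebSecurityConfigurerAdapter is still available; the class name, the user "alice", the sample password and the /public/** path are constructed for illustration.

```java
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.core.userdetails.User;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.core.userdetails.UsernameNotFoundException;
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
import org.springframework.security.crypto.password.PasswordEncoder;

@Configuration
@EnableWebSecurity // required outside Spring Boot; Boot's auto-configuration already adds it
public class WebSecurityConfig extends WebSecurityConfigurerAdapter {

    // Part 3: password encoder. Stored values are BCrypt hashes, and the
    // submitted password is checked with matches(), never by string equality.
    @Bean
    public PasswordEncoder passwordEncoder() {
        return new BCryptPasswordEncoder();
    }

    // Part 1: service that looks up user information (constructed in-memory record;
    // a real service would query the database here).
    @Bean
    @Override
    public UserDetailsService userDetailsService() {
        String storedHash = passwordEncoder().encode("constructed-sample-password");
        return username -> {
            if (!"alice".equals(username)) {
                throw new UsernameNotFoundException("unknown user");
            }
            return User.withUsername("alice").password(storedHash)
                       .authorities("ROLE_USER").build();
        };
    }

    // Part 2: security interception. Everything outside /public/** needs an
    // authenticated user; CSRF protection is left at its default (enabled).
    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http.authorizeRequests()
                .antMatchers("/public/**").permitAll()
                .anyRequest().authenticated()
            .and()
            .formLogin();
    }
}
```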

The authentication process

  • For a request to /request/token, if the configuration enables allowFormAuthenticationForClients and the URL carries client_id and client_secret, the request goes through ClientCredentialsTokenEndpointFilter, and ClientDetailsUserDetailsService loads and populates the UserDetails
  • For a request to /request/token, if allowFormAuthenticationForClients is not enabled, or it is enabled but the URL does not carry client_id and client_secret, basic authentication is used
  • After client details authentication (which follows the AuthorizationServerSecurityConfigurer configuration) succeeds, if the grant is password mode, the user's account and password are authenticated next
  • Password mode authenticates with the userDetailsService configured in AuthorizationServerEndpointsConfigurer

To prevent CSRF, Spring Security restricts requests other than GET requests; this protection can be turned off by using disable