Learning records of Spring Security authorization and authentication

Keywords: Spring Shiro

Official Spring Security documentation

Spring Security and Shiro are both security frameworks, and each covers a lot of ground. This article records the part I understand best: authorization and authentication. I have tried to express it as concisely and completely as possible. Comments and discussion are welcome.

formlogin main process

In this flow, the authentication-related Filter is responsible for building a Token entity that is not yet authenticated and handing it to the AuthenticationProvider, which verifies the Token and rebuilds it as an authenticated Token entity. For details, see the source code of org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter.

Other authentication processes exist as well, such as the basic authentication filter and the digest authentication filter. The official formlogin is the set of processes built around UsernamePasswordAuthenticationFilter. If you are interested, read the formlogin source code, which covers a lot more. This article records only authentication and authorization.

Configuration description

import org.springframework.context.annotation.Configuration;
import org.springframework.http.HttpMethod;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.builders.WebSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;

@Configuration
@EnableWebSecurity
public class SecurityConfiguration extends WebSecurityConfigurerAdapter {

    /**
     * Authentication configuration: register a custom AuthenticationProvider, UserDetailsService, etc.
     * @param auth
     * @author mjm
     * @date 2020/1/20 16:08
     */
    @Override
    protected void configure(AuthenticationManagerBuilder auth) throws Exception {
        super.configure(auth);
    }

    /**
     * Global settings: exception handling, URLs that bypass the security filter chain, etc.
     * @param web
     * @author mjm
     * @date 2019/12/30 14:07
     */
    @Override
    public void configure(WebSecurity web) {
        // Requests matching these patterns skip the whole filter chain, so no authentication
        // or authorization runs for them; keep this list to static resources.
        web.ignoring().antMatchers(HttpMethod.OPTIONS, "/**")
                .antMatchers("/css/**", "/fonts/**", "/img/**", "/js/**", "/plugins/**");
    }

    /**
     * Request-processing configuration: formlogin, authorization rules, CORS, custom filters, etc.
     * @param http
     * @author mjm
     * @date 2020/1/20 16:13
     */
    @Override
    protected void configure(HttpSecurity http) throws Exception {
        // csrf().disable() and frameOptions().disable() turn off two default protections
        // (CSRF tokens and the X-Frame-Options header); a form-login application normally
        // relies on both, so make sure this is intended.
        http.cors().disable().csrf().disable().headers().frameOptions().disable();
        http.formLogin();
        // Every URL is authorized by calling check(authentication, request) on the bean named "sysAuthorize".
        http.authorizeRequests().antMatchers("/**").access("@sysAuthorize.check(authentication,request)");
    }
}

HttpSecurity Description:

1. URL matchers are evaluated from top to bottom; the first matching rule wins.

2. access() takes a user-defined authorization expression. For details, see the section "Referring to Beans in Web Security Expressions" in the official documentation. The only arguments that can be passed to the bean method are authentication and request.

3. Custom filters can be added with the http.addFilterXXXX methods, which also fix the position of the filter in the chain.

4. If formlogin is configured, Spring Security supplies a complete authentication flow, including the login page, from its default configuration; only a UserDetailsService has to be implemented.

These are the three configuration methods I consider most important. For details, please refer to the source code.
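As an added worked example (not code from the original post), here is what a bean behind the access("@sysAuthorize.check(authentication,request)") expression can look like. Only the bean name sysAuthorize and the check(authentication, request) signature come from the configuration above; the class name SysAuthorize, the rule table and the authority names are constructed for illustration.

```java
import java.util.LinkedHashMap;
import java.util.Map;
import java.util.Set;
import javax.servlet.http.HttpServletRequest;
import org.springframework.security.authentication.AnonymousAuthenticationToken;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.authority.AuthorityUtils;
import org.springframework.stereotype.Component;
import org.springframework.util.AntPathMatcher;

/**
 * Hypothetical authorization bean. The bean name must match the name used in the
 * web security expression: access("@sysAuthorize.check(authentication,request)").
 */
@Component("sysAuthorize")
public class SysAuthorize {

    private final AntPathMatcher matcher = new AntPathMatcher();

    // Constructed sample rule table: URL pattern -> authority required to call it.
    // A LinkedHashMap keeps insertion order, so the first matching pattern wins,
    // mirroring the top-to-bottom matching of antMatchers() in HttpSecurity.
    private static final Map<String, String> RULES = new LinkedHashMap<>();
    static {
        RULES.put("/admin/**", "ROLE_ADMIN");
        RULES.put("/api/**", "ROLE_USER");
    }

    /**
     * Called once per request by the expression handler with the current
     * Authentication and the HttpServletRequest.
     */
    public boolean check(Authentication authentication, HttpServletRequest request) {
        // Fail closed: a missing, unauthenticated or anonymous Authentication is denied.
        if (authentication == null
                || !authentication.isAuthenticated()
                || authentication instanceof AnonymousAuthenticationToken) {
            return false;
        }

        // The servlet path excludes the context path, so the patterns stay deployment independent.
        String path = request.getServletPath();
        Set<String> granted = AuthorityUtils.authorityListToSet(authentication.getAuthorities());

        for (Map.Entry<String, String> rule : RULES.entrySet()) {
            if (matcher.match(rule.getKey(), path)) {
                return granted.contains(rule.getValue());
            }
        }
        // No rule covers this URL: deny by default rather than allow.
        return false;
    }
}
```

Because access() is applied to antMatchers("/**"), this method decides every request that reaches the FilterSecurityInterceptor, so the safe default when no rule matches is to return false and add rules explicitly.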

Other

1. How to implement a custom authentication process

Extend AbstractAuthenticationProcessingFilter and override attemptAuthentication:

@Override
public Authentication attemptAuthentication(HttpServletRequest request, HttpServletResponse response)
        throws AuthenticationException {
    // Build the unauthenticated Authentication token from the request here, e.g.
    // Authentication token = new UsernamePasswordAuthenticationToken(username, password);
    // then hand it to the AuthenticationManager, which returns the authenticated token.
    return this.getAuthenticationManager().authenticate(token);
}
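The following added example (not the author's code) completes the filter stub above and shows both halves of the flow described in the formlogin section: the filter builds an unauthenticated token, and the AuthenticationProvider verifies it and returns an authenticated one. The class names HeaderTokenAuthenticationFilter and UserDetailsTokenProvider, the /api/login path and the X-Username and X-Password header names are assumptions made for the example.

```java
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.springframework.security.authentication.AuthenticationProvider;
import org.springframework.security.authentication.BadCredentialsException;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.AuthenticationException;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.crypto.password.PasswordEncoder;
import org.springframework.security.web.authentication.AbstractAuthenticationProcessingFilter;
import org.springframework.security.web.util.matcher.AntPathRequestMatcher;

/**
 * Hypothetical filter: reads credentials from two request headers, builds an
 * UNAUTHENTICATED token and hands it to the AuthenticationManager.
 *
 * Registration in SecurityConfiguration (not repeated here):
 *   configure(HttpSecurity http):
 *     HeaderTokenAuthenticationFilter f = new HeaderTokenAuthenticationFilter();
 *     f.setAuthenticationManager(authenticationManager());
 *     http.addFilterBefore(f, UsernamePasswordAuthenticationFilter.class);
 *   configure(AuthenticationManagerBuilder auth):
 *     auth.authenticationProvider(new UserDetailsTokenProvider(userDetailsService, passwordEncoder));
 */
public class HeaderTokenAuthenticationFilter extends AbstractAuthenticationProcessingFilter {

    public HeaderTokenAuthenticationFilter() {
        // Only POST /api/login passes through attemptAuthentication(); every other request is ignored.
        super(new AntPathRequestMatcher("/api/login", "POST"));
    }

    @Override
    public Authentication attemptAuthentication(HttpServletRequest request, HttpServletResponse response)
            throws AuthenticationException {
        String username = request.getHeader("X-Username");
        String password = request.getHeader("X-Password");
        if (username == null || password == null) {
            throw new BadCredentialsException("Missing credentials");
        }
        // The two-argument constructor produces a token with isAuthenticated() == false.
        UsernamePasswordAuthenticationToken token = new UsernamePasswordAuthenticationToken(username, password);
        // ProviderManager delegates to each provider whose supports() accepts this token class.
        return getAuthenticationManager().authenticate(token);
    }
}

/**
 * Hypothetical provider: verifies the token against a UserDetailsService and
 * rebuilds it as an AUTHENTICATED token carrying the user's authorities.
 */
class UserDetailsTokenProvider implements AuthenticationProvider {

    private final UserDetailsService userDetailsService;
    private final PasswordEncoder passwordEncoder;

    UserDetailsTokenProvider(UserDetailsService userDetailsService, PasswordEncoder passwordEncoder) {
        this.userDetailsService = userDetailsService;
        this.passwordEncoder = passwordEncoder;
    }

    @Override
    public Authentication authenticate(Authentication authentication) throws AuthenticationException {
        String username = authentication.getName();
        String presented = (String) authentication.getCredentials();

        // Throws UsernameNotFoundException for unknown users; ProviderManager reports it as
        // BadCredentialsException by default, so callers cannot tell the two cases apart.
        UserDetails user = userDetailsService.loadUserByUsername(username);

        // Compare the presented password against the stored hash, never against plaintext.
        if (!passwordEncoder.matches(presented, user.getPassword())) {
            throw new BadCredentialsException("Bad credentials");
        }

        // The three-argument constructor marks the token as authenticated; the raw
        // credentials are not carried into the SecurityContext.
        return new UsernamePasswordAuthenticationToken(user, null, user.getAuthorities());
    }

    @Override
    public boolean supports(Class<?> authentication) {
        return UsernamePasswordAuthenticationToken.class.isAssignableFrom(authentication);
    }
}
```

The split of responsibilities is the point: the filter knows how the credentials arrive (headers here, form fields in UsernamePasswordAuthenticationFilter), while the provider knows how they are verified, so either side can be replaced without touching the other.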

Posted by trrobnett on Mon, 20 Jan 2020 02:40:08 -0800