httpsecurity
類似于spring security的xml配置文件命名空間配置中的<http>元素。它允許對特定的http請求基于安全考慮進(jìn)行配置。默認(rèn)情況下,適用于所有的請求,但可以使用requestmatcher(requestmatcher)或者其它相似的方法進(jìn)行限制。
使用示例:
最基本的基于表單的配置如下。該配置將所有的url訪問權(quán)限設(shè)定為角色名稱為"role_user".同時也定義了內(nèi)存認(rèn)證模式:使用用戶名"user"和密碼“password”,角色"role_user"來認(rèn)證。
|
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
|
@configuration@enablewebsecuritypublic class formloginsecurityconfig extends websecurityconfigureradapter { @override protected void configure(httpsecurity http) throws exception { http .authorizerequests() .antmatchers("/").hasrole("user") .and() .formlogin(); } @override protected void configure(authenticationmanagerbuilder auth) throws exception { auth .inmemoryauthentication() .withuser("user") .password("password") .roles("user"); }} |
配置基于openid的認(rèn)證方式
basic示例,不使用attribute exchange
|
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
|
@configuration@enablewebsecuritypublic class openidloginconfig extends websecurityconfigureradapter { @override protected void configure(httpsecurity http) { http .authorizerequests() .antmatchers("/").hasrole("user") .and() .openidlogin() .permitall(); } @override protected void configure(authenticationmanagerbuilder auth) throws exception { auth .inmemoryauthentication() // the username must match the openid of the user you are // logging in with .withuser("https://www.google.com/accounts/o8/id?id=lmkcn9xzpdsxvwg7pjymudgnndasfmobnkcrpawu") .password("password") .roles("user"); }} |
下面展示一個更高級的示例,使用attribute exchange
|
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
|
@configuration@enablewebsecuritypublic class openidloginconfig extends websecurityconfigureradapter { @override protected void configure(httpsecurity http) { http .authorizerequests() .antmatchers("/").hasrole("user") .and() .openidlogin() .loginpage("/login") .permitall() .authenticationuserdetailsservice(new autoprovisioninguserdetailsservice()) .attributeexchange("https://www.google.com/.") .attribute("email") .type("http://axschema.org/contact/email") .required(true) .and() .attribute("firstname") .type("http://axschema.org/nameperson/first") .required(true) .and() .attribute("lastname") .type("http://axschema.org/nameperson/last") .required(true) .and() .and() .attributeexchange(".yahoo.com.") .attribute("email") .type("http://schema.openid.net/contact/email") .required(true) .and() .attribute("fullname") .type("http://axschema.org/nameperson") .required(true) .and() .and() .attributeexchange(".myopenid.com.") .attribute("email") .type("http://schema.openid.net/contact/email") .required(true) .and() .attribute("fullname") .type("http://schema.openid.net/nameperson") .required(true); }}public class autoprovisioninguserdetailsservice implements authenticationuserdetailsservice<openidauthenticationtoken> { public userdetails loaduserdetails(openidauthenticationtoken token) throws usernamenotfoundexception { return new user(token.getname(), "notused", authorityutils.createauthoritylist("role_user")); }} |
增加響應(yīng)安全報文頭
默認(rèn)情況下當(dāng)使用websecuirtyconfigadapter的默認(rèn)構(gòu)造函數(shù)時激活。
僅觸發(fā)headers()方法而不觸發(fā)其它方法或者接受websecurityconfigureeradater默認(rèn)的,等同于:
|
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
|
@configuration @enablewebsecurity public class csrfsecurityconfig extends websecurityconfigureradapter { @override protected void configure(httpsecurity http) throws exception { http .headers() .contenttypeoptions(); .xssprotection() .cachecontrol() .httpstricttransportsecurity() .frameoptions() .and() ...; } } |
取消安全報文頭,如下:
|
1
2
3
4
5
6
7
8
9
10
11
|
@configuration@enablewebsecuritypublic class csrfsecurityconfig extends websecurityconfigureradapter { @override protected void configure(httpsecurity http) throws exception { http .headers().disable() ...; }} |
使用部分安全報文頭
觸發(fā)headers()方法的返回結(jié)果,例如,只使用headerconfigurer的cachecontroll()方法和headersconfigurer的frameoptions()方法.
|
1
2
3
4
5
6
7
8
9
10
11
12
13
14
|
@configuration@enablewebsecuritypublic class csrfsecurityconfig extends websecurityconfigureradapter { @override protected void configure(httpsecurity http) throws exception { http .headers() .cachecontrol() .frameoptions() .and() ...; }} |
配置session管理
下面的配置展示了只允許認(rèn)證用戶在同一時間只有一個實例是如何配置的。若一個用戶使用用戶名為"user"認(rèn)證并且沒有退出,同一個名為“user”的試圖再次認(rèn)證時,第一個用戶的session將會強制銷毀,并設(shè)置到"/login?expired"的url。
|
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
|
@configuration@enablewebsecuritypublic class sessionmanagementsecurityconfig extends websecurityconfigureradapter { @override protected void configure(httpsecurity http) throws exception { http .authorizerequests() .anyrequest().hasrole("user") .and() .formlogin() .permitall() .and() .sessionmanagement() .maximumsessions(1) .expiredurl("/login?expired"); } @override protected void configure(authenticationmanagerbuilder auth) throws exception { auth. inmemoryauthentication() .withuser("user") .password("password") .roles("user"); }} |
當(dāng)使用sessionmanagementconfigurer的maximumsessio(int)時不用忘記為應(yīng)用配置httpsessioneventpublisher,這樣能保證過期的session能夠被清除。
在web.xml中可以這樣配置:
|
1
2
3
|
<listener> <listener-class>org.springframework.security.web.session.httpsessioneventpublisher</listener-class>;</listener> |
配置portmapper
允許配置一個從httpsecurity的getsharedobject(class)方法中獲取的portmapper。當(dāng)http請求跳轉(zhuǎn)到https或者h(yuǎn)ttps請求跳轉(zhuǎn)到http請求時(例如我們和requireschanenl一起使用時),別的提供的securityconfigurer對象使用p誒賬戶的portmapper作為默認(rèn)的portmapper。默認(rèn)情況下,spring security使用portmapperimpl來映射http端口8080到https端口8443,并且將http端口的80映射到https的端口443.
配置示例如下,下面的配置將確保在spring security中的http請求端口9090跳轉(zhuǎn)到https端口9443 并且將http端口80跳轉(zhuǎn)到https443端口。
|
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
|
@configuration@enablewebsecuritypublic class portmappersecurityconfig extends websecurityconfigureradapter { @override protected void configure(httpsecurity http) throws exception { http .authorizerequests() .antmatchers("/").hasrole("user") .and() .formlogin() .permitall() .and() // example portmapper() configuration .portmapper() .http(9090).mapsto(9443) .http(80).mapsto(443); } @override protected void configure(authenticationmanagerbuilder auth) throws exception { auth .inmemoryauthentication() .withuser("user") .password("password") .roles("user"); }} |
配置基于容器的預(yù)認(rèn)證
在這個場景中,servlet容器管理認(rèn)證。
配置示例:
下面的配置使用httpservletrequest中的principal,若用戶的角色是“role_user”或者"role_admin",將會返回authentication結(jié)果。
|
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
|
@configuration @enablewebsecurity public class jeesecurityconfig extends websecurityconfigureradapter { @override protected void configure(httpsecurity http) throws exception { http .authorizerequests() .antmatchers("/").hasrole("user") .and() // example jee() configuration .jee() .mappableroles("role_user", "role_admin"); } } |
開發(fā)者希望使用基于容器預(yù)認(rèn)證時,需要在web.xml中配置安全限制。例如:
|
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
|
<login-config> <auth-method>form</auth-method> <form-login-config> <form-login-page>/login</form-login-page> <form-error-page>/login?error</form-error-page> </form-login-config> </login-config> <security-role> <role-name>role_user</role-name> </security-role> <security-constraint> <web-resource-collection> <web-resource-name>public</web-resource-name> <description>matches unconstrained pages</description> <url-pattern>/login</url-pattern> <url-pattern>/logout</url-pattern> <url-pattern>/resources/</url-pattern> </web-resource-collection> </security-constraint> <security-constraint> <web-resource-collection> <web-resource-name>secured areas</web-resource-name> <url-pattern>/</url-pattern> </web-resource-collection> <auth-constraint> <role-name>role_user</role-name> </auth-constraint> </security-constraint> |
配置基于x509的預(yù)認(rèn)證
配置示例,下面的配置試圖從x509證書中提取用戶名,注意,為完成這個工作,客戶端請求證書需要配置到servlet容器中。
|
1
2
3
4
5
6
7
8
9
10
11
12
13
14
|
@configuration@enablewebsecuritypublic class x509securityconfig extends websecurityconfigureradapter { @override protected void configure(httpsecurity http) throws exception { http .authorizerequests() .antmatchers("/").hasrole("user") .and() // example x509() configuration .x509(); }} |
配置remember-me服務(wù)
配置示例,下面的配置展示了如何允許基于token的remember-me的認(rèn)證。若http參數(shù)中包含一個名為“remember-me”的參數(shù),不管session是否過期,用戶記錄將會被記保存下來。
|
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
|
@configuration @enablewebsecurity public class remembermesecurityconfig extends websecurityconfigureradapter { @override protected void configure(authenticationmanagerbuilder auth) throws exception { auth .inmemoryauthentication() .withuser("user") .password("password") .roles("user"); } @override protected void configure(httpsecurity http) throws exception { http .authorizerequests() .antmatchers("/").hasrole("user") .and() .formlogin() .permitall() .and() // example remember me configuration .rememberme(); } } |
限制httpservletrequest的請求訪問
配置示例,最基本的示例是配置所有的url訪問都需要角色"role_user".下面的配置要求每一個url的訪問都需要認(rèn)證,并且授權(quán)訪問權(quán)限給用戶"admin"和"user".
|
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
|
@configuration @enablewebsecurity public class authorizeurlssecurityconfig extends websecurityconfigureradapter { @override protected void configure(httpsecurity http) throws exception { http .authorizerequests() .antmatchers("/").hasrole("user") .and() .formlogin(); } @override protected void configure(authenticationmanagerbuilder auth) throws exception { auth .inmemoryauthentication() .withuser("user") .password("password") .roles("user") .and() .withuser("adminr") .password("password") .roles("admin","user"); } } |
同樣,也可以配置多個url。下面的配置要求以/admin/開始的url訪問權(quán)限為“admin”用戶。
|
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
|
@configuration @enablewebsecurity public class authorizeurlssecurityconfig extends websecurityconfigureradapter { @override protected void configure(httpsecurity http) throws exception { http .authorizerequests() .antmatchers("/admin/**").hasrole("admin") .antmatchers("/**").hasrole("user") .and() .formlogin(); } @override protected void configure(authenticationmanagerbuilder auth) throws exception { auth .inmemoryauthentication() .withuser("user") .password("password") .roles("user") .and() .withuser("adminr") .password("password") .roles("admin","user"); } } |
注意:匹配起效是按照順序來的。因此如果下面的配置是無效的,因為滿足第一個規(guī)則后將不會檢查第二條規(guī)則:
|
1
2
3
4
|
http .authorizerequests() .antmatchers("/**").hasrole("user") .antmatchers("/admin/**").hasrole("admin") |
增加csrf支持
默認(rèn)情況下,當(dāng)使用websecurityconfigureradapter時的默認(rèn)構(gòu)造方法時csrf是激活的。你可以使用如下方法關(guān)閉它:
|
1
2
3
4
5
6
7
8
9
10
11
|
@configuration@enablewebsecuritypublic class csrfsecurityconfig extends websecurityconfigureradapter { @override protected void configure(httpsecurity http) throws exception { http .csrf().disable() ...; }} |
增加logout支持
默認(rèn)支持,當(dāng)使用websecurityconfigureradapter時logout是支持的。當(dāng)用戶發(fā)出“/logout”請求時,系統(tǒng)將會銷毀session并且清空配置的rememberme()認(rèn)證,然后清除securitycontextholder,最后跳向logout成功頁面或者登陸頁面。
|
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
|
@configuration @enablewebsecurity public class logoutsecurityconfig extends websecurityconfigureradapter { @override protected void configure(httpsecurity http) throws exception { http .authorizerequests() .antmatchers("/").hasrole("user") .and() .formlogin() .and() // sample logout customization .logout() .logout() .deletecookies("remove") .invalidatehttpsession(false) .logouturl("/custom-logout") .logoutsuccessurl("/logout-success"); } @override protected void configure(authenticationmanagerbuilder auth) throws exception { auth .inmemoryauthentication() .withuser("user") .password("password") .roles("user"); } } |
匿名用戶控制
使用websecurityconfigureradapter時自動綁定。默認(rèn)情況下,匿名用戶有一個anonymousauthenticationtoken標(biāo)示,包含角色"role_anonymous"。
下面的配置展示了如何指定匿名用戶應(yīng)該包含"role_anon".
|
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
|
@configuration@enablewebsecuritypublic class anononymoussecurityconfig extends websecurityconfigureradapter { @override protected void configure(httpsecurity http) throws exception { http .authorizerequests() .antmatchers("/").hasrole("user") .and() .formlogin() .and() // sample anonymous customization .anonymous() .authorities("role_anon"); } @override protected void configure(authenticationmanagerbuilder auth) throws exception { auth .inmemoryauthentication() .withuser("user") .password("password") .roles("user"); }} |
基于表單的認(rèn)證
若formloginconfigurer的loginpage(string)沒有指定,將會產(chǎn)生一個默認(rèn)的login頁面。
示例配置:
|
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
|
@configuration @enablewebsecurity public class formloginsecurityconfig extends websecurityconfigureradapter { @override protected void configure(httpsecurity http) throws exception { http .authorizerequests() .antmatchers("/**").hasrole("user") .and() .formlogin(); } @override protected void configure(authenticationmanagerbuilder auth) throws exception { auth .inmemoryauthentication() .withuser("user") .password("password") .roles("user"); } } |
下面的示例展示了自定義的表單認(rèn)證:
|
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
|
@configuration @enablewebsecurity public class formloginsecurityconfig extends websecurityconfigureradapter { @override protected void configure(httpsecurity http) throws exception { http .authorizerequests() .antmatchers("/").hasrole("user") .and() .formlogin() .usernameparameter("j_username") // default is username .passwordparameter("j_password") // default is password .loginpage("/authentication/login") // default is /login with an http get .failureurl("/authentication/login?failed") // default is /login?error .loginprocessingurl("/authentication/login/process"); // default is /login with an http post } @override protected void configure(authenticationmanagerbuilder auth) throws exception { auth .inmemoryauthentication() .withuser("user") .password("password") .roles("user"); } } |
配置安全通道
為使配置生效,需至少配置一個通道的映射。
配置示例:
下面例子展示了如何將每個請求都使用https通道。
|
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
|
@configuration @enablewebsecurity public class channelsecurityconfig extends websecurityconfigureradapter { @override protected void configure(httpsecurity http) throws exception { http .authorizerequests() .antmatchers("/**").hasrole("user") .and() .formlogin() .and() .channelsecurity() .anyrequest().requiressecure(); } @override protected void configure(authenticationmanagerbuilder auth) throws exception { auth .inmemoryauthentication() .withuser("user") .password("password") .roles("user"); } } |
配置http 基本認(rèn)證
配置示例:
|
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
|
@configuration @enablewebsecurity public class httpbasicsecurityconfig extends websecurityconfigureradapter { @override protected void configure(httpsecurity http) throws exception { http .authorizerequests() .antmatchers("/**").hasrole("user").and() .httpbasic(); } @override protected void configure(authenticationmanagerbuilder auth) throws exception { auth .inmemoryauthentication() .withuser("user") .password("password") .roles("user"); } } |
配置要觸發(fā)的httprequest
重寫requestmatcher方法、antmatcher()z、regexmatcher()等。
配置示例
下面的配置使httpsecurity接收以"/api/","/oauth/"開頭請求。
|
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
|
@configuration @enablewebsecurity public class requestmatcherssecurityconfig extends websecurityconfigureradapter { @override protected void configure(httpsecurity http) throws exception { http .requestmatchers() .antmatchers("/api/**","/oauth/**") .and() .authorizerequests() .antmatchers("/**").hasrole("user").and() .httpbasic(); } @override protected void configure(authenticationmanagerbuilder auth) throws exception { auth .inmemoryauthentication() .withuser("user") .password("password") .roles("user"); } } |
下面的配置和上面的相同:
|
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
|
@configuration @enablewebsecurity public class requestmatcherssecurityconfig extends websecurityconfigureradapter { @override protected void configure(httpsecurity http) throws exception { http .requestmatchers() .antmatchers("/api/**") .antmatchers("/oauth/**") .and() .authorizerequests() .antmatchers("/**").hasrole("user").and() .httpbasic(); } @override protected void configure(authenticationmanagerbuilder auth) throws exception { auth .inmemoryauthentication() .withuser("user") .password("password") .roles("user"); } } |
同樣也可以這樣使用:
|
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
|
@configuration @enablewebsecurity public class requestmatcherssecurityconfig extends websecurityconfigureradapter { @override protected void configure(httpsecurity http) throws exception { http .requestmatchers() .antmatchers("/api/**") .and() .requestmatchers() .antmatchers("/oauth/**") .and() .authorizerequests() .antmatchers("/**").hasrole("user").and() .httpbasic(); } @override protected void configure(authenticationmanagerbuilder auth) throws exception { auth .inmemoryauthentication() .withuser("user") .password("password") .roles("user"); } } |
小結(jié):
本文是從httpsecurity代碼中整理得來的,有助于對spring security的全面理解。
以上就是本文的全部內(nèi)容,希望對大家的學(xué)習(xí)有所幫助,也希望大家多多支持服務(wù)器之家。
原文鏈接:https://www.cnblogs.com/davidwang456/p/4549344.html
