Spring Security Quick Setup

1. Add the Maven dependencies

Core packages

        <!-- https://mvnrepository.com/artifact/org.springframework.security/spring-security-core -->
        <dependency>
            <groupId>org.springframework.security</groupId>
            <artifactId>spring-security-core</artifactId>
            <version>${spring-framework-security.version}</version>
        </dependency>
        <!-- https://mvnrepository.com/artifact/org.springframework.security/spring-security-config -->
        <dependency>
            <groupId>org.springframework.security</groupId>
            <artifactId>spring-security-config</artifactId>
            <version>${spring-framework-security.version}</version>
        </dependency>
        <!-- https://mvnrepository.com/artifact/org.springframework.security/spring-security-web -->
        <dependency>
            <groupId>org.springframework.security</groupId>
            <artifactId>spring-security-web</artifactId>
            <version>${spring-framework-security.version}</version>
        </dependency>

2. Write the Java configuration

2.1 Security configuration

  Extend WebSecurityConfigurerAdapter and add @EnableWebSecurity. The code below is the minimal configuration.

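import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;

// Empty on purpose: every default of WebSecurityConfigurerAdapter applies.
@EnableWebSecurity
public class WebSecurityConfig extends WebSecurityConfigurerAdapter {

}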

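The code above looks simple, yet it does quite a lot.

  • Requires authentication for every URL
  • Generates a default login form
  • Lets users log in with a username and password
  • Logout
  • CSRF protection (forms need a hidden _csrf field)
  • Session fixation protection
  • Security header protection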
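
The defaults listed above, written out explicitly, as an added example that is not code from the original post. The class name and the in-memory demo account with its password are assumptions; the calls are those of the WebSecurityConfigurerAdapter-style API the page uses.

```java
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
import org.springframework.security.crypto.password.PasswordEncoder;

// Hypothetical class name; stands in for the empty WebSecurityConfig above.
@Configuration
@EnableWebSecurity
public class ExplicitWebSecurityConfig extends WebSecurityConfigurerAdapter {

    @Bean
    public PasswordEncoder passwordEncoder() {
        return new BCryptPasswordEncoder();
    }

    // Assumption: one in-memory demo account; replace with a real user store.
    @Override
    protected void configure(AuthenticationManagerBuilder auth) throws Exception {
        PasswordEncoder encoder = passwordEncoder();
        auth.inMemoryAuthentication()
            .passwordEncoder(encoder)
            .withUser("demo-user")
            .password(encoder.encode("change-me"))
            .roles("USER");
    }

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            .authorizeRequests().anyRequest().authenticated() // every URL requires authentication
                .and()
            .formLogin()   // generated login form, username + password
                .and()
            .logout()      // with CSRF enabled, logout must be a POST to /logout
                .and()
            .csrf()        // state-changing requests must carry the _csrf token
                .and()
            .sessionManagement().sessionFixation().migrateSession() // new session at login
                .and()
            .headers().frameOptions().deny(); // X-Frame-Options: DENY, plus the other default headers
    }
}
```

In a JSP form the hidden field mentioned in the list is `<input type="hidden" name="${_csrf.parameterName}" value="${_csrf.token}"/>`.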

2.2 Register springSecurityFilterChain

  Simply extend AbstractSecurityWebApplicationInitializer.

public class SecurityWebApplicationInitializer extends AbstractSecurityWebApplicationInitializer {

}

AbstractSecurityWebApplicationInitializer implements WebApplicationInitializer, so Spring discovers it and uses it to register springSecurityFilterChain with the web container.

2.3 Wire WebSecurityConfig into Spring MVC

Option 1

Declare it in getRootConfigClasses() of the WebAppInitializer.

  

public class MvcWebApplicationInitializer extends
        AbstractAnnotationConfigDispatcherServletInitializer {

    @Override
    protected Class<?>[] getRootConfigClasses() {
        return new Class[] { WebSecurityConfig.class };
    }

    // ... other overrides ...
}

Option 2

Add the @Configuration annotation so that component scanning picks the class up.

@Configuration
@EnableWebSecurity
public class WebSecurityConfig extends WebSecurityConfigurerAdapter {

}

@Configuration
@ComponentScan(basePackages = { "com.mcs.Sgin.config" })
public class RootConfig {

}

Note

Be sure to have security configuration in the root web application context, not in a servlet application context. 

posted @ 2018-06-03 14:30  mcsLix