Shulou(Shulou.com)06/03 Report--

The main content of this article is to explain "Why to add a Spring Security depends on all interfaces can not be accessed", interested friends might as well take a look. The method introduced in this paper is simple, fast and practical. Let's let the editor take you to learn "Why do you add a Spring Security that depends on all interfaces that cannot be accessed?"

Text

When we add the Spring Security dependency to the project, it will intercept all requests by default, even without any configuration.

To change the default behavior of Spring Security, we need to do some configuration, that is, by overriding the configure (HttpSecurity http) method of WebSecurityConfigurerAdapter.

So the question is, why can you intercept requests with just a Spring Security dependency?

The answer naturally has something to do with the automatic assembly of Springboot.

SecurityAutoConfiguration assembly class

Through the @ Import annotation, you can find the SpringBootWebSecurityConfiguration class

@ Configuration (proxyBeanMethods = false) @ ConditionalOnClass (DefaultAuthenticationEventPublisher.class) @ EnableConfigurationProperties (SecurityProperties.class) @ Import ({SpringBootWebSecurityConfiguration.class, WebSecurityEnablerConfiguration.class, SecurityDataConfiguration.class}) public class SecurityAutoConfiguration {@ Bean @ ConditionalOnMissingBean (AuthenticationEventPublisher.class) public DefaultAuthenticationEventPublisher authenticationEventPublisher (ApplicationEventPublisher publisher) {return new DefaultAuthenticationEventPublisher (publisher);}} SpringBootWebSecurityConfiguration class

As you can see from @ ConditionalOnMissingBean (WebSecurityConfigurerAdapter.class), this configuration class takes effect only when WebSecurityConfigurerAdapter is not configured in the project.

When this configuration class takes effect, it will help us configure a default WebSecurityConfigurerAdapter

As can be seen from the previous, the interception mode can be defined by configuring WebSecurityConfigurerAdapter.

@ Configuration (proxyBeanMethods = false) @ ConditionalOnClass (WebSecurityConfigurerAdapter.class) @ ConditionalOnMissingBean (WebSecurityConfigurerAdapter.class) @ ConditionalOnWebApplication (type = Type.SERVLET) public class SpringBootWebSecurityConfiguration {@ Configuration (proxyBeanMethods = false) @ Order (SecurityProperties.BASIC_AUTH_ORDER) static class DefaultConfigurerAdapter extends WebSecurityConfigurerAdapter {}} WebSecurityConfigurerAdapter default behavior

As you can see from the default configuration below, the default configuration is that all requests require login authentication.

Protected void configure (HttpSecurity http) throws Exception {http .authorizeRequests () / key .anyRequest (). Authenticated () and () .formLogin (). And () .httpBasic ();} Summary

When our Springboot project introduced Spring Security dependency, the security mechanism in the project was turned on.

Because according to the automatic assembly principle of Spring boot, when loading the SecurityAutoConfiguration configuration class, the SpringBootWebSecurityConfiguration configuration class will be loaded again.

In the SpringBootWebSecurityConfiguration class, a WebSecurityConfigurerAdapter class is initialized for us by default.

One of the functions of WebSecurityConfigurerAdapter is to configure the permissions required for access requests.

If the configure (HttpSecurity http) method of this class is not overridden, its default behavior is to require login authentication for all requests.

At this point, I believe you have a deeper understanding of "why you add a Spring Security that depends on all interfaces are inaccessible". You might as well do it in practice. Here is the website, more related content can enter the relevant channels to inquire, follow us, continue to learn!

Welcome to subscribe "Shulou Technology Information " to get latest news, interesting things and hot topics in the IT industry, and controls the hottest and latest Internet news, technology news and IT industry trends.