2025-01-18 Update From: SLTechnology News&Howtos
Shulou(Shulou.com)06/03 Report--
This article looks at how to understand Spring Security in Java programming. The method introduced here is simple, fast and practical, so interested readers may wish to follow along.
Catalogue
1. Brief introduction of the SpringSecurity framework
1.1 Summary
1.2 Composition and comparison with a similar product (Shiro)
1.2.1 Spring Security
1.2.2 Shiro
1.3 Module division
1.4 Basic principles of SpringSecurity
1.5 UserDetailsService interface explanation
2. SpringSecurity Web permission scheme
2.1 Set the account password for logging in to the system (three ways)
Design database tables
Create a springboot project and check the corresponding dependencies
Complete pom.xml
Database configuration
Create the corresponding entity class
Create a service layer
Configure spring security
Security configuration class description
3. Implementation of "remember me"
4. Implementation of user logout function
5. About CSRF
6. Summary of spring security principle
1. Introduction to the SpringSecurity Framework
1.1 Summary
As you may know, the two main areas of security are "authentication" and "authorization" (or access control). Generally speaking, the security of a Web application has two parts, user authentication (Authentication) and user authorization (Authorization), and these are also the core functions of Spring Security.
(1) User authentication means verifying whether a user is a legitimate principal in the system, that is, whether the user can access the system. It generally requires the user to provide a user name and password, and the system completes the authentication process by verifying them. Put simply, it decides whether the system considers that the user can log in.
(2) User authorization means verifying whether a user has permission to perform an operation. In a system, different users have different permissions. For example, for a file, some users can only read it, while others can modify it. In general, the system assigns different roles to different users, and each role corresponds to a series of permissions. Put simply, the system determines whether the user has the authority to do something.
1.2 Composition and comparison with a similar product (Shiro)
1.2.1 Spring Security
SpringSecurity features:
Seamless integration with Spring.
Comprehensive access control.
Specially designed for Web development.
The old version cannot be used outside the Web environment.
The new version splits the whole framework into a core module and a Web module. Using the core module alone removes the dependency on the Web environment.
Heavyweight.
1.2.2 Shiro
Apache's lightweight access control framework.
Features:
Lightweight. The idea advocated by Shiro is to make complex things simple. It has better performance for Internet applications with higher performance requirements.
Versatility.
Benefits: not limited to the Web environment, can be used outside the Web environment.
Defect: some specific requirements in the Web environment need to be manually written and customized.
Spring Security is a security management framework in the Spring family. Spring Security had already been developed for many years before Spring Boot appeared, but it was not widely used. The field of security management was long dominated by Shiro.
Compared to Shiro, integrating SpringSecurity in SSM is a troublesome operation, so although SpringSecurity is more powerful than Shiro, it is used less than Shiro (Shiro is not as functional as SpringSecurity, but Shiro is sufficient for most projects).
Since the advent of Spring Boot, Spring Boot has provided an automated configuration scheme for Spring Security, allowing you to use Spring Security with less configuration.
Therefore, in general, the common security management technology stacks are as follows:
SSM + Shiro
Spring Boot/Spring Cloud + Spring Security
The above is only a recommended combination; from a purely technical point of view, any combination will run.
1.3 Module division
1.4 Basic principles of SpringSecurity
SpringSecurity is essentially a filter chain; the filter chain can be seen at application startup:
The underlying flow of the code: focus on three filters:
FilterSecurityInterceptor: a method-level permission filter that sits essentially at the bottom of the filter chain.
1.5 UserDetailsService interface explanation
When nothing is configured, the account and password are generated by Spring Security itself. In an actual project, however, the account and password are queried from the database, so the authentication logic has to be controlled by custom code.
To supply custom logic, you only need to implement the UserDetailsService interface, which is defined as follows:
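The interface declares a single method, loadUserByUsername(String username). The following is an added example, not code from the original article, of implementing it; the class name, the account and the in-memory map (standing in for the database query) are constructed for illustration.

```java
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;

import org.springframework.security.core.userdetails.User;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.core.userdetails.UsernameNotFoundException;
import org.springframework.security.crypto.factory.PasswordEncoderFactories;
import org.springframework.security.crypto.password.PasswordEncoder;
import org.springframework.stereotype.Service;

// Hypothetical class name; illustrates the UserDetailsService contract only.
@Service
public class DemoUserDetailsService implements UserDetailsService {

    // Produces "{bcrypt}..." hashes, the format Spring Security's default
    // delegating encoder expects when no PasswordEncoder bean is declared.
    private final PasswordEncoder encoder =
            PasswordEncoderFactories.createDelegatingPasswordEncoder();

    // Constructed stand-in for the user table: username -> password hash.
    private final Map<String, String> passwordHashes = new ConcurrentHashMap<>();

    public DemoUserDetailsService() {
        // Only the hash is stored, never the plaintext password.
        passwordHashes.put("alice", encoder.encode("constructed-sample-password"));
    }

    // Loads the account only; the password is NOT checked here.
    @Override
    public UserDetails loadUserByUsername(String username) throws UsernameNotFoundException {
        String hash = passwordHashes.get(username);
        if (hash == null) {
            // By default the framework reports this as a generic bad-credentials
            // failure, so the login response does not reveal which names exist.
            throw new UsernameNotFoundException("user not found");
        }
        return User.withUsername(username)
                .password(hash)   // the framework compares the submitted password to this hash
                .roles("USER")    // stored as the authority ROLE_USER
                .build();
    }
}
```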
2. SpringSecurity Web permission scheme
2.1 Set the account password to log in to the system (three ways)
One: configure it yourself in application.xml
spring.security.user.name=xxx
spring.security.user.password=xxx
Two: write classes to implement interfaces
Three: implement database authentication to complete user login.
Here's an example to complete authentication and authorization.
Design database tables
Create a springboot project and check the corresponding dependencies
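Full pom.xml

<project>
    <modelVersion>4.0.0</modelVersion>
    <parent>
        <groupId>org.springframework.boot</groupId>
        <artifactId>spring-boot-starter-parent</artifactId>
        <version>2.3.1.RELEASE</version>
    </parent>
    <groupId>com.example</groupId>
    <artifactId>demo</artifactId>
    <version>0.0.1-SNAPSHOT</version>
    <name>demo</name>
    <description>Demo project for Spring Boot</description>
    <properties>
        <java.version>1.8</java.version>
    </properties>
    <dependencies>
        <dependency>
            <groupId>com.alibaba</groupId>
            <artifactId>druid</artifactId>
            <version>1.1.9</version>
        </dependency>
        <dependency>
            <groupId>org.springframework.boot</groupId>
            <artifactId>spring-boot-starter-security</artifactId>
        </dependency>
        <dependency>
            <groupId>org.springframework.boot</groupId>
            <artifactId>spring-boot-starter-web</artifactId>
        </dependency>
        <dependency>
            <groupId>org.mybatis.spring.boot</groupId>
            <artifactId>mybatis-spring-boot-starter</artifactId>
            <version>2.1.3</version>
        </dependency>
        <dependency>
            <groupId>mysql</groupId>
            <artifactId>mysql-connector-java</artifactId>
            <scope>runtime</scope>
        </dependency>
        <dependency>
            <groupId>org.springframework.boot</groupId>
            <artifactId>spring-boot-starter-test</artifactId>
            <scope>test</scope>
            <exclusions>
                <exclusion>
                    <groupId>org.junit.vintage</groupId>
                    <artifactId>junit-vintage-engine</artifactId>
                </exclusion>
            </exclusions>
        </dependency>
        <dependency>
            <groupId>org.springframework.security</groupId>
            <artifactId>spring-security-test</artifactId>
            <scope>test</scope>
        </dependency>
    </dependencies>
    <build>
        <plugins>
            <plugin>
                <groupId>org.springframework.boot</groupId>
                <artifactId>spring-boot-maven-plugin</artifactId>
            </plugin>
        </plugins>
    </build>
</project>

Database configuration

spring:
  datasource:
    type: com.alibaba.druid.pool.DruidDataSource
    username: root
    password: xxxxxx
    url: jdbc:mysql://xxxxxxxxxx  # fill in according to your own situation

Create the corresponding entity class

package com.example.demo.domain;

import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.authority.SimpleGrantedAuthority;
import org.springframework.security.core.userdetails.UserDetails;
import java.util.ArrayList;
import java.util.Collection;
import java.util.List;

public class User implements UserDetails {
    private Integer id;
    private String username;
    private String password;
    private Boolean enabled;
    private Boolean locked;
    private List roles;

    @Override // conversion between the entity class and SpringSecurity
    public Collection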