A Casual Discussion of Spring Security in Spring Boot 2.x Endpoints

Posted by aboruo


Spring Boot 2.x greatly simplifies the default security configuration. This does not mean there are many security-related settings to make; rather, you now only need to provide a subclass of WebSecurityConfigurerAdapter, a simple step, and Spring Boot avoids a whole class of security problems for you.

Actuator no longer has its own separate security configuration (the management.security.* properties have been removed), and the per-endpoint sensitive flag has been removed as well, which makes the security configuration more explicit.

For example, if you had the following configuration in 1.x:

endpoints:
    info:
        sensitive: false
    mappings:
        sensitive: true
management:
    security:
        roles: MY_ADMIN
Now you can do it like this:
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;

/**
 * name: TestWebSecurityConfigureAdapter
 *
 * @author aboruo
 * @Description an example on adding our custom WebSecurityConfigurerAdapter
 * @Date create in 2019/9/9 20:50.
 */
@EnableWebSecurity
public class TestWebSecurityConfigureAdapter extends WebSecurityConfigurerAdapter {
    @Override
    protected void configure(HttpSecurity http) throws Exception {
        // CSRF protection is switched off here; that suits an API consumed with
        // HTTP Basic, not an application that relies on browser sessions.
        // health and info stay open; every other actuator endpoint needs
        // ROLE_MY_ADMIN, authenticated via HTTP Basic.
        http.csrf().disable().authorizeRequests()
                .antMatchers("/actuator/health", "/actuator/info")
                .permitAll()
                .antMatchers("/actuator/**")
                .hasRole("MY_ADMIN")
                .and().httpBasic();
    }
}

Note that in 2.x, health and info are accessible by default (although health details are not shown by default). To stay consistent with these new defaults, health has been added to the first matcher.
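The test below is added here and is not part of the original post; it pins down the access rules of the adapter above so that a later change to the matcher order does not silently expose an endpoint. It assumes a Spring Boot 2.2+ application (JUnit 5) with spring-boot-starter-actuator, spring-boot-starter-security and spring-security-test on the classpath; the class name, the user names and the `management.endpoints.web.exposure.include=*` property (needed so that `/actuator/env` is reachable over HTTP) are constructed for the example.

```java
import static org.springframework.security.test.web.servlet.request.SecurityMockMvcRequestPostProcessors.user;
import static org.springframework.test.web.servlet.request.MockMvcRequestBuilders.get;
import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.status;

import org.junit.jupiter.api.Test;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.boot.test.autoconfigure.web.servlet.AutoConfigureMockMvc;
import org.springframework.boot.test.context.SpringBootTest;
import org.springframework.test.web.servlet.MockMvc;

// Constructed example: exposes all endpoints so /actuator/env exists to be tested.
@SpringBootTest(properties = "management.endpoints.web.exposure.include=*")
@AutoConfigureMockMvc
class ActuatorAccessControlTest {

    @Autowired
    private MockMvc mvc;

    @Test
    void healthAndInfoAreOpenToAnonymousUsers() throws Exception {
        // Matches the permitAll() matcher; no credentials required.
        mvc.perform(get("/actuator/health")).andExpect(status().isOk());
        mvc.perform(get("/actuator/info")).andExpect(status().isOk());
    }

    @Test
    void otherEndpointsRequireAuthentication() throws Exception {
        // No credentials: the httpBasic() entry point answers 401.
        mvc.perform(get("/actuator/env")).andExpect(status().isUnauthorized());
    }

    @Test
    void authenticatedUserWithoutAdminRoleIsForbidden() throws Exception {
        // hasRole("MY_ADMIN") checks for the authority ROLE_MY_ADMIN;
        // a user holding only ROLE_USER is authenticated but denied (403).
        mvc.perform(get("/actuator/env").with(user("bob").roles("USER")))
           .andExpect(status().isForbidden());
    }

    @Test
    void adminRoleCanReadProtectedEndpoints() throws Exception {
        // user(...).roles("MY_ADMIN") injects ROLE_MY_ADMIN without going through Basic auth.
        mvc.perform(get("/actuator/env").with(user("alice").roles("MY_ADMIN")))
           .andExpect(status().isOk());
    }
}
```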

How endpoints are handled when Spring Boot 2.x does not bring in Spring Security (to be continued)

1. First, locate the auto-configuration class in the spring.factories file of spring-boot-autoconfigure.

Look at this class:

/**
 * {@link EnableAutoConfiguration Auto-configuration} for Spring Security.
 *
 * @author Dave Syer
 * @author Andy Wilkinson
 * @author Madhura Bhave
 * @since 1.0.0
 */
@Configuration
@ConditionalOnClass(DefaultAuthenticationEventPublisher.class)
@EnableConfigurationProperties(SecurityProperties.class)
@Import({ SpringBootWebSecurityConfiguration.class, WebSecurityEnablerConfiguration.class,
        SecurityDataConfiguration.class })
public class SecurityAutoConfiguration {

    @Bean
    @ConditionalOnMissingBean(AuthenticationEventPublisher.class)
    public DefaultAuthenticationEventPublisher authenticationEventPublisher(ApplicationEventPublisher publisher) {
        return new DefaultAuthenticationEventPublisher(publisher);
    }

}

DefaultAuthenticationEventPublisher: the authentication event publisher used by default.
SecurityProperties: the security-related properties, all prefixed with spring.security.
Through @Import, SecurityAutoConfiguration also pulls in several key configuration classes:

① SpringBootWebSecurityConfiguration
/**
 * The default configuration for web security. It relies on Spring Security's
 * content-negotiation strategy to determine what sort of authentication to use. If the
 * user specifies their own {@link WebSecurityConfigurerAdapter}, this will back-off
 * completely and the users should specify all the bits that they want to configure as
 * part of the custom security configuration.
 *
 * @author Madhura Bhave
 * @since 2.0.0
 */
@Configuration
@ConditionalOnClass(WebSecurityConfigurerAdapter.class)
@ConditionalOnMissingBean(WebSecurityConfigurerAdapter.class)
@ConditionalOnWebApplication(type = Type.SERVLET)
public class SpringBootWebSecurityConfiguration {

    @Configuration
    @Order(SecurityProperties.BASIC_AUTH_ORDER)
    static class DefaultConfigurerAdapter extends WebSecurityConfigurerAdapter {

    }

}

This is Spring Boot's default security configuration class. It relies on Spring Security's content-negotiation strategy to decide which kind of authentication to use. From the code we can see:
  • When the user defines their own WebSecurityConfigurerAdapter, SpringBootWebSecurityConfiguration does not take effect;
  • It only takes effect when the application is a web application of type SERVLET.

② WebSecurityEnablerConfiguration
This is an enabling configuration class. As the name suggests, it only takes effect when a bean of type WebSecurityConfigurerAdapter exists in the ApplicationContext, and its job is to apply the @EnableWebSecurity annotation on behalf of such beans.
/**
 * If there is a bean of type WebSecurityConfigurerAdapter, this adds the
 * {@link EnableWebSecurity} annotation. This will make sure that the annotation is
 * present with default security auto-configuration and also if the user adds custom
 * security and forgets to add the annotation. If {@link EnableWebSecurity} has already
 * been added or if a bean with name {@value BeanIds#SPRING_SECURITY_FILTER_CHAIN} has
 * been configured by the user, this will back-off.
 *
 * @author Madhura Bhave
 * @since 2.0.0
 */
@Configuration
@ConditionalOnBean(WebSecurityConfigurerAdapter.class)
@ConditionalOnMissingBean(name = BeanIds.SPRING_SECURITY_FILTER_CHAIN)
@ConditionalOnWebApplication(type = ConditionalOnWebApplication.Type.SERVLET)
@EnableWebSecurity
public class WebSecurityEnablerConfiguration {

}


③ SecurityDataConfiguration
When the SecurityEvaluationContextExtension class is present on the classpath, this automatically adds Spring Security's integration with Spring Data.
/**
 * Automatically adds Spring Security's integration with Spring Data.
 *
 * @author Rob Winch
 * @since 1.3.0
 */
@Configuration
@ConditionalOnClass(SecurityEvaluationContextExtension.class)
public class SecurityDataConfiguration {

    @Bean
    @ConditionalOnMissingBean
    public SecurityEvaluationContextExtension securityEvaluationContextExtension() {
        return new SecurityEvaluationContextExtension();
    }

}

In later posts we will go through the following classes one by one to understand how they work:
SecurityRequestMatcherProviderAutoConfiguration
UserDetailsServiceAutoConfiguration
SecurityFilterAutoConfiguration
OAuth2ClientAutoConfiguration
OAuth2ResourceServerAutoConfiguration
