漫谈Spring Security 在Spring Boot 2.x endpoints中的应用
Posted aboruo
tags:
篇首语:本文由小常识网(cha138.com)小编为大家整理,主要介绍了漫谈Spring Security 在Spring Boot 2.x endpoints中的应用相关的知识,希望对你有一定的参考价值。
Spring Boot 2.x极大简化了默认的安全配置,并不是说有很多安全相关的配置,现在你只需要提供一个WebSecurityConfigurerAdapter继承类这样一个简单的操作,Spring Boot就可以规避很多安全问题。
Actuator 不再有各自单独的安全配置(management.security.*配置已被取消),每个endpoint的sensitive 标志也会被取消,这样使得安全配置更加明确了。
比如说:你有如下配置
endpoints:
info:
sensitive: false
mappings:
sensitive: true
management:
security:
roles: MY_ADMIN
now,you can do it like this:
import org.springframework.security.config.annotation.web.builders.HttpSecurity; import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity; import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter; /** * name: TestWebSecurityConfigureAdapter * * @author aboruo * @Description an example on adding our custom WebSecurityConfigurerAdapter * @Date create in 2019/9/9 20:50. */ @EnableWebSecurity public class TestWebSecurityConfigureAdapter extends WebSecurityConfigurerAdapter @Override protected void configure(HttpSecurity http) throws Exception http.csrf().disable().authorizeRequests() .antMatchers("/actuator/health","/actuator/info") .permitAll() .antMatchers("/actuator/**") .hasRole("MY_ADMIN") .and().httpBasic();
请注意,在2.x中,默认情况下 health 和info 是可以被访问的,(默认情况下 health 的详细信息不能被访问显示)。 为了与这些新的默认值保持一致,health 已被添加到首要的mather中。
Spring boot 2.x 不引入Spring Security时,endpoint实现(未完待续)
1. 先在spring-boot-autoconfigure的spring.factories文件找到autoconfiguration类
查看此类
/** * @link EnableAutoConfiguration Auto-configuration for Spring Security. * * @author Dave Syer * @author Andy Wilkinson * @author Madhura Bhave * @since 1.0.0 */ @Configuration @ConditionalOnClass(DefaultAuthenticationEventPublisher.class) @EnableConfigurationProperties(SecurityProperties.class) @Import( SpringBootWebSecurityConfiguration.class, WebSecurityEnablerConfiguration.class, SecurityDataConfiguration.class ) public class SecurityAutoConfiguration @Bean @ConditionalOnMissingBean(AuthenticationEventPublisher.class) public DefaultAuthenticationEventPublisher authenticationEventPublisher(ApplicationEventPublisher publisher) return new DefaultAuthenticationEventPublisher(publisher);
DefaultAuthenticationEventPublisher: 默认使用的权限授权事件publisher
SecurityProperties: 安全设置相关属性配置文件,以:spring.security开头
通过 SecurityAutoConfiguration 又引入了几个关键的配置类
① SpringBootWebSecurityConfiguration
/** * The default configuration for web security. It relies on Spring Security‘s * content-negotiation strategy to determine what sort of authentication to use. If the * user specifies their own @link WebSecurityConfigurerAdapter, this will back-off * completely and the users should specify all the bits that they want to configure as * part of the custom security configuration. * * @author Madhura Bhave * @since 2.0.0 */ @Configuration @ConditionalOnClass(WebSecurityConfigurerAdapter.class) @ConditionalOnMissingBean(WebSecurityConfigurerAdapter.class) @ConditionalOnWebApplication(type = Type.SERVLET) public class SpringBootWebSecurityConfiguration @Configuration @Order(SecurityProperties.BASIC_AUTH_ORDER) static class DefaultConfigurerAdapter extends WebSecurityConfigurerAdapter
这是spring boot 默认的安全配置类,它依赖于Spring安全的*内容协商策略来确定使用哪种身份验证。通过代码,我们可以看到:
- 当用户定义了自己的WebSecurityConfigurerAdapter类时,SpringBootWebSecurityConfiguration将不会生效;
- 当应用是web应用且类型是SERVLET类型时才会生效
② WebSecurityEnablerConfiguration
这是一个确认配置类,顾名思义:当applicationContext中存在WebSecurityConfigureAdapter类型的bean时,它才会生效,它的职责是这类bean加@EnableWebSecurity注解。
/** * If there is a bean of type WebSecurityConfigurerAdapter, this adds the * @link EnableWebSecurity annotation. This will make sure that the annotation is * present with default security auto-configuration and also if the user adds custom * security and forgets to add the annotation. If @link EnableWebSecurity has already * been added or if a bean with name @value BeanIds#SPRING_SECURITY_FILTER_CHAIN has * been configured by the user, this will back-off. * * @author Madhura Bhave * @since 2.0.0 */ @Configuration @ConditionalOnBean(WebSecurityConfigurerAdapter.class) @ConditionalOnMissingBean(name = BeanIds.SPRING_SECURITY_FILTER_CHAIN) @ConditionalOnWebApplication(type = ConditionalOnWebApplication.Type.SERVLET) @EnableWebSecurity public class WebSecurityEnablerConfiguration
③ SecurityDataConfiguration
当应用环境中存在SecurityEvaluationContextExtension类时,自动添加带有Spring Data 的 spring security 集成。
/** * Automatically adds Spring Security‘s integration with Spring Data. * * @author Rob Winch * @since 1.3.0 */ @Configuration @ConditionalOnClass(SecurityEvaluationContextExtension.class) public class SecurityDataConfiguration @Bean @ConditionalOnMissingBean public SecurityEvaluationContextExtension securityEvaluationContextExtension() return new SecurityEvaluationContextExtension();
后续我们会对
SecurityRequestMatcherProviderAutoConfiguration
UserDetailsServiceAutoConfiguration
SecurityFilterAutoConfiguration
OAuth2ClientAutoConfiguration
OAuth2ResourceServerAutoConfiguration
这几个类逐一进行介绍,从而来了解它的工作原理。
以上是关于漫谈Spring Security 在Spring Boot 2.x endpoints中的应用的主要内容,如果未能解决你的问题,请参考以下文章
Spring Framework,Spring Security - 可以在没有 Spring Framework 的情况下使用 Spring Security?
Spring Cloud Alibaba - 01漫谈传统架构和微服务架构