Spring Security - studiofu/brain GitHub Wiki
Notes
- Add the `spring-boot-starter-security` dependency.
- https://www.jianshu.com/p/08cc28921fd0
- By default (Spring Boot 1.x), Spring Boot uses `AuthenticationManagerConfiguration.configure` to build the in-memory users and `SecurityProperties` to generate the default user: username `user`, with a random password printed in the startup log ("Using default security password: ..."). In Spring Boot 2.x this moved to `UserDetailsServiceAutoConfiguration`.
  - The default user can be overridden in the properties file: `security.user.name=admin` and `security.user.password=admin` (Spring Boot 1.x names; in Spring Boot 2.x the keys are `spring.security.user.name` and `spring.security.user.password`). A password committed to a properties file is acceptable for local development only.
- To use an in-memory user list, create a class that extends `WebSecurityConfigurerAdapter` and override `protected void configure(AuthenticationManagerBuilder auth) throws Exception`.
  - Define the users there, for example an in-memory user:
  - `auth.inMemoryAuthentication().withUser("test").password("123456").roles("USER");`
  - Since Spring Security 5 a `PasswordEncoder` is mandatory: a plaintext `password("123456")` compiles but fails at login with "There is no PasswordEncoder mapped for the id null". Store the password encoded (e.g. BCrypt) or, for throw-away demos only, prefix it with `{noop}`.
- Use `HttpSecurity` to configure access control and authorization.
  - Control method-level authorization with `@PreAuthorize`. This requires `@EnableGlobalMethodSecurity(prePostEnabled = true)` on a configuration class; without it the annotation is silently ignored and the method is open to everyone.
  - `@PreAuthorize("hasRole('ADMIN')")`
  - To show the username in the front end, read it from the `SecurityContextHolder`:
  - `Object principal = SecurityContextHolder.getContext().getAuthentication().getPrincipal();`
  - `String username = ((UserDetails) principal).getUsername();`
  - Check the principal type before casting: for an anonymous request the principal is the String `"anonymousUser"`, and the cast to `UserDetails` throws `ClassCastException`.
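As an added example (not the wiki's own code, nor code from the linked tutorials), one configuration that does everything in this section for Spring Boot 2.x / Spring Security 5.x: in-memory users with BCrypt-hashed passwords, `HttpSecurity` rules, `@EnableGlobalMethodSecurity` so that `@PreAuthorize` is actually enforced, and a controller that reads the username from the `SecurityContextHolder` without blowing up on anonymous requests. Paths, user names and passwords are illustrative assumptions. `WebSecurityConfigurerAdapter` was deprecated in Spring Security 5.7 and removed in 6.0, where a `SecurityFilterChain` bean replaces it.

```java
package com.example.security; // assumed package

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.access.prepost.PreAuthorize;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.method.configuration.EnableGlobalMethodSecurity;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
import org.springframework.security.crypto.password.PasswordEncoder;
import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.RestController;

@Configuration
@EnableWebSecurity
@EnableGlobalMethodSecurity(prePostEnabled = true) // without this, @PreAuthorize is ignored
public class InMemorySecurityConfig extends WebSecurityConfigurerAdapter {

    @Bean
    public PasswordEncoder passwordEncoder() {
        return new BCryptPasswordEncoder();
    }

    @Override
    protected void configure(AuthenticationManagerBuilder auth) throws Exception {
        // Passwords are stored BCrypt-hashed; a bare password("123456") fails in Spring Security 5.
        // Users and passwords are illustrative assumptions.
        auth.inMemoryAuthentication()
            .passwordEncoder(passwordEncoder())
            .withUser("test").password(passwordEncoder().encode("123456")).roles("USER")
            .and()
            .withUser("admin").password(passwordEncoder().encode("s3cret")).roles("USER", "ADMIN");
    }

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        // Rules are matched in order: the first antMatchers that fits the request wins.
        http.authorizeRequests()
                .antMatchers("/", "/login", "/me", "/css/**").permitAll() // assumed public paths
                .antMatchers("/admin/**").hasRole("ADMIN")                // hasRole adds the ROLE_ prefix
                .anyRequest().authenticated()
            .and()
            .formLogin().defaultSuccessUrl("/home", true)
            .and()
            .logout().logoutSuccessUrl("/");
        // CSRF protection stays at its default (enabled); do not disable it for a browser app.
    }
}

@RestController
class AccountController { // would normally live in its own file

    // /me is permitAll above, so it can be hit anonymously: guard the cast.
    @GetMapping("/me")
    public String currentUser() {
        Authentication auth = SecurityContextHolder.getContext().getAuthentication();
        Object principal = (auth == null) ? null : auth.getPrincipal();
        // For anonymous requests the principal is the String "anonymousUser", not a UserDetails.
        if (principal instanceof UserDetails) {
            return ((UserDetails) principal).getUsername();
        }
        return "anonymous";
    }

    // Enforced at the method level only because prePostEnabled = true is set above.
    @PreAuthorize("hasRole('ADMIN')")
    @GetMapping("/admin/report")
    public String adminReport() {
        return "admin-only report";
    }
}
```

`GET /me` returns `test` after logging in as that user and `anonymous` before; `GET /admin/report` as `test` is refused both by the URL rule and by `@PreAuthorize`, so a later change to one of them does not silently open the endpoint.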
- To use database authentication:
  - Design at least three tables: User, UserRole, Role (UserRole is the join table between users and roles).
  - Change the `HttpSecurity` configuration to control authorization, for example:
    - allow access to the root `/`, the static resources and the `/login` page:
    - `http.authorizeRequests().antMatchers("/").permitAll()`
    - page to redirect to after a successful login:
    - `.defaultSuccessUrl("/httpapi").permitAll().and()`
    - page to redirect to after logout:
    - `http.logout().logoutSuccessUrl("/")`
  - Configure the `AuthenticationManagerBuilder` with a custom `UserDetailsService`: for example, create `LightSwordUserDetailService` and implement `loadUserByUsername` to return the `UserDetails` object. Throw `UsernameNotFoundException` when the user does not exist; never return null.
  - If using `jdbcAuthentication()`, set the query that finds username, password and the enabled flag (`usersByUsernameQuery`) and the query that finds the user's roles (`authoritiesByUsernameQuery`).
  - Configure `WebSecurity` so that static resources can be accessed:
  - `web.ignoring().antMatchers("/resourcesDir/")` (a pattern without a wildcard matches only that exact path; use an Ant pattern such as `/resourcesDir/**` to cover everything under the directory).
  - `web.ignoring()` skips the whole security filter chain, including the security headers and CSRF protection, so reserve it for genuinely static content and use `permitAll()` for any other public endpoint.
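Added example, not the wiki's code: a `UserDetailsService` over the three-table design using `JdbcTemplate`, plus the `AuthenticationManagerBuilder` and `WebSecurity` wiring. The table and column names (`users`, `roles`, `user_roles`) are assumptions, as are the class and path names. The commented-out `jdbcAuthentication()` lines are the equivalent query-based configuration for when no custom service is wanted; note that the authorities query must return the username and the authority as its two columns, in that order.

```java
package com.example.security; // assumed package

import java.util.List;
import javax.sql.DataSource;
import org.springframework.context.annotation.Configuration;
import org.springframework.jdbc.core.JdbcTemplate;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.web.builders.WebSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.authority.SimpleGrantedAuthority;
import org.springframework.security.core.userdetails.User;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.core.userdetails.UsernameNotFoundException;
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
import org.springframework.stereotype.Service;

// Assumed schema: users(id, username, password, enabled), roles(id, name), user_roles(user_id, role_id).
@Service
public class LightSwordUserDetailService implements UserDetailsService {

    private static final String USER_SQL =
        "SELECT id, username, password, enabled FROM users WHERE username = ?";
    private static final String ROLES_SQL =
        "SELECT r.name FROM roles r JOIN user_roles ur ON ur.role_id = r.id WHERE ur.user_id = ?";

    private final JdbcTemplate jdbc;

    public LightSwordUserDetailService(JdbcTemplate jdbc) {
        this.jdbc = jdbc;
    }

    @Override
    public UserDetails loadUserByUsername(String username) throws UsernameNotFoundException {
        // Bind parameters only; never concatenate the username into the SQL string.
        List<UserRow> rows = jdbc.query(USER_SQL, (rs, i) -> new UserRow(rs.getLong("id"),
            rs.getString("username"), rs.getString("password"), rs.getBoolean("enabled")), username);
        if (rows.isEmpty()) {
            // Throw rather than return null: DaoAuthenticationProvider requires it.
            throw new UsernameNotFoundException("No user named " + username);
        }
        UserRow row = rows.get(0);
        // hasRole('ADMIN') checks for the authority ROLE_ADMIN, so normalise the stored role name.
        List<GrantedAuthority> authorities = jdbc.query(ROLES_SQL,
            (rs, i) -> new SimpleGrantedAuthority(toAuthority(rs.getString("name"))), row.id);
        // The stored password must already be BCrypt-hashed (matching the encoder configured below).
        return new User(row.username, row.password, row.enabled, true, true, true, authorities);
    }

    static String toAuthority(String roleName) {
        return roleName.startsWith("ROLE_") ? roleName : "ROLE_" + roleName;
    }

    private static final class UserRow {
        final long id; final String username; final String password; final boolean enabled;
        UserRow(long id, String username, String password, boolean enabled) {
            this.id = id; this.username = username; this.password = password; this.enabled = enabled;
        }
    }
}

@Configuration
@EnableWebSecurity
class DbSecurityConfig extends WebSecurityConfigurerAdapter { // would normally live in its own file

    private final UserDetailsService userDetailsService;
    private final DataSource dataSource;

    DbSecurityConfig(UserDetailsService userDetailsService, DataSource dataSource) {
        this.userDetailsService = userDetailsService;
        this.dataSource = dataSource;
    }

    @Override
    protected void configure(AuthenticationManagerBuilder auth) throws Exception {
        // Option 1: the custom UserDetailsService above.
        auth.userDetailsService(userDetailsService).passwordEncoder(new BCryptPasswordEncoder());
        // Option 2 (use instead of option 1): jdbcAuthentication with explicit queries.
        // auth.jdbcAuthentication().dataSource(dataSource)
        //     .usersByUsernameQuery("SELECT username, password, enabled FROM users WHERE username = ?")
        //     .authoritiesByUsernameQuery("SELECT u.username, r.name FROM users u "
        //         + "JOIN user_roles ur ON ur.user_id = u.id JOIN roles r ON r.id = ur.role_id WHERE u.username = ?")
        //     .passwordEncoder(new BCryptPasswordEncoder());
    }

    @Override
    public void configure(WebSecurity web) {
        // Static files only: everything under here bypasses the whole filter chain.
        web.ignoring().antMatchers("/resourcesDir/**"); // assumed static directory
    }
}
```

If the `roles.name` column stores plain `ADMIN` with option 2, `jdbcAuthentication()` adds no prefix, so either store `ROLE_ADMIN` in the table or call `.rolePrefix("ROLE_")` on the configurer.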
Examples
- Simple Spring Security: just implement `UserDetailsService`
- Simple Spring Security with more `HttpSecurity` custom settings, and also configure the `AuthenticationManager`
- Implement `UserDetailsService`, which can call a DAO or an API to obtain the `UserDetails` that Spring Security needs to authenticate
- Implement a `CustomAuthenticationProvider` to handle more complex authentication
- RESTful API authentication through HTTP POST: modify the `AuthenticationEntryPoint` and create a custom `successHandler` and `failureHandler`
- Custom authentication filter that accepts a JSON object for authentication, inherited from and modifying `UsernamePasswordAuthenticationFilter`
- Completely new custom authentication filter, not depending on the existing filters, that handles JSON object authentication using a new custom authentication token
- Authorization demo: `@PreAuthorize` at the method level, and how to obtain the username from the security context
- JWT authentication and authorization sample: authenticate to obtain the token, then use the token for authorization
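The "RESTful API authentication through HTTP POST" and "custom authentication filter with a JSON object" items above, as one added example that is not code from this wiki or its example projects: a filter inherited from `UsernamePasswordAuthenticationFilter` that reads `{"username": ..., "password": ...}` from the request body, JSON `successHandler`/`failureHandler` replacements for the redirecting defaults, and a configuration that installs the filter and swaps the `AuthenticationEntryPoint` for a 401. The `/api/login` path and the response shapes are assumptions; the `AuthenticationManager` comes from whatever `configure(AuthenticationManagerBuilder)` is in place.

```java
package com.example.security; // assumed package

import java.io.IOException;
import java.util.Collections;
import java.util.Map;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import com.fasterxml.jackson.core.type.TypeReference;
import com.fasterxml.jackson.databind.ObjectMapper;
import org.springframework.context.annotation.Configuration;
import org.springframework.http.MediaType;
import org.springframework.security.authentication.AuthenticationManager;
import org.springframework.security.authentication.AuthenticationServiceException;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.AuthenticationException;
import org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter;
import org.springframework.security.web.csrf.CookieCsrfTokenRepository;

public class JsonUsernamePasswordAuthenticationFilter extends UsernamePasswordAuthenticationFilter {

    static final String LOGIN_URL = "/api/login"; // assumed path
    private final ObjectMapper mapper = new ObjectMapper();

    public JsonUsernamePasswordAuthenticationFilter(AuthenticationManager authenticationManager) {
        setAuthenticationManager(authenticationManager);
        setFilterProcessesUrl(LOGIN_URL);
        // The default handlers redirect (302); an API client wants JSON and a status code.
        setAuthenticationSuccessHandler(this::onSuccess);
        setAuthenticationFailureHandler(this::onFailure);
    }

    @Override
    public Authentication attemptAuthentication(HttpServletRequest request, HttpServletResponse response)
            throws AuthenticationException {
        if (!"POST".equalsIgnoreCase(request.getMethod())) {
            throw new AuthenticationServiceException("Authentication method not supported: " + request.getMethod());
        }
        String contentType = request.getContentType();
        if (contentType == null || !contentType.toLowerCase().startsWith(MediaType.APPLICATION_JSON_VALUE)) {
            return super.attemptAuthentication(request, response); // form-field login keeps working
        }
        Map<String, String> body;
        try {
            body = mapper.readValue(request.getInputStream(), new TypeReference<Map<String, String>>() {});
        } catch (IOException e) { // includes malformed JSON and non-string values
            throw new AuthenticationServiceException("Malformed JSON login body", e);
        }
        String username = nonNull(body.get("username")).trim();
        String password = nonNull(body.get("password"));
        UsernamePasswordAuthenticationToken token = new UsernamePasswordAuthenticationToken(username, password);
        setDetails(request, token); // remote address and session id, exactly as the parent does
        return getAuthenticationManager().authenticate(token);
    }

    private static String nonNull(String s) {
        return s == null ? "" : s; // a JSON null must not turn into a NullPointerException
    }

    private void onSuccess(HttpServletRequest req, HttpServletResponse res, Authentication auth) throws IOException {
        res.setStatus(HttpServletResponse.SC_OK);
        res.setContentType(MediaType.APPLICATION_JSON_VALUE);
        mapper.writeValue(res.getWriter(), Collections.singletonMap("username", auth.getName()));
    }

    private void onFailure(HttpServletRequest req, HttpServletResponse res, AuthenticationException e) throws IOException {
        // One generic message: do not reveal whether the username or the password was wrong.
        res.setStatus(HttpServletResponse.SC_UNAUTHORIZED);
        res.setContentType(MediaType.APPLICATION_JSON_VALUE);
        mapper.writeValue(res.getWriter(), Collections.singletonMap("error", "authentication failed"));
    }
}

@Configuration
@EnableWebSecurity
class JsonLoginSecurityConfig extends WebSecurityConfigurerAdapter { // would normally live in its own file

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http.addFilterAt(new JsonUsernamePasswordAuthenticationFilter(authenticationManager()),
                         UsernamePasswordAuthenticationFilter.class)
            .authorizeRequests()
                .antMatchers(JsonUsernamePasswordAuthenticationFilter.LOGIN_URL).permitAll()
                .anyRequest().authenticated()
            .and()
            // Unauthenticated API calls get a 401 instead of a redirect to a login page.
            .exceptionHandling().authenticationEntryPoint((req, res, e) ->
                res.sendError(HttpServletResponse.SC_UNAUTHORIZED, "unauthenticated"))
            .and()
            // The client still uses a session cookie, so CSRF stays on: the front end reads the
            // XSRF-TOKEN cookie and echoes it in the X-XSRF-TOKEN header on every POST, login included.
            .csrf().csrfTokenRepository(CookieCsrfTokenRepository.withHttpOnlyFalse());
    }
}
```

Because the filter is added with `addFilterAt`, it takes the position of the standard form-login filter, so only one of the two processes `/api/login`; a request without a JSON content type falls through to the inherited form-field parsing rather than being rejected.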
Resources
- Spring Security all-in-one tutorial
  - https://www.baeldung.com/spring-security-authentication-and-registration
- Spring Boot, Spring MVC, Spring Security, MySQL
  - https://medium.com/@gustavo.ponce.ch/spring-boot-spring-mvc-spring-security-mysql-a5d8545d837d
- Integrating Spring Security with Spring Boot (Chinese)
  - https://www.jianshu.com/p/08cc28921fd0
- spring-security: configuring custom login options with AuthenticationProvider (Chinese)
  - https://www.jianshu.com/p/c1746c09fd32
- Spring Security UserDetailsService
  - https://www.boraji.com/spring-security-5-custom-userdetailsservice-example
- Spring Security Architecture
  - https://spring.io/guides/topicals/spring-security-architecture/
- Custom Authentication Provider
  - https://www.baeldung.com/spring-security-authentication-provider
- Abstract Authentication Processing Filter (Chinese)
  - https://www.jianshu.com/p/d8006efb1587
- Custom Authentication Processing Filter for REST (Chinese)
  - https://zhuanlan.zhihu.com/p/33835975
- Spring Security authentication flow in detail (source analysis, Chinese)
  - http://niocoder.com/2018/01/05/Spring-Security源码分析二-Spring-Security授权过程/
- Custom AuthenticationDetailsSource and the details object (Chinese)
  - https://www.cnblogs.com/phoenix-smile/p/5666686.html
- REST authentication with a simple login-form POST
  - https://www.baeldung.com/securing-a-restful-web-service-with-spring-security
- REST authentication with a JSON POST
  - https://stackoverflow.com/questions/19500332/spring-security-and-json-authentication
- Basic JWT tutorial
- REST authentication by UUID token or JWT
  - https://octoperf.com/blog/2018/03/08/securing-rest-api-spring-security/
  - https://auth0.com/blog/implementing-jwt-authentication-on-spring-boot/
  - https://www.jianshu.com/p/6307c89fe3fa
- REST authentication by OAuth2
  - https://dzone.com/articles/secure-spring-rest-with-spring-security-and-oauth2
- OAuth2 introduction
  - https://blog.yorkxin.org/2013/09/30/oauth2-1-introduction
  - https://github.com/samzhu/ps-authservice
  - http://blog.didispace.com/spring-security-oauth2-xjf-1/
Authorization