Spring Security (37): Part IV. Web Application Security

Most Spring Security users will be using the framework in applications which make use of HTTP and the Servlet API. In this part, we’ll take a look at how Spring Security provides authentication and access-control features for the web layer of an application. We’ll look behind the facade of the namespace and see which classes and interfaces are actually assembled to provide web-layer security. In some situations it is necessary to use traditional bean configuration to provide full control over the configuration, so we’ll also see how to configure these classes directly without the namesp...

Spring Security (36): 12. Spring MVC Test Integration

Spring Security provides comprehensive integration with Spring MVC Test. In order to use Spring Security with Spring MVC Test it is necessary to add the Spring Security FilterChainProxy as a Filter. It is also necessary to add Spring Security’s TestSecurityContextHolderPostProcessor to support Running as a User in Spring MVC Test with Annotations. This can be done using Spring Security’s SecurityMockMvcConfigurers.springSecurity(). For example: ...

Spring Security (35): Part III. Testing

This section describes the testing support provided by Spring Security. To use the Spring Security test support, you must include spring-security-test-4.2.10.RELEASE.jar as a dependency of your project. This section demonstrates how to use Spring Security’s Test support to test method based security. We first introduce a MessageService that requires the user to be authenticated in order to access it. ...

Spring Security (34): 10.4 Jackson Support

Spring Security has added Jackson Support for persisting Spring Security related classes. This can improve the performance of serializing Spring Security related classes when working with distributed sessions (i.e. session replication, Spring Session, etc). To use it, register the Jackson JacksonModules.getModules(ClassLoader) as Jackson Modules. ...

Spring Security (33): 10.3 Password Encoding

Spring Security’s PasswordEncoder interface is used to support the use of passwords which are encoded in some way in persistent storage. You should never store passwords in plain text. Always use a one-way password hashing algorithm such as bcrypt which uses a built-in salt value which is different for each stored password. Do not use a plain hash function such as MD5 or SHA, or even a salted version. Bcrypt is deliberately designed to be slow and to hinder offline password cracking, whereas standard hash algorithms are fast and can easily be used to test thousands of passwords i...

Spring Security (32): 10. Core Services

Now that we have a high-level overview of the Spring Security architecture and its core classes, let’s take a closer look at one or two of the core interfaces and their implementations, in particular the AuthenticationManager, UserDetailsService and the AccessDecisionManager. These crop up regularly throughout the remainder of this document so it’s important you know how they are configured and how they operate. ...

Spring Security (31): 9.6 Localization

Spring Security supports localization of exception messages that end users are likely to see. If your application is designed for English-speaking users, you don’t need to do anything as by default all Security messages are in English. If you need to support other locales, everything you need to know is contained in this section. All exception messages can be localized, including messages related to authentication failures and access being denie...

Spring Security (30): 9.5 Access-Control (Authorization) in Spring Security

The main interface responsible for making access-control decisions in Spring Security is the AccessDecisionManager. It has a decide method which takes an Authentication object representing the principal requesting access, a "secure object" (see below) and a list of security metadata attributes which apply for the object (such as a list of roles which are required for access to be granted). ...

Spring Security (29): 9.4.1 ExceptionTranslationFilter

ExceptionTranslationFilter is a Spring Security filter that has responsibility for detecting any Spring Security exceptions that are thrown. Such exceptions will generally be thrown by an AbstractSecurityInterceptor, which is the main provider of authorization services. We will discuss AbstractSecurityInterceptor in the next section, but for now we just need to know that it produces Java exceptions and knows nothing about HTTP or how to go about authenticating a principal. Instead the ExceptionTranslationFilter offers this service, w...

Spring Security (28): 9.4 Authentication in a Web Application

Now let’s explore the situation where you are using Spring Security in a web application (without web.xml security enabled). How is a user authenticated and the security context established? Consider a typical web application’s authentication process: You visit the home page, and click on a link. A request goes to the server, and the server decides that you’ve asked for a protected resource. As you’re n...

Spring Security (27): Part II. Architecture and Implementation

Once you are familiar with setting up and running some namespace-configuration based applications, you may wish to develop more of an understanding of how the framework actually works behind the namespace facade. Like most software, Spring Security has certain central interfaces, classes and conceptual abstractions that are commonly used throughout the framework. In this part of the reference guide we will look at some of these and see how they work together to support authentication and access-control within Spring Security. ...

Spring Security (26): 8. Spring Security Community

Spring Security uses JIRA to manage bug reports and enhancement requests. If you find a bug, please log a report using JIRA. Do not log it on the support forum, mailing list or by emailing the project’s developers. Such approaches are ad-hoc and we prefer to manage bugs using a more formal process. If possible, in your issue report please provide a JUnit test that demonstrates any incorrect behaviour. Or, better yet, provide a patch that corrects the iss...

Spring Security (25): 7. Sample Applications

There are several sample web applications that are available with the project. To avoid an overly large download, only the "tutorial" and "contacts" samples are included in the distribution zip file. The others can be built directly from the source which you can obtain as described in the introduction. It’s easy to build the project yourself and there’s more information on the project website at http://spring.io/spring-security/. All paths referred to in this chapter are relative to the project source directory. ...

Spring Security (24): 6.6 The Authentication Manager and the Namespace

The main interface which provides authentication services in Spring Security is the AuthenticationManager. This is usually an instance of Spring Security’s ProviderManager class, which you may already be familiar with if you’ve used the framework before. If not, it will be covered later, in the technical overview chapter. The bean instance is registered using the authentication-manager namespace element. You can’t use a custom AuthenticationManager if you are using either HTTP or method security through the namespace, but t...

Spring Security (23): 6.5 The Default AccessDecisionManager

This section assumes you have some knowledge of the underlying architecture for access-control within Spring Security. If you don’t you can skip it and come back to it later, as this section is only really relevant for people who need to do some customization in order to use more than simple role-based security. When you use a namespace configuration, a default instance of AccessDecisionManager is automatically registered for you and will be used for making...