Springboot security management

Posted by iceman2g on Fri, 18 Feb 2022 17:32:41 +0100

Introduction to security management

In real-world development, most applications have to address security. For example, some important operations may be performed only after the user has verified their identity, and some requests only after the user holds a specific permission. This serves not only to protect the project itself but also to control who can access which parts of it.

Tip: the following is the main content of this article; the cases below can be used for reference.

1. Spring Security

• Spring Security is a framework built on the Spring ecosystem that provides a secure access-control solution.

• Security management in Spring Security rests on two key concepts: Authentication and Authorization.

Spring Boot integrates the security management functions implemented by Spring Security:

MVC Security is the security management of Web applications that Spring Boot builds by integrating the Spring MVC framework.

WebFlux Security is the security management of Web applications that Spring Boot builds by integrating the Spring WebFlux framework.

OAuth2 is a security management framework for large projects that implements functions such as third-party authentication and single sign-on.

Actuator security provides security monitoring for some of the project's runtime endpoints, such as Health information and the Info endpoint; it is mainly used as a system indicator for operations staff to observe the running state of the system.

Several common problems with the default security login

1. There is only one default login user, its password is randomly generated and far too exposed, and the login page and error page are not the ones we want.

2. Introduction to MVC Security configuration

Once the project declares the spring-boot-starter-security starter dependency, the MVC Security management function takes effect automatically. Its default security configuration is implemented in SecurityAutoConfiguration and UserDetailsServiceAutoConfiguration.

• SecurityAutoConfiguration: imports and auto-configures the classes that enable Web security management

• UserDetailsServiceAutoConfiguration: configures the default user identity information

How to turn off the default Web security configuration provided by Spring Security

1. To completely turn off the default Web security configuration provided by Spring Security, define a custom Bean of type WebSecurityConfigurerAdapter together with a Bean of type UserDetailsService, AuthenticationProvider or AuthenticationManager.

2. You can also override only the default access rules by defining a custom Bean of type WebSecurityConfigurerAdapter.

Main methods of the WebSecurityConfigurerAdapter class

Method                                        Description
configure(AuthenticationManagerBuilder auth)  Customize the user authentication manager to implement user authentication
configure(HttpSecurity http)                  Customize user access control based on the HTTP request

Dependencies used in this article (pom.xml)

<dependencies>
    <dependency>
        <groupId>org.springframework.boot</groupId>
        <artifactId>spring-boot-starter-security</artifactId>
    </dependency>
    <dependency>
        <groupId>org.thymeleaf.extras</groupId>
        <artifactId>thymeleaf-extras-springsecurity5</artifactId>
    </dependency>
    <dependency>
        <groupId>org.springframework.boot</groupId>
        <artifactId>spring-boot-starter-thymeleaf</artifactId>
    </dependency>
    <dependency>
        <groupId>org.springframework.boot</groupId>
        <artifactId>spring-boot-starter-web</artifactId>
    </dependency>
    <!-- Spring Data JPA: database access -->
    <dependency>
        <groupId>org.springframework.boot</groupId>
        <artifactId>spring-boot-starter-data-jpa</artifactId>
    </dependency>
    <!-- Redis cache starter -->
    <dependency>
        <groupId>org.springframework.boot</groupId>
        <artifactId>spring-boot-starter-data-redis</artifactId>
    </dependency>
    <!-- JDBC database connection starter -->
    <dependency>
        <groupId>org.springframework.boot</groupId>
        <artifactId>spring-boot-starter-jdbc</artifactId>
    </dependency>
    <!-- MySQL JDBC driver -->
    <dependency>
        <groupId>mysql</groupId>
        <artifactId>mysql-connector-java</artifactId>
        <scope>runtime</scope>
    </dependency>
    <dependency>
        <groupId>org.springframework.boot</groupId>
        <artifactId>spring-boot-starter-test</artifactId>
        <scope>test</scope>
    </dependency>
    <dependency>
        <groupId>org.springframework.security</groupId>
        <artifactId>spring-security-test</artifactId>
        <scope>test</scope>
    </dependency>
</dependencies>

Custom user authentication

Step 1: create a WebSecurityConfigurerAdapter configuration class in the config package

@EnableWebSecurity is a composite annotation. It mainly includes:

@Configuration: declares the current class as a configuration class

@Import({WebSecurityConfiguration.class, SpringWebMvcImportSelector.class}): imports the web and security configuration according to the modules declared in pom.xml

@EnableGlobalAuthentication: enables customized global authentication

import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;

// Enable MVC Security support. @EnableWebSecurity is a composite annotation that includes
// @Configuration, @Import({WebSecurityConfiguration.class, SpringWebMvcImportSelector.class})
// and @EnableGlobalAuthentication.
@EnableWebSecurity
public class SecurityConfig extends WebSecurityConfigurerAdapter {
}

In-memory authentication

Override the configure(AuthenticationManagerBuilder auth) method in the SecurityConfig class and define the authenticated users with in-memory authentication. In this example two users are defined, each with a user name, a password and a role.

import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;

@EnableWebSecurity // Enable MVC Security support (composite annotation, see above)
public class SecurityConfig extends WebSecurityConfigurerAdapter {

    @Override
    protected void configure(AuthenticationManagerBuilder auth) throws Exception {
        // Password encoder: passwords are stored and compared as BCrypt hashes, never in plaintext
        BCryptPasswordEncoder encoder = new BCryptPasswordEncoder();
        // Two simulated test users with different roles
        auth.inMemoryAuthentication().passwordEncoder(encoder)
                .withUser("user1").password(encoder.encode("123456")).roles("common")
                .and()
                .withUser("user2").password(encoder.encode("123456")).roles("vip");
    }
}

Spring Security provides several password encoders, including BCryptPasswordEncoder, Pbkdf2PasswordEncoder and SCryptPasswordEncoder; you are not limited to the BCryptPasswordEncoder used in this example.
Multiple users can be stored in memory, chained together with and().
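Putting the two configure methods from the table together, here is an added example (my own code, not from the original post) of a complete SecurityConfig. It keeps the post's two in-memory users (user1 with role common, user2 with role vip, both with the constructed test password 123456) and adds the configure(HttpSecurity http) override that the post lists but does not show, so that role-based access rules, a custom login page and logout replace the defaults. The URL patterns /vip/**, /common/**, /login, /logout and /403, the static-resource paths and the package name are assumptions for illustration; the delegating PasswordEncoder bean stands in for the BCryptPasswordEncoder created inline in the post's snippet.

```java
package com.example.config;

import org.springframework.context.annotation.Bean;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.crypto.factory.PasswordEncoderFactories;
import org.springframework.security.crypto.password.PasswordEncoder;

@EnableWebSecurity
public class SecurityConfig extends WebSecurityConfigurerAdapter {

    // Delegating encoder: hashes are stored with an algorithm prefix such as "{bcrypt}$2a$...",
    // so the hashing algorithm can be upgraded later without invalidating stored credentials.
    // BCrypt salts each hash, so encoding the same password twice yields different strings
    // that both still match.
    @Bean
    public PasswordEncoder passwordEncoder() {
        return PasswordEncoderFactories.createDelegatingPasswordEncoder();
    }

    // Authentication: who the users are. Same two in-memory users as the post;
    // the plaintext "123456" is a constructed test value, never use it in a real deployment.
    @Override
    protected void configure(AuthenticationManagerBuilder auth) throws Exception {
        PasswordEncoder encoder = passwordEncoder();
        auth.inMemoryAuthentication()
                .passwordEncoder(encoder)
                .withUser("user1").password(encoder.encode("123456")).roles("common")
                .and()
                .withUser("user2").password(encoder.encode("123456")).roles("vip");
    }

    // Authorization: what each role may reach. Matchers are evaluated top-down, so the most
    // specific patterns come first and the catch-all anyRequest() rule comes last.
    // roles("vip") grants the authority ROLE_vip, which is what hasRole("vip") checks.
    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http.authorizeRequests()
                // assumed public paths: home page, static resources and the login page itself
                .antMatchers("/", "/css/**", "/js/**", "/login").permitAll()
                .antMatchers("/vip/**").hasRole("vip")
                .antMatchers("/common/**").hasAnyRole("common", "vip")
                .anyRequest().authenticated()
            .and()
                .formLogin()
                .loginPage("/login")               // assumed custom login page instead of the default
                .usernameParameter("username")     // form field names the login page must use
                .passwordParameter("password")
                .defaultSuccessUrl("/", true)
                .failureUrl("/login?error")        // assumed error prompt instead of the default
            .and()
                .logout()
                .logoutUrl("/logout")
                .logoutSuccessUrl("/")
            .and()
                .exceptionHandling()
                .accessDeniedPage("/403");         // assumed page shown on a role mismatch
        // CSRF protection is left at its default (enabled): the login and logout forms
        // must include the _csrf token that Thymeleaf renders into <form> elements.
    }
}
```

Because the login page is custom, the application must also serve a view at /login (for example a Thymeleaf template registered through a controller or a view-controller mapping); otherwise Spring Security redirects unauthenticated users to a page that does not exist. A request to /vip/** as user1 is answered with 403 and forwarded to the access-denied page, while the same request as user2 succeeds, which is the quickest manual check that the roles and matchers are wired as intended.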
