|
此版本仍在开发中,尚未被视为稳定版本。对于最新的稳定版本,请使用 Spring Security 6.4.3! |
Spring MVC 集成
Spring Security 提供了许多与 Spring MVC 的可选集成。 本节将更详细地介绍集成。
@EnableWebMvcSecurity
|
从 Spring Security 4.0 开始, |
要启用 Spring Security 与 Spring MVC 的集成,请添加@EnableWebSecurity注释添加到您的配置中。
|
Spring Security 使用 Spring MVC 的 |
MvcRequestMatcher
Spring Security 提供了与 Spring MVC 在 URL 上的匹配方式的深度集成MvcRequestMatcher.
这有助于确保您的 Security 规则与用于处理请求的逻辑匹配。
要使用MvcRequestMatcher,则必须将 Spring Security Configuration 放在ApplicationContext作为您的DispatcherServlet.
这是必要的,因为 Spring Security 的MvcRequestMatcher期望HandlerMappingIntrospectorbean 的名称为mvcHandlerMappingIntrospector由用于执行匹配的 Spring MVC 配置注册。
对于web.xml文件中,这意味着您应该将配置放在DispatcherServlet.xml:
<listener>
<listener-class>org.springframework.web.context.ContextLoaderListener</listener-class>
</listener>
<!-- All Spring Configuration (both MVC and Security) are in /WEB-INF/spring/ -->
<context-param>
<param-name>contextConfigLocation</param-name>
<param-value>/WEB-INF/spring/*.xml</param-value>
</context-param>
<servlet>
<servlet-name>spring</servlet-name>
<servlet-class>org.springframework.web.servlet.DispatcherServlet</servlet-class>
<!-- Load from the ContextLoaderListener -->
<init-param>
<param-name>contextConfigLocation</param-name>
<param-value></param-value>
</init-param>
</servlet>
<servlet-mapping>
<servlet-name>spring</servlet-name>
<url-pattern>/</url-pattern>
</servlet-mapping>以下内容WebSecurityConfigurationin 放置在ApplicationContext的DispatcherServlet.
-
Java
-
Kotlin
public class SecurityInitializer extends
AbstractAnnotationConfigDispatcherServletInitializer {
@Override
protected Class<?>[] getRootConfigClasses() {
return null;
}
@Override
protected Class<?>[] getServletConfigClasses() {
return new Class[] { RootConfiguration.class,
WebMvcConfiguration.class };
}
@Override
protected String[] getServletMappings() {
return new String[] { "/" };
}
}class SecurityInitializer : AbstractAnnotationConfigDispatcherServletInitializer() {
override fun getRootConfigClasses(): Array<Class<*>>? {
return null
}
override fun getServletConfigClasses(): Array<Class<*>> {
return arrayOf(
RootConfiguration::class.java,
WebMvcConfiguration::class.java
)
}
override fun getServletMappings(): Array<String> {
return arrayOf("/")
}
}|
我们始终建议您通过在 |
考虑一个映射如下的控制器:
-
Java
-
Kotlin
@RequestMapping("/admin")
public String admin() {
// ...
}@RequestMapping("/admin")
fun admin(): String {
// ...
}要将此控制器方法的访问权限限制为管理员用户,您可以通过匹配HttpServletRequest替换为以下内容:
-
Java
-
Kotlin
@Bean
public SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
http
.authorizeHttpRequests((authorize) -> authorize
.requestMatchers("/admin").hasRole("ADMIN")
);
return http.build();
}@Bean
open fun filterChain(http: HttpSecurity): SecurityFilterChain {
http {
authorizeHttpRequests {
authorize("/admin", hasRole("ADMIN"))
}
}
return http.build()
}下面的清单在 XML 中执行相同的作:
<http>
<intercept-url pattern="/admin" access="hasRole('ADMIN')"/>
</http>无论使用哪种配置,/adminURL 要求经过身份验证的用户是 admin 用户。
但是,根据我们的 Spring MVC 配置,/admin.htmlURL 也会映射到我们的admin()方法。
此外,根据我们的 Spring MVC 配置,/adminURL 也会映射到我们的admin()方法。
问题在于,我们的安全规则只保护/admin.
我们可以为 Spring MVC 的所有排列添加额外的规则,但这将非常冗长和乏味。
幸运的是,在使用requestMatchersDSL 方法,Spring Security 会自动创建一个MvcRequestMatcher如果它检测到 Spring MVC 在 Classpath 中可用。
因此,它将通过使用 Spring MVC 匹配 URL 来保护 Spring MVC 将匹配的相同 URL。
使用 Spring MVC 时的一个常见要求是指定 servlet path 属性。
对于基于 Java 的配置,您可以使用MvcRequestMatcher.Builder创建多个MvcRequestMatcher共享同一 servlet 路径的实例:
@Bean
public SecurityFilterChain filterChain(HttpSecurity http, HandlerMappingIntrospector introspector) throws Exception {
MvcRequestMatcher.Builder mvcMatcherBuilder = new MvcRequestMatcher.Builder(introspector).servletPath("/path");
http
.authorizeHttpRequests((authorize) -> authorize
.requestMatchers(mvcMatcherBuilder.pattern("/admin")).hasRole("ADMIN")
.requestMatchers(mvcMatcherBuilder.pattern("/user")).hasRole("USER")
);
return http.build();
}对于 Kotlin 和 XML,当您为每个路径指定 servlet 路径时,会发生这种情况,如下所示:
-
Kotlin
-
Xml
@Bean
open fun filterChain(http: HttpSecurity): SecurityFilterChain {
http {
authorizeHttpRequests {
authorize("/admin/**", "/mvc", hasRole("ADMIN"))
authorize("/user/**", "/mvc", hasRole("USER"))
}
}
return http.build()
}<http request-matcher="mvc">
<intercept-url pattern="/admin/**" servlet-path="/mvc" access="hasRole('ADMIN')"/>
<intercept-url pattern="/user/**" servlet-path="/mvc" access="hasRole('USER')"/>
</http>@AuthenticationPrincipal
Spring Security 提供AuthenticationPrincipalArgumentResolver,它可以自动解析当前的Authentication.getPrincipal()对于 Spring MVC 参数。
通过使用@EnableWebSecurity,你会自动将其添加到你的 Spring MVC 配置中。
如果使用基于 XML 的配置,则必须自行添加以下内容:
<mvc:annotation-driven>
<mvc:argument-resolvers>
<bean class="org.springframework.security.web.method.annotation.AuthenticationPrincipalArgumentResolver" />
</mvc:argument-resolvers>
</mvc:annotation-driven>正确配置后AuthenticationPrincipalArgumentResolver,则可以在 Spring MVC 层中与 Spring Security 完全解耦。
考虑自定义UserDetailsService返回一个Object实现UserDetails和你自己的CustomUser Object.这CustomUser可以使用以下代码访问当前经过身份验证的用户:
-
Java
-
Kotlin
@RequestMapping("/messages/inbox")
public ModelAndView findMessagesForUser() {
Authentication authentication =
SecurityContextHolder.getContext().getAuthentication();
CustomUser custom = (CustomUser) authentication == null ? null : authentication.getPrincipal();
// .. find messages for this user and return them ...
}@RequestMapping("/messages/inbox")
open fun findMessagesForUser(): ModelAndView {
val authentication: Authentication = SecurityContextHolder.getContext().authentication
val custom: CustomUser? = if (authentication as CustomUser == null) null else authentication.principal
// .. find messages for this user and return them ...
}从 Spring Security 3.2 开始,我们可以通过添加 annotation 来更直接地解决参数:
-
Java
-
Kotlin
import org.springframework.security.core.annotation.AuthenticationPrincipal;
// ...
@RequestMapping("/messages/inbox")
public ModelAndView findMessagesForUser(@AuthenticationPrincipal CustomUser customUser) {
// .. find messages for this user and return them ...
}
@RequestMapping("/messages/inbox")
open fun findMessagesForUser(@AuthenticationPrincipal customUser: CustomUser?): ModelAndView {
// .. find messages for this user and return them ...
}
Sometimes, you may need to transform the principal in some way.
For example, if CustomUser needed to be final, it could not be extended.
In this situation, the UserDetailsService might return an Object that implements UserDetails and provides a method named getCustomUser to access CustomUser:
-
Java
-
Kotlin
public class CustomUserUserDetails extends User {
// ...
public CustomUser getCustomUser() {
return customUser;
}
}
class CustomUserUserDetails(
username: String?,
password: String?,
authorities: MutableCollection<out GrantedAuthority>?
) : User(username, password, authorities) {
// ...
val customUser: CustomUser? = null
}
We could then access the CustomUser by using a SpEL expression that uses Authentication.getPrincipal() as the root object:
-
Java
-
Kotlin
import org.springframework.security.core.annotation.AuthenticationPrincipal;
// ...
@RequestMapping("/messages/inbox")
public ModelAndView findMessagesForUser(@AuthenticationPrincipal(expression = "customUser") CustomUser customUser) {
// .. find messages for this user and return them ...
}
import org.springframework.security.core.annotation.AuthenticationPrincipal
// ...
@RequestMapping("/messages/inbox")
open fun findMessagesForUser(@AuthenticationPrincipal(expression = "customUser") customUser: CustomUser?): ModelAndView {
// .. find messages for this user and return them ...
}
We can also refer to beans in our SpEL expressions.
For example, we could use the following if we were using JPA to manage our users and if we wanted to modify and save a property on the current user:
-
Java
-
Kotlin
import org.springframework.security.core.annotation.AuthenticationPrincipal;
// ...
@PutMapping("/users/self")
public ModelAndView updateName(@AuthenticationPrincipal(expression = "@jpaEntityManager.merge(#this)") CustomUser attachedCustomUser,
@RequestParam String firstName) {
// change the firstName on an attached instance which will be persisted to the database
attachedCustomUser.setFirstName(firstName);
// ...
}
import org.springframework.security.core.annotation.AuthenticationPrincipal
// ...
@PutMapping("/users/self")
open fun updateName(
@AuthenticationPrincipal(expression = "@jpaEntityManager.merge(#this)") attachedCustomUser: CustomUser,
@RequestParam firstName: String?
): ModelAndView {
// change the firstName on an attached instance which will be persisted to the database
attachedCustomUser.setFirstName(firstName)
// ...
}
We can further remove our dependency on Spring Security by making @AuthenticationPrincipal a meta-annotation on our own annotation.
The next example demonstrates how we could do so on an annotation named @CurrentUser.
To remove the dependency on Spring Security, it is the consuming application that would create @CurrentUser.
This step is not strictly required but assists in isolating your dependency to Spring Security to a more central location.
-
Java
-
Kotlin
@Target({ElementType.PARAMETER, ElementType.TYPE})
@Retention(RetentionPolicy.RUNTIME)
@Documented
@AuthenticationPrincipal
public @interface CurrentUser {}
@Target(AnnotationTarget.VALUE_PARAMETER, AnnotationTarget.TYPE)
@Retention(AnnotationRetention.RUNTIME)
@MustBeDocumented
@AuthenticationPrincipal
annotation class CurrentUser
We have isolated our dependency on Spring Security to a single file.
Now that @CurrentUser has been specified, we can use it to signal to resolve our CustomUser of the currently authenticated user:
-
Java
-
Kotlin
@RequestMapping("/messages/inbox")
public ModelAndView findMessagesForUser(@CurrentUser CustomUser customUser) {
// .. find messages for this user and return them ...
}
@RequestMapping("/messages/inbox")
open fun findMessagesForUser(@CurrentUser customUser: CustomUser?): ModelAndView {
// .. find messages for this user and return them ...
}
Once it is a meta-annotation, parameterization is also available to you.
For example, consider when you have a JWT as your principal and you want to say which claim to retrieve.
As a meta-annotation, you might do:
-
Java
-
Kotlin
@Target({ElementType.PARAMETER, ElementType.TYPE})
@Retention(RetentionPolicy.RUNTIME)
@Documented
@AuthenticationPrincipal(expression = "claims['sub']")
public @interface CurrentUser {}
@Target(AnnotationTarget.VALUE_PARAMETER, AnnotationTarget.TYPE)
@Retention(AnnotationRetention.RUNTIME)
@MustBeDocumented
@AuthenticationPrincipal(expression = "claims['sub']")
annotation class CurrentUser
which is already quite powerful.
But, it is also limited to retrieving the sub claim.
To make this more flexible, first publish the AnnotationTemplateExpressionDefaults bean like so:
-
Java
-
Kotlin
-
Xml
@Bean
public AnnotationTemplateExpressionDefaults templateDefaults() {
return new AnnotationTemplateExpressionDeafults();
}
@Bean
fun templateDefaults(): AnnotationTemplateExpressionDefaults {
return AnnotationTemplateExpressionDeafults()
}
<b:bean name="annotationExpressionTemplateDefaults" class="org.springframework.security.core.annotation.AnnotationTemplateExpressionDefaults"/>
and then you can supply a parameter to @CurrentUser like so:
-
Java
-
Kotlin
@Target({ElementType.PARAMETER, ElementType.TYPE})
@Retention(RetentionPolicy.RUNTIME)
@Documented
@AuthenticationPrincipal(expression = "claims['{claim}']")
public @interface CurrentUser {
String claim() default 'sub';
}
@Target(AnnotationTarget.VALUE_PARAMETER, AnnotationTarget.TYPE)
@Retention(AnnotationRetention.RUNTIME)
@MustBeDocumented
@AuthenticationPrincipal(expression = "claims['{claim}']")
annotation class CurrentUser(val claim: String = "sub")
This will allow you more flexibility across your set of applications in the following way:
-
Java
-
Kotlin
@RequestMapping("/messages/inbox")
public ModelAndView findMessagesForUser(@CurrentUser("user_id") String userId) {
// .. find messages for this user and return them ...
}
@RequestMapping("/messages/inbox")
open fun findMessagesForUser(@CurrentUser("user_id") userId: String?): ModelAndView {
// .. find messages for this user and return them ...
}
Spring MVC Async Integration
Spring Web MVC 3.2+ has excellent support for Asynchronous Request Processing.
With no additional configuration, Spring Security automatically sets up the SecurityContext to the Thread that invokes a Callable returned by your controllers.
For example, the following method automatically has its Callable invoked with the SecurityContext that was available when the Callable was created:
-
Java
-
Kotlin
@RequestMapping(method=RequestMethod.POST)
public Callable<String> processUpload(final MultipartFile file) {
return new Callable<String>() {
public Object call() throws Exception {
// ...
return "someView";
}
};
}
@RequestMapping(method = [RequestMethod.POST])
open fun processUpload(file: MultipartFile?): Callable<String> {
return Callable {
// ...
"someView"
}
}
Associating SecurityContext to Callable’s
More technically speaking, Spring Security integrates with WebAsyncManager.
The SecurityContext that is used to process the Callable is the SecurityContext that exists on the SecurityContextHolder when startCallableProcessing is invoked.
There is no automatic integration with a DeferredResult that is returned by controllers.
This is because DeferredResult is processed by the users and, thus, there is no way of automatically integrating with it.
However, you can still use Concurrency Support to provide transparent integration with Spring Security.
Spring MVC and CSRF Integration
Spring Security integrates with Spring MVC to add CSRF protection.
Automatic Token Inclusion
Spring Security automatically include the CSRF Token within forms that use the Spring MVC form tag.
Consider the following JSP:
<jsp:root xmlns:jsp="http://java.sun.com/JSP/Page"
xmlns:c="http://java.sun.com/jsp/jstl/core"
xmlns:form="http://www.springframework.org/tags/form" version="2.0">
<jsp:directive.page language="java" contentType="text/html" />
<html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en">
<!-- ... -->
<c:url var="logoutUrl" value="/logout"/>
<form:form action="${logoutUrl}"
method="post">
<input type="submit"
value="Log out" />
<input type="hidden"
name="${_csrf.parameterName}"
value="${_csrf.token}"/>
</form:form>
<!-- ... -->
</html>
</jsp:root>
The preceding example output HTMLs that is similar to the following:
<!-- ... -->
<form action="/context/logout" method="post">
<input type="submit" value="Log out"/>
<input type="hidden" name="_csrf" value="f81d4fae-7dec-11d0-a765-00a0c91e6bf6"/>
</form>
<!-- ... -->
Resolving the CsrfToken
Spring Security provides CsrfTokenArgumentResolver, which can automatically resolve the current CsrfToken for Spring MVC arguments.
By using @EnableWebSecurity, you automatically have this added to your Spring MVC configuration.
If you use XML-based configuration, you must add this yourself.
Once CsrfTokenArgumentResolver is properly configured, you can expose the CsrfToken to your static HTML based application:
-
Java
-
Kotlin
@RestController
public class CsrfController {
@RequestMapping("/csrf")
public CsrfToken csrf(CsrfToken token) {
return token;
}
}
@RestController
class CsrfController {
@RequestMapping("/csrf")
fun csrf(token: CsrfToken): CsrfToken {
return token
}
}
It is important to keep the CsrfToken a secret from other domains.
This means that, if you use Cross Origin Sharing (CORS), you should NOT expose the CsrfToken to any external domains.