Category : spring-security

WeChat official account: An Outstanding Disabled Person. If you have any questions, please leave a message in the account's backend. I won't listen anyway. Preface Yesterday's article introduced the implementation of WebSocket broadcasting, that is, when the server has a message it sends it to every browser connected to the current endpoint. However, this cannot solve ..


Preface When using Spring Security there is often a need to configure URL permissions dynamically, that is, to set the roles allowed to access a URL at runtime. Here is a brief introduction. Standard Filter Aliases and Ordering First you need to understand the filters built into Spring Security: Alias Filter Class Namespace Element or ..


Preface A previous article covered how to configure login-exempt URLs dynamically, using reflection, which smacks of black magic. Here is another scheme. permitAll spring-security-config-4.2.3.RELEASE-sources.jar!/org/springframework/security/config/annotation/web/configurers/ExpressionUrlAuthorizationConfigurer.java public final class ExpressionUrlAuthorizationConfigurer<H extends HttpSecurityBuilder<H>> extends AbstractInterceptUrlConfigurer<ExpressionUrlAuthorizationConfigurer<H>, H> { static final String permitAll = "permitAll"; private static final String denyAll = "denyAll"; private ..


Preface This article describes a pitfall that is easy to hit when adding a custom filter to Spring Security: the filter is executed twice. Reproduction @EnableWebSecurity public class SecurityConfig extends WebSecurityConfigurerAdapter { @Bean public DemoFilter demoFilter(){ return new DemoFilter(); } @Override protected void configure(HttpSecurity http) throws Exception { http .addFilterBefore(demoFilter(),AnonymousAuthenticationFilter.class) .authorizeRequests() .antMatchers("/login","/css/**", "/js/**","/fonts/**").permitAll() .anyRequest().authenticated(); } } Where DemoFilter is as ..

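The double execution described in the entry above has a well-known cause: Spring Boot registers every `Filter` bean it finds with the servlet container, so a filter that is both a `@Bean` and added to the security chain with `addFilterBefore` runs once in the container's chain and once more inside Spring Security's chain. The configuration below is an added example (not code from the article) that reproduces the problem with a counting filter and fixes it by disabling the container registration through a `FilterRegistrationBean`; the `DemoFilter` body is a hypothetical stand-in for the article's, and the raw `FilterRegistrationBean` type is used so it compiles on the Spring Boot 1.5 / Spring Security 4.2 stack the page uses.

```java
import java.io.IOException;

import javax.servlet.FilterChain;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;

import org.springframework.boot.web.servlet.FilterRegistrationBean;
import org.springframework.context.annotation.Bean;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.web.authentication.AnonymousAuthenticationFilter;
import org.springframework.web.filter.GenericFilterBean;

@EnableWebSecurity
public class SecurityConfig extends WebSecurityConfigurerAdapter {

    // Hypothetical stand-in for the article's DemoFilter: it counts how often it is
    // invoked for one request, so a double execution becomes visible in the log.
    public static class DemoFilter extends GenericFilterBean {
        @Override
        public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
                throws IOException, ServletException {
            Integer count = (Integer) request.getAttribute("demoFilter.invocations");
            count = (count == null) ? 1 : count + 1;
            request.setAttribute("demoFilter.invocations", count);
            logger.info("DemoFilter invocation #" + count + " for "
                    + ((HttpServletRequest) request).getRequestURI());
            chain.doFilter(request, response);
        }
    }

    @Bean
    public DemoFilter demoFilter() {
        return new DemoFilter();
    }

    // The fix: Spring Boot would otherwise register the DemoFilter bean with the servlet
    // container as well. Disabling that registration leaves only the copy that
    // addFilterBefore() places inside the Spring Security filter chain.
    @Bean
    public FilterRegistrationBean demoFilterRegistration(DemoFilter demoFilter) {
        FilterRegistrationBean registration = new FilterRegistrationBean(demoFilter);
        registration.setEnabled(false);
        return registration;
    }

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            .addFilterBefore(demoFilter(), AnonymousAuthenticationFilter.class)
            .authorizeRequests()
            .antMatchers("/login", "/css/**", "/js/**", "/fonts/**").permitAll()
            .anyRequest().authenticated();
    }
}
```

Without the `demoFilterRegistration` bean a single request logs invocation #1 and #2; with it only #1 appears. The alternative is not to expose the filter as a bean at all (`addFilterBefore(new DemoFilter(), ...)`), which avoids the container registration but also means the filter cannot be autowired with other beans.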

Preface This article mainly talks about how to get the handler mapping's BEST_MATCHING_PATTERN_ATTRIBUTE for a request inside a Spring Security filter. BEST_MATCHING_PATTERN_ATTRIBUTE Spring MVC supports path variables in URLs, which makes REST-style API design easy but also brings some trouble for authentication, monitoring statistics, etc. That is, it is ..


Preface This article mainly studies how Spring MVC calculates the best-matching pattern. DispatcherServlet spring-webmvc-4.3.10.RELEASE-sources.jar!/org/springframework/web/servlet/DispatcherServlet.java protected void doDispatch(HttpServletRequest request, HttpServletResponse response) throws Exception { HttpServletRequest processedRequest = request; HandlerExecutionChain mappedHandler = null; boolean multipartRequestParsed = false; WebAsyncManager asyncManager = WebAsyncUtils.getAsyncManager(request); try { ModelAndView mv = null; Exception dispatchException = null; try { processedRequest = checkMultipart(request); multipartRequestParsed = ..


Preface This article introduces another dynamic permission configuration scheme for Spring Security. config @EnableWebSecurity public class SecurityConfig extends WebSecurityConfigurerAdapter { @Bean public ExtAuthProvider extAuthProvider(){ return new ExtAuthProvider(); } @Override protected void configure(HttpSecurity http) throws Exception { http .authorizeRequests() .antMatchers("/login/**","/logout/**") .permitAll() .anyRequest().access("@authService.canAccess(request,authentication)"); } Here all permission checks are delegated to the Spring EL expression defined ..

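The entry above hands every authorization decision to the bean named in `@authService.canAccess(request, authentication)`; `request` and `authentication` are the variables Spring Security's web expression root exposes to the SpEL expression. What such a bean looks like when the rules are editable at runtime (the dynamic URL permission problem raised in the earlier entries on this page) is shown below as an added example, not the article's own code: the `AuthService` class, its `Rule` table and the sample rules are all constructed for the demonstration. A real deployment would load the rules from a database or an admin endpoint.

```java
import java.util.Arrays;
import java.util.HashSet;
import java.util.List;
import java.util.Set;
import java.util.concurrent.CopyOnWriteArrayList;

import javax.servlet.http.HttpServletRequest;

import org.springframework.security.authentication.AnonymousAuthenticationToken;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.web.util.matcher.AntPathRequestMatcher;
import org.springframework.security.web.util.matcher.RequestMatcher;
import org.springframework.stereotype.Service;

// The bean name "authService" is what "@authService.canAccess(request, authentication)" resolves.
@Service("authService")
public class AuthService {

    // One rule: a request matcher and the authorities allowed through it.
    private static final class Rule {
        final RequestMatcher matcher;
        final Set<String> authorities;

        Rule(RequestMatcher matcher, Set<String> authorities) {
            this.matcher = matcher;
            this.authorities = authorities;
        }
    }

    // Ordered, first match wins. CopyOnWriteArrayList lets rules be replaced at runtime
    // while other threads are evaluating requests against them.
    private final List<Rule> rules = new CopyOnWriteArrayList<>();

    public AuthService() {
        // Constructed sample rules for the demonstration (not from the article).
        // The more specific DELETE rule must come before the catch-all for the same path.
        addRule("DELETE", "/api/orders/**", "ROLE_ADMIN");
        addRule(null, "/api/orders/**", "ROLE_USER", "ROLE_ADMIN");   // null = any HTTP method
        addRule(null, "/api/admin/**", "ROLE_ADMIN");
    }

    // Hypothetical management API; an admin endpoint would call these to change rules at runtime.
    public void addRule(String httpMethod, String pattern, String... authorities) {
        rules.add(new Rule(new AntPathRequestMatcher(pattern, httpMethod),
                           new HashSet<>(Arrays.asList(authorities))));
    }

    public void clearRules() {
        rules.clear();
    }

    public boolean canAccess(HttpServletRequest request, Authentication authentication) {
        // Anonymous callers carry an AnonymousAuthenticationToken whose isAuthenticated()
        // returns true, so an explicit instanceof check is needed to keep them out.
        if (authentication == null || !authentication.isAuthenticated()
                || authentication instanceof AnonymousAuthenticationToken) {
            return false;
        }
        for (Rule rule : rules) {
            if (rule.matcher.matches(request)) {
                for (GrantedAuthority granted : authentication.getAuthorities()) {
                    if (rule.authorities.contains(granted.getAuthority())) {
                        return true;
                    }
                }
                return false;   // matched, but the caller holds none of the permitted authorities
            }
        }
        return false;           // default deny: a URL with no rule is not reachable
    }
}
```

Two choices matter for security here: the method returns `false` for any URL without a rule (default deny, so a newly added controller is unreachable until someone grants access), and the anonymous-token check prevents `isAuthenticated()` alone from letting unauthenticated requests through.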

Preface This article mainly introduces the client_credentials grant of Spring Security OAuth2. maven <dependency> <groupId>org.springframework.security.oauth</groupId> <artifactId>spring-security-oauth2</artifactId> </dependency> <dependency> <groupId>org.springframework.boot</groupId> <artifactId>spring-boot-starter-security</artifactId> </dependency> <dependency> <groupId>org.springframework.boot</groupId> <artifactId>spring-boot-starter-web</artifactId> </dependency> auth server config @Configuration @EnableAuthorizationServer // provides /oauth/authorize, /oauth/token, /oauth/check_token, /oauth/confirm_access and /oauth/error public class OAuth2ServerConfig extends AuthorizationServerConfigurerAdapter { @Override public void configure(AuthorizationServerSecurityConfigurer oauthServer) throws Exception { oauthServer .tokenKeyAccess("permitAll()") .checkTokenAccess("isAuthenticated()") // allow check token .allowFormAuthenticationForClients(); } @Override public ..

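The entry above stops before the client registration, which is where the client_credentials grant is actually enabled. The class below is an added example (not the article's code) of a complete authorization server configuration for that grant on the spring-security-oauth2 2.x stack the page uses; the client id `demo-client`, its secret and the `read` scope are assumed values. It differs from the teaser in two deliberate ways: the client secret is stored BCrypt-hashed and compared through a `PasswordEncoder` (also the form Spring Security 5 requires), and `allowFormAuthenticationForClients()` is left out so clients must send their credentials via HTTP Basic rather than in the request body.

```java
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
import org.springframework.security.crypto.password.PasswordEncoder;
import org.springframework.security.oauth2.config.annotation.configurers.ClientDetailsServiceConfigurer;
import org.springframework.security.oauth2.config.annotation.web.configuration.AuthorizationServerConfigurerAdapter;
import org.springframework.security.oauth2.config.annotation.web.configuration.EnableAuthorizationServer;
import org.springframework.security.oauth2.config.annotation.web.configurers.AuthorizationServerEndpointsConfigurer;
import org.springframework.security.oauth2.config.annotation.web.configurers.AuthorizationServerSecurityConfigurer;
import org.springframework.security.oauth2.provider.token.store.InMemoryTokenStore;

@Configuration
@EnableAuthorizationServer
public class OAuth2ServerConfig extends AuthorizationServerConfigurerAdapter {

    @Override
    public void configure(AuthorizationServerSecurityConfigurer oauthServer) {
        oauthServer
            .tokenKeyAccess("permitAll()")           // /oauth/token_key is public (only useful with JWT)
            .checkTokenAccess("isAuthenticated()")   // /oauth/check_token requires an authenticated client
            .passwordEncoder(passwordEncoder());     // client secrets are stored hashed, compared with BCrypt
        // allowFormAuthenticationForClients() is deliberately omitted: clients authenticate
        // with HTTP Basic, the method RFC 6749 section 2.3.1 recommends.
    }

    @Override
    public void configure(ClientDetailsServiceConfigurer clients) throws Exception {
        // Assumed client registration; in-memory is enough to exercise the grant.
        clients.inMemory()
            .withClient("demo-client")
            .secret(passwordEncoder().encode("demo-secret"))   // never store the plain secret
            .authorizedGrantTypes("client_credentials")        // no user involved, so only this grant
            .scopes("read")
            .accessTokenValiditySeconds(600);                  // short-lived tokens limit the blast radius
    }

    @Override
    public void configure(AuthorizationServerEndpointsConfigurer endpoints) {
        endpoints.tokenStore(new InMemoryTokenStore());
    }

    @Bean
    public PasswordEncoder passwordEncoder() {
        return new BCryptPasswordEncoder();
    }
}
```

With this in place a token is obtained with `curl -u demo-client:demo-secret -d grant_type=client_credentials -d scope=read http://localhost:8080/oauth/token`, and a request with the wrong secret or a grant type other than client_credentials is rejected at the token endpoint. Note that the spring-security-oauth project used throughout this series has reached end of life; new authorization servers should be built on Spring Authorization Server, although the grant semantics shown here are unchanged.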

Preface The previous article described the client credentials grant of Spring Security OAuth2, which is generally used for open-platform API authentication where no user is involved. This article mainly talks about the password grant, one of the user-related grant types. Reviewing the Four Grant Types OAuth 2.0 defines ..


Preface The previous two articles talked about the client credentials and password grants. This article will talk about the authorization code grant. Configuration security config @EnableWebSecurity @EnableGlobalMethodSecurity(prePostEnabled = true) public class SecurityConfig extends WebSecurityConfigurerAdapter { /** * 1. Remember to set requestMatchers here so that URLs that need token verification are not intercepted; otherwise this filter chain takes precedence and the request goes through user authentication instead of token authentication. * 2. Remember to protect the oauth URLs here; normally a logged-in session is required. */ @Override public void configure(HttpSecurity http) throws Exception { http.csrf().disable(); http .requestMatchers().antMatchers("/oauth/**","/login/**","/logout/**") .and() ..


Preface The first three articles talked about the client credentials, password and authorization code grants. This article will talk about the implicit grant. Implicit mode In this mode the browser requests the token directly from the authorization server without going through the client's server, skipping the "authorization code" step. All steps are completed in the ..


Preface This article focuses on how to use Spring Security OAuth2 as a client. Four grant types OAuth 2.0 defines four authorization grant types. Authorization code Implicit (the client is a browser or front-end application.) Resource owner password credentials (exposing the user's password to the client is not safe.) Client credentials (It is mainly ..
