Spring Security Chinese Documentation
Version
4.2.10.RELEASE
5.1.2.RELEASE
Language
English
Chinese
I. Preface
1. Spring Security Community
1.1. Getting Help
1.2. Becoming Involved
1.3. Source Code
1.4. Apache 2 License
1.5. Social Media
2. What's New in Spring Security 5.1
2.1. Servlet
2.2. WebFlux
2.3. Integrations
3. Getting Spring Security
3.1. Release Numbering
3.2. Usage with Maven
3.2.1. Spring Boot with Maven
3.2.2. Maven Without Spring Boot
3.2.3. Maven Repositories
3.3. Gradle
3.3.1. Spring Boot with Gradle
3.3.2. Gradle Without Spring Boot
3.3.3. Gradle Repositories
4. Project Modules
4.1. Core - spring-security-core.jar
4.2. Remoting - spring-security-remoting.jar
4.3. Web - spring-security-web.jar
4.4. Config - spring-security-config.jar
4.5. LDAP - spring-security-ldap.jar
4.6. OAuth 2.0 Core - spring-security-oauth2-core.jar
4.7. OAuth 2.0 Client - spring-security-oauth2-client.jar
4.8. OAuth 2.0 JOSE - spring-security-oauth2-jose.jar
4.9. ACL - spring-security-acl.jar
4.10. CAS - spring-security-cas.jar
4.11. OpenID - spring-security-openid.jar
4.12. Test - spring-security-test.jar
5. Sample Applications
5.1. Tutorial Sample
5.2. Contacts
5.3. LDAP Sample
5.4. OpenID Sample
5.5. CAS Sample
5.6. JAAS Sample
5.7. Pre-Authentication Sample
II. Servlet Applications
6. Java Configuration
6.1. Hello Web Security Java Configuration
6.1.1. AbstractSecurityWebApplicationInitializer
6.1.2. AbstractSecurityWebApplicationInitializer without Existing Spring
6.1.3. AbstractSecurityWebApplicationInitializer with Spring MVC
6.2. HttpSecurity
6.3. Java Configuration and Form Login
6.4. Authorize Requests
6.5. Handling Logouts
6.5.1. LogoutHandler
6.5.2. LogoutSuccessHandler
6.5.3. Further Logout-Related References
6.6. OAuth 2.0 Client
6.6.1. ClientRegistration
6.6.2. ClientRegistrationRepository
6.6.3. OAuth2AuthorizedClient
6.6.4. OAuth2AuthorizedClientRepository / OAuth2AuthorizedClientService
6.6.5. RegisteredOAuth2AuthorizedClient
6.6.6. AuthorizationRequestRepository
6.6.7. OAuth2AuthorizationRequestResolver
6.6.8. OAuth2AccessTokenResponseClient
6.7. OAuth 2.0 Login
6.7.1. Spring Boot 2.x Sample
Initial setup
Setting the redirect URI
Configure application.yml
Boot up the application
6.7.2. Spring Boot 2.x Property Mappings
6.7.3. CommonOAuth2Provider
6.7.4. Configuring Custom Provider Properties
6.7.5. Overriding Spring Boot 2.x Auto-configuration
Register a ClientRegistrationRepository @Bean
Provide a WebSecurityConfigurerAdapter
Completely Override the Auto-configuration
6.7.6. Java Configuration without Spring Boot 2.x
6.7.7. Additional Resources
6.8. OAuth 2.0 Resource Server
6.8.1. Dependencies
6.8.2. Minimal Configuration
Specifying the Authorization Server
Startup Expectations
Runtime Expectations
6.8.3. Specifying the Authorization Server JWK Set Uri Directly
6.8.4. Overriding or Replacing Boot Auto Configuration
Using jwkSetUri()
Using decoder()
Exposing a JwtDecoder @Bean
6.8.5. Configuring Authorization
Extracting Authorities Manually
6.8.6. Configuring Validation
Customizing Timestamp Validation
Configuring a Custom Validator
6.8.7. Configuring Claim Set Mapping
Customizing the Conversion of a Single Claim
Adding a Claim
Removing a Claim
Renaming a Claim
6.8.8. Configuring Timeouts
6.9. Authentication
6.9.1. In-Memory Authentication
6.9.2. JDBC Authentication
6.9.3. LDAP Authentication
6.9.4. AuthenticationProvider
6.9.5. UserDetailsService
6.10. Multiple HttpSecurity
6.11. Method Security
6.11.1. EnableGlobalMethodSecurity
6.11.2. GlobalMethodSecurityConfiguration
6.12. Post Processing Configured Objects
6.13. Custom DSLs
7. Security Namespace Configuration
7.1. Introduction
7.1.1. Design of the Namespace
7.2. Getting Started with Security Namespace Configuration
7.2.1. web.xml Configuration
7.2.2. A Minimal <http> Configuration
7.2.3. Form and Basic Login Options
Setting a Default Post-Login Destination
7.2.4. Logout Handling
7.2.5. Using Other Authentication Providers
Adding a Password Encoder
7.3. Advanced Web Features
7.3.1. Remember-Me Authentication
7.3.2. Adding HTTP/HTTPS Channel Security
7.3.3. Session Management
Detecting Timeouts
Concurrent Session Control
Session Fixation Attack Protection
7.3.4. OpenID Support
Attribute Exchange
7.3.5. Response Headers
7.3.6. Adding Your Own Filters
Setting a Custom AuthenticationEntryPoint
7.4. Method Security
7.4.1. The <global-method-security> Element
Adding Security Pointcuts Using protect-pointcut
7.5. The Default AccessDecisionManager
7.5.1. Customizing the AccessDecisionManager
7.6. The Authentication Manager and the Namespace
8. Architecture and Implementation
8.1. Technical Overview
8.1.1. Runtime Environment
8.1.2. Core Components
SecurityContextHolder, SecurityContext and Authentication Objects
The UserDetailsService
GrantedAuthority
Summary
8.1.3. Authentication
What is authentication in Spring Security?
Setting the SecurityContextHolder Contents Directly
8.1.4. Authentication in a Web Application
ExceptionTranslationFilter
AuthenticationEntryPoint
Authentication Mechanism
Storing the SecurityContext between requests
8.1.5. Access-Control (Authorization) in Spring Security
Security and AOP Advice
Secure Objects and the AbstractSecurityInterceptor
8.1.6. Localization
8.2. Core Services
8.2.1. The AuthenticationManager, ProviderManager and AuthenticationProvider
Erasing Credentials on Successful Authentication
DaoAuthenticationProvider
8.2.2. UserDetailsService Implementations
In-Memory Authentication
JdbcDaoImpl
8.2.3. Password Encoding
Password History
DelegatingPasswordEncoder
BCryptPasswordEncoder
Pbkdf2PasswordEncoder
SCryptPasswordEncoder
Other PasswordEncoders
8.2.4. Jackson Support
9. Testing
9.1. Testing Method Security
9.1.1. Security Test Setup
9.1.2. @WithMockUser
9.1.3. @WithAnonymousUser
9.1.4. @WithUserDetails
9.1.5. @WithSecurityContext
9.1.6. Test Meta Annotations
9.2. Spring MVC Test Integration
9.2.1. Setting Up MockMvc and Spring Security
9.2.2. SecurityMockMvcRequestPostProcessors
Testing with CSRF Protection
Running a Test as a User in Spring MVC Test
Running as a User in Spring MVC Test with RequestPostProcessor
Testing HTTP Basic Authentication
9.2.3. SecurityMockMvcRequestBuilders
Testing Form Based Authentication
Testing Logout
9.2.4. SecurityMockMvcResultMatchers
Unauthenticated Assertion
Authenticated Assertion
10. Web Application Security
10.1. The Security Filter Chain
10.1.1. DelegatingFilterProxy
10.1.2. FilterChainProxy
Bypassing the Filter Chain
10.1.3. Filter Ordering
10.1.4. Request Matching and HttpFirewall
10.1.5. Use with other Filter-Based Frameworks
10.1.6. Advanced Namespace Configuration
10.2. Core Security Filters
10.2.1. FilterSecurityInterceptor
10.2.2. ExceptionTranslationFilter
AuthenticationEntryPoint
AccessDeniedHandler
SavedRequest and the RequestCache Interface
10.2.3. SecurityContextPersistenceFilter
SecurityContextRepository
10.2.4. UsernamePasswordAuthenticationFilter
Application Flow on Authentication Success and Failure
10.3. Servlet API Integration
10.3.1. Servlet 2.5 Integration
HttpServletRequest.getRemoteUser()
HttpServletRequest.getUserPrincipal()
HttpServletRequest.isUserInRole(String)
10.3.2. Servlet 3 Integration
HttpServletRequest.authenticate(HttpServletRequest,HttpServletResponse)
HttpServletRequest.login(String,String)
HttpServletRequest.logout()
AsyncContext.start(Runnable)
Async Servlet Support
10.3.3. Servlet 3.1 Integration
HttpServletRequest#changeSessionId()
10.4. Basic and Digest Authentication
10.4.1. BasicAuthenticationFilter
Configuration
10.4.2. DigestAuthenticationFilter
Configuration
10.5. Remember-Me Authentication
10.5.1. Overview
10.5.2. Simple Hash-Based Token Approach
10.5.3. Persistent Token Approach
10.5.4. Remember-Me Interfaces and Implementations
TokenBasedRememberMeServices
PersistentTokenBasedRememberMeServices
10.6. Cross Site Request Forgery (CSRF)
10.6.1. CSRF Attacks
10.6.2. Synchronizer Token Pattern
10.6.3. When to Use CSRF Protection
CSRF Protection and JSON
CSRF and Stateless Browser Applications
10.6.4. Using Spring Security CSRF Protection
Use Proper HTTP Verbs
Configure CSRF Protection
Include the CSRF Token
10.6.5. CSRF Caveats
Timeouts
Logging In
Logging Out
Multipart (File Upload)
HiddenHttpMethodFilter
10.6.6. Overriding Defaults
10.7. CORS
10.8. Security HTTP Response Headers
10.8.1. Default Security Headers
Cache Control
Content Type Options
HTTP Strict Transport Security (HSTS)
HTTP Public Key Pinning (HPKP)
X-Frame-Options
X-XSS-Protection
Content Security Policy (CSP)
Referrer Policy
Feature Policy
10.8.2. Custom Headers
Static Headers
Headers Writer
DelegatingRequestMatcherHeaderWriter
10.9. Session Management
10.9.1. SessionManagementFilter
10.9.2. SessionAuthenticationStrategy
10.9.3. Concurrency Control
Querying the SessionRegistry for Currently Authenticated Users and Their Sessions
10.10. Anonymous Authentication
10.10.1. Overview
10.10.2. Configuration
10.10.3. AuthenticationTrustResolver
10.11. WebSocket Security
10.11.1. WebSocket Configuration
10.11.2. WebSocket Authentication
10.11.3. WebSocket Authorization
WebSocket Authorization Notes
Outbound Messages
10.11.4. Enforcing Same Origin Policy
Why Same Origin?
Spring WebSocket Allowed Origin
Adding CSRF to Stomp Headers
Disable CSRF within WebSockets
10.11.5. Working with SockJS
SockJS and frame-options
SockJS and Relaxing CSRF
11. Authorization
11.1. Authorization Architecture
11.1.1. Authorities
11.1.2. Pre-Invocation Handling
The AccessDecisionManager
Voting-Based AccessDecisionManager Implementations
11.1.3. After Invocation Handling
11.1.4. Hierarchical Roles
11.2. Secure Object Implementations
11.2.1. AOP Alliance (MethodInvocation) Security Interceptor
Explicit MethodSecurityInterceptor Configuration
11.2.2. AspectJ (JoinPoint) Security Interceptor
11.3. Expression-Based Access Control
11.3.1. Overview
Common Built-In Expressions
11.3.2. Web Security Expressions
Referring to Beans in Web Security Expressions
Path Variables in Web Security Expressions
11.3.3. Method Security Expressions
@Pre and @Post Annotations
Built-In Expressions
12. Additional Topics
12.1. Domain Object Security (ACLs)
12.1.1. Overview
12.1.2. Key Concepts
12.1.3. Getting Started
12.2. Pre-Authentication Scenarios
12.2.1. Pre-Authentication Framework Classes
AbstractPreAuthenticatedProcessingFilter
PreAuthenticatedAuthenticationProvider
Http403ForbiddenEntryPoint
12.2.2. Concrete Implementations
Request-Header Authentication (Siteminder)
Java EE Container Authentication
12.3. LDAP Authentication
12.3.1. Overview
12.3.2. Using LDAP with Spring Security
12.3.3. Configuring an LDAP Server
Using an Embedded Test Server
Using Bind Authentication
Loading Authorities
12.3.4. Implementation Classes
LdapAuthenticator Implementations
Connecting to the LDAP Server
LDAP Search Objects
LdapAuthoritiesPopulator
Spring Bean Configuration
LDAP Attributes and Customized UserDetails
12.3.5. Active Directory Authentication
ActiveDirectoryLdapAuthenticationProvider
12.4. OAuth 2.0 Login - Advanced Configuration
12.4.1. OAuth 2.0 Login Page
12.4.2. Redirection Endpoint
12.4.3. UserInfo Endpoint
Mapping User Authorities
Configuring a Custom OAuth2User
OAuth 2.0 UserService
OpenID Connect 1.0 UserService
13. WebClient for Servlet Environments
13.1. WebClient OAuth2 Setup
13.2. Implicit OAuth2AuthorizedClient
13.3. Explicit OAuth2AuthorizedClient
13.4. clientRegistrationId
13.5. JSP Tag Libraries
13.5.1. Declaring the Taglib
13.5.2. The authorize Tag
Disabling Tag Authorization for Testing
13.5.3. The authentication Tag
13.5.4. The accesscontrollist Tag
13.5.5. The csrfInput Tag
13.5.6. The csrfMetaTags Tag
13.6. Java Authentication and Authorization Service (JAAS) Provider
13.6.1. Overview
13.6.2. AbstractJaasAuthenticationProvider
JAAS CallbackHandler
JAAS AuthorityGranter
13.6.3. DefaultJaasAuthenticationProvider
InMemoryConfiguration
DefaultJaasAuthenticationProvider Example Configuration
13.6.4. JaasAuthenticationProvider
13.6.5. Running as a Subject
13.7. CAS Authentication
13.7.1. Overview
13.7.2. How CAS Works
Spring Security and CAS Interaction Sequence
13.7.3. Configuration of CAS Client
Service Ticket Authentication
Single Logout
Authenticating to a Stateless Service with CAS
Proxy Ticket Authentication
13.8. X.509 Authentication
13.8.1. Overview
13.8.2. Adding X.509 Authentication to Your Web Application
13.8.3. Setting up SSL in Tomcat
13.9. Run-As Authentication Replacement
13.9.1. Overview
13.9.2. Configuration
13.10. Spring Security Crypto Module
13.10.1. Introduction
13.10.2. Encryptors
BytesEncryptor
TextEncryptor
13.10.3. Key Generators
BytesKeyGenerator
StringKeyGenerator
13.10.4. Password Encoding
13.11. Concurrency Support
13.11.1. DelegatingSecurityContextRunnable
13.11.2. DelegatingSecurityContextExecutor
13.11.3. Spring Security Concurrency Classes
13.12. Spring MVC Integration
13.12.1. @EnableWebMvcSecurity
13.12.2. MvcRequestMatcher
13.12.3. @AuthenticationPrincipal
13.12.4. Spring MVC Async Integration
13.12.5. Spring MVC and CSRF Integration
Automatic Token Inclusion
Resolving the CsrfToken
14. Spring Data Integration
14.1. Spring Data and Spring Security Configuration
14.2. Security Expressions within @Query
15. Appendix
15.1. Security Database Schema
15.1.1. User Schema
For Oracle Database
Group Authorities
15.1.2. Persistent Login (Remember-Me) Schema
15.1.3. ACL Schema
HyperSQL
PostgreSQL
MySQL and MariaDB
Microsoft SQL Server
Oracle Database
15.2. The Security Namespace
15.2.1. Web Application Security
<debug>
<http>
<access-denied-handler>
<cors>
<headers>
<cache-control>
<hsts>
<hpkp>
<pins>
<pin>
<content-security-policy>
<referrer-policy>
<feature-policy>
<frame-options>
<xss-protection>
<content-type-options>
<header>
<anonymous>
<csrf>
<custom-filter>
<expression-handler>
<form-login>
<http-basic>
<http-firewall> Element
<intercept-url>
<jee>
<logout>
<openid-login>
<attribute-exchange>
<openid-attribute>
<port-mappings>
<port-mapping>
<remember-me>
<request-cache> Element
<session-management>
<concurrency-control>
<x509>
<filter-chain-map>
<filter-chain>
<filter-security-metadata-source>
15.2.2. WebSocket Security
<websocket-message-broker>
<intercept-message>
15.2.3. Authentication Services
<authentication-manager>
<authentication-provider>
<jdbc-user-service>
<password-encoder>
<user-service>
<user>
15.2.4. Method Security
<global-method-security>
<after-invocation-provider>
<pre-post-annotation-handling>
<invocation-attribute-factory>
<post-invocation-advice>
<pre-invocation-advice>
Securing Methods using
<intercept-methods>
<method-security-metadata-source>
<protect>
15.2.5. LDAP Namespace Options
Defining the LDAP Server using the
<ldap-authentication-provider>
<password-compare>
<ldap-user-service>
15.3. Spring Security Dependencies
15.3.1. spring-security-core
15.3.2. spring-security-remoting
15.3.3. spring-security-web
15.3.4. spring-security-ldap
15.3.5. spring-security-config
15.3.6. spring-security-acl
15.3.7. spring-security-cas
15.3.8. spring-security-openid
15.3.9. spring-security-taglibs
15.4. Proxy Server Configuration
15.5. Spring Security FAQ
15.5.1. General Questions
Will Spring Security take care of all my application security requirements?
Why not just use web.xml security?
What Java and Spring Framework versions are required?
I'm new to Spring Security and I need to build an application that supports CAS single sign-on over HTTPS, while allowing Basic authentication locally for certain URLs, authenticating against multiple back end user information sources (LDAP and JDBC). I've copied some configuration files I found but it doesn't work.
15.5.2. Common Problems
When I try to log in, I get an error message that says "Bad Credentials". What's wrong?
My application goes into an "endless loop" when I try to login, what's going on?
I get an exception with the message "Access is denied (user is anonymous);". What's wrong?
Why can I still see a secured page even after I've logged out of my application?
I get an exception with the message "An Authentication object was not found in the SecurityContext". What's wrong?
I can't get LDAP authentication to work.
Session Management
I'm using Spring Security's concurrent session control to prevent users from logging in more than once at a time.
Why does the session Id change when I authenticate through Spring Security?
I'm using Tomcat (or some other servlet container) and have enabled HTTPS for my login page, switching back to HTTP afterwards.
I'm not switching between HTTP and HTTPS but my session is still getting lost
I'm trying to use the concurrent session-control support but it won't let me log back in, even if I'm sure I've logged out and haven't exceeded the allowed sessions.
Spring Security is creating a session somewhere, even though I've configured it not to, by setting the create-session attribute to never.
I get a 403 Forbidden when performing a POST
I'm forwarding a request to another URL using the RequestDispatcher, but my security constraints aren't being applied.
I have added Spring Security's <global-method-security> element to my application context but if I add security annotations to my Spring MVC controller beans (Struts actions etc.) then they don't seem to have an effect.
I have a user who has definitely been authenticated, but when I try to access the SecurityContextHolder during some requests, the Authentication is null.
The authorize JSP Tag doesn't respect my method security annotations when using the URL attribute.
15.5.3. Spring Security Architecture Questions
How do I know which package class X is in?
How do the namespace elements map to conventional bean configurations?
What does "ROLE_" mean and why do I need it on my role names?
How do I know which dependencies to add to my application to work with Spring Security?
What dependencies are needed to run an embedded ApacheDS LDAP server?
What is a UserDetailsService and do I need one?
15.5.4. Common "Howto" Requests
I need to login in with more information than just the username.
How do I apply different intercept-url constraints where only the fragment value of the requested URLs differs (e.g. /foo#bar and /foo#blah)?
How do I access the user's IP Address (or other web-request data) in a UserDetailsService?
How do I access the HttpSession from a UserDetailsService?
How do I access the user's password in a UserDetailsService?
How do I define the secured URLs within an application dynamically?
How do I authenticate against LDAP but load user roles from a database?
I want to modify the property of a bean that is created by the namespace, but there is nothing in the schema to support it.
III. Reactive Applications
16. WebFlux Security
16.1. Minimal WebFlux Security Configuration
16.2. Explicit WebFlux Security Configuration
17. Default Security Headers
17.1. Cache Control
17.2. Content Type Options
17.3. HTTP Strict Transport Security (HSTS)
17.4. X-Frame-Options
17.5. X-XSS-Protection
17.6. Content Security Policy (CSP)
17.6.1. Configuring Content Security Policy
17.6.2. Additional Resources
17.7. Referrer Policy
17.7.1. Configuring Referrer Policy
17.8. Feature Policy
17.8.1. Configuring Feature Policy
18. Redirect to HTTPS
19. OAuth2 WebFlux
19.1. OAuth 2.0 Login
19.1.1. Spring Boot 2.0 Sample
Initial setup
Setting the redirect URI
Configure application.yml
Boot up the application
19.1.2. Using OpenID Provider Configuration
19.1.3. Explicit OAuth2 Login Configuration
19.2. OAuth2 Client
19.3. OAuth2 Resource Server
19.3.1. Dependencies
19.3.2. Minimal Configuration
Specify the Authorization Server
Startup Expectations
Runtime Expectations
Specifying the Authorization Server JWK Set Uri Directly
Overriding or Replacing Boot Auto Configuration
Configuring Authorization
Configuring Validation
20. @RegisteredOAuth2AuthorizedClient
21. WebClient
21.1. WebClient OAuth2 Setup
21.2. Implicit OAuth2AuthorizedClient
21.3. Explicit OAuth2AuthorizedClient
21.4. clientRegistrationId
22. EnableReactiveMethodSecurity
23. Reactive Test Support
23.1. Testing Reactive Method Security
23.2. WebTestClientSupport
23.2.1. Authentication
23.2.2. CSRF Support
Part II. Servlet Applications
Last Updated
2021-07-03T15:47:37