Spring Boot 2.x greatly simplifies the default security configuration. Instead of a collection of security-related auto-configurations, there is now a single default behaviour that backs off as soon as you provide your own subclass of WebSecurityConfigurerAdapter; that one class is then the whole security setup of the application, which removes a lot of room for surprises.
Actuator no longer has a security configuration of its own (the management.security.* properties have been removed), and the per-endpoint sensitive flag has been dropped too, so the security configuration is now explicit in one place.
For example, if you had this 1.x configuration:

```yaml
endpoints:
  info:
    sensitive: false
  mappings:
    sensitive: true
management:
  security:
    roles: MY_ADMIN
```

in 2.x you express it like this instead:
```java
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;

/**
 * name: TestWebSecurityConfigureAdapter
 *
 * @author aboruo
 * @Description an example on adding our custom WebSecurityConfigurerAdapter
 * @Date create in 2019/9/9 20:50.
 */
@EnableWebSecurity
public class TestWebSecurityConfigureAdapter extends WebSecurityConfigurerAdapter {

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http.csrf().disable()          // switches CSRF protection off for the whole application, not only the actuator
            .authorizeRequests()
                .antMatchers("/actuator/health", "/actuator/info")
                    .permitAll()       // matches the 2.x defaults: health and info stay public
                .antMatchers("/actuator/**")
                    .hasRole("MY_ADMIN")   // i.e. the authority ROLE_MY_ADMIN
            .and()
            .httpBasic();
        // There is no anyRequest() rule here, so URLs outside /actuator/** match none of
        // the rules above and pass through this filter chain without any access check.
    }

}
```
Note that in 2.x, health and info are accessible by default (the health details, however, are not shown by default). To stay consistent with these new defaults, health has been added to the first matcher above.
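The same policy written the way Spring Boot 2.x intends it, as an added example that is not code from the original post: endpoints are matched through EndpointRequest instead of hard-coded /actuator/** paths, every non-actuator URL is covered by an explicit anyRequest() rule, and CSRF protection is relaxed for the actuator only rather than for the whole application. It assumes spring-boot-starter-actuator and spring-boot-starter-security on the classpath (Spring Boot 2.1 with Spring Security 5.1, which provides CsrfConfigurer.ignoringRequestMatchers); the class name ActuatorSecurityConfig, the user ops and its placeholder password are made up for the example.

```java
import org.springframework.boot.actuate.autoconfigure.security.servlet.EndpointRequest;
import org.springframework.boot.actuate.health.HealthEndpoint;
import org.springframework.boot.actuate.info.InfoEndpoint;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.core.userdetails.User;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.provisioning.InMemoryUserDetailsManager;

/**
 * Added example: actuator security the Spring Boot 2.x way. Because this bean is a
 * WebSecurityConfigurerAdapter, SpringBootWebSecurityConfiguration backs off and this
 * class becomes the complete security policy of the application.
 */
@Configuration
public class ActuatorSecurityConfig extends WebSecurityConfigurerAdapter {

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            .authorizeRequests()
                // health and info stay public, as in the 2.x defaults. Matching by endpoint
                // rather than by path means a changed management.endpoints.web.base-path or
                // a separate management.server.port does not silently bypass the rule.
                .requestMatchers(EndpointRequest.to(HealthEndpoint.class, InfoEndpoint.class))
                    .permitAll()
                // every other actuator endpoint needs the authority ROLE_MY_ADMIN
                .requestMatchers(EndpointRequest.toAnyEndpoint())
                    .hasRole("MY_ADMIN")
                // explicit catch-all: without it, URLs matching none of the rules above
                // fall through the chain without any access check
                .anyRequest()
                    .authenticated()
                .and()
            .httpBasic()
                .and()
            // keep CSRF protection for the application itself; exempt only the actuator
            // so that POSTs such as /actuator/shutdown work with HTTP Basic credentials
            .csrf()
                .ignoringRequestMatchers(EndpointRequest.toAnyEndpoint());
    }

    /**
     * Supplying our own UserDetailsService makes UserDetailsServiceAutoConfiguration back
     * off (no generated "user" with a random password printed to the log). The credential
     * below is a constructed placeholder: use a real PasswordEncoder and externalised secrets.
     */
    @Bean
    public UserDetailsService actuatorUsers() {
        return new InMemoryUserDetailsManager(
            User.withUsername("ops")                 // made-up operator account
                .password("{noop}replace-me")        // placeholder; {noop} means no hashing
                .roles("MY_ADMIN")
                .build());
    }

}
```

With this in place, an unauthenticated GET to the health or info endpoint returns 200, any other actuator endpoint answers 401 until valid MY_ADMIN credentials are presented, and application URLs are no longer left open by an incomplete matcher list.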
Spring Boot 2.x endpoint implementation without pulling in Spring Security (to be continued)
1. First, locate the auto-configuration class in the spring.factories file of spring-boot-autoconfigure

Looking at that class:
```java
/**
 * {@link EnableAutoConfiguration Auto-configuration} for Spring Security.
 *
 * @author Dave Syer
 * @author Andy Wilkinson
 * @author Madhura Bhave
 * @since 1.0.0
 */
@Configuration
@ConditionalOnClass(DefaultAuthenticationEventPublisher.class)
@EnableConfigurationProperties(SecurityProperties.class)
@Import({ SpringBootWebSecurityConfiguration.class, WebSecurityEnablerConfiguration.class,
        SecurityDataConfiguration.class })
public class SecurityAutoConfiguration {

    @Bean
    @ConditionalOnMissingBean(AuthenticationEventPublisher.class)
    public DefaultAuthenticationEventPublisher authenticationEventPublisher(ApplicationEventPublisher publisher) {
        return new DefaultAuthenticationEventPublisher(publisher);
    }

}
```
DefaultAuthenticationEventPublisher: the publisher used by default for authentication events; it turns authentication successes and failures into Spring application events that listeners (audit, lockout logic) can consume.
SecurityProperties: the configuration properties for security, all prefixed with spring.security.
SecurityAutoConfiguration in turn imports several key configuration classes:
① SpringBootWebSecurityConfiguration
```java
/**
 * The default configuration for web security. It relies on Spring Security's
 * content-negotiation strategy to determine what sort of authentication to use. If the
 * user specifies their own {@link WebSecurityConfigurerAdapter}, this will back-off
 * completely and the users should specify all the bits that they want to configure as
 * part of the custom security configuration.
 *
 * @author Madhura Bhave
 * @since 2.0.0
 */
@Configuration
@ConditionalOnClass(WebSecurityConfigurerAdapter.class)
@ConditionalOnMissingBean(WebSecurityConfigurerAdapter.class)
@ConditionalOnWebApplication(type = Type.SERVLET)
public class SpringBootWebSecurityConfiguration {

    @Configuration
    @Order(SecurityProperties.BASIC_AUTH_ORDER)
    static class DefaultConfigurerAdapter extends WebSecurityConfigurerAdapter {

    }

}
```
This is Spring Boot's default web security configuration class. It relies on Spring Security's content-negotiation strategy to decide which kind of authentication to use. From the code we can see:
- when the user defines their own WebSecurityConfigurerAdapter, SpringBootWebSecurityConfiguration backs off and does not take effect;
- it only takes effect when the application is a web application of type SERVLET;
- DefaultConfigurerAdapter overrides nothing, so the default you get is what WebSecurityConfigurerAdapter itself configures: every request must be authenticated, with form login and HTTP Basic both enabled.
② WebSecurityEnablerConfiguration
This is an enabler configuration class. As the name says, it only takes effect when a bean of type WebSecurityConfigurerAdapter exists in the ApplicationContext, and its job is to supply the @EnableWebSecurity annotation on behalf of such beans, whether they come from the default auto-configuration or from a user who forgot to add the annotation. It backs off if the user has already registered a bean named springSecurityFilterChain, which is the bean @EnableWebSecurity would otherwise create.
```java
/**
 * If there is a bean of type WebSecurityConfigurerAdapter, this adds the
 * {@link EnableWebSecurity} annotation. This will make sure that the annotation is
 * present with default security auto-configuration and also if the user adds custom
 * security and forgets to add the annotation. If {@link EnableWebSecurity} has already
 * been added or if a bean with name {@value BeanIds#SPRING_SECURITY_FILTER_CHAIN} has
 * been configured by the user, this will back-off.
 *
 * @author Madhura Bhave
 * @since 2.0.0
 */
@Configuration
@ConditionalOnBean(WebSecurityConfigurerAdapter.class)
@ConditionalOnMissingBean(name = BeanIds.SPRING_SECURITY_FILTER_CHAIN)
@ConditionalOnWebApplication(type = ConditionalOnWebApplication.Type.SERVLET)
@EnableWebSecurity
public class WebSecurityEnablerConfiguration {

}
```
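The conditions on SpringBootWebSecurityConfiguration and WebSecurityEnablerConfiguration can be made observable with a context-runner test. The following is an added example, not code from the original post and not Spring Boot's own test suite: with only the auto-configuration loaded, SpringBootWebSecurityConfiguration is present; once a user WebSecurityConfigurerAdapter is supplied it disappears from the context, yet the springSecurityFilterChain bean still exists because WebSecurityEnablerConfiguration contributed @EnableWebSecurity for an adapter that did not carry it. It assumes Spring Boot 2.1 test support (spring-boot-test, AssertJ and JUnit 5) on the classpath; the class names SecurityBackOffTests and CustomAdapter are made up.

```java
import static org.assertj.core.api.Assertions.assertThat;

import org.junit.jupiter.api.Test;
import org.springframework.boot.autoconfigure.AutoConfigurations;
import org.springframework.boot.autoconfigure.security.servlet.SecurityAutoConfiguration;
import org.springframework.boot.autoconfigure.security.servlet.SpringBootWebSecurityConfiguration;
import org.springframework.boot.autoconfigure.security.servlet.UserDetailsServiceAutoConfiguration;
import org.springframework.boot.test.context.runner.WebApplicationContextRunner;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.BeanIds;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;

/**
 * Added example: exercises the back-off conditions of SecurityAutoConfiguration's imports
 * in a servlet web context (WebApplicationContextRunner supplies a MockServletContext).
 */
class SecurityBackOffTests {

    private final WebApplicationContextRunner runner = new WebApplicationContextRunner()
            .withConfiguration(AutoConfigurations.of(SecurityAutoConfiguration.class,
                    UserDetailsServiceAutoConfiguration.class));

    @Test
    void defaultConfigurationIsUsedWhenNoAdapterIsDefined() {
        runner.run(context -> {
            // @ConditionalOnMissingBean(WebSecurityConfigurerAdapter.class) holds: the default applies
            assertThat(context).hasSingleBean(SpringBootWebSecurityConfiguration.class);
            assertThat(context).hasSingleBean(WebSecurityConfigurerAdapter.class);
            // @EnableWebSecurity from WebSecurityEnablerConfiguration built the filter chain
            assertThat(context).hasBean(BeanIds.SPRING_SECURITY_FILTER_CHAIN);
        });
    }

    @Test
    void defaultConfigurationBacksOffWhenUserDefinesAdapter() {
        runner.withUserConfiguration(CustomAdapter.class).run(context -> {
            // the user's adapter is the only one left; the default has backed off
            assertThat(context).doesNotHaveBean(SpringBootWebSecurityConfiguration.class);
            assertThat(context).hasSingleBean(WebSecurityConfigurerAdapter.class);
            assertThat(context).getBean(WebSecurityConfigurerAdapter.class).isInstanceOf(CustomAdapter.class);
            // CustomAdapter carries no @EnableWebSecurity, yet the chain exists:
            // WebSecurityEnablerConfiguration added the annotation on its behalf
            assertThat(context).hasBean(BeanIds.SPRING_SECURITY_FILTER_CHAIN);
        });
    }

    /** Made-up user adapter that deliberately omits @EnableWebSecurity. */
    @Configuration
    static class CustomAdapter extends WebSecurityConfigurerAdapter {

        @Override
        protected void configure(HttpSecurity http) throws Exception {
            http.authorizeRequests().anyRequest().authenticated().and().httpBasic();
        }

    }

}
```

If the second test ever starts failing on the last assertion, the usual cause is a user-defined bean named springSecurityFilterChain, which is exactly the case in which WebSecurityEnablerConfiguration is documented to back off.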
③ SecurityDataConfiguration
When the SecurityEvaluationContextExtension class is on the classpath, this automatically adds Spring Security's integration with Spring Data, so that security expressions such as ?#{principal} can be referenced inside Spring Data query methods.
```java
/**
 * Automatically adds Spring Security's integration with Spring Data.
 *
 * @author Rob Winch
 * @since 1.3.0
 */
@Configuration
@ConditionalOnClass(SecurityEvaluationContextExtension.class)
public class SecurityDataConfiguration {

    @Bean
    @ConditionalOnMissingBean
    public SecurityEvaluationContextExtension securityEvaluationContextExtension() {
        return new SecurityEvaluationContextExtension();
    }

}
```
Next, we will go through the following classes one by one to understand how the whole mechanism works:
- SecurityRequestMatcherProviderAutoConfiguration
- UserDetailsServiceAutoConfiguration
- SecurityFilterAutoConfiguration
- OAuth2ClientAutoConfiguration
- OAuth2ResourceServerAutoConfiguration
