Spring security permission system of Java framework


Spring Security integrates spring technology stack, provides the overall security solution of Java EE application, and provides comprehensive security services. Spring Security supports a wide range of authentication models

Module division

Core - spring-security-core.jar

Core modules: core authentication, authorization, JDBC user support, independent Spring application support

Remoting - spring-security-remoting.jar

Remote interaction module: generally not required, you can use Spring Remoting function to simplify remote client interaction

Web - spring-security-web.jar

web security module: web project use, access control based on URL

Config - spring-security-config.jar

java configuration module: must rely on package, including parsing xml and java annotation to use spring security function

LDAP - spring-security-ldap.jar

LDAP (Lightweight Directory Access Protocol) support module: optional dependency package, LDAP function support

ACL - spring-security-acl.jar

ACL support: ACL (access control list) access control list. Fine grained resource access control (RBAC+ACL)

CAS - spring-security-cas.jar

CAS integration support: CAS (Central Authentication Service) Central Authentication Service. Open source ApereoCAS integration

OpenID - spring-security-openid.jar

OpenID authentication method: used to authenticate users against external servers (wechat, Sina Weibo third party login)

Test - spring-security-test.jar

Test module: fast test of spring security application

Maven based Web engineering example

Add security POM dependency

    <!-- In the security framework jar package -->
    <!-- Tag library -->

Add spring security Filter to web.xml for security control

  <!-- Core controller, pay attention to spring and springmvc Configuration files are created by Web Container loading -->
<!--Agent management all SpringSecurity Filter-->
    <filter-name>springSecurityFilterChain</filter-name><!--Name fixing,Can not change-->

Spring security configuration class

 * @Configuration   Components in hypervisor (scan)
 * @EnableWebSecurity   Formal basic annotation of security framework support annotation
* @EnableGlobalMethodSecurity Turn on using expression methods to verify security
*/ @Configuration @EnableWebSecurity @EnableGlobalMethodSecurity(prePostEnabled = true) public class AppWebSecurityConfig extends WebSecurityConfigurerAdapter { @Override //Authentication protected void configure(AuthenticationManagerBuilder auth) throws Exception { } @Override //To grant authorization protected void configure(HttpSecurity http) throws Exception { } }

Check the source code of the login page, and there is a tag < input type = "hidden" name = "${65374; CSRF. Parametername}" value = "${ᦉ CSRF. Token}" / > this is spring security to help us prevent "Cross Site Request Forgery" attack; it can also prevent the form from submitting repeatedly. This tag value dynamically generates a token value that verifies the correctness of the token value when a user requests to log in. If you want to disable this function, you can set http.csrf().disable();

l. token value change:

n. if the login is successful (the user name and password are correct), the token will be deleted,

n. return to the login page or the back page, and the token will be regenerated;

n. if the login fails (wrong user name and password), the token does not change.

n. refresh the login page, and the token value does not change


    private UserDetailsService  userDetailsService;
    protected void configure(AuthenticationManagerBuilder auth) throws Exception {
        //Query data from database        
      auth.userDetailsService(userDetailsService).passwordEncoder(new BCryptPasswordEncoder());


This interface is called by Security to check the permission based on AOP mode, and returns a UserDetails interface type, which stores all the permission information queried by the user from the database

1. Implement the UserDetailsService interface in the business layer to query the user object from the Dao layer through the user name
2. Create a set of HashSet < GrantedAuthority > interface type. The GrantedAuthority type is used to store role and permission information. Its implementation class simplegratedauthority needs to pass in string type role name and permission name
3. Query the role set owned by the user through the user id
4. Query the permission set owned by the user through the user id
5 create a simplegratedauthority object with all role names and ownership restrictions and add it to the HashSet < grantedauthority > Set
6. Create a user class object, which implements the UserDetails interface. For this user object, pass in the user name and password of the user plus the permission Set and return the object
    @Autowired //user
    private TAdminMapper adminMapper;
    @Autowired //role
    private TRoleMapper roleMapper;
    @Autowired //Jurisdiction
    private TPermissionMapper permissionMapper;
    public UserDetails loadUserByUsername(String username) throws UsernameNotFoundException {
        TAdminExample example = new TAdminExample();
        TAdminExample.Criteria criteria = example.createCriteria();
        List<TAdmin> admins = adminMapper.selectByExample(example);
        //Find the user from the database
        TAdmin admin = admins.get(0);
        //This collection is used to store roles and permissions
        HashSet<GrantedAuthority> authorities = new HashSet<>();
        //Find out the corresponding role of the user from the database
        List<TRole> roles = roleMapper.listRole(admin.getId());
        //Find out the corresponding permissions of the user from the database
        List<TPermission> permissions = permissionMapper.listPermission(admin.getId());
        //Add roles and permissions to authorities Collection
        for (TRole role : roles) {
            String name = role.getName();
            authorities.add(new SimpleGrantedAuthority("ROLE_" + name));//Note that roles need to be added "ROLE_"
        permissions.forEach((p) -> {
            String name = p.getName();
            authorities.add(new SimpleGrantedAuthority(name));
        //Created from this user name and password and permission collection User Object and return
        User user = new User(admin.getLoginacct().toString(), admin.getUserpswd().toString(), authorities);
        return user;

To grant authorization

 HttpSecurity This class allows configuration of specific http requests based on security considerations. By default, it applies to all requests. It also applies to http method Configure fine access control for users

    protected void configure(HttpSecurity http) throws Exception {
        //Be based on httpRequest Specify antMatchers Resources permitAll Release,For other requests anyRequest Must be certified authenticated
        //Jump to the default login interface
        //Controller specified at login/login,And verify the user name and password,Jump to controller after successful verification/main
        //cancel csrf Token value validation
        //Controller specified on exit,And specify the login interface after successful exit
        //Remember my function.To be specified in the front check box value The value is remember-me
        //Custom exception handler
        http.exceptionHandling().accessDeniedHandler(new AccessDeniedHandler() {
            public void handle(HttpServletRequest request, HttpServletResponse response, AccessDeniedException accessDeniedException) throws IOException, ServletException {
                //Determine whether it is an asynchronous request
                }else {

Access control can be more refined through method calls

authorizeRequests(): returns a configuration object to configure the access restrictions of the request
formLogin(): returns the form configuration object. When nothing is specified, a default is provided, such as configure login request and login success page
logout(): returns the logout configuration object. You can set the exit url through logoutUrl
Ant matchers: match the request path or request action type, such as. Ant matchers ("/ admin / *")
addFilterBefore: add a filter before a filter
addFilterAfter: add a filter after a filter
addFilterAt: adding a filter in the same location of a filter will not overwrite the filter in the same location
hasRole: used in combination with ant matchers to set the role permission or IP that the request is allowed to access

Method name



Can be accessed when the result of SpringEL expression is true


Anonymous accessible


User not accessible


User fully authenticated access (automatic login under non remember me)


Any permission in the parameter can be accessed


Any role in the parameter can be accessed


Users with a certain permission can access


Users of a role can access


Accessible to all users


Allow users logged in through remember me to access


User can access after login


The user can access the IP from the parameter


@Details of EnableGlobalMethodSecurity

@ enableglobalmethodsecurity (secureenabled = true) enable @ Secured annotation filtering permission

@ Secured("software engineer"): have the specified role to access the method

@ EnableGlobalMethodSecurity(jsr250Enabled=true) enable @ RolesAllowed annotation filtering permission

@ EnableGlobalMethodSecurity(prePostEnabled=true) use SpEL Expression method level security 4 annotations available

@PreAuthorize checks before method execution, and restricts access to the method based on expression evaluation results / / @ PreAuthorize("hasRole('software engineer ')")

@PostAuthorize checks after method execution, but if the expression evaluates to false, a security exception is thrown

@PostFilter allows method calls, but must filter the results of the method by expression

@PreFilter allows method calls, but you must filter the input values before entering the method

Security tab

In jsp page, you can further control the access right of html tag or obtain the user information through tag: import tag library

<%@taglib prefix="sec" uri="http://www.springframework.org/security/tags" %>
  <sec:authentication property="name"/> //Display the user login name in the required location, and the property must be name
   <sec:authorize access="hasRole('PM - project manager')">//Users who are not in this role hide the following tags
       <button type="button" id="deleteBath" class="btn btn-danger" style="float:right;margin-left:10px;">delete</button>

Keywords: Java Spring Database JSP xml

Added by angelac on Thu, 20 Feb 2020 12:01:16 +0200