How does Spring Security work?
Question
I'm a newbie on Spring Boot 3.1 + WebFlux + Kotlin.
I'm studying Spring Security after going through the official documentation and various blogs, but the principle is not coming out and there are so many articles on how to use it, so I'm asking you a question.
I wonder how Spring executes the "strangeNaming" function.
I'm not inheriting something and overriding it, but I wonder how it works even if I write the function name as I want.
Please save me.
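import org.springframework.context.annotation.Bean
import org.springframework.context.annotation.Configuration
import org.springframework.http.HttpStatus
import org.springframework.security.config.annotation.method.configuration.EnableReactiveMethodSecurity
import org.springframework.security.config.annotation.web.reactive.EnableWebFluxSecurity
import org.springframework.security.config.web.server.ServerHttpSecurity
import org.springframework.security.web.server.SecurityWebFilterChain
import reactor.core.publisher.Mono

@Configuration
@EnableWebFluxSecurity
@EnableReactiveMethodSecurity
class SecurityConfiguration {
    @Bean
    fun strangeNaming(http: ServerHttpSecurity): SecurityWebFilterChain {
        return http.authorizeExchange {
            it.anyExchange().permitAll()
        }.exceptionHandling {
            // Configures what to do when the application requests authentication
            it.authenticationEntryPoint { exchange, ex ->
                Mono.fromRunnable {
                    exchange.response.statusCode = HttpStatus.UNAUTHORIZED
                }
            }
            // Configures what to do when an authenticated user does not hold a required authority
            it.accessDeniedHandler { exchange, denied ->
                Mono.fromRunnable {
                    exchange.response.statusCode = HttpStatus.FORBIDDEN
                }
            }
        }.build()
    }
}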
Answer 1
Score: 0
A good article about SecurityWebFilterChain; you will find a reference on why adapters were deprecated in spring-security and later removed: Spring Security without the WebSecurityConfigurerAdapter
Answer 2
Score: 0
Spring treats each class marked with @Configuration as a configuration file. In particular, Spring handles all @Bean-annotated methods. If a method is annotated with @Bean, it will be executed during context creation whatever the method is named. The method shouldn't be called by you directly, nor should its name be specified anywhere. @Bean is enough.
An object returned by that method will be a Spring bean and will be present in the Spring application context. Then it is up to Spring Security to apply and use that bean.
Here are the official docs for @Bean. Here is the Spring WebFlux Security guide briefly covering SecurityWebFilterChain.
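The mechanism Answer 2 describes, as an added example (not code from the question, the answers or Spring Security itself): a plain spring-context program in which a @Bean method with an arbitrary name is found through its annotation and its result is consumed by type. `Chain`, `ChainConsumer` and `DemoConfiguration` are hypothetical stand-ins for SecurityWebFilterChain, the framework component that uses it, and the question's configuration class.

```kotlin
import org.springframework.context.annotation.AnnotationConfigApplicationContext
import org.springframework.context.annotation.Bean
import org.springframework.context.annotation.Configuration

// Hypothetical stand-in for SecurityWebFilterChain, so the sketch needs only spring-context.
interface Chain {
    fun describe(): String
}

// Hypothetical stand-in for the framework side: it receives every Chain bean by type
// and never refers to the name of the method that produced it.
class ChainConsumer(val chains: List<Chain>)

// proxyBeanMethods = false lets this final Kotlin class be used without the kotlin-spring plugin.
@Configuration(proxyBeanMethods = false)
class DemoConfiguration {
    // Any method name works: Spring finds the method through @Bean, calls it during
    // context creation, and uses the method name only as the default bean name.
    @Bean
    fun strangeNaming(): Chain = object : Chain {
        override fun describe() = "permit all exchanges"
    }

    // Spring fills the List<Chain> parameter by type from the beans in the context.
    @Bean
    fun consumer(chains: List<Chain>): ChainConsumer = ChainConsumer(chains)
}

fun main() {
    AnnotationConfigApplicationContext(DemoConfiguration::class.java).use { ctx ->
        // Lookup by type: the map keys are bean names, the values are the bean instances.
        val byType = ctx.getBeansOfType(Chain::class.java)
        println("Chain beans registered as: ${byType.keys}")

        // The consumer was wired with the same instance without naming the method anywhere.
        val consumer = ctx.getBean(ChainConsumer::class.java)
        println("Consumer received: ${consumer.chains.map { it.describe() }}")
        println("Same instance: ${consumer.chains.single() === byType.values.single()}")
    }
}
```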