How does Spring Security work?

Question

I'm a newbie on Spring Boot 3.1 + WebFlux + Kotlin.

I'm studying Spring Security after reading the official documentation and various blogs, but the principle is not becoming clear, and there are so many articles on how to use it, so I'm asking you a question.

I wonder how Spring executes the "strangeNaming" function.

I'm not inheriting from something and overriding it, but I wonder how it works even if I write the function name as I want.

Please save me.

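import org.springframework.context.annotation.Bean
import org.springframework.context.annotation.Configuration
import org.springframework.http.HttpStatus
import org.springframework.security.config.annotation.method.configuration.EnableReactiveMethodSecurity
import org.springframework.security.config.annotation.web.reactive.EnableWebFluxSecurity
import org.springframework.security.config.web.server.ServerHttpSecurity
import org.springframework.security.web.server.SecurityWebFilterChain
import reactor.core.publisher.Mono

@Configuration
@EnableWebFluxSecurity
@EnableReactiveMethodSecurity
class SecurityConfiguration {

    @Bean
    fun strangeNaming(http: ServerHttpSecurity): SecurityWebFilterChain {
        // URL-level rule: every exchange is allowed without authentication
        return http.authorizeExchange {
            it.anyExchange().permitAll()
        }.exceptionHandling {
            // Configures what to do when the application requests authentication
            it.authenticationEntryPoint { exchange, _ ->
                Mono.fromRunnable {
                    exchange.response.statusCode = HttpStatus.UNAUTHORIZED
                }
            }
            // Configures what to do when an authenticated user does not hold a required authority
            it.accessDeniedHandler { exchange, _ ->
                Mono.fromRunnable {
                    exchange.response.statusCode = HttpStatus.FORBIDDEN
                }
            }
        }.build()
    }
}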

Answer 1

Score: 0

A good article about SecurityWebFilterChain, where you will find a reference on why adapters were deprecated in spring-security and later removed: Spring Security without the WebSecurityConfigurerAdapter

Answer 2

Score: 0

Spring treats each class marked with @Configuration as a configuration file. In particular, Spring handles all @Bean-annotated methods. If a method is annotated with @Bean, it would be executed during context creation, whatever the method is named. The method shouldn't be called by you directly, nor should its name be specified anywhere. @Bean is enough.

An object returned by that method would be a Spring bean and would be present in the Spring application context. Then it is up to Spring Security to apply and use that bean.

Here are the official docs for @Bean. Here is the Spring WebFlux Security guide, briefly covering SecurityWebFilterChain.
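
The mechanism described in Answer 2, modelled as an added Kotlin example (not code from the page, and not Spring's implementation): a reflection-based toy container finds annotated methods, invokes them whatever they are named, and lets a consumer fetch the result by type. `ToyBean`, `ToyHttp`, `ToyChain`, `ToyConfiguration` and `ToyContext` are hypothetical stand-ins for `@Bean`, `ServerHttpSecurity`, `SecurityWebFilterChain`, the configuration class and the application context.

```kotlin
// Simplified model of @Bean discovery; NOT Spring's implementation.
@Target(AnnotationTarget.FUNCTION)
@Retention(AnnotationRetention.RUNTIME)
annotation class ToyBean                          // hypothetical stand-in for @Bean

class ToyHttp {                                   // stand-in for ServerHttpSecurity
    fun build() = ToyChain("anyExchange -> permitAll")
}
data class ToyChain(val rule: String)             // stand-in for SecurityWebFilterChain

class ToyConfiguration {
    @ToyBean fun http() = ToyHttp()
    @ToyBean fun strangeNaming(http: ToyHttp): ToyChain = http.build()
}

class ToyContext(config: Any) {
    // Bean name (taken from the method name) -> instance
    val beans = LinkedHashMap<String, Any>()

    init {
        // Discovery is by annotation; the method name is never compared to anything.
        val pending = config.javaClass.declaredMethods
            .filter { it.isAnnotationPresent(ToyBean::class.java) }
            .toMutableList()
        // Reflection returns methods in no guaranteed order, so invoke each one
        // only once every parameter can be supplied from beans created so far.
        while (pending.isNotEmpty()) {
            val ready = pending.firstOrNull { m -> m.parameterTypes.all { find(it) != null } }
                ?: error("Unsatisfied dependency in ${pending.map { it.name }}")
            val args = ready.parameterTypes.map { find(it)!! }.toTypedArray()
            beans[ready.name] = ready.invoke(config, *args)
            pending.remove(ready)
        }
    }

    private fun find(type: Class<*>): Any? = beans.values.firstOrNull { type.isInstance(it) }

    // Consumers ask by type, which is why the return type is what matters.
    fun <T> byType(type: Class<T>): T? = find(type)?.let { type.cast(it) }
}

fun main() {
    val ctx = ToyContext(ToyConfiguration())
    println(ctx.beans.keys)                       // bean names come from method names
    println(ctx.byType(ToyChain::class.java))     // found without knowing the name
}
```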

huangapple
  • Published on June 16, 2023, 15:51:12
  • When reposting, please keep the link to this article: https://go.coder-hub.com/76488049.html