Головна сторінка Огляд Довідка
Реєстрація Увійти
github
/
spring-security
дзеркало https://github.com/spring-projects/spring-security
2
0
Відгалуження 0
Файли Проблеми 0 Wiki
Дерево: 0cf95dbf61
Гілки Теги
spring-security
/
docs
/
modules
/
ROOT
/
pages
/
servlet
/
getting-started.adoc

getting-started.adoc 4.3 KB
Історія Запис

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172 
  1. [[servlet-hello]]
    2. 

  2. = Hello Spring Security
    3. 

  3. 

  4. This section covers the minimum setup for how to use Spring Security with Spring Boot.
    5. 

  5. 

  6. [NOTE]
    7. 

  7. ====
    8. 

  8. The completed application can be found {gh-samples-url}/servlet/spring-boot/java/hello-security[in our samples repository].
    9. 

  9. For your convenience, you can download a minimal Spring Boot + Spring Security application by https://start.spring.io/starter.zip?type=maven-project&language=java&packaging=jar&jvmVersion=1.8&groupId=example&artifactId=hello-security&name=hello-security&description=Hello%20Security&packageName=example.hello-security&dependencies=web,security[clicking here].
    10. 

  10. ====
    11. 

  11. 

  12. [[servlet-hello-dependencies]]
    13. 

  13. == Updating Dependencies
    14. 

  14. 

  15. The only step you need to do is update the dependencies by using xref:getting-spring-security.adoc#getting-maven-boot[Maven] or xref:getting-spring-security.adoc#getting-gradle-boot[Gradle].
    16. 

  16. 

  17. [[servlet-hello-starting]]
    18. 

  18. == Starting Hello Spring Security Boot
    19. 

  19. 

  20. You can now https://docs.spring.io/spring-boot/docs/current/reference/htmlsingle/#using-boot-running-with-the-maven-plugin[run the Spring Boot application] by using the Maven Plugin's `run` goal.
    21. 

  21. The following example shows how to do so (and the beginning of the output from doing so):
    22. 

  22. 

  23. .Running Spring Boot Application
    24. 

  24. [source,bash]
    25. 

  25. ----
    26. 

  26. $ ./mvn spring-boot:run
    27. 

  27. ...
    28. 

  28. INFO 23689 --- [  restartedMain] .s.s.UserDetailsServiceAutoConfiguration :
    29. 

  29. 

  30. Using generated security password: 8e557245-73e2-4286-969a-ff57fe326336
    31. 

  31. 

  32. ...
    33. 

  33. ----
    34. 

  34. 

  35. 

  36. [[servlet-hello-auto-configuration]]
    37. 

  37. == Spring Boot Auto Configuration
    38. 

  38. 

  39. // FIXME: Link to relevant portions of documentation
    40. 

  40. // FIXME: Link to Spring Boot's Security Auto configuration classes
    41. 

  41. // FIXME: Add a links for what user's should do next
    42. 

  42. 

  43. Spring Boot automatically:
    44. 

  44. 

  45. * Enables Spring Security's default configuration, which creates a servlet `Filter` as a bean named `springSecurityFilterChain`.
    46. 

  46. This bean is responsible for all the security (protecting the application URLs, validating submitted username and passwords, redirecting to the log in form, and so on) within your application.
    47. 

  47. * Creates a `UserDetailsService` bean with a username of `user` and a randomly generated password that is logged to the console.
    48. 

  48. * Registers the `Filter` with a bean named `springSecurityFilterChain` with the Servlet container for every request.
    49. 

  49. 

  50. Spring Boot is not configuring much, but it does a lot.
    51. 

  51. A summary of the features follows:
    52. 

  52. 

  53. * Require an authenticated user for any interaction with the application
    54. 

  54. * Generate a default login form for you
    55. 

  55. * Let the user with a username of `user` and a password that is logged to the console to authenticate with form-based authentication (in the preceding example, the password is `8e557245-73e2-4286-969a-ff57fe326336`)
    56. 

  56. * Protects the password storage with BCrypt
    57. 

  57. * Lets the user log out
    58. 

  58. * https://en.wikipedia.org/wiki/Cross-site_request_forgery[CSRF attack] prevention
    59. 

  59. * https://en.wikipedia.org/wiki/Session_fixation[Session Fixation] protection
    60. 

  60. * Security Header integration
    61. 

  61. ** https://en.wikipedia.org/wiki/HTTP_Strict_Transport_Security[HTTP Strict Transport Security] for secure requests
    62. 

  62. ** https://msdn.microsoft.com/en-us/library/ie/gg622941(v=vs.85).aspx[X-Content-Type-Options] integration
    63. 

  63. ** Cache Control (can be overridden later by your application to allow caching of your static resources)
    64. 

  64. ** https://msdn.microsoft.com/en-us/library/dd565647(v=vs.85).aspx[X-XSS-Protection] integration
    65. 

  65. ** X-Frame-Options integration to help prevent https://en.wikipedia.org/wiki/Clickjacking[Clickjacking]
    66. 

  66. * Integrate with the following Servlet API methods:
    67. 

  67. ** https://docs.oracle.com/javaee/6/api/javax/servlet/http/HttpServletRequest.html#getRemoteUser()[`HttpServletRequest#getRemoteUser()`]
    68. 

  68. ** https://docs.oracle.com/javaee/6/api/javax/servlet/http/HttpServletRequest.html#getUserPrincipal()[`HttpServletRequest.html#getUserPrincipal()`]
    69. 

  69. ** https://docs.oracle.com/javaee/6/api/javax/servlet/http/HttpServletRequest.html#isUserInRole(java.lang.String)[`HttpServletRequest.html#isUserInRole(java.lang.String)`]
    70. 

  70. ** https://docs.oracle.com/javaee/6/api/javax/servlet/http/HttpServletRequest.html#login(java.lang.String,%20java.lang.String)[`HttpServletRequest.html#login(java.lang.String, java.lang.String)`]
    71. 

  71. ** https://docs.oracle.com/javaee/6/api/javax/servlet/http/HttpServletRequest.html#logout()[`HttpServletRequest.html#logout()`]
    72. 

  72.