How to use Spring Boot to implement security authentication and authorization management

With the development of the Internet, the security of applications has become very important, and every programmer needs to pay attention to security issues. Since the Spring framework is widely used in large-scale enterprise-level applications, Spring Boot is a very popular choice to develop web applications. In this article, we will learn how to use Spring Boot to implement security authentication and authorization management.

1. Authentication and Authorization

Before we start discussing Spring Boot’s implementation of security authentication and authorization, we need to understand what authentication and authorization are.

Authentication is to confirm whether the identity of an entity is legal. In web applications, it is usually to confirm whether the user is a legitimate user.

Authorization is to grant specific operation permissions to an entity after confirming that it is legal. In web applications, it is common to confirm that the user has appropriate access rights to the requested resource.

2. Spring Boot Security Framework

Spring Boot provides a security framework that can easily implement security authentication and authorization management for web applications. Spring Security is part of the Spring Boot security framework. It provides a configurable framework to ensure applications can run securely.

Spring Security provides the following functions:

1. Security authentication and authorization

2. HTTPS support

3. Session management

4. Cross-domain request support

5. Method-level authorization

6. LDAP support

7. OpenID support

8. OAuth 2.0 support

3. Spring Boot security configuration

Before starting to use Spring Boot to implement security authentication and authorization, we need to understand the security configuration of Spring Boot.

Spring Boot uses Java configuration and annotations to configure security. Security configuration is defined in a class that is annotated with @EnableWebSecurity to enable Security, and then defines a class that inherits from WebSecurityConfigurerAdapter to configure Security.

The following is an example of a basic Spring Boot security configuration:

@Configuration
@EnableWebSecurity
public class SecurityConfig extends WebSecurityConfigurerAdapter {
    
    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            .authorizeRequests()
                .antMatchers("/admin/**").hasRole("ADMIN")
                .antMatchers("/user/**").hasAnyRole("ADMIN", "USER")
                .anyRequest().authenticated()
                .and()
            .formLogin()
                .loginPage("/login")
                .permitAll()
                .and()
            .logout()
                .permitAll();
    }
    
    @Autowired
    public void configureGlobal(AuthenticationManagerBuilder auth) throws Exception {
        auth
            .inMemoryAuthentication()
                .withUser("admin").password("admin").roles("ADMIN")
                .and()
                .withUser("user").password("user").roles("USER");
    }
}

In the above configuration, we enable Security using the @EnableWebSecurity annotation, and then define a class that inherits from WebSecurityConfigurerAdapter.

Theconfigure() method will be called when the application starts to set the rules for HTTP request security. In this example, we define three rules:

1. Any URL starting with /admin/ is only allowed to be accessed by users with the role of ADMIN.

2. Any URL starting with /user/ allows users with roles of ADMIN or USER to access.

3. All other requests require authentication.

The formLogin() method defines the location of the login form and allows all users to access it.

The logout() method sets the logout function and allows access to all users.

The configureGlobal() method configures an in-memory authentication scheme, including username and password and assigned roles.

This is just a simple example, more complex security configurations can be set up using various Spring Security options.

4. Authentication provider

In the above configuration example, we used an in-memory authentication scheme. However, in reality we usually use a database to store user information. Spring Security provides us with authentication providers to handle authentication.

In Spring Security, an authentication provider is an interface that needs to implement the authenticate() method to perform authentication. Authentication providers can be in-memory, relational database or LDAP based etc.

The following is an example of a database-based authentication provider:

@Service
public class UserDetailsServiceImp implements UserDetailsService {
    @Autowired
    private UserRepository userRepository;

    @Override
    public UserDetails loadUserByUsername(String username) throws UsernameNotFoundException {
        User user = userRepository.findByName(username);
        if (user == null) {
            throw new UsernameNotFoundException("User not found");
        }
        return new org.springframework.security.core.userdetails.User(user.getName(), user.getPassword(),
                AuthorityUtils.createAuthorityList(user.getAuthorities()));
    }
}

In the above code, we define a UserDetailsServiceImp class, which implements the UserDetailsService interface. The loadUserByUsername() method loads user information from the database and returns Spring Security's UserDetails object, which contains username, password, and authorization.

5. Authorization Management

In Spring Boot, we can use Spring Security for role-based authorization management. Spring Security provides two methods for authorization management: declarative and programmatic.

1. Declarative

In declarative authorization, we can use the @PreAuthorize and @PostAuthorize annotations to set access control rules. @PreAuthorize is used to specify the conditions that need to be met before accessing the method, while @PostAuthorize is used to specify the conditions that should be met before returning.

The following is an example of declarative-based authorization management:

@Service
public class ProductService {
    @PreAuthorize("hasRole('ROLE_ADMIN')")
    public void addProduct() {
        // add product
    }
    
    @PreAuthorize("hasRole('ROLE_USER')")
    @PostAuthorize("returnObject.owner == authentication.name")
    public Product findProductByName(String name) {
        // find product by name
    }
}

In the above code, we added @PreAuthorize annotations to the addProduct() and findProductByName() methods to set access control rules .

In the addProduct() method, we restrict users with the role ROLE_ADMIN to access this method.

In the findProductByName() method, we restrict users with the role ROLE_USER to access the method, and set another access control rule using the @PostAuthorize annotation to ensure that only all users owned by the returned product The product will be returned only when the user is the same as the authenticated user.

2. Programmatic

In programmatic authorization, we can use the Spring Security API to set access control rules.

The following is an example of programmatic authorization management:

@Configuration
@EnableWebSecurity
public class SecurityConfig extends WebSecurityConfigurerAdapter {
    @Autowired
    private UserService userService;

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            .authorizeRequests()
                .antMatchers("/admin/**").hasRole("ADMIN")
                .antMatchers("/user/**").hasAnyRole("ADMIN", "USER")
                .anyRequest().authenticated()
                .and()
            .formLogin()
                .loginPage("/login")
                .permitAll()
                .and()
            .logout()
                .permitAll()
                .and()
            .csrf().disable()
            .exceptionHandling().accessDeniedHandler(accessDeniedHandler());
    }

    @Override
    protected void configure(AuthenticationManagerBuilder auth) throws Exception {
        auth.userDetailsService(userService).passwordEncoder(passwordEncoder());
    }
    
    @Bean
    public AccessDeniedHandler accessDeniedHandler(){
        return new CustomAccessDeniedHandler();
    }
    
    @Bean
    public PasswordEncoder passwordEncoder() {
        return new BCryptPasswordEncoder();
    }
}

在上面的代码中，我们定义了一个UserService类来处理用户信息，并在configure()方法中使用了accessDeniedHandler()方法来定制访问被拒绝时的错误信息。

我们还实现了一个CustomAccessDeniedHandler类来自定义访问被拒绝时的响应。

最后，我们使用了PasswordEncoder来编码密码。

六、结论

在本文中，我们了解了如何使用Spring Boot实现安全认证和授权管理。我们已经讨论了Spring Boot安全框架、安全配置、身份验证提供器和授权管理等关键概念。我们还讨论了如何使用声明式和编程式授权管理。通过使用Spring Boot的安全框架，我们可以轻松地为Web应用程序提供安全性，并确保应用程序可以安全地运行。

The above is the detailed content of How to use Spring Boot to implement security authentication and authorization management. For more information, please follow other related articles on the PHP Chinese website!