Spring Security (19): 6. Security Namespace Configuration

6.1 Introduction

Namespace configuration has been available since version 2.0 of the Spring Framework. It allows you to supplement the traditional Spring beans application context syntax with elements from additional XML schema. You can find more information in the Spring Reference Documentation. A namespace element can be used simply to allow a more concise way of configuring an individual bean or, more powerfully, to define an alternative configuration syntax which more closely matches the problem domain and hides the underlying complexity from the user.

A simple element may conceal the fact that multiple beans and processing steps are being added to the application context. For example, adding the following element from the security namespace to an application context will start up an embedded LDAP server for testing use within the application:
<security:ldap-server />

This is much simpler than wiring up the equivalent Apache Directory Server beans. The most common alternative configuration requirements are supported by attributes on the ldap-server element and the user is isolated from worrying about which beans they need to create and what the bean property names are. [1]. Use of a good XML editor while editing the application context file should provide information on the attributes and elements that are available. We would recommend that you try out the Spring Tool Suite as it has special features for working with standard Spring namespaces.

To start using the security namespace in your application context, you need to have the spring-security-config jar on your classpath. Then all you need to do is add the schema declaration to your application context file:
<beans xmlns="http://www.springframework.org/schema/beans"
xmlns:security="http://www.springframework.org/schema/security"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://www.springframework.org/schema/beans
		http://www.springframework.org/schema/beans/spring-beans-3.0.xsd
		http://www.springframework.org/schema/security
		http://www.springframework.org/schema/security/spring-security.xsd">
	...
</beans>

In many of the examples you will see (and in the sample applications), we will often use "security" as the default namespace rather than "beans", which means we can omit the prefix on all the security namespace elements, making the content easier to read. You may also want to do this if you have your application context divided up into separate files and have most of your security configuration in one of them. Your security application context file would then start like this

<beans:beans xmlns="http://www.springframework.org/schema/security"
xmlns:beans="http://www.springframework.org/schema/beans"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://www.springframework.org/schema/beans
		http://www.springframework.org/schema/beans/spring-beans-3.0.xsd
		http://www.springframework.org/schema/security
		http://www.springframework.org/schema/security/spring-security.xsd">
	...
</beans:beans>

We’ll assume this syntax is being used from now on in this chapter.


6.1.1 Design of the Namespace

The namespace is designed to capture the most common uses of the framework and provide a simplified and concise syntax for enabling them within an application. The design is based around the large-scale dependencies within the framework, and can be divided up into the following areas:

  • Web/HTTP Security - the most complex part. Sets up the filters and related service beans used to apply the framework authentication mechanisms, to secure URLs, render login and error pages and much more.
  • Business Object (Method) Security - options for securing the service layer.
  • AuthenticationManager - handles authentication requests from other parts of the framework.
  • AccessDecisionManager - provides access decisions for web and method security. A default one will be registered, but you can also choose to use a custom one, declared using normal Spring bean syntax.
  • AuthenticationProviders - mechanisms against which the authentication manager authenticates users. The namespace provides support for several standard options and also a means of adding custom beans declared using a traditional syntax.
  • UserDetailsService - closely related to authentication providers, but often also required by other beans.

We’ll see how to configure these in the following sections.


6.2 Getting Started with Security Namespace Configuration

In this section, we’ll look at how you can build up a namespace configuration to use some of the main features of the framework. Let’s assume you initially want to get up and running as quickly as possible and add authentication support and access control to an existing web application, with a few test logins. Then we’ll look at how to change over to authenticating against a database or other security repository. In later sections we’ll introduce more advanced namespace configuration options.


6.2.1 web.xml Configuration

The first thing you need to do is add the following filter declaration to your web.xml file:

<filter>
<filter-name>springSecurityFilterChain</filter-name>
<filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
</filter>

<filter-mapping>
<filter-name>springSecurityFilterChain</filter-name>
<url-pattern>/*</url-pattern>
</filter-mapping>

This provides a hook into the Spring Security web infrastructure. DelegatingFilterProxy is a Spring Framework class which delegates to a filter implementation which is defined as a Spring bean in your application context. In this case, the bean is named "springSecurityFilterChain", which is an internal infrastructure bean created by the namespace to handle web security. Note that you should not use this bean name yourself. Once you’ve added this to your web.xml, you’re ready to start editing your application context file. Web security services are configured using the <http> element.


6.2.2 A Minimal <http> Configuration

All you need to enable web security to begin with is

<http>
<intercept-url pattern="/**" access="hasRole('USER')" />
<form-login />
<logout />
</http>

This says that we want all URLs within our application to be secured, requiring the role ROLE_USER to access them; that we want to log in to the application using a form with username and password; and that we want a logout URL registered which will allow us to log out of the application. The <http> element is the parent for all web-related namespace functionality. The <intercept-url> element defines a pattern which is matched against the URLs of incoming requests using an ant path style syntax [2].

You can also use regular-expression matching as an alternative (see the namespace appendix for more details). The access attribute defines the access requirements for requests matching the given pattern. With the default configuration, this is typically a comma-separated list of roles, one of which a user must have to be allowed to make the request.

The prefix "ROLE_" is a marker which indicates that a simple comparison with the user’s authorities should be made. In other words, a normal role-based check should be used. Access-control in Spring Security is not limited to the use of simple roles (hence the use of the prefix to differentiate between different types of security attributes). We’ll see later how the interpretation can vary. [Footnote: The interpretation of the comma-separated values in the access attribute depends on the implementation of the –1— which is used. In Spring Security 3.0, the attribute can also be populated with an –2—.]

You can use multiple <intercept-url> elements to define different access requirements for different sets of URLs, but they will be evaluated in the order listed and the first match will be used. So you must put the most specific matches at the top. You can also add a method attribute to limit the match to a particular HTTP method (GET, POST, PUT etc.).

To add some users, you can define a set of test data directly in the namespace:
<authentication-manager>
<authentication-provider>
	<user-service>
	<user name="jimi" password="jimispassword" authorities="ROLE_USER, ROLE_ADMIN" />
	<user name="bob" password="bobspassword" authorities="ROLE_USER" />
	</user-service>
</authentication-provider>
</authentication-manager>

If you are familiar with pre-namespace versions of the framework, you can probably already guess roughly what’s going on here. The <http> element is responsible for creating a FilterChainProxy and the filter beans which it uses. Common problems like incorrect filter ordering are no longer an issue as the filter positions are predefined.

The <authentication-provider> element creates a DaoAuthenticationProvider bean and the <user-service> element creates an InMemoryDaoImpl. All authentication-provider elements must be children of the <authentication-manager> element, which creates a ProviderManager and registers the authentication providers with it. You can find more detailed information on the beans that are created in the namespace appendix. It’s worth cross-checking this if you want to start understanding what the important classes in the framework are and how they are used, particularly if you want to customise things later.
The configuration above defines two users, their passwords and their roles within the application (which will be used for access control). It is also possible to load user information from a standard properties file using the properties attribute on user-service. See the section on in-memory authentication for more details on the file format. Using the <authentication-provider> element means that the user information will be used by the authentication manager to process authentication requests. You can have multiple <authentication-provider> elements to define different authentication sources and each will be consulted in turn.
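To make the evaluation rules in the preceding paragraphs concrete (first-match ordering of <intercept-url>, the optional method attribute, and the ROLE_ prefix behind hasRole() checked against a user's authorities), here is an added Python example. It is not code from the page or from Spring Security: it parses constructed <http> and <authentication-manager> fragments (namespace declarations omitted so the XML parser sees bare tag names), uses a small Ant-style matcher written here, and, as an assumption of this example, treats a request matched by no <intercept-url> as unsecured. Authentication (passwords) is not modelled, only the authorization decision. The second <http> fragment shows the ordering pitfall: with the /** rule listed first, a user holding only ROLE_USER reaches /admin/**.

```python
import re
import xml.etree.ElementTree as ET
from dataclasses import dataclass
from typing import Optional

# Constructed sample configuration (example data, not the page's own deployment).
USERS_XML = """
<authentication-manager>
  <authentication-provider>
    <user-service>
      <user name="jimi" password="jimispassword" authorities="ROLE_USER, ROLE_ADMIN" />
      <user name="bob" password="bobspassword" authorities="ROLE_USER" />
    </user-service>
  </authentication-provider>
</authentication-manager>
"""

# Most specific pattern first, as the text requires.
GOOD_HTTP_XML = """
<http>
  <intercept-url pattern="/admin/**" method="DELETE" access="hasRole('SUPER')" />
  <intercept-url pattern="/admin/**" access="hasRole('ADMIN')" />
  <intercept-url pattern="/**" access="hasRole('USER')" />
</http>
"""

# Same rules with the catch-all listed first: it matches every request,
# so the /admin/** rule is never reached.
BAD_HTTP_XML = """
<http>
  <intercept-url pattern="/**" access="hasRole('USER')" />
  <intercept-url pattern="/admin/**" access="hasRole('ADMIN')" />
</http>
"""


def ant_to_regex(pattern: str) -> str:
    """Translate an Ant-style path pattern into an anchored regex (simplified
    matcher written for this example): '**' spans directories, '*' one path
    segment, '?' one character."""
    out, i = "^", 0
    while i < len(pattern):
        if pattern.startswith("/**", i):
            out += "(?:/.*)?"          # '/admin/**' also matches '/admin' itself
            i += 3
        elif pattern.startswith("**", i):
            out += ".*"
            i += 2
        elif pattern[i] == "*":
            out += "[^/]*"
            i += 1
        elif pattern[i] == "?":
            out += "[^/]"
            i += 1
        else:
            out += re.escape(pattern[i])
            i += 1
    return out + "$"


def with_role_prefix(name: str) -> str:
    """hasRole('USER') is satisfied by the authority ROLE_USER."""
    return name if name.startswith("ROLE_") else "ROLE_" + name


def required_authorities(access: str) -> set:
    """Authorities any one of which satisfies the access attribute. Supports
    hasRole('X'), hasAnyRole('X','Y') and the legacy comma-separated ROLE_ list."""
    access = access.strip()
    m = re.fullmatch(r"hasRole\(\s*'([^']+)'\s*\)", access)
    if m:
        return {with_role_prefix(m.group(1))}
    m = re.fullmatch(r"hasAnyRole\(([^)]*)\)", access)
    if m:
        return {with_role_prefix(x.strip().strip("'")) for x in m.group(1).split(",")}
    return {x.strip() for x in access.split(",") if x.strip()}


@dataclass
class Rule:
    pattern: str
    method: Optional[str]
    required: set
    regex: str


def load_rules(http_xml: str) -> list:
    """Read <intercept-url> elements in document order, which is evaluation order."""
    rules = []
    for el in ET.fromstring(http_xml).iter("intercept-url"):
        pattern, method = el.get("pattern"), el.get("method")
        rules.append(Rule(pattern, method.upper() if method else None,
                          required_authorities(el.get("access", "")),
                          ant_to_regex(pattern)))
    return rules


def load_users(auth_xml: str) -> dict:
    """Map each <user> name to the set of authorities granted to it."""
    return {u.get("name"): {a.strip() for a in u.get("authorities", "").split(",") if a.strip()}
            for u in ET.fromstring(auth_xml).iter("user")}


def decide(rules, users, username, method, path):
    """First matching rule wins. Returns (decision, pattern of the deciding rule)."""
    granted = users.get(username, set())
    for rule in rules:
        if rule.method and rule.method != method.upper():
            continue                   # method attribute limits the match
        if re.match(rule.regex, path):
            return ("ALLOW" if rule.required & granted else "DENY", rule.pattern)
    # No <intercept-url> matched: assumed here to leave the request unsecured.
    return ("UNSECURED", None)


if __name__ == "__main__":
    users = load_users(USERS_XML)
    for label, xml in (("good order", GOOD_HTTP_XML), ("bad order", BAD_HTTP_XML)):
        rules = load_rules(xml)
        for who, method, path in (("bob", "GET", "/admin/users"), ("jimi", "DELETE", "/admin/users")):
            print(label, who, method, path, decide(rules, users, who, method, path))
```

Running the script shows bob denied on /admin/users under the correct ordering and allowed under the reversed one; the rule that decided is returned alongside the verdict so a misordered configuration can be spotted from the pattern that fired rather than only from the outcome.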
At this point you should be able to start up your application and you will be required to log in to proceed. Try it out, or try experimenting with the "tutorial" sample application that comes with the project.
Original article: https://www.cnblogs.com/shuaiandjun/p/10134467.html