
Upgrading Spring Security 5.7.11 to 6.5.2

1. Session Management

1.1. The SecurityContext must now be saved explicitly through SecurityContextRepository

In Spring Security 5 the default behaviour was that SecurityContextPersistenceFilter saved the SecurityContext to the SecurityContextRepository automatically at the end of every request:

// Version 5.7.11
// Core logic of SecurityContextPersistenceFilter
HttpRequestResponseHolder holder = new HttpRequestResponseHolder(request, response);
SecurityContext contextBeforeChainExecution = this.repo.loadContext(holder);
try {
    SecurityContextHolder.setContext(contextBeforeChainExecution);
    // ...
}
finally {
    SecurityContext contextAfterChainExecution = SecurityContextHolder.getContext();
    SecurityContextHolder.clearContext();
    // Saved automatically, whatever the request did to the holder
    this.repo.saveContext(contextAfterChainExecution, holder.getRequest(), holder.getResponse());
}

SecurityContextPersistenceFilter is now deprecated.

In Spring Security 6 the default is that SecurityContextHolderFilter only reads the SecurityContext from the SecurityContextRepository and populates SecurityContextHolder with it. Code that wants the SecurityContext to survive across requests must now save it explicitly through the SecurityContextRepository. The typical symptom of a missed save is an authentication that works for exactly one request: the user is logged in during the request that set SecurityContextHolder and anonymous again on the next one. The old automatic behaviour can be restored with http.securityContext(sc -> sc.requireExplicitSave(false)), but that brings back the deprecated filter and should only bridge the migration.

// Version 6.5.2
// SecurityContextHolderFilter
private void doFilter(HttpServletRequest request, HttpServletResponse response, FilterChain chain)
        throws ServletException, IOException {
    // Loading is deferred: the repository is only consulted when something reads the context
    Supplier<SecurityContext> deferredContext = this.securityContextRepository.loadDeferredContext(request);
    try {
        this.securityContextHolderStrategy.setDeferredContext(deferredContext);
        chain.doFilter(request, response);
    }
    finally {
        // No save here
        this.securityContextHolderStrategy.clearContext();
        request.removeAttribute(FILTER_APPLIED);
    }
}

1.2. The save logic every successful login must perform

Whatever the login mechanism, the following steps are mandatory after a successful authentication:

// Version 6.5.2
// 1. Create the context through the strategy, not the static SecurityContextHolder
SecurityContext context = this.securityContextHolderStrategy.createEmptyContext();
context.setAuthentication(authenticationResult);
// 2. Make it available for the rest of this request
this.securityContextHolderStrategy.setContext(context);
// 3. Persist it explicitly so that it is available on the next request
this.securityContextRepository.saveContext(context, request, response);

For username/password login see AbstractAuthenticationProcessingFilter:

// Version 5.7.11
protected void successfulAuthentication(HttpServletRequest request, HttpServletResponse response, FilterChain chain,
        Authentication authResult) throws IOException, ServletException {
    SecurityContext context = SecurityContextHolder.createEmptyContext();
    context.setAuthentication(authResult);
    SecurityContextHolder.setContext(context);
    this.securityContextRepository.saveContext(context, request, response);
    if (this.logger.isDebugEnabled()) {
        this.logger.debug(LogMessage.format("Set SecurityContextHolder to %s", authResult));
    }
    this.rememberMeServices.loginSuccess(request, response, authResult);
    if (this.eventPublisher != null) {
        this.eventPublisher.publishEvent(new InteractiveAuthenticationSuccessEvent(authResult, this.getClass()));
    }
    this.successHandler.onAuthenticationSuccess(request, response, authResult);
}

// Version 6.5.2
private SecurityContextHolderStrategy securityContextHolderStrategy = SecurityContextHolder.getContextHolderStrategy();

protected void successfulAuthentication(HttpServletRequest request, HttpServletResponse response, FilterChain chain,
        Authentication authResult) throws IOException, ServletException {
    // The SecurityContext is created through the strategy instead of the static holder
    SecurityContext context = this.securityContextHolderStrategy.createEmptyContext();
    context.setAuthentication(authResult);
    this.securityContextHolderStrategy.setContext(context);
    // Explicit save
    this.securityContextRepository.saveContext(context, request, response);
    if (this.logger.isDebugEnabled()) {
        this.logger.debug(LogMessage.format("Set SecurityContextHolder to %s", authResult));
    }
    this.rememberMeServices.loginSuccess(request, response, authResult);
    if (this.eventPublisher != null) {
        this.eventPublisher.publishEvent(new InteractiveAuthenticationSuccessEvent(authResult, this.getClass()));
    }
    this.successHandler.onAuthenticationSuccess(request, response, authResult);
}

1.3. Default initialisation of SecurityContextRepository

// Version 6.5.2
// A delegating repository: HttpSessionSecurityContextRepository persists the context across
// requests, RequestAttributeSecurityContextRepository keeps it reachable for the rest of the
// current request (including ERROR and ASYNC dispatches). Saves go to both delegates.
HttpSessionSecurityContextRepository httpSecurityRepository = new HttpSessionSecurityContextRepository();
DelegatingSecurityContextRepository defaultRepository = new DelegatingSecurityContextRepository(
        httpSecurityRepository, new RequestAttributeSecurityContextRepository());
return defaultRepository;

// Version 5.7.11
HttpSessionSecurityContextRepository httpSecurityRepository = new HttpSessionSecurityContextRepository();
return httpSecurityRepository;
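The three points above (explicit save, the mandatory steps after login, and the default repository) put together in one runnable configuration. This is an added example, not code from the original post or from Spring Security itself; it assumes Spring Boot 3.x with spring-boot-starter-security on the classpath, a UserDetailsService supplied by the application or by Boot's auto-configuration, and the hypothetical LoginRequest record declared below. The session-fixation step is included because in Spring Security 6 the authentication mechanism, not SessionManagementFilter, is responsible for invoking SessionAuthenticationStrategy.

```java
package example.session;

import java.io.IOException;

import jakarta.servlet.http.HttpServletRequest;
import jakarta.servlet.http.HttpServletResponse;

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.http.HttpStatus;
import org.springframework.security.authentication.AuthenticationManager;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.config.annotation.authentication.configuration.AuthenticationConfiguration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.AuthenticationException;
import org.springframework.security.core.context.SecurityContext;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.security.core.context.SecurityContextHolderStrategy;
import org.springframework.security.web.SecurityFilterChain;
import org.springframework.security.web.authentication.session.ChangeSessionIdAuthenticationStrategy;
import org.springframework.security.web.authentication.session.SessionAuthenticationStrategy;
import org.springframework.security.web.context.DelegatingSecurityContextRepository;
import org.springframework.security.web.context.HttpSessionSecurityContextRepository;
import org.springframework.security.web.context.RequestAttributeSecurityContextRepository;
import org.springframework.security.web.context.SecurityContextRepository;
import org.springframework.web.bind.annotation.PostMapping;
import org.springframework.web.bind.annotation.RequestBody;
import org.springframework.web.bind.annotation.RestController;

@Configuration
class ExplicitSaveSecurityConfig {

    // Same composition as the 6.5.2 default, declared as a bean so the login endpoint
    // saves through exactly the repository the filter chain reads from.
    @Bean
    SecurityContextRepository securityContextRepository() {
        return new DelegatingSecurityContextRepository(
                new HttpSessionSecurityContextRepository(),
                new RequestAttributeSecurityContextRepository());
    }

    // Session fixation protection. Assumption: no concurrent-session control is needed,
    // so a single ChangeSessionIdAuthenticationStrategy is enough.
    @Bean
    SessionAuthenticationStrategy sessionAuthenticationStrategy() {
        return new ChangeSessionIdAuthenticationStrategy();
    }

    @Bean
    AuthenticationManager authenticationManager(AuthenticationConfiguration config) throws Exception {
        return config.getAuthenticationManager();
    }

    @Bean
    SecurityFilterChain filterChain(HttpSecurity http, SecurityContextRepository repository) throws Exception {
        http
            .securityContext(context -> context.securityContextRepository(repository))
            .authorizeHttpRequests(authorize -> authorize
                .requestMatchers("/login").permitAll()
                .anyRequest().authenticated());
        // CSRF protection stays enabled: the POST below must carry a valid CSRF token.
        return http.build();
    }
}

// Hypothetical request body for the login endpoint.
record LoginRequest(String username, String password) { }

@RestController
class LoginController {

    private final AuthenticationManager authenticationManager;
    private final SecurityContextRepository securityContextRepository;
    private final SessionAuthenticationStrategy sessionAuthenticationStrategy;
    private final SecurityContextHolderStrategy securityContextHolderStrategy =
            SecurityContextHolder.getContextHolderStrategy();

    LoginController(AuthenticationManager authenticationManager,
                    SecurityContextRepository securityContextRepository,
                    SessionAuthenticationStrategy sessionAuthenticationStrategy) {
        this.authenticationManager = authenticationManager;
        this.securityContextRepository = securityContextRepository;
        this.sessionAuthenticationStrategy = sessionAuthenticationStrategy;
    }

    @PostMapping("/login")
    void login(@RequestBody LoginRequest body, HttpServletRequest request, HttpServletResponse response)
            throws IOException {
        Authentication authenticationRequest =
                UsernamePasswordAuthenticationToken.unauthenticated(body.username(), body.password());
        Authentication authenticationResult;
        try {
            authenticationResult = this.authenticationManager.authenticate(authenticationRequest);
        }
        catch (AuthenticationException ex) {
            response.sendError(HttpStatus.UNAUTHORIZED.value());
            return;
        }
        // 1. Rotate the session id before anything sensitive is stored in the session.
        this.sessionAuthenticationStrategy.onAuthentication(authenticationResult, request, response);
        // 2. Populate the holder for the remainder of this request.
        SecurityContext context = this.securityContextHolderStrategy.createEmptyContext();
        context.setAuthentication(authenticationResult);
        this.securityContextHolderStrategy.setContext(context);
        // 3. Persist explicitly. Without this call the user is anonymous again on the next request.
        this.securityContextRepository.saveContext(context, request, response);
    }
}
```

Leaving out step 3 is the single most common mistake in this migration: the login request itself succeeds (the holder is populated), but the SecurityContextHolderFilter on the following request finds nothing in the session and treats the caller as anonymous.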

1.4. The SecurityContextRepository interface

public interface SecurityContextRepository {

    // Used in 5.7.11. Deprecated, but still abstract in 6.5.2, so custom implementations
    // must keep providing it until it is removed in a later release.
    @Deprecated
    SecurityContext loadContext(HttpRequestResponseHolder requestResponseHolder);

    // Used in 6.5.2. The default implementation bridges to the deprecated loadContext,
    // so existing repositories keep working; new ones should override this directly.
    default DeferredSecurityContext loadDeferredContext(HttpServletRequest request) {
        Supplier<SecurityContext> supplier = () -> loadContext(new HttpRequestResponseHolder(request, null));
        return new SupplierDeferredSecurityContext(SingletonSupplier.of(supplier),
                SecurityContextHolder.getContextHolderStrategy());
    }

    void saveContext(SecurityContext context, HttpServletRequest request, HttpServletResponse response);

    boolean containsContext(HttpServletRequest request);
}
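A custom repository written directly against the 6.5.2 interface, to show what an implementation that already existed for 5.7.11 has to change. This is an added example and not part of the original post: the class, its cookie name and the in-memory map standing in for a server-side store are all hypothetical; it keeps the SecurityContext keyed by an opaque cookie instead of the servlet session.

```java
package example.session;

import java.security.SecureRandom;
import java.util.Base64;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;
import java.util.function.Supplier;

import jakarta.servlet.http.Cookie;
import jakarta.servlet.http.HttpServletRequest;
import jakarta.servlet.http.HttpServletResponse;

import org.springframework.http.ResponseCookie;
import org.springframework.security.core.context.SecurityContext;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.security.core.context.SecurityContextHolderStrategy;
import org.springframework.security.web.context.DeferredSecurityContext;
import org.springframework.security.web.context.HttpRequestResponseHolder;
import org.springframework.security.web.context.SecurityContextRepository;
import org.springframework.security.web.context.SupplierDeferredSecurityContext;

public final class CookieKeyedSecurityContextRepository implements SecurityContextRepository {

    static final String COOKIE_NAME = "SCTX"; // hypothetical cookie name

    private final Map<String, SecurityContext> store = new ConcurrentHashMap<>(); // stand-in for a real store
    private final SecureRandom random = new SecureRandom();
    private final SecurityContextHolderStrategy strategy = SecurityContextHolder.getContextHolderStrategy();

    // 6.x entry point. The store is not touched until get() is called, so requests that
    // never consult the SecurityContext cost no lookup at all.
    @Override
    public DeferredSecurityContext loadDeferredContext(HttpServletRequest request) {
        Supplier<SecurityContext> loader = () -> {
            String key = cookieValue(request);
            return (key != null) ? this.store.get(key) : null; // null => empty, "generated" context
        };
        return new SupplierDeferredSecurityContext(loader, this.strategy);
    }

    // Deprecated but still abstract in 6.5.2: custom implementations must provide it.
    @Override
    @Deprecated
    public SecurityContext loadContext(HttpRequestResponseHolder holder) {
        return loadDeferredContext(holder.getRequest()).get();
    }

    @Override
    public void saveContext(SecurityContext context, HttpServletRequest request, HttpServletResponse response) {
        String key = cookieValue(request);
        if (context.getAuthentication() == null) {
            // Logout or an explicitly cleared context: drop the server-side entry.
            if (key != null) {
                this.store.remove(key);
            }
            return;
        }
        SecurityContext previous = (key != null) ? this.store.get(key) : null;
        boolean newPrincipal = previous == null || previous.getAuthentication() == null
                || !previous.getAuthentication().getName().equals(context.getAuthentication().getName());
        if (newPrincipal) {
            // Rotate the key on (re)authentication: the cookie equivalent of session fixation protection.
            if (key != null) {
                this.store.remove(key);
            }
            key = newKey();
            ResponseCookie cookie = ResponseCookie.from(COOKIE_NAME, key)
                    .httpOnly(true).secure(true).sameSite("Lax").path("/").build();
            response.addHeader("Set-Cookie", cookie.toString());
        }
        this.store.put(key, context);
    }

    @Override
    public boolean containsContext(HttpServletRequest request) {
        String key = cookieValue(request);
        return key != null && this.store.containsKey(key);
    }

    private String newKey() {
        byte[] bytes = new byte[32]; // 256 bits from SecureRandom: the key is the session secret
        this.random.nextBytes(bytes);
        return Base64.getUrlEncoder().withoutPadding().encodeToString(bytes);
    }

    private static String cookieValue(HttpServletRequest request) {
        Cookie[] cookies = request.getCookies();
        if (cookies == null) {
            return null;
        }
        for (Cookie cookie : cookies) {
            if (COOKIE_NAME.equals(cookie.getName())) {
                return cookie.getValue();
            }
        }
        return null;
    }
}
```

The repository is wired in with http.securityContext(sc -> sc.securityContextRepository(new CookieKeyedSecurityContextRepository())). The loader returns null when the cookie is missing or unknown, which makes SupplierDeferredSecurityContext report isGenerated() as true; that is how the filter chain distinguishes a stored context from an empty placeholder.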

2. CSRF token

private CsrfTokenRepository tokenRepository;

// 5.7.11: loadToken returns null when no token has been issued for this session yet
CsrfToken token = tokenRepository.loadToken(request);
if (token != null) {
    userDetails.getUserDTO().setToken(token.getToken());
}

// 6.5.2: loadDeferredToken never returns null, and get() either loads the stored token
// or generates and saves a new one, so the null check is no longer needed
DeferredCsrfToken deferredToken = tokenRepository.loadDeferredToken(request, response);
userDetails.getUserDTO().setToken(deferredToken.get().getToken());
// Caveat: the value handed to the client here is the raw token. The 6.x default
// CsrfTokenRequestHandler (XorCsrfTokenRequestAttributeHandler) only accepts the masked
// value it rendered itself, so a client that sends this raw value back in the header
// needs a CsrfTokenRequestHandler that resolves raw header values.
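The 6.5.2 lookup above together with the handler configuration it needs, as an added example that is not part of the original post. The handler follows the single-page-application pattern from the Spring Security reference (BREACH masking for values rendered into HTML, raw comparison for the header); its class name, the SessionInfo record and the CsrfTokenExposer helper are hypothetical, and HttpSessionCsrfTokenRepository is assumed as the token store.

```java
package example.csrf;

import java.util.function.Supplier;

import jakarta.servlet.http.HttpServletRequest;
import jakarta.servlet.http.HttpServletResponse;

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.web.SecurityFilterChain;
import org.springframework.security.web.csrf.CsrfToken;
import org.springframework.security.web.csrf.CsrfTokenRepository;
import org.springframework.security.web.csrf.CsrfTokenRequestAttributeHandler;
import org.springframework.security.web.csrf.CsrfTokenRequestHandler;
import org.springframework.security.web.csrf.DeferredCsrfToken;
import org.springframework.security.web.csrf.HttpSessionCsrfTokenRepository;
import org.springframework.security.web.csrf.XorCsrfTokenRequestAttributeHandler;
import org.springframework.util.StringUtils;

// Accepts the raw token in the header (API/JS clients) while keeping BREACH masking for
// values rendered into HTML and submitted back as a form parameter.
final class RawHeaderCsrfTokenRequestHandler implements CsrfTokenRequestHandler {

    private final CsrfTokenRequestHandler plain = new CsrfTokenRequestAttributeHandler();
    private final CsrfTokenRequestHandler xor = new XorCsrfTokenRequestAttributeHandler();

    @Override
    public void handle(HttpServletRequest request, HttpServletResponse response, Supplier<CsrfToken> deferredToken) {
        // Expose the masked value as the request attribute for server-rendered forms...
        this.xor.handle(request, response, deferredToken);
        // ...and resolve the token now so the repository persists it on this response.
        deferredToken.get();
    }

    @Override
    public String resolveCsrfTokenValue(HttpServletRequest request, CsrfToken csrfToken) {
        String headerValue = request.getHeader(csrfToken.getHeaderName());
        // Header present: compare the raw value. Otherwise a form parameter: unmask it first.
        return (StringUtils.hasText(headerValue) ? this.plain : this.xor).resolveCsrfTokenValue(request, csrfToken);
    }
}

@Configuration
class CsrfConfig {

    @Bean
    CsrfTokenRepository csrfTokenRepository() {
        return new HttpSessionCsrfTokenRepository();
    }

    @Bean
    SecurityFilterChain filterChain(HttpSecurity http, CsrfTokenRepository repository) throws Exception {
        http.csrf(csrf -> csrf
                .csrfTokenRepository(repository)
                .csrfTokenRequestHandler(new RawHeaderCsrfTokenRequestHandler()));
        return http.build();
    }
}

// Hypothetical DTO standing in for userDetails.getUserDTO() on this page.
record SessionInfo(String username, String csrfHeaderName, String csrfToken) { }

// The 6.5.2 lookup from the page, using the same repository bean the filter chain uses.
final class CsrfTokenExposer {

    private final CsrfTokenRepository tokenRepository;

    CsrfTokenExposer(CsrfTokenRepository tokenRepository) {
        this.tokenRepository = tokenRepository;
    }

    SessionInfo describe(String username, HttpServletRequest request, HttpServletResponse response) {
        // loadDeferredToken never returns null; get() loads the stored token or generates and saves one.
        DeferredCsrfToken deferred = this.tokenRepository.loadDeferredToken(request, response);
        CsrfToken token = deferred.get();
        return new SessionInfo(username, token.getHeaderName(), token.getToken());
    }
}
```

The client sends the raw csrfToken value back in the header named by csrfHeaderName (X-CSRF-TOKEN by default). Without the custom handler, the default XorCsrfTokenRequestAttributeHandler tries to unmask that raw value and rejects the request with 403 even though the token is correct.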

3. Authorization

// 5.7.11: FilterSecurityInterceptor with an AccessDecisionManager. Both are deprecated in 6.
// 6.5.2: authorization goes through AuthorizationManager, registered via authorizeHttpRequests.
public void customize(AuthorizeHttpRequestsConfigurer<HttpSecurity>.AuthorizationManagerRequestMatcherRegistry registry) {
    // and() on the registry is itself deprecated in 6.x; it is only used here to reach HttpSecurity
    HttpSecurity http = registry.and();
    AuthorizationManager<RequestAuthorizationContext> xxRequestAuthorizationManager = new xxxx;
    registry.requestMatchers(accessRequestMatcherToArray()).access(xxRequestAuthorizationManager);
}
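A complete AuthorizationManager<RequestAuthorizationContext> in place of the xxxx placeholder above, registered through authorizeHttpRequests without any and() chaining. This is an added example, not from the original post: the AccountOwnership interface, the sample ownership map and the ROLE_ACCOUNT_WRITER authority are hypothetical. It goes a step beyond the page by using the matcher's path variable for an object-level (per-account) check, the kind of decision an AccessDecisionManager used to make.

```java
package example.authz;

import java.util.Map;
import java.util.Set;
import java.util.function.Supplier;

import jakarta.servlet.http.HttpServletRequest;

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.authentication.AnonymousAuthenticationToken;
import org.springframework.security.authorization.AuthorizationDecision;
import org.springframework.security.authorization.AuthorizationManager;
import org.springframework.security.authorization.AuthorizationResult;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.core.Authentication;
import org.springframework.security.web.SecurityFilterChain;
import org.springframework.security.web.access.intercept.RequestAuthorizationContext;

// Hypothetical lookup of which accounts a user may touch.
interface AccountOwnership {
    boolean owns(String username, String accountId);
}

// Deny by default: require an authenticated, non-anonymous principal, then check
// ownership of the {accountId} path variable; writes additionally need a role.
final class AccountOwnerAuthorizationManager implements AuthorizationManager<RequestAuthorizationContext> {

    private final AccountOwnership ownership;

    AccountOwnerAuthorizationManager(AccountOwnership ownership) {
        this.ownership = ownership;
    }

    // Preferred entry point since 6.4.
    @Override
    public AuthorizationResult authorize(Supplier<Authentication> authentication, RequestAuthorizationContext context) {
        return decide(authentication.get(), context);
    }

    // Deprecated in 6.4 but still the abstract method of the interface in 6.5.2.
    @Override
    @Deprecated
    public AuthorizationDecision check(Supplier<Authentication> authentication, RequestAuthorizationContext context) {
        return decide(authentication.get(), context);
    }

    private AuthorizationDecision decide(Authentication authentication, RequestAuthorizationContext context) {
        if (authentication == null || !authentication.isAuthenticated()
                || authentication instanceof AnonymousAuthenticationToken) {
            return new AuthorizationDecision(false);
        }
        String accountId = context.getVariables().get("accountId");
        if (accountId == null) {
            return new AuthorizationDecision(false); // matcher without the variable: fail closed
        }
        HttpServletRequest request = context.getRequest();
        boolean allowed = this.ownership.owns(authentication.getName(), accountId);
        if (allowed && !"GET".equals(request.getMethod())) {
            allowed = authentication.getAuthorities().stream()
                    .anyMatch(granted -> "ROLE_ACCOUNT_WRITER".equals(granted.getAuthority()));
        }
        return new AuthorizationDecision(allowed);
    }
}

@Configuration
class AuthorizationConfig {

    // Constructed sample data standing in for a database lookup.
    @Bean
    AccountOwnership accountOwnership() {
        Map<String, Set<String>> sample = Map.of("alice", Set.of("acc-1", "acc-2"), "bob", Set.of("acc-3"));
        return (user, accountId) -> sample.getOrDefault(user, Set.of()).contains(accountId);
    }

    @Bean
    SecurityFilterChain filterChain(HttpSecurity http, AccountOwnership ownership) throws Exception {
        AuthorizationManager<RequestAuthorizationContext> accountOwner = new AccountOwnerAuthorizationManager(ownership);
        http.authorizeHttpRequests(authorize -> authorize
                .requestMatchers("/public/**").permitAll()
                .requestMatchers("/accounts/{accountId}/**").access(accountOwner)
                .anyRequest().authenticated());
        return http.build();
    }
}
```

With this configuration alice may GET /accounts/acc-1/statements, bob gets 403 on the same URL, and a POST from alice is only allowed once she also holds ROLE_ACCOUNT_WRITER. The path variable arrives through RequestAuthorizationContext.getVariables(), so the check does not have to re-parse the URI.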

4. SecurityFilterChain configuration

<1> HttpSecurity.apply() is deprecated

// Before the upgrade
http.apply(xxxCaptchaVerifier());
// After the upgrade: with() takes the configurer plus a Customizer for it
// (withDefaults() is Customizer.withDefaults(), i.e. no further customisation)
http.with(xxxCaptchaVerifier(), withDefaults());

<2> The and() call in XxExceptionHandlingCustomizer is deprecated. It was only used to get hold of HttpSecurity, then the ApplicationContext, then a bean; the ApplicationContext can be injected directly instead.

// Before the upgrade
public class XxExceptionHandlingCustomizer extends XxAbstractCustomizer<ExceptionHandlingConfigurer<HttpSecurity>> {

    @Override
    public void customize(ExceptionHandlingConfigurer<HttpSecurity> exceptionHandlingConfigurer) {
        // .and() is deprecated
        HttpSecurity http = exceptionHandlingConfigurer.and();
        Http401UnauthorizedEntryPoint http401UnauthorizedEntryPoint = getBean(http, Http401UnauthorizedEntryPoint.class);
    }
}

// After the upgrade
public class XxExceptionHandlingCustomizer extends XxAbstractCustomizer<ExceptionHandlingConfigurer<HttpSecurity>> {

    public XxExceptionHandlingCustomizer(ApplicationContext context) {
        super(context);
    }

    @Override
    public void customize(ExceptionHandlingConfigurer<HttpSecurity> exceptionHandlingConfigurer) {
        Http401UnauthorizedEntryPoint http401UnauthorizedEntryPoint = getBean(Http401UnauthorizedEntryPoint.class);
        exceptionHandlingConfigurer.authenticationEntryPoint(http401UnauthorizedEntryPoint);
    }
}

<3> The individual HttpSecurity configurations no longer chain with and(); everything is configured through the Customizer<T> interface

// Before the upgrade
http.cors().and().securityContext(xxxSecurityContextCustomizer());

// After the upgrade
// Enable CORS with default settings (a CorsConfigurationSource bean is picked up if one exists)
http.cors(withDefaults());
// Enable CORS with custom settings
http.cors(corsConfigurer -> { /* ... */ });
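Points <1> to <3> combined into one SecurityFilterChain in the 6.5.2 style: a custom configurer registered with with(), the exception-handling customisation done without and(), and cors(withDefaults()). This is an added example and not code from the original post or from Spring Security; the CaptchaService interface, the CaptchaVerificationFilter, its request parameter names and the stub captcha bean are hypothetical stand-ins for the page's xxxCaptchaVerifier, and HttpStatusEntryPoint from Spring Security stands in for the page's Http401UnauthorizedEntryPoint.

```java
package example.config;

import static org.springframework.security.config.Customizer.withDefaults;

import java.io.IOException;

import jakarta.servlet.FilterChain;
import jakarta.servlet.ServletException;
import jakarta.servlet.http.HttpServletRequest;
import jakarta.servlet.http.HttpServletResponse;

import org.springframework.context.ApplicationContext;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.http.HttpStatus;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configurers.AbstractHttpConfigurer;
import org.springframework.security.web.SecurityFilterChain;
import org.springframework.security.web.authentication.HttpStatusEntryPoint;
import org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter;
import org.springframework.web.filter.OncePerRequestFilter;

// Hypothetical captcha check; a real implementation verifies a one-time challenge.
interface CaptchaService {
    boolean verify(String challengeId, String answer);
}

// Rejects login POSTs whose captcha does not verify before the authentication filter sees them.
final class CaptchaVerificationFilter extends OncePerRequestFilter {

    private final String loginPath;
    private final CaptchaService captchaService;

    CaptchaVerificationFilter(String loginPath, CaptchaService captchaService) {
        this.loginPath = loginPath;
        this.captchaService = captchaService;
    }

    @Override
    protected void doFilterInternal(HttpServletRequest request, HttpServletResponse response, FilterChain chain)
            throws ServletException, IOException {
        boolean loginAttempt = "POST".equals(request.getMethod()) && this.loginPath.equals(request.getServletPath());
        // "captchaId" and "captcha" are hypothetical parameter names
        if (loginAttempt && !this.captchaService.verify(request.getParameter("captchaId"), request.getParameter("captcha"))) {
            response.sendError(HttpStatus.BAD_REQUEST.value(), "captcha verification failed");
            return;
        }
        chain.doFilter(request, response);
    }
}

// Custom configurer registered with with(): the 6.x replacement for apply().
final class CaptchaVerifierConfigurer extends AbstractHttpConfigurer<CaptchaVerifierConfigurer, HttpSecurity> {

    private String loginPath = "/login";

    CaptchaVerifierConfigurer loginPath(String loginPath) {
        this.loginPath = loginPath;
        return this;
    }

    @Override
    public void configure(HttpSecurity http) {
        // The ApplicationContext is a shared object of HttpSecurity; no and() is needed to reach beans.
        ApplicationContext context = http.getSharedObject(ApplicationContext.class);
        CaptchaService captchaService = context.getBean(CaptchaService.class);
        http.addFilterBefore(new CaptchaVerificationFilter(this.loginPath, captchaService),
                UsernamePasswordAuthenticationFilter.class);
    }
}

@Configuration
class FilterChainConfig {

    // Constructed stub so the example starts; replace with a real captcha provider.
    @Bean
    CaptchaService captchaService() {
        return (challengeId, answer) -> "demo".equals(challengeId) && "1234".equals(answer);
    }

    @Bean
    SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
        http
            // <3> Customizer-based DSL: cors(withDefaults()) enables CORS, using a CorsConfigurationSource bean if present
            .cors(withDefaults())
            // <1> replaces http.apply(...); the Customizer configures the configurer instance
            .with(new CaptchaVerifierConfigurer(), captcha -> captcha.loginPath("/login"))
            // <2> replaces the and()-based XxExceptionHandlingCustomizer: plain 401 for unauthenticated calls
            .exceptionHandling(exceptions -> exceptions
                .authenticationEntryPoint(new HttpStatusEntryPoint(HttpStatus.UNAUTHORIZED)))
            .authorizeHttpRequests(authorize -> authorize.anyRequest().authenticated())
            .formLogin(withDefaults());
        return http.build();
    }
}
```

Each configuration call now takes a Customizer and returns HttpSecurity, so the chain reads top to bottom with no and(); a configurer that needs beans fetches them from the shared ApplicationContext inside configure() rather than reaching for HttpSecurity through the configurer it is attached to.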

http://www.dtcms.com/a/326018.html
