diff --git a/docs/.vuepress/config.js b/docs/.vuepress/config.js
index e73569f8f55e1e0a065c60a9bc7287511af9ff5a..5ccce227ed531a835f344f4e3efed5ff59ab5802 100644
--- a/docs/.vuepress/config.js
+++ b/docs/.vuepress/config.js
@@ -477,26 +477,115 @@ module.exports = {
 initialOpenGroupIndex: 0 // 可选的, 默认值是 0
 }
 ],
- // '/spring-security/': [
- // {
- // title: 'Spring 安全',
- // sidebarDepth: 2,
- // collapsable: false,
- // children: [
- // "/spring-security/overview.md",
- // "/spring-security/prerequisites.md",
- // "/spring-security/community.md",
- // "/spring-security/whats-new.md",
- // "/spring-security/getting-spring-security.md",
- // "/spring-security/features.md",
- // "/spring-security/modules.md",
- // "/spring-security/samples.md",
- // "/spring-security/servlet.md",
- // "/spring-security/reactive.md"
- // ],
- // initialOpenGroupIndex: 0 // 可选的, 默认值是 0
- // }
- // ],
+ '/spring-security/': [
+ {
+ title: 'Spring 安全',
+ sidebarDepth: 2,
+ collapsable: false,
+ children: [
+ "/spring-security/community.md",
+ "/spring-security/features-authentication-password-storage.md",
+ "/spring-security/features-authentication.md",
+ "/spring-security/features-exploits-csrf.md",
+ "/spring-security/features-exploits-headers.md",
+ "/spring-security/features-exploits-http.md",
+ "/spring-security/features-exploits.md",
+ "/spring-security/features-integrations-concurrency.md",
+ "/spring-security/features-integrations-cryptography.md",
+ "/spring-security/features-integrations-data.md",
+ "/spring-security/features-integrations-jackson.md",
+ "/spring-security/features-integrations-localization.md",
+ "/spring-security/features-integrations.md",
+ "/spring-security/features.md",
+ "/spring-security/getting-spring-security.md",
+ "/spring-security/modules.md",
+ "/spring-security/overview.md",
+ "/spring-security/prerequisites.md",
+ "/spring-security/reactive-authentication-logout.md",
+ "/spring-security/reactive-authentication-x509.md",
+ "/spring-security/reactive-authorization-authorize-http-requests.md",
+ "/spring-security/reactive-authorization-method.md",
+ "/spring-security/reactive-configuration-webflux.md",
+ "/spring-security/reactive-exploits-csrf.md",
+ "/spring-security/reactive-exploits-headers.md",
+ "/spring-security/reactive-exploits-http.md",
+ "/spring-security/reactive-exploits.md",
+ "/spring-security/reactive-getting-started.md",
+ "/spring-security/reactive-integrations-cors.md",
+ "/spring-security/reactive-integrations-rsocket.md",
+ "/spring-security/reactive-oauth2-client-authorization-grants.md",
+ "/spring-security/reactive-oauth2-client-authorized-clients.md",
+ "/spring-security/reactive-oauth2-client-client-authentication.md",
+ "/spring-security/reactive-oauth2-client-core.md",
+ "/spring-security/reactive-oauth2-client.md",
+ "/spring-security/reactive-oauth2-login-advanced.md",
+ "/spring-security/reactive-oauth2-login-core.md",
+ "/spring-security/reactive-oauth2-login.md",
+ "/spring-security/reactive-oauth2-resource-server-bearer-tokens.md",
+ "/spring-security/reactive-oauth2-resource-server-jwt.md",
+ "/spring-security/reactive-oauth2-resource-server-multitenancy.md",
+ "/spring-security/reactive-oauth2-resource-server-opaque-token.md",
+ "/spring-security/reactive-oauth2-resource-server.md",
+ "/spring-security/reactive-oauth2.md",
+ "/spring-security/reactive-test-method.md",
+ "/spring-security/reactive-test-web-authentication.md",
+ "/spring-security/reactive-test-web-csrf.md",
+ "/spring-security/reactive-test-web-oauth2.md",
+ "/spring-security/reactive-test-web-setup.md",
+ "/spring-security/reactive-test-web.md",
+ "/spring-security/reactive-test.md",
+ "/spring-security/reactive.md",
+ "/spring-security/samples.md",
+ "/spring-security/servlet-appendix-database-schema.md",
+ "/spring-security/servlet-appendix-faq.md",
+ "/spring-security/servlet-appendix-namespace-authentication-manager.md",
+ "/spring-security/servlet-appendix-namespace-http.md",
+ "/spring-security/servlet-appendix-namespace-ldap.md",
+ "/spring-security/servlet-appendix-namespace-method-security.md",
+ "/spring-security/servlet-appendix-namespace-websocket.md",
+ "/spring-security/servlet-appendix-namespace.md",
+ "/spring-security/servlet-appendix.md",
+ "/spring-security/servlet-architecture.md",
+ "/spring-security/servlet-authentication-anonymous.md",
+ "/spring-security/servlet-authentication-architecture.md",
+ "/spring-security/servlet-authentication-cas.md",
+ "/spring-security/servlet-authentication-events.md",
+ "/spring-security/servlet-authentication-jaas.md",
+ "/spring-security/servlet-authentication-logout.md",
+ "/spring-security/servlet-authentication-openid.md",
+ "/spring-security/servlet-authentication-passwords-basic.md",
+ "/spring-security/servlet-authentication-passwords-digest.md",
+ "/spring-security/servlet-authentication-passwords-form.md",
+ "/spring-security/servlet-authentication-passwords-input.md",
+ "/spring-security/servlet-authentication-passwords-storage-dao-authentication-provider.md",
+ "/spring-security/servlet-authentication-passwords-storage-in-memory.md",
+ "/spring-security/servlet-authentication-passwords-storage-jdbc.md",
+ "/spring-security/servlet-authentication-passwords-storage-ldap.md",
+ "/spring-security/servlet-authentication-passwords-storage-password-encoder.md",
+ "/spring-security/servlet-authentication-passwords-storage-user-details-service.md",
+ "/spring-security/servlet-authentication-passwords-storage-user-details.md",
+ "/spring-security/servlet-authentication-passwords-storage.md",
+ "/spring-security/servlet-authentication-passwords.md",
+ "/spring-security/servlet-authentication-preauth.md",
+ "/spring-security/servlet-authentication-rememberme.md",
+ "/spring-security/servlet-authentication-runas.md",
+ "/spring-security/servlet-authentication-session-management.md",
+ "/spring-security/servlet-authentication-x509.md",
+ "/spring-security/servlet-authentication.md",
+ "/spring-security/servlet-authorization-.md",
+ "/spring-security/servlet-authorization-acls.md",
+ "/spring-security/servlet-authorization-architecture.md",
+ "/spring-security/servlet-authorization-authorize-http-requests.md",
+ "/spring-security/servlet-authorization-authorize-requests.md",
+ "/spring-security/servlet-authorization-expression-based.md",
+ "/spring-security/servlet-authorization-method-security.md",
+ "/spring-security/servlet-authorization-secure-objects.md",
+ "/spring-security/servlet-configuration-java.md",
+ "/spring-security/servlet-configuration-kotlin.md"
+ ],
+ initialOpenGroupIndex: 0 // 可选的, 默认值是 0
+ }
+ ],
 '/spring-for-graphql/': [
 {
diff --git a/docs/spring-security/servlet-architecture.md b/docs/spring-security/servlet-architecture.md
index 5e5838e37b629e9f0b9f9ba0be91cdd61a41e658..3b872ab072065964d14451ed35d49f70ccb9cb3c 100644
--- a/docs/spring-security/servlet-architecture.md
+++ b/docs/spring-security/servlet-architecture.md
@@ -6,7 +6,7 @@ Spring 安全性的 Servlet 支持是基于 Servlet `Filter`s 的,因此通常首先查看`Filter`s 的作用是有帮助的。下图显示了单个 HTTP 请求的处理程序的典型分层。 -![滤清链](../_images/servlet/architecture/filterchain.png) +![滤清链](https://docs.spring.io/spring-security/reference/_images/servlet/architecture/filterchain.png) 图 1。滤清链
@@ -48,7 +48,7 @@ Spring 提供了名为[`Filter`](https://DOCS. Spring.io/ Spring-framework/DOC 下面是一张`DelegatingFilterProxy`如何与[`Filter`s 和`FilterChain`](# Servlet-filters-review)相匹配的图片。 -![委托过滤代理](../_images/servlet/architecture/delegatingfilterproxy.png) +![委托过滤代理](https://docs.spring.io/spring-security/reference/_images/servlet/architecture/delegatingfilterproxy.png) 图 2。委托过滤代理
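Review bot: The added child entry `"/spring-security/servlet-authorization-.md"` has a dangling hyphen before the extension that no other entry in the list has, which looks like a truncated filename; unless a file with exactly that name exists under `docs/spring-security/`, the sidebar will show an item whose link resolves to nothing. The other section roots in the list follow the `servlet-<section>.md` pattern (`servlet-authentication.md`, `servlet-appendix.md`), so presumably this entry is meant to be the authorization section's root page — check the filename on disk and fix the entry before the sidebar ships. Separately, the new list is strictly alphabetical, which puts `overview.md`, `prerequisites.md` and `getting-spring-security.md` after the `features-*` pages and interleaves no grouping between the `reactive-*` and `servlet-*` blocks; the commented-out version it replaces had a reading order (overview, prerequisites, community, …) that is worth preserving, for example by splitting the list into nested sidebar groups per section. The `module.exports` object this hunk edits begins and ends outside the hunk.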
@@ -86,7 +86,7 @@ fun doFilter(request: ServletRequest, response: ServletResponse, chain: FilterCh Spring Security 的 Servlet 支持包含在`FilterChainProxy`中。`FilterChainProxy`是 Spring Security 提供的一种特殊的`Filter`,它允许通过[`证券过滤链`](# Servlet-SecurityFilterchain)将许多`Filter`实例委托给多个实例。由于`FilterChainProxy`是 Bean,因此它通常被包装在[委托过滤代理](#servlet-delegatingfilterproxy)中。 -![FilterchainProxy ](../_images/servlet/architecture/filterchainproxy.png) +![FilterchainProxy ](https://docs.spring.io/spring-security/reference/_images/servlet/architecture/filterchainproxy.png) 图 3。FilterchainProxy @@ -94,7 +94,7 @@ Spring Security 的 Servlet 支持包含在`FilterChainProxy`中。`FilterChainP [`SecurityFilterChain`](https://DOCS. Spring.io/ Spring-security/site/DOCS/5.6.2/api/org/springframework/security/web/securityfilterchain.html)被[FilterchainProxy ](#servlet-filterchainproxy)用于确定应该为此请求调用哪个 Spring security`Filter`s。 -![证券过滤链](../_images/servlet/architecture/securityfilterchain.png) +![证券过滤链](https://docs.spring.io/spring-security/reference/_images/servlet/architecture/securityfilterchain.png) 图 4。证券过滤链 @@ -106,7 +106,7 @@ Spring Security 的 Servlet 支持包含在`FilterChainProxy`中。`FilterChainP 事实上,`FilterChainProxy`可以用来确定应该使用哪些`SecurityFilterChain`。这允许为应用程序的不同*切片*提供完全独立的配置。 -![多证券过滤链](../_images/servlet/architecture/multi-securityfilterchain.png) +![多证券过滤链](https://docs.spring.io/spring-security/reference/_images/servlet/architecture/multi-securityfilterchain.png) 图 5。多重证券过滤链 
@@ -190,11 +190,11 @@ Spring Security 的 Servlet 支持包含在`FilterChainProxy`中。`FilterChainP `ExceptionTranslationFilter`作为[安全过滤器](#servlet-security-filters)中的一个插入到[FilterchainProxy ](#servlet-filterchainproxy)中。 -![ExceptionTranslationFilter ](../_images/servlet/architecture/exceptiontranslationfilter.png) +![ExceptionTranslationFilter ](https://docs.spring.io/spring-security/reference/_images/servlet/architecture/exceptiontranslationfilter.png) -* ![number 1](../_images/icons/number_1.png)首先,`ExceptionTranslationFilter`调用`FilterChain.doFilter(request, response)`来调用应用程序的其余部分。 +* ![number 1](https://docs.spring.io/spring-security/reference/_images/icons/number_1.png)首先,`ExceptionTranslationFilter`调用`FilterChain.doFilter(request, response)`来调用应用程序的其余部分。 -* ![number 2](../_images/icons/number_2.png)如果用户没有经过身份验证,或者它是`AuthenticationException`,那么*启动身份验证*。 +* ![number 2](https://docs.spring.io/spring-security/reference/_images/icons/number_2.png)如果用户没有经过身份验证,或者它是`AuthenticationException`,那么*启动身份验证*。 * [SecurityContextholder ](authentication/architecture.html#servlet-authentication-securitycontextholder)已清除 @@ -202,7 +202,7 @@ Spring Security 的 Servlet 支持包含在`FilterChainProxy`中。`FilterChainP * `AuthenticationEntryPoint`用于从客户机请求凭据。例如,它可能重定向到一个登录页面,或者发送一个`WWW-Authenticate`头。 -* ![number 3](../_images/icons/number_3.png)否则如果是`AccessDeniedException`,则*访问被拒绝*。调用`AccessDeniedHandler`来处理拒绝访问。 +* ![number 3](https://docs.spring.io/spring-security/reference/_images/icons/number_3.png)否则如果是`AccessDeniedException`,则*访问被拒绝*。调用`AccessDeniedHandler`来处理拒绝访问。 | |如果应用程序不抛出`AccessDeniedException`或`AuthenticationException`,则`ExceptionTranslationFilter`不执行任何操作。| |---|-----------------------------------------------------------------------------------------------------------------------------------------------------| 
diff --git a/docs/spring-security/servlet-authentication-architecture.md b/docs/spring-security/servlet-authentication-architecture.md index e68bddbb87b05289cc815e7f37c80caee68e9467..9ab8e30c420affa48c910a5e829281954f11c4b0 100644 --- a/docs/spring-security/servlet-authentication-architecture.md +++ b/docs/spring-security/servlet-authentication-architecture.md @@ -26,7 +26,7 @@ hi Servlet/身份验证/体系结构 Spring 安全性的身份验证模型的核心是`SecurityContextHolder`。它包含[SecurityContext](#servlet-authentication-securitycontext)。 -![SecurityContextholder](../../_images/servlet/authentication/architecture/securitycontextholder.png) +![SecurityContextholder](https://docs.spring.io/spring-security/reference/_images/servlet/authentication/architecture/securitycontextholder.png) 在`SecurityContextHolder`中, Spring 安全性存储了谁是[已认证](../../features/authentication/index.html#authentication)的详细信息。 Spring 安全性并不关心`SecurityContextHolder`是如何填充的。如果它包含一个值,那么它将被用作当前经过身份验证的用户。 
@@ -126,17 +126,17 @@ val authorities = authentication.authorities [`ProviderManager`](https://DOCS. Spring.io/ Spring-security/site/DOCS/5.6.2/api/org/springframework/security/authentication/providermanager.html)是最常用的[`AuthenticationManager`](# Servlet-authentication-authentication manager)的实现。`ProviderManager`委托给[`List`的[`身份验证提供者`s](# Servlet-authenticentication-authenticationprov 每个`AuthenticationProvider`都有机会指示身份验证应该成功、失败或指示它不能做出决定,并允许下游`AuthenticationProvider`进行决定。如果所有配置的`AuthenticationProvider`都不能进行身份验证,则使用`ProviderNotFoundException`进行身份验证将失败,这是一个特殊的`AuthenticationException`,表示`ProviderManager`未配置为支持传递到它的`Authentication`类型。 -![ProviderManager](../../_images/servlet/authentication/architecture/providermanager.png) +![ProviderManager](https://docs.spring.io/spring-security/reference/_images/servlet/authentication/architecture/providermanager.png) 在实践中,每个`AuthenticationProvider`都知道如何执行特定类型的身份验证。例如,一个`AuthenticationProvider`可能能够验证用户名/密码,而另一个可能能够验证 SAML 断言。这允许每个`AuthenticationProvider`执行非常特定类型的身份验证,同时支持多种类型的身份验证,并且只公开单个`AuthenticationManager` Bean。 `ProviderManager`还允许配置一个可选的父`AuthenticationManager`,在没有`AuthenticationProvider`可以执行身份验证的情况下,可以查询该父`AuthenticationManager`。父可以是`AuthenticationManager`的任何类型,但它通常是`ProviderManager`的实例。 -![ProviderManager 母公司](../../_images/servlet/authentication/architecture/providermanager-parent.png) +![ProviderManager 母公司](https://docs.spring.io/spring-security/reference/_images/servlet/authentication/architecture/providermanager-parent.png) 实际上,多个`ProviderManager`实例可能共享同一个父`AuthenticationManager`。在多个[`SecurityFilterChain`](../architecture.html# Servlet-securityfilterchain)实例具有一些共同的身份验证(共享的父`AuthenticationManager`)的场景中,这种情况有些常见,但也存在不同的身份验证机制(不同的`ProviderManager`实例)。 -![ProviderManagers 母公司](../../_images/servlet/authentication/architecture/providermanagers-parent.png) +![ProviderManagers 母公司](https://docs.spring.io/spring-security/reference/_images/servlet/authentication/architecture/providermanagers-parent.png) 
默认情况下,`ProviderManager`将尝试清除由成功的身份验证请求返回的`Authentication`对象中的任何敏感凭据信息。这可以防止像密码这样的信息在`HttpSession`中保留的时间超过必要的时间。 
@@ -160,13 +160,13 @@ val authorities = authentication.authorities 接下来,`AbstractAuthenticationProcessingFilter`可以对提交给它的任何身份验证请求进行身份验证。 -![抽象处理过滤器](../../_images/servlet/authentication/architecture/abstractauthenticationprocessingfilter.png) +![抽象处理过滤器](https://docs.spring.io/spring-security/reference/_images/servlet/authentication/architecture/abstractauthenticationprocessingfilter.png) -![number 1](../../_images/icons/number_1.png)当用户提交其凭据时,`AbstractAuthenticationProcessingFilter`从`Authentication`创建一个[`Authentication`](# Servlet-authentication-authentication)来进行身份验证。创建的`Authentication`类型取决于`AbstractAuthenticationProcessingFilter`的子类。例如,[`UsernamePasswordAuthenticationFilter`](passwords/form.html# Servlet-authentication-usernamepasswordauthenticationfilter)从*用户 Name*和*密码*中创建一个`UsernamePasswordAuthenticationToken`,它们在`HttpServletRequest`中提交。 +![number 1](https://docs.spring.io/spring-security/reference/_images/icons/number_1.png)当用户提交其凭据时,`AbstractAuthenticationProcessingFilter`从`Authentication`创建一个[`Authentication`](# Servlet-authentication-authentication)来进行身份验证。创建的`Authentication`类型取决于`AbstractAuthenticationProcessingFilter`的子类。例如,[`UsernamePasswordAuthenticationFilter`](passwords/form.html# Servlet-authentication-usernamepasswordauthenticationfilter)从*用户 Name*和*密码*中创建一个`UsernamePasswordAuthenticationToken`,它们在`HttpServletRequest`中提交。 -![number 2](../../_images/icons/number_2.png)接下来,将[`Authentication`](# Servlet-authentication-authentication)传递到[`AuthenticationManager`](# Servlet-authentication-authenticationManager)中进行身份验证。 +![number 2](https://docs.spring.io/spring-security/reference/_images/icons/number_2.png)接下来,将[`Authentication`](# Servlet-authentication-authentication)传递到[`AuthenticationManager`](# Servlet-authentication-authenticationManager)中进行身份验证。 -![number 3](../../_images/icons/number_3.png)如果身份验证失败,则*失败* +![number 3](https://docs.spring.io/spring-security/reference/_images/icons/number_3.png)如果身份验证失败,则*失败* * 
[SecurityContextholder](#servlet-authentication-securitycontextholder)被清除。 @@ -174,7 +174,7 @@ val authorities = authentication.authorities * 调用`AuthenticationFailureHandler`。 -![number 4](../../_images/icons/number_4.png)如果身份验证成功,则*成功*。 +![number 4](https://docs.spring.io/spring-security/reference/_images/icons/number_4.png)如果身份验证成功,则*成功*。 * `SessionAuthenticationStrategy`被通知有一个新的登录。 diff --git a/docs/spring-security/servlet-authentication-passwords-basic.md b/docs/spring-security/servlet-authentication-passwords-basic.md index 66dcc51bf96394e07dcde5d53f8320927948935d..73e988f037a876ef926daf4224d350db0bec0dd2 100644 --- a/docs/spring-security/servlet-authentication-passwords-basic.md +++ b/docs/spring-security/servlet-authentication-passwords-basic.md 
@@ -4,31 +4,31 @@ 让我们来看看 HTTP Basic 身份验证在 Spring 安全性中是如何工作的。首先,我们看到[WWW-认证](https://tools.ietf.org/html/rfc7235#section-4.1)头被发送回未经验证的客户端。 -![基本验证入口点](../../../_images/servlet/authentication/unpwd/basicauthenticationentrypoint.png) +![基本验证入口点](https://docs.spring.io/spring-security/reference/_images/servlet/authentication/unpwd/basicauthenticationentrypoint.png) 图 1。发送 WWW-身份验证报头 该图构建于我们的[`SecurityFilterChain`](../../architecture.html# Servlet-SecurityFilterchain)图。 -![number 1](../../../_images/icons/number_1.png)首先,用户向资源`/private`发出未经授权的请求。 +![number 1](https://docs.spring.io/spring-security/reference/_images/icons/number_1.png)首先,用户向资源`/private`发出未经授权的请求。 -![number 2](../../../_images/icons/number_2.png) Spring security 的[`FilterSecurityInterceptor`](.../授权/authorization/authorization/authorization-requests.html# Servlet-authorization-filtersecurityinterceptor)通过抛出`AccessDeniedException`表示未经验证的请求是*拒绝*。 +![number 2](https://docs.spring.io/spring-security/reference/_images/icons/number_2.png) Spring security 的[`FilterSecurityInterceptor`](.../授权/authorization/authorization/authorization-requests.html# Servlet-authorization-filtersecurityinterceptor)通过抛出`AccessDeniedException`表示未经验证的请求是*拒绝*。 -![number 3](../../../_images/icons/number_3.png)由于用户未经过身份验证,[`ExceptionTranslationFilter`](..../architecture.html# Servlet-ExceptionTranslationFilter)发起*启动身份验证*。配置的[`AuthenticationEntryPoint`](../architecture.html# Servlet-authentication-authentryPoint)是[`BasicAuthenticationEntryPoint`](https://DOCS. 
Spring.io/ Spring-security/site/DOCS/5.6.2/api/org/springframework/security/web/authentification/WWW/basicauthentrypoint.html)的一个实例,它发送一个 WWW-authenticate 报头。`RequestCache`通常是不保存请求的`NullRequestCache`,因为客户机能够重放它最初请求的请求。 +![number 3](https://docs.spring.io/spring-security/reference/_images/icons/number_3.png)由于用户未经过身份验证,[`ExceptionTranslationFilter`](..../architecture.html# Servlet-ExceptionTranslationFilter)发起*启动身份验证*。配置的[`AuthenticationEntryPoint`](../architecture.html# Servlet-authentication-authentryPoint)是[`BasicAuthenticationEntryPoint`](https://DOCS. Spring.io/ Spring-security/site/DOCS/5.6.2/api/org/springframework/security/web/authentification/WWW/basicauthentrypoint.html)的一个实例,它发送一个 WWW-authenticate 报头。`RequestCache`通常是不保存请求的`NullRequestCache`,因为客户机能够重放它最初请求的请求。 当客户端接收到 WWW-Authenticate 报头时,它知道应该使用用户名和密码重试。下面是正在处理的用户名和密码的流程。 -![基本验证过滤器](../../../_images/servlet/authentication/unpwd/basicauthenticationfilter.png) +![基本验证过滤器](https://docs.spring.io/spring-security/reference/_images/servlet/authentication/unpwd/basicauthenticationfilter.png) 图 2。验证用户名和密码 这个图是基于我们的[`SecurityFilterChain`](../../architecture.html# Servlet-SecurityFilterchain)图构建的。 -![number 1](../../../_images/icons/number_1.png)当用户提交他们的用户名和密码时,`BasicAuthenticationFilter`通过从`HttpServletRequest`中提取用户名和密码,创建一个`UsernamePasswordAuthenticationToken`,这是一种[`Authentication`](../architecture.html# Servlet-authentication-authentication)的类型。 +![number 1](https://docs.spring.io/spring-security/reference/_images/icons/number_1.png)当用户提交他们的用户名和密码时,`BasicAuthenticationFilter`通过从`HttpServletRequest`中提取用户名和密码,创建一个`UsernamePasswordAuthenticationToken`,这是一种[`Authentication`](../architecture.html# Servlet-authentication-authentication)的类型。 -![number 2](../../../_images/icons/number_2.png)接下来,将`UsernamePasswordAuthenticationToken`传递到`AuthenticationManager`中以进行身份验证。`AuthenticationManager`的详细内容取决于[用户信息被存储](index.html#servlet-authentication-unpwd-storage)的方式。 +![number 
2](https://docs.spring.io/spring-security/reference/_images/icons/number_2.png)接下来,将`UsernamePasswordAuthenticationToken`传递到`AuthenticationManager`中以进行身份验证。`AuthenticationManager`的详细内容取决于[用户信息被存储](index.html#servlet-authentication-unpwd-storage)的方式。 -![number 3](../../../_images/icons/number_3.png)如果身份验证失败,则*失败* +![number 3](https://docs.spring.io/spring-security/reference/_images/icons/number_3.png)如果身份验证失败,则*失败* * [SecurityContextholder ](../architecture.html#servlet-authentication-securitycontextholder)被清除。 @@ -36,7 +36,7 @@ * 调用`AuthenticationEntryPoint`以触发再次发送 WWW-身份验证。 -![number 4](../../../_images/icons/number_4.png)如果身份验证成功,则*成功*。 +![number 4](https://docs.spring.io/spring-security/reference/_images/icons/number_4.png)如果身份验证成功,则*成功*。 * [认证](../architecture.html#servlet-authentication-authentication)设置在[SecurityContextholder ](../architecture.html#servlet-authentication-securitycontextholder)上。 diff --git a/docs/spring-security/servlet-authentication-passwords-form.md b/docs/spring-security/servlet-authentication-passwords-form.md index 6194997691f9308e7d4b47664cb43709ab23191e..7916284b4efa24e17858d2bebb751d8d1ad3933b 100644 --- a/docs/spring-security/servlet-authentication-passwords-form.md +++ b/docs/spring-security/servlet-authentication-passwords-form.md 
@@ -4,35 +4,35 @@ Spring 安全性为正在通过 HTML 表单提供的用户名和密码提供支 让我们来看看基于表单的登录在 Spring 安全性中是如何工作的。首先,我们来看看用户是如何被重定向到 Log In 表单的。 -![LoginurlauthenticationEntryPoint ](../../../_images/servlet/authentication/unpwd/loginurlauthenticationentrypoint.png) +![LoginurlauthenticationEntryPoint ](https://docs.spring.io/spring-security/reference/_images/servlet/authentication/unpwd/loginurlauthenticationentrypoint.png) 图 1。重定向到登录页面 该图构建于我们的[`SecurityFilterChain`](../../architecture.html# Servlet-SecurityFilterchain)图。 -![number 1](../../../_images/icons/number_1.png)首先,用户向资源`/private`发出未经授权的请求。 +![number 1](https://docs.spring.io/spring-security/reference/_images/icons/number_1.png)首先,用户向资源`/private`发出未经授权的请求。 -![number 2](../../../_images/icons/number_2.png) Spring security 的[`FilterSecurityInterceptor`](.../授权/authorization/authorization/authorization-requests.html# Servlet-authorization-filtersecurityinterceptor)通过抛出`AccessDeniedException`表示未经验证的请求是*拒绝*。 +![number 2](https://docs.spring.io/spring-security/reference/_images/icons/number_2.png) Spring security 的[`FilterSecurityInterceptor`](.../授权/authorization/authorization/authorization-requests.html# Servlet-authorization-filtersecurityinterceptor)通过抛出`AccessDeniedException`表示未经验证的请求是*拒绝*。 -![number 3](../../../_images/icons/number_3.png)由于未对用户进行身份验证,[`ExceptionTranslationFilter`](..../architecture.html# Servlet-ExceptionTranslationFilter)启动*启动身份验证*,并用配置的[`AuthenticationEntryPoint`](../architecture.html# Servlet-authentication-authentrationEntryPoint)向登录页面发送重定向。在大多数情况下,`AuthenticationEntryPoint`是[`LoginUrlAuthenticationEntryPoint`](https://DOCS. 
Spring.io/ Spring-security/site/DOCS/5.6.2/api/org/springframework/security/web/authentication/loginurlauthenticationentrypoint.html)的一个实例。 +![number 3](https://docs.spring.io/spring-security/reference/_images/icons/number_3.png)由于未对用户进行身份验证,[`ExceptionTranslationFilter`](..../architecture.html# Servlet-ExceptionTranslationFilter)启动*启动身份验证*,并用配置的[`AuthenticationEntryPoint`](../architecture.html# Servlet-authentication-authentrationEntryPoint)向登录页面发送重定向。在大多数情况下,`AuthenticationEntryPoint`是[`LoginUrlAuthenticationEntryPoint`](https://DOCS. Spring.io/ Spring-security/site/DOCS/5.6.2/api/org/springframework/security/web/authentication/loginurlauthenticationentrypoint.html)的一个实例。 -![number 4](../../../_images/icons/number_4.png)然后浏览器将请求重定向到的登录页面。 +![number 4](https://docs.spring.io/spring-security/reference/_images/icons/number_4.png)然后浏览器将请求重定向到的登录页面。 -![number 5](../../../_images/icons/number_5.png)应用程序中的某个内容,必须[呈现登录页面](#servlet-authentication-form-custom)。 +![number 5](https://docs.spring.io/spring-security/reference/_images/icons/number_5.png)应用程序中的某个内容,必须[呈现登录页面](#servlet-authentication-form-custom)。 当提交用户名和密码时,`UsernamePasswordAuthenticationFilter`将对用户名和密码进行身份验证。`UsernamePasswordAuthenticationFilter`扩展了[抽象处理过滤器](../architecture.html#servlet-authentication-abstractprocessingfilter),所以这个图看起来应该很相似。 -![用户名 passwordauthenticationfilter ](../../../_images/servlet/authentication/unpwd/usernamepasswordauthenticationfilter.png) +![用户名 passwordauthenticationfilter ](https://docs.spring.io/spring-security/reference/_images/servlet/authentication/unpwd/usernamepasswordauthenticationfilter.png) 图 2。验证用户名和密码 该图构建于我们的[`SecurityFilterChain`](../../architecture.html# Servlet-SecurityFilterchain)图。 -![number 1](../../../_images/icons/number_1.png)当用户提交他们的用户名和密码时,`UsernamePasswordAuthenticationFilter`通过从`HttpServletRequest`中提取用户名和密码,创建一个`UsernamePasswordAuthenticationToken`,这是一种[`Authentication`](../architecture.html# Servlet-authentication-authentication)的类型。 +![number 
1](https://docs.spring.io/spring-security/reference/_images/icons/number_1.png)当用户提交他们的用户名和密码时,`UsernamePasswordAuthenticationFilter`通过从`HttpServletRequest`中提取用户名和密码,创建一个`UsernamePasswordAuthenticationToken`,这是一种[`Authentication`](../architecture.html# Servlet-authentication-authentication)的类型。 -![number 2](../../../_images/icons/number_2.png)接下来,将`UsernamePasswordAuthenticationToken`传递到`AuthenticationManager`中以进行身份验证。`AuthenticationManager`的详细内容取决于[用户信息被存储](index.html#servlet-authentication-unpwd-storage)的方式。 +![number 2](https://docs.spring.io/spring-security/reference/_images/icons/number_2.png)接下来,将`UsernamePasswordAuthenticationToken`传递到`AuthenticationManager`中以进行身份验证。`AuthenticationManager`的详细内容取决于[用户信息被存储](index.html#servlet-authentication-unpwd-storage)的方式。 -![number 3](../../../_images/icons/number_3.png)如果身份验证失败,则*失败* +![number 3](https://docs.spring.io/spring-security/reference/_images/icons/number_3.png)如果身份验证失败,则*失败* * [SecurityContextholder ](../architecture.html#servlet-authentication-securitycontextholder)被清除。 @@ -40,7 +40,7 @@ Spring 安全性为正在通过 HTML 表单提供的用户名和密码提供支 * 调用`AuthenticationFailureHandler`。 -![number 4](../../../_images/icons/number_4.png)如果身份验证成功,则*成功*。 +![number 4](https://docs.spring.io/spring-security/reference/_images/icons/number_4.png)如果身份验证成功,则*成功*。 * `SessionAuthenticationStrategy`被通知有一个新的登录。 diff --git a/docs/spring-security/servlet-authentication-passwords-storage-dao-authentication-provider.md b/docs/spring-security/servlet-authentication-passwords-storage-dao-authentication-provider.md index 2cca388578bf250032450a8d69cc0623747cab0f..4904a839fa6c1221420685978f0b1f0c6e49b23a 100644 --- a/docs/spring-security/servlet-authentication-passwords-storage-dao-authentication-provider.md +++ b/docs/spring-security/servlet-authentication-passwords-storage-dao-authentication-provider.md 
@@ -4,19 +4,19 @@ 让我们来看看`DaoAuthenticationProvider`在 Spring 安全性中是如何工作的。该图详细说明了[读取用户名和密码](index.html#servlet-authentication-unpwd-input)图中的[`AuthenticationManager`](../architecture.html# Servlet-authentication-authenticationmanager)是如何工作的。 -![DAoAuthenticationProvider ](../../../_images/servlet/authentication/unpwd/daoauthenticationprovider.png) +![DAoAuthenticationProvider ](https://docs.spring.io/spring-security/reference/_images/servlet/authentication/unpwd/daoauthenticationprovider.png) 图 1。`DaoAuthenticationProvider`用法 -![number 1](../../../_images/icons/number_1.png)来自[读取用户名和密码](index.html#servlet-authentication-unpwd-input)的身份验证`Filter`将一个`UsernamePasswordAuthenticationToken`传递到`AuthenticationManager`,这是由[`ProviderManager`](../architecture.html# Servlet-assertification-providerManager)实现的。 +![number 1](https://docs.spring.io/spring-security/reference/_images/icons/number_1.png)来自[读取用户名和密码](index.html#servlet-authentication-unpwd-input)的身份验证`Filter`将一个`UsernamePasswordAuthenticationToken`传递到`AuthenticationManager`,这是由[`ProviderManager`](../architecture.html# Servlet-assertification-providerManager)实现的。 -![number 2](../../../_images/icons/number_2.png)`ProviderManager`被配置为使用[身份验证提供者](../architecture.html#servlet-authentication-authenticationprovider)类型的`DaoAuthenticationProvider`。 +![number 2](https://docs.spring.io/spring-security/reference/_images/icons/number_2.png)`ProviderManager`被配置为使用[身份验证提供者](../architecture.html#servlet-authentication-authenticationprovider)类型的`DaoAuthenticationProvider`。 -![number 3](../../../_images/icons/number_3.png)`DaoAuthenticationProvider`从`UserDetailsService`中查找`UserDetails`。 +![number 3](https://docs.spring.io/spring-security/reference/_images/icons/number_3.png)`DaoAuthenticationProvider`从`UserDetailsService`中查找`UserDetails`。 -![number 4](../../../_images/icons/number_4.png)`DaoAuthenticationProvider`然后使用[`PasswordEncoder`](password-encoder.html# Servlet-authentication-password-storage)在上一步返回的`UserDetails`上验证密码。 +![number 
4](https://docs.spring.io/spring-security/reference/_images/icons/number_4.png)`DaoAuthenticationProvider`然后使用[`PasswordEncoder`](password-encoder.html# Servlet-authentication-password-storage)在上一步返回的`UserDetails`上验证密码。 -![number 5](../../../_images/icons/number_5.png)当身份验证成功时,返回的[`Authentication`](../architecture.html# Servlet-Authentication-Authentication)类型为`UsernamePasswordAuthenticationToken`,并且具有一个主体,即配置的`UserDetailsService`返回的`UserDetails`。最终,返回的`UsernamePasswordAuthenticationToken`将由身份验证`Filter`设置在[`SecurityContextHolder`](../architecture.html# Servlet-authentication-securitycontextholder)上。 +![number 5](https://docs.spring.io/spring-security/reference/_images/icons/number_5.png)当身份验证成功时,返回的[`Authentication`](../architecture.html# Servlet-Authentication-Authentication)类型为`UsernamePasswordAuthenticationToken`,并且具有一个主体,即配置的`UserDetailsService`返回的`UserDetails`。最终,返回的`UsernamePasswordAuthenticationToken`将由身份验证`Filter`设置在[`SecurityContextHolder`](../architecture.html# Servlet-authentication-securitycontextholder)上。 [PasswordEncoder ](password-encoder.html)[LDAP](ldap.html) diff --git a/docs/spring-security/servlet-authorization-architecture.md b/docs/spring-security/servlet-authorization-architecture.md index cf29d4df462b3bed9c040e8c3eda562ff1ff4b23..c7085ed71441ba2b3b898da1008b5670a0f46390 100644 --- a/docs/spring-security/servlet-authorization-architecture.md +++ b/docs/spring-security/servlet-authorization-architecture.md @@ -49,7 +49,7 @@ default AuthorizationDecision verify(Supplier authentication, Ob [授权管理器实现](#authz-authorization-manager-implementations)说明了相关的类。 -![授权层次结构](../../_images/servlet/authorization/authorizationhierarchy.png) +![授权层次结构](https://docs.spring.io/spring-security/reference/_images/servlet/authorization/authorizationhierarchy.png) 图 1。授权管理器实现 
@@ -207,7 +207,7 @@ boolean supports(Class clazz); 虽然用户可以实现他们自己的`AccessDecisionManager`以控制授权的所有方面, Spring 安全性包括几个基于投票的`AccessDecisionManager`实现。[投票决策经理](#authz-access-voting)举例说明了相关的类。 -![访问决定投票](../../_images/servlet/authorization/access-decision-voting.png) +![访问决定投票](https://docs.spring.io/spring-security/reference/_images/servlet/authorization/access-decision-voting.png) 图 2。投票决策经理 @@ -245,7 +245,7 @@ Spring 安全性提供的最常用的`AccessDecisionVoter`是简单的`RoleVoter 显然,你还可以实现一个自定义`AccessDecisionVoter`,并且你可以在其中放入你想要的任何访问控制逻辑。它可能是特定于你的应用程序的(与业务逻辑相关的),或者它可能实现一些安全管理逻辑。例如,你将在 Spring 网站上找到一个[博客文章](https://spring.io/blog/2009/01/03/spring-security-customization-part-2-adjusting-secured-session-in-real-time),该网站描述了如何使用投票器实时拒绝帐户已被暂停的用户的访问。 -![调用后](../../_images/servlet/authorization/after-invocation.png) +![调用后](https://docs.spring.io/spring-security/reference/_images/servlet/authorization/after-invocation.png) 图 3。调用实现之后 diff --git a/docs/spring-security/servlet-authorization-authorize-http-requests.md b/docs/spring-security/servlet-authorization-authorize-http-requests.md index 6c1c1ca39c747b41d78cd7c9365c8776a06ad783..0b512e8a0df70ce4d8d25cf9db2e83d920acb6dd 100644 --- a/docs/spring-security/servlet-authorization-authorize-http-requests.md +++ b/docs/spring-security/servlet-authorization-authorize-http-requests.md 
@@ -36,19 +36,19 @@ SecurityFilterChain web(HttpSecurity http) throws AuthenticationException {
 当使用`authorizeHttpRequests`而不是`authorizeRequests`时,则使用[`AuthorizationFilter`](https://DOCS. Spring.io/ Spring-security/site/DOCS/5.6.2/api/org/springframework/security/web/access/intercept/Authorizationfilter.html)代替[<<](authority-requests.html# Servlet-authority-filtersecurityptor)。
-![授权过滤器](../../_images/servlet/authorization/authorizationfilter.png)
+![授权过滤器](https://docs.spring.io/spring-security/reference/_images/servlet/authorization/authorizationfilter.png)
 图 1。授权 HttpServletRequest
-* ![number 1](../../_images/icons/number_1.png)首先,`AuthorizationFilter`从[SecurityContextholder](../authentication/architecture.html#servlet-authentication-securitycontextholder)得到[认证](../authentication/architecture.html#servlet-authentication-authentication)。它将此包在`Supplier`中,以延迟查找。
+* ![number 1](https://docs.spring.io/spring-security/reference/_images/icons/number_1.png)首先,`AuthorizationFilter`从[SecurityContextholder](../authentication/architecture.html#servlet-authentication-securitycontextholder)得到[认证](../authentication/architecture.html#servlet-authentication-authentication)。它将此包在`Supplier`中,以延迟查找。
-* ![number 2](../../_images/icons/number_2.png)秒,`AuthorizationFilter`从`HttpServletRequest`、`FilterInvocation`、`和`FilterInvocation`传递给[`AuthorizationManager`]。
+* ![number 3](https://docs.spring.io/spring-security/reference/_images/icons/number_3.png)接下来,它将`Supplier`和`FilterInvocation`传递给[`AuthorizationManager`]。
- * ![number 4](../../_images/icons/number_4.png)如果拒绝授权,将抛出`AccessDeniedException`。在这种情况下,[`ExceptionTranslationFilter`](../architecture.html# Servlet-ExceptionTranslationFilter)处理`AccessDeniedException`。
+ * ![number 4](https://docs.spring.io/spring-security/reference/_images/icons/number_4.png)如果拒绝授权,将抛出`AccessDeniedException`。在这种情况下,[`ExceptionTranslationFilter`](../architecture.html# Servlet-ExceptionTranslationFilter)处理`AccessDeniedException`。
- * ![number 5](../../_images/icons/number_5.png)如果访问被授予,`AuthorizationFilter`继续使用[滤清链](../architecture.html#servlet-filters-review),这允许应用程序正常处理。
+ * ![number 5](https://docs.spring.io/spring-security/reference/_images/icons/number_5.png)如果访问被授予,`AuthorizationFilter`继续使用[滤清链](../architecture.html#servlet-filters-review),这允许应用程序正常处理。
 通过按优先级顺序添加更多规则,我们可以将安全性配置为具有不同的规则。
diff --git a/docs/spring-security/servlet-authorization-authorize-requests.md b/docs/spring-security/servlet-authorization-authorize-requests.md
index f4f07ace5031003f3f13aca28744413905f42000..70938d7b051b2ecb2d7daeb2b3fe66a6d82cf9fc 100644
--- a/docs/spring-security/servlet-authorization-authorize-requests.md
+++ b/docs/spring-security/servlet-authorization-authorize-requests.md
@@ -7,21 +7,21 @@
 [`FilterSecurityInterceptor`](https://DOCS. Spring.io/ Spring-security/site/DOCS/5.6.2/api/org/springframework/security/web/access/intercept/filtersecurityinterceptor.html)为`HttpServletRequest`s 提供[授权](index.html#servlet-authorization)。它作为[安全过滤器](../architecture.html#servlet-security-filters)中的一个插入到[FilterchainProxy](../architecture.html#servlet-filterchainproxy)中。
-![过滤安全拦截器](../../_images/servlet/authorization/filtersecurityinterceptor.png)
+![过滤安全拦截器](https://docs.spring.io/spring-security/reference/_images/servlet/authorization/filtersecurityinterceptor.png)
 图 1。授权 HttpServletRequest
-* ![number 1](../../_images/icons/number_1.png)首先,`FilterSecurityInterceptor`从[SecurityContextholder](../authentication/architecture.html#servlet-authentication-securitycontextholder)得到一个[认证](../authentication/architecture.html#servlet-authentication-authentication)。
+* ![number 1](https://docs.spring.io/spring-security/reference/_images/icons/number_1.png)首先,`FilterSecurityInterceptor`从[SecurityContextholder](../authentication/architecture.html#servlet-authentication-securitycontextholder)得到一个[认证](../authentication/architecture.html#servlet-authentication-authentication)。
-* ![number 2](../../_images/icons/number_2.png)第二,`FilterSecurityInterceptor`从`HttpServletRequest`、`HttpServletResponse`和`FilterChain`中创建一个[`FilterChain`(https://DOCS. Spring.io/ Spring-security/site/site/DOCS/5.6.2/api/org/springframework/security/web/filterinvocation.html),并传递到`HttpServletRequest`中的`HttpServletResponse`和`FilterChain`中。
+* ![number 2](https://docs.spring.io/spring-security/reference/_images/icons/number_2.png)第二,`FilterSecurityInterceptor`从`HttpServletRequest`、`HttpServletResponse`和`FilterChain`中创建一个[`FilterChain`(https://DOCS. Spring.io/ Spring-security/site/site/DOCS/5.6.2/api/org/springframework/security/web/filterinvocation.html),并传递到`HttpServletRequest`中的`HttpServletResponse`和`FilterChain`中。
-* ![number 3](../../_images/icons/number_3.png)下一步,它将`FilterInvocation`传递到`SecurityMetadataSource`,得到`ConfigAttribute`s。
+* ![number 3](https://docs.spring.io/spring-security/reference/_images/icons/number_3.png)下一步,它将`FilterInvocation`传递到`SecurityMetadataSource`,得到`ConfigAttribute`s。
-* ![number 4](../../_images/icons/number_4.png)最后,它将`Authentication`、`FilterInvocation`和`ConfigAttribute`s 传递给 Xref: Servlet/授权。ADOC#authz-access-decision-manager`AccessDecisionManager`。
+* ![number 4](https://docs.spring.io/spring-security/reference/_images/icons/number_4.png)最后,它将`Authentication`、`FilterInvocation`和`ConfigAttribute`s 传递给 Xref: Servlet/授权。ADOC#authz-access-decision-manager`AccessDecisionManager`。
- * ![number 5](../../_images/icons/number_5.png)如果拒绝授权,将抛出`AccessDeniedException`。在这种情况下,[`ExceptionTranslationFilter`](../architecture.html# Servlet-ExceptionTranslationFilter)处理`AccessDeniedException`。
+ * ![number 5](https://docs.spring.io/spring-security/reference/_images/icons/number_5.png)如果拒绝授权,将抛出`AccessDeniedException`。在这种情况下,[`ExceptionTranslationFilter`](../architecture.html# Servlet-ExceptionTranslationFilter)处理`AccessDeniedException`。
- * ![number 6](../../_images/icons/number_6.png)如果访问被授予,`FilterSecurityInterceptor`继续使用[滤清链](../architecture.html#servlet-filters-review),这允许应用程序正常处理。
+ * ![number 6](https://docs.spring.io/spring-security/reference/_images/icons/number_6.png)如果访问被授予,`FilterSecurityInterceptor`继续使用[滤清链](../architecture.html#servlet-filters-review),这允许应用程序正常处理。
 默认情况下, Spring Security 的授权将要求对所有请求进行身份验证。显式配置如下所示: