Current Spring Security version: 5.1.5-RELEASE [Spring Cloud Security official documentation] [Spring Security official documentation]

1. Spring Cloud Security and Spring Security

1.1 Spring Cloud Security

Official documentation

Spring Cloud Security offers a set of primitives for building secure applications and services with minimum fuss. A declarative model which can be heavily configured externally (or centrally) lends itself to the implementation of large systems of co-operating, remote components, usually with a central identity management service. It is also extremely easy to use in a service platform like Cloud Foundry.

Building on Spring Boot and Spring Security OAuth2 we can quickly create systems that implement common patterns like single sign on (SSO), token relay and token exchange.

1.2 Spring Security

Official documentation

Spring Security is a framework that provides authentication, authorization, and protection against common attacks. With first class support for both imperative and reactive applications, it is the de-facto standard for securing Spring-based applications.


1.3 Comparison

Spring Cloud Security is a higher-level layer built on top of Spring Security; it wraps the same machinery behind a simpler, more declarative API.

2. Spring Security feature modules

Documentation

Spring Security provides comprehensive support for authentication, authorization, and protection against common exploits. It also provides integration with other libraries to simplify its usage.


  • authentication
  • authorization
  • protection against common exploits

2.1 authentication

2.1.1 Supported authentication stacks

Spring Security ships two implementations of its authentication support, one per application model:

  • Servlet [documentation]
  • Reactive (e.g. WebFlux) [documentation]
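As an added example (written for these notes, not taken from the Spring Security project's own samples), the smallest useful configuration for each of the two stacks on Spring Security 5.1.x with Spring Boot: the servlet stack subclasses WebSecurityConfigurerAdapter, the reactive stack exposes a SecurityWebFilterChain bean. Each class belongs in its own application (a Boot application is either servlet or reactive, so do not put both in one project); the user name `demo` and its password are placeholder values.

```java
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.config.annotation.web.reactive.EnableWebFluxSecurity;
import org.springframework.security.config.web.server.ServerHttpSecurity;
import org.springframework.security.core.userdetails.MapReactiveUserDetailsService;
import org.springframework.security.core.userdetails.User;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.crypto.factory.PasswordEncoderFactories;
import org.springframework.security.crypto.password.PasswordEncoder;
import org.springframework.security.provisioning.InMemoryUserDetailsManager;
import org.springframework.security.web.server.SecurityWebFilterChain;

// ---- Servlet stack (Spring MVC, spring-boot-starter-web) ----
@Configuration
@EnableWebSecurity
class ServletSecurityConfig extends WebSecurityConfigurerAdapter {

    @Bean
    PasswordEncoder passwordEncoder() {
        // Delegating encoder: stored hashes carry an algorithm id prefix such as {bcrypt}
        return PasswordEncoderFactories.createDelegatingPasswordEncoder();
    }

    @Bean
    UserDetailsService users(PasswordEncoder encoder) {
        // Demo user only (placeholder credentials); real deployments load users from a store
        UserDetails demo = User.withUsername("demo")
                .password(encoder.encode("change-me"))
                .roles("USER")
                .build();
        return new InMemoryUserDetailsManager(demo);
    }

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            .authorizeRequests()
                .anyRequest().authenticated()   // authorization: every request needs a logged-in user
                .and()
            .formLogin()                        // authentication: generated login page for browsers
                .and()
            .httpBasic();                       // authentication: HTTP Basic for API clients
    }
}

// ---- Reactive stack (WebFlux, spring-boot-starter-webflux) ----
@Configuration
@EnableWebFluxSecurity
class ReactiveSecurityConfig {

    @Bean
    MapReactiveUserDetailsService reactiveUsers() {
        PasswordEncoder encoder = PasswordEncoderFactories.createDelegatingPasswordEncoder();
        UserDetails demo = User.withUsername("demo")   // placeholder credentials
                .password(encoder.encode("change-me"))
                .roles("USER")
                .build();
        return new MapReactiveUserDetailsService(demo);
    }

    @Bean
    SecurityWebFilterChain securityWebFilterChain(ServerHttpSecurity http) {
        // Same rule as the servlet config, expressed on the reactive builder
        return http
            .authorizeExchange()
                .anyExchange().authenticated()
                .and()
            .formLogin()
                .and()
            .httpBasic()
                .and()
            .build();
    }
}
```

The two builders mirror each other (authorizeRequests/authorizeExchange, anyRequest/anyExchange), which is what makes it practical to keep one security policy across MVC and WebFlux services. In both cases the password is stored hashed, never in clear text; the encoder is the subject of the next section.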

2.2 Password Storage

Spring Security provides PasswordEncoder to transform clear-text passwords before they are stored, so that the stored value is not the password itself.
PasswordEncoder is a one-way tool (MD5 is an example of such a one-way function, although Spring Security's default encoder is bcrypt, not MD5): it exists to verify a submitted credential against the stored value, not to recover the password from it.
[Article on the history of password storage]
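An added example (not from these notes) of what PasswordEncoder does and does not give you. It needs only spring-security-crypto on the classpath; the password string and the `{noop}` legacy row are constructed sample values, and the `{noop}` row is there purely to show how the id prefix lets old and new hashes coexist.

```java
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
import org.springframework.security.crypto.factory.PasswordEncoderFactories;
import org.springframework.security.crypto.password.PasswordEncoder;

public class PasswordStorageDemo {

    public static void main(String[] args) {
        // Recommended entry point: a DelegatingPasswordEncoder whose default algorithm is bcrypt
        PasswordEncoder encoder = PasswordEncoderFactories.createDelegatingPasswordEncoder();

        String plain = "correct horse battery staple";   // constructed sample password
        String stored = encoder.encode(plain);           // the value that goes into the user store
        System.out.println("stored:  " + stored);        // looks like {bcrypt}$2a$10$... (random salt)

        // Verification is the only operation; the stored value cannot be turned back into the password
        System.out.println("matches: " + encoder.matches(plain, stored));    // true
        System.out.println("wrong:   " + encoder.matches("not it", stored)); // false

        // Encoding the same password again yields a different string (per-hash salt),
        // so never compare stored values with equals(); always call matches()
        System.out.println("equal hashes: " + stored.equals(encoder.encode(plain))); // false

        // The {id} prefix lets rows hashed with older algorithms keep verifying.
        // Constructed legacy row: {noop} means "stored in clear", shown only to illustrate delegation.
        String legacy = "{noop}" + plain;
        System.out.println("legacy verifies: " + encoder.matches(plain, legacy));     // true
        // upgradeEncoding() (since 5.1) says whether to re-hash with the default after a successful login
        System.out.println("legacy needs upgrade: " + encoder.upgradeEncoding(legacy)); // true
        System.out.println("bcrypt needs upgrade: " + encoder.upgradeEncoding(stored)); // false

        // Work factor: bcrypt strength 12 does 4x the work of the default strength 10
        PasswordEncoder slower = new BCryptPasswordEncoder(12);
        long t0 = System.nanoTime();
        String strong = slower.encode(plain);
        long ms = (System.nanoTime() - t0) / 1_000_000;
        System.out.println("bcrypt(12) took " + ms + " ms, verifies: " + slower.matches(plain, strong));
    }
}
```

The deliberate slowness of the last step is the point of an adaptive hash: it caps how many guesses an attacker who has copied the user table can try per second, which is exactly what a plain MD5 or SHA digest does not do. The practical rule is to keep the delegating encoder as the application-wide bean, and to re-encode a password when upgradeEncoding() returns true for the row that just authenticated.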

2.3 Protection Against Exploits

Spring Security provides protection against common exploits; these protections are normally enabled by default.
Common exploits:

  • Cross Site Request Forgery (CSRF) [article]

  • Security HTTP Response Headers, e.g. against XSS attacks [article]
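An added example (not from these notes or from the project's own samples) that makes the two default protections visible in a servlet configuration for Spring Security 5.1.x. CSRF protection and the security headers are already on without any of this code; the class exists to show where each default lives and how to adjust it deliberately. The CSP value and the HSTS lifetime are assumed settings for a self-contained application.

```java
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.web.csrf.CookieCsrfTokenRepository;

@Configuration
@EnableWebSecurity
class ExploitProtectionConfig extends WebSecurityConfigurerAdapter {

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            // CSRF: on by default for state-changing methods (POST, PUT, PATCH, DELETE).
            // Default repository keeps the token in the HTTP session and expects it back
            // in the _csrf form field or the X-CSRF-TOKEN header; a missing or wrong token is a 403.
            .csrf()
                // For a JavaScript front end: issue the token as the XSRF-TOKEN cookie (readable by
                // script on purpose, hence withHttpOnlyFalse) and accept it in the X-XSRF-TOKEN header.
                // The check still works because a cross-site page cannot read that cookie.
                .csrfTokenRepository(CookieCsrfTokenRepository.withHttpOnlyFalse())
                .and()
            // Security headers: defaults are Cache-Control no-store, X-Content-Type-Options nosniff,
            // X-Frame-Options DENY, X-XSS-Protection "1; mode=block", and HSTS on HTTPS requests.
            .headers()
                // Relax DENY to SAMEORIGIN only if the app frames its own pages (clickjacking defence)
                .frameOptions().sameOrigin()
                // HSTS: one year, including subdomains (assumed lifetime)
                .httpStrictTransportSecurity()
                    .maxAgeInSeconds(31536000)
                    .includeSubDomains(true)
                    .and()
                // CSP is not set by default; this assumed policy blocks inline and third-party script,
                // which limits what an XSS bug in a template can do (it does not fix the bug itself)
                .contentSecurityPolicy("default-src 'self'; object-src 'none'")
                    .and()
                .and()
            .authorizeRequests()
                .anyRequest().authenticated()
                .and()
            .formLogin();
    }
}
```

A quick check after deploying: an authenticated POST without the token must come back as 403, and a response to any request must carry X-Content-Type-Options, X-Frame-Options and X-XSS-Protection. If a header is missing, something in the configuration has called headers().disable() or switched that individual header off.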