Cwikius-Spring
/
spring-security
mirror of https://github.com/spring-projects/spring-security.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

Add More role=primary/secondary 

Issue gh-7801
This commit is contained in:
Rob Winch 2020-01-09 20:12:19 -06:00
parent 729da6463f
commit ad7c44f7fd
6 changed files with 45 additions and 69 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

19
docs/manual/src/docs/asciidoc/_includes/about/authentication/password-storage.adoc
View File

@ -342,7 +342,6 @@ However, this can be customized by exposing a `PasswordEncoder` as a Spring bean
If you are migrating from Spring Security 4.2.x you can revert to the previous behavior by exposing a `NoOpPasswordEncoder` bean.
For example, if you are using Java Configuration, you can create a configuration that looks like:
[WARNING]
====
@ -350,24 +349,26 @@ Reverting to `NoOpPasswordEncoder` is not considered to be secure.
You should instead migrate to using `DelegatingPasswordEncoder` to support secure password encoding.
====
.NoOpPasswordEncoder with Java Configuration
.NoOpPasswordEncoder
====
[source,java]
.Java
[source,java,role="primary"]
----
@Bean
public static NoOpPasswordEncoder passwordEncoder() {
return NoOpPasswordEncoder.getInstance();
}
----
====
if you are using XML configuration, you can expose a `PasswordEncoder` with the id `passwordEncoder`:
.NoPasswordEncoder with XML
====
[source,xml]
.XML
[source,xml,role="secondary"]
----
<b:bean id="passwordEncoder"
class="org.springframework.security.crypto.password.NoOpPasswordEncoder" factory-method="getInstance"/>
----
====
[NOTE]
====
XML Configuration requires the `NoOpPasswordEncoder` bean name to be `passwordEncoder`.
====

13
docs/manual/src/docs/asciidoc/_includes/servlet/authentication/unpwd/input/digest.adoc
View File

@ -37,9 +37,10 @@ key: A private key to prevent modification of the nonce token
You will need to ensure you <<authentication-password-storage-configuration,configure>> insecure plain text <<authentication-password-storage,Password Storage>> using NoOpPasswordEncoder`.
The following provides an example of configuring Digest Authentication with Java Configuration:
.Digest Authentication with Java Configuration
.Digest Authentication
====
[source,java]
.Java
[source,java,role="primary"]
----
@Autowired
UserDetailsService userDetailsService;
@ -63,13 +64,9 @@ protected void configure(HttpSecurity http) throws Exception {
.addFilterBefore(digestFilter());
}
----
====
The following provides an example of configuring Digest Authentication with XML Configuration:
.Digest Authentication with XML Configuration
====
[source,xml]
.XML
[source,xml,role="secondary"]
----
<b:bean id="digestFilter"
class="org.springframework.security.web.authentication.www.DigestAuthenticationFilter"

34
docs/manual/src/docs/asciidoc/_includes/servlet/authentication/unpwd/input/form.adoc
View File

@ -12,9 +12,10 @@ Spring Security form log in is enabled by default.
However, as soon as any servlet based configuration is provided, form based log in must be explicitly provided.
A minimal, explicit Java configuration can be found below:
.Form Log In Java Configuration
.Form Log
====
[source,java]
.Java
[source,java,role="primary"]
----
protected void configure(HttpSecurity http) {
http
@ -22,13 +23,9 @@ protected void configure(HttpSecurity http) {
.formLogin(withDefaults());
}
----
====
A minimal XML configuration can be found below:
.Form Log In XML Configuration
====
[source,xml]
.XML
[source,xml,role="secondary"]
----
<http>
<!-- ... -->
@ -45,9 +42,10 @@ Most production applications will require a custom log in form.
The configuration below demonstrates how to provide a custom log in form.
.Custom Log In Form with Java Configuration
.Custom Log In Form Configuration
====
[source,java]
.Java
[source,java,role="primary"]
----
protected void configure(HttpSecurity http) throws Exception {
http
@ -58,13 +56,9 @@ protected void configure(HttpSecurity http) throws Exception {
);
}
----
====
A minimal XML configuration can be found below:
.Custom Log In Form with XML Configuration
====
[source,xml]
.XML
[source,xml,role="secondary"]
----
<http>
<!-- ... -->
@ -75,13 +69,12 @@ A minimal XML configuration can be found below:
====
[[servlet-authentication-form-custom-html]]
=== HTML Form
When the login page is specified in the Spring Security configuration, you are responsible for rendering the page.
Below is a https://www.thymeleaf.org/[Thymeleaf] template that produces an HTML login form that complies with a login page of `/login`.:
.Log In Form src/main/resources/templates/login.html
.Log In Form
====
.src/main/resources/templates/login.html
[source,xml]
----
<!DOCTYPE html>
@ -122,13 +115,12 @@ Many users will not need much more than to customize the log in page.
However, if needed everything above can be customized with additional configuration.
[[servlet-authentication-form-custom-controller]]
== LoginController
If you are using Spring MVC, you will need a controller that maps `GET /login` to the login template we created.
A minimal sample `LoginController` can be see below:
.LoginController
====
.src/main/java/example/LoginController.java
[source,java]
----
@Controller

11
docs/manual/src/docs/asciidoc/_includes/servlet/authentication/unpwd/storage/in-memory.adoc
View File

@ -9,7 +9,8 @@ In this sample we use <<authentication-password-storage-boot-cli,Spring Boot CLI
.InMemoryUserDetailsManager Java Configuration
====
[source,java]
.Java
[source,java,role="primary"]
----
@Bean
public UserDetailsService users() {
@ -26,13 +27,9 @@ public UserDetailsService users() {
return new InMemoryUserDetailsManager(user, admin);
}
----
====
The same configuration in XML looks like:
.<user-service> XML Configuration
====
[source,xml]
.XML
[source,xml,role="secondary"]
----
<user-service>
<user name="user"

2
docs/manual/src/docs/asciidoc/_includes/servlet/authentication/unpwd/storage/index.adoc
View File

@ -1,7 +1,7 @@
[[servlet-authentication-unpwd-storage]]
= User Storage
Spring Security's <<servlet-authentication-userdetailsservice,`UserDetailsService`>> allows for storing user information including a username and password.
Spring Security's <<servlet-authentication-userdetailsservice,`UserDetailsService`>> allows for storing user information when authenticating with a username/password.
`UserDetailsService` is used by Spring Security when it is configured to <<servlet-authentication-unpwd-input,accept a username/password>> for authentication.
// FIXME: Once it is retrieved it is validated using DaoAuthenticationProvider

35
docs/manual/src/docs/asciidoc/_includes/servlet/authentication/unpwd/storage/jdbc.adoc
View File

@ -3,6 +3,7 @@
Spring Security's `JdbcDaoImpl` implements <<servlet-authentication-userdetailsservice,UserDetailsService>> to provide support for username/password based authentication that is retrieved using JDBC.
`JdbcUserDetailsManager` extends `JdbcDaoImpl` to provide management of `UserDetails` through the `UserDetailsManager` interface.
`UserDetails` based authentication is used by Spring Security when it is configured to <<servlet-authentication-unpwd-input,accept a username/password>> for authentication.
In the following sections we will discuss:
@ -10,15 +11,6 @@ In the following sections we will discuss:
* <<servlet-authentication-jdbc-datasource>>
* <<servlet-authentication-jdbc-bean>>
[[servlet-authentication-jdbc-when]]
== When is it Used?
JDBC authentication is used for authenticating a username and password.
Spring Security leverages username/password based authentication when any of the following are enabled:
* <<servlet-authentication-form>>
* <<servlet-authentication-basic>>
[[servlet-authentication-jdbc-schema]]
== Default Schema
@ -115,9 +107,10 @@ create table group_members (
Before we configure `JdbcUserDetailsManager`, we must create a `DataSource`.
In our example, we will setup an https://docs.spring.io/spring-framework/docs/current/spring-framework-reference/data-access.html#jdbc-embedded-database-support[embedded DataSource] that is initialized with the <<servlet-authentication-jdbc-schema,default user schema>>.
.Embedded Data Source with Java Configuration
.Embedded Data Source
====
[source,java]
.Java
[source,java,role="primary"]
----
@Bean
DataSource dataSource() {
@ -127,11 +120,9 @@ DataSource dataSource() {
.build();
}
----
====
.Embedded Data Source with XML Configuration
====
[source,xml]
.XML
[source,xml,role="secondary"]
----
<jdbc:embedded-database>
<jdbc:script location="classpath:org/springframework/security/core/userdetails/jdbc/users.ddl"/>
@ -147,9 +138,11 @@ In a production environment, you will want to ensure you setup a connection to a
In this sample we use <<authentication-password-storage-boot-cli,Spring Boot CLI>> to encode the password of `password` and get the encoded password of `{bcrypt}$2a$10$GRLdNijSQMUvl/au9ofL.eDwmoohzzS7.rmNSJZ.0FxO/BTk76klW`.
See the <<authentication-password-storage,PasswordEncoder>> section for more details about how to store passwords.
.JdbcUserDetailsManager with Java Configuration
.JdbcUserDetailsManager
====
[source,java]
.Java
[source,java,role="primary"]
----
@Bean
UserDetailsManager users(DataSource dataSource) {
@ -167,13 +160,9 @@ UserDetailsManager users(DataSource dataSource) {
users.createUser()
}
----
====
The same configuration in XML looks like:
.<jdbc-user-service> XML Configuration
====
[source,xml]
.XML
[source,xml,role="secondary"]
----
<jdbc-user-service>
<user name="user"