Spring Security with Maven

Last modified: April 24, 2013

1. Overview

In this article, we’ll explain how to set up Spring Security with Maven and go over specific use-cases of using Spring Security dependencies. You can find the latest Spring Security releases on Maven Central.

This is a followup to the previous Spring with Maven article, so for non-security Spring dependencies, that’s the place to start.

2. Spring Security With Maven

2.1. spring-security-core

The Core Spring Security support – spring-security-core – contains authentication and access control functionality. This dependency is mandatory to include for all projects using Spring Security.

Additionally, spring-security-core supports standalone (non-web) applications, method-level security and JDBC:

<properties>
    <spring-security.version>5.3.4.RELEASE</spring-security.version>
    <spring.version>5.2.8.RELEASE</spring.version>
</properties>
<dependency>
    <groupId>org.springframework.security</groupId>
    <artifactId>spring-security-core</artifactId>
    <version>${spring-security.version}</version>
</dependency>

Note that Spring and Spring Security are on different release schedules, so there isn’t always a 1:1 match between the version numbers.

If you’re working with older versions of Spring, it is also very important to understand that, unintuitively, Spring Security 4.1.x does not depend on Spring 4.1.x releases! For example, when Spring Security 4.1.0 was released, the Spring core framework was already at 4.2.x, and hence Spring Security includes that version as its compile dependency. The plan is to align these dependencies more closely in future releases – see this JIRA for more details – but for the time being, this has practical implications that we’ll look at next.

2.2. spring-security-web

To add Web support for Spring Security, we need the spring-security-web dependency:

<dependency>
    <groupId>org.springframework.security</groupId>
    <artifactId>spring-security-web</artifactId>
    <version>${spring-security.version}</version>
</dependency>

This contains filters and related web security infrastructure that enables URL access control in a Servlet environment.

2.3. Spring Security and Older Spring Core Dependencies Problem

This new dependency also exhibits a problem for the Maven dependency graph. As mentioned above, Spring Security jars do not depend on the latest Spring core jars (but on the previous version). This may lead to these older dependencies making their way onto the classpath instead of the newer 5.x Spring artifacts.

To understand why this is happening, we need to look at how Maven resolves conflicts. In case of a version conflict, Maven will pick the jar that is closest to the root of the tree. For example, spring-core is defined by both spring-orm (with the 5.0.0.RELEASE version) and spring-security-core (with the 5.0.2.RELEASE version). So in both cases, spring-jdbc is defined at a depth of 1 from the root pom of our project. Because of that, the order in which spring-orm and spring-security-core are defined in our own pom actually matters. The first one will take priority, so we may end up with either version on our classpath.

To address this problem, we’ll have to explicitly define some of the Spring dependencies in our own pom and not rely on the implicit Maven dependency resolution mechanism. Doing this will put that particular dependency at depth 0 from our pom (as it’s defined in the pom itself) so it will take priority. All of the following fall into the same category and all need to be explicitly defined, either directly or, for multi-module projects, in the dependencyManagement element of the parent:

<!-- ${spring.version} is the property defined in the <properties> block above -->
<dependency>
    <groupId>org.springframework</groupId>
    <artifactId>spring-core</artifactId>
    <version>${spring.version}</version>
</dependency>
<dependency>
    <groupId>org.springframework</groupId>
    <artifactId>spring-context</artifactId>
    <version>${spring.version}</version>
</dependency>
<dependency>
    <groupId>org.springframework</groupId>
    <artifactId>spring-jdbc</artifactId>
    <version>${spring.version}</version>
</dependency>
<dependency>
    <groupId>org.springframework</groupId>
    <artifactId>spring-beans</artifactId>
    <version>${spring.version}</version>
</dependency>
<dependency>
    <groupId>org.springframework</groupId>
    <artifactId>spring-aop</artifactId>
    <version>${spring.version}</version>
</dependency>
<dependency>
    <groupId>org.springframework</groupId>
    <artifactId>spring-tx</artifactId>
    <version>${spring.version}</version>
</dependency>
<dependency>
    <groupId>org.springframework</groupId>
    <artifactId>spring-expression</artifactId>
    <version>${spring.version}</version>
</dependency>
<dependency>
    <groupId>org.springframework</groupId>
    <artifactId>spring-web</artifactId>
    <version>${spring.version}</version>
</dependency>
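
The mediation rule described in this section (the nearest declaration wins, and the first declared wins a tie) and the effect of pinning spring-core in our own pom, as an added example that is not part of the original article. It is a simplified model: the dependency graph is constructed from the versions quoted in the text, and scopes, exclusions and dependencyManagement are ignored.

```python
from collections import deque

# Constructed graph (not real POM metadata): what each artifact declares,
# using the spring-core versions quoted in the text above.
TRANSITIVE = {
    "spring-orm": [("spring-core", "5.0.0.RELEASE")],
    "spring-security-core": [("spring-core", "5.0.2.RELEASE")],
}

# Entries of our own pom; versions taken from the <properties> block above.
ORM = ("spring-orm", "5.2.8.RELEASE")
SECURITY = ("spring-security-core", "5.3.4.RELEASE")
PINNED = ("spring-core", "5.2.8.RELEASE")


def mediate(direct, transitive=TRANSITIVE):
    """Resolve versions: nearest to the root wins, first declared breaks ties.

    `direct` is the ordered list of (artifact, version) pairs in our own pom
    (depth 0, as in the text). Returns {artifact: (version, depth)}.
    """
    resolved = {}
    # Breadth-first traversal in declaration order visits shallower nodes
    # first, and at equal depth the earlier declaration first.
    queue = deque((name, version, 0) for name, version in direct)
    while queue:
        name, version, depth = queue.popleft()
        if name in resolved:
            continue  # a nearer or earlier declaration already won
        resolved[name] = (version, depth)
        for child, child_version in transitive.get(name, []):
            queue.append((child, child_version, depth + 1))
    return resolved


if __name__ == "__main__":
    cases = {
        "spring-orm first": [ORM, SECURITY],
        "spring-security-core first": [SECURITY, ORM],
        "spring-core pinned in our pom": [ORM, SECURITY, PINNED],
    }
    for label, pom in cases.items():
        version, depth = mediate(pom)["spring-core"]
        print(f"{label}: spring-core {version} (depth {depth})")
```

On a real project, `mvn dependency:tree -Dverbose` shows which declarations were omitted for conflict, which is the same information this model computes.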

2.4. spring-security-config and Others

To use the rich Spring Security XML namespace and annotations, we’ll need the spring-security-config dependency:

<dependency>
    <groupId>org.springframework.security</groupId>
    <artifactId>spring-security-config</artifactId>
    <version>${spring-security.version}</version>
</dependency>

Finally, LDAP, ACL, CAS, OAuth and OpenID support have their own dependencies in Spring Security: spring-security-ldap, spring-security-acl, spring-security-cas, spring-security-oauth and spring-security-openid.

3. Using Spring Boot

When working with Spring Boot, the spring-boot-starter-security starter will automatically include all dependencies such as spring-security-core, spring-security-web, and spring-security-config among others:

<dependency>
    <groupId>org.springframework.boot</groupId>
    <artifactId>spring-boot-starter-security</artifactId>
    <version>2.3.3.RELEASE</version>
</dependency>

Since Spring Boot will be managing all the dependencies automatically for us, this will also get rid of the Spring Security and older core dependencies problem mentioned previously.

4. Using Snapshots and Milestones

Spring Security milestones, as well as snapshots, are available in the custom Maven repositories provided by Spring. For additional details about how to configure these, see how to use Snapshots and Milestones.

5. Conclusion

In this quick tutorial, we discussed the practical details of using Spring Security with Maven. The Maven dependencies presented here are of course some of the major ones, and there are several others that may be worth mentioning and haven’t yet made the cut. Nevertheless, this should be a good starting point for using Spring in a Maven enabled project.
