Spring Security 2026 最佳实践构建安全可靠的应用系统别叫我大神叫我 Alex 就好。一、引言大家好我是 Alex。在当今复杂的网络环境中应用安全已经成为开发过程中不可或缺的一部分。Spring Security 作为 Spring 生态中处理安全问题的核心组件一直致力于提供强大而灵活的安全解决方案。随着 Spring Security 2026 的发布它带来了许多新特性和改进。今天我想和大家分享一下 Spring Security 2026 的最佳实践帮助大家构建更安全、更可靠的应用系统。二、Spring Security 2026 新特性1. 增强的 OAuth 2.1 支持Spring Security 2026 全面支持 OAuth 2.1 协议简化的配置更简洁的 OAuth 2.1 配置方式增强的 token 管理更安全的 token 存储和验证支持 OIDC 1.0完整的 OpenID Connect 1.0 支持2. 虚拟线程集成Configuration public class SecurityConfig { Bean public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception { http .authorizeHttpRequests(authorize - authorize .requestMatchers(/public/**).permitAll() .anyRequest().authenticated() ) .oauth2Login(withDefaults()) .sessionManagement(session - session .sessionCreationPolicy(SessionCreationPolicy.IF_REQUIRED) ); return http.build(); } }3. 安全性增强更强大的密码编码器默认使用 Argon2PasswordEncoder增强的 CSRF 防护更智能的 CSRF 令牌管理安全 headers 自动配置默认启用更安全的 HTTP 头三、核心最佳实践1. 认证管理基于 OAuth 2.1 的认证Configuration public class OAuth2ClientConfig { Bean public ClientRegistrationRepository clientRegistrationRepository() { return new InMemoryClientRegistrationRepository( ClientRegistration.withRegistrationId(github) .clientId(your-client-id) .clientSecret(your-client-secret) .redirectUri({baseUrl}/login/oauth2/code/{registrationId}) .authorizationUri(https://github.com/login/oauth/authorize) .tokenUri(https://github.com/login/oauth/access_token) .userInfoUri(https://api.github.com/user) .userNameAttributeName(IdTokenClaimNames.SUB) .clientName(GitHub) .build() ); } }自定义认证逻辑Service public class CustomUserDetailsService implements UserDetailsService { Autowired private UserRepository userRepository; Override public UserDetails loadUserByUsername(String username) throws UsernameNotFoundException { User user userRepository.findByUsername(username) .orElseThrow(() - new UsernameNotFoundException(User not found: username)); return User.builder() .username(user.getUsername()) .password(user.getPassword()) .authorities(user.getRoles().stream() .map(role - new SimpleGrantedAuthority(ROLE_ role.getName())) .collect(Collectors.toList())) .accountExpired(false) .accountLocked(false) .credentialsExpired(false) .enabled(true) .build(); } }2. 授权管理基于角色的访问控制Configuration public class SecurityConfig { Bean public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception { http .authorizeHttpRequests(authorize - authorize .requestMatchers(/admin/**).hasRole(ADMIN) .requestMatchers(/user/**).hasAnyRole(USER, ADMIN) .anyRequest().permitAll() ); return http.build(); } }基于权限的访问控制PreAuthorize(hasPermission(#order, READ)) public Order getOrder(Long id) { return orderRepository.findById(id).orElse(null); } PreAuthorize(hasPermission(#order, WRITE)) public Order updateOrder(Order order) { return orderRepository.save(order); }基于表达式的访问控制PreAuthorize(#userId authentication.principal.id or hasRole(ADMIN)) public User getUser(Long userId) { return userRepository.findById(userId).orElse(null); }3. 安全防护CSRF 防护Configuration public class SecurityConfig { Bean public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception { http .csrf(csrf - csrf .csrfTokenRepository(CookieCsrfTokenRepository.withHttpOnlyFalse()) .ignoringRequestMatchers(/api/**) ); return http.build(); } }XSS 防护Configuration public class WebConfig implements WebMvcConfigurer { Override public void addInterceptors(InterceptorRegistry registry) { registry.addInterceptor(new XssInterceptor()); } } public class XssInterceptor implements HandlerInterceptor { Override public boolean preHandle(HttpServletRequest request, HttpServletResponse response, Object handler) { // XSS 防护逻辑 return true; } }CORS 配置Configuration public class CorsConfig { Bean public CorsFilter corsFilter() { CorsConfiguration config new CorsConfiguration(); config.setAllowedOrigins(List.of(*)); config.setAllowedMethods(List.of(GET, POST, PUT, DELETE, OPTIONS)); config.setAllowedHeaders(List.of(*)); config.setAllowCredentials(true); UrlBasedCorsConfigurationSource source new UrlBasedCorsConfigurationSource(); source.registerCorsConfiguration(/**, config); return new CorsFilter(source); } }四、高级特性1. 会话管理会话配置Configuration public class SecurityConfig { Bean public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception { http .sessionManagement(session - session .sessionCreationPolicy(SessionCreationPolicy.IF_REQUIRED) .maximumSessions(1) .expiredUrl(/login?expired) .sessionRegistry(sessionRegistry()) ); return http.build(); } Bean public SessionRegistry sessionRegistry() { return new SessionRegistryImpl(); } }会话并发控制Service public class SessionService { Autowired private SessionRegistry sessionRegistry; public void invalidateUserSessions(String username) { ListSessionInformation sessions sessionRegistry.getAllSessions( username, false); for (SessionInformation session : sessions) { session.expireNow(); } } }2. 安全事件自定义安全事件监听Component public class AuthenticationEventListener { EventListener public void handleAuthenticationSuccess(AuthenticationSuccessEvent event) { // 处理认证成功事件 Authentication authentication event.getAuthentication(); String username authentication.getName(); System.out.println(User username logged in successfully); } EventListener public void handleAuthenticationFailure(AuthenticationFailureBadCredentialsEvent event) { // 处理认证失败事件 String username event.getAuthentication().getName(); System.out.println(User username failed to log in); } }3. 安全日志安全日志配置logging: level: org.springframework.security: DEBUG spring: security: oauth2: client: registration: github: client-id: ${GITHUB_CLIENT_ID} client-secret: ${GITHUB_CLIENT_SECRET}五、生产环境配置1. 密钥管理使用环境变量spring: security: oauth2: client: registration: github: client-id: ${GITHUB_CLIENT_ID} client-secret: ${GITHUB_CLIENT_SECRET}使用密钥库Configuration public class JwtConfig { Bean public KeyPair keyPair() { try { KeyStore keyStore KeyStore.getInstance(JKS); keyStore.load(new FileInputStream(keystore.jks), password.toCharArray()); PrivateKey privateKey (PrivateKey) keyStore.getKey(jwt, password.toCharArray()); PublicKey publicKey keyStore.getCertificate(jwt).getPublicKey(); return new KeyPair(publicKey, privateKey); } catch (Exception e) { throw new RuntimeException(e); } } }2. 安全监控集成 Actuatormanagement: endpoints: web: exposure: include: health,info,metrics,prometheus,security security: enabled: true安全审计Configuration EnableAuditing public class AuditConfig { Bean public AuditorAwareString auditorAware() { return () - Optional.ofNullable(SecurityContextHolder.getContext().getAuthentication()) .map(Authentication::getName); } }六、常见问题与解决方案1. 密码安全问题密码存储不安全解决方案使用 Argon2PasswordEncoder定期更新密码启用多因素认证2. 授权绕过问题权限控制不严格导致授权绕过解决方案使用基于表达式的访问控制定期进行安全审计实现细粒度的权限检查3. 会话固定问题会话固定攻击解决方案启用会话重生成使用 HttpSessionIdResolver合理设置会话超时七、实战案例案例企业级应用安全架构需求支持多种认证方式用户名密码、OAuth 2.0、SAML细粒度的权限控制安全审计和监控高可用性实现Configuration public class SecurityConfig { Bean public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception { http .authorizeHttpRequests(authorize - authorize .requestMatchers(/public/**).permitAll() .requestMatchers(/api/**).authenticated() .requestMatchers(/admin/**).hasRole(ADMIN) .anyRequest().authenticated() ) .formLogin(form - form .loginPage(/login) .permitAll() ) .oauth2Login(withDefaults()) .saml2Login(withDefaults()) .logout(logout - logout .logoutSuccessUrl(/login?logout) .permitAll() ) .sessionManagement(session - session .sessionCreationPolicy(SessionCreationPolicy.IF_REQUIRED) .maximumSessions(1) ) .csrf(csrf - csrf .csrfTokenRepository(CookieCsrfTokenRepository.withHttpOnlyFalse()) ); return http.build(); } }八、总结Spring Security 2026 为我们提供了更强大、更灵活的安全解决方案。通过合理的配置和最佳实践我们可以构建出既安全又可靠的应用系统。这其实可以更优雅一点。希望这篇文章能帮助大家更好地使用 Spring Security 2026。如果你有任何问题欢迎在评论区留言。关于作者我是 Alex一个在 CSDN 写 Java 架构思考的暖男。喜欢手冲咖啡养了一只叫Java的拉布拉多。如果我的文章对你有帮助欢迎关注我一起探讨 Java 技术的优雅之道。