Getting Spring Security

Spring Security 提供Maven和Gradle工件，允许用户通过依赖管理轻松集成Spring Security。
对于 Spring Boot 应用程序，使用 spring-boot-starter-security 启动器是首选方法。
对于非 Spring Boot 应用程序，建议使用 Spring Security BOM 来管理依赖项版本并确保一致使用 Spring Security 版本。
Spring Security 应与 Spring Framework 5.x 版本一起使用，但传递依赖项可能会导致类路径问题，可以使用 spring-framework-bom 来解决。

此小节介绍如何获取 Spring Security 二进制文件。请参阅 Source Code了解如何获取源代码。

This section describes how to get the Spring Security binaries. See Source Code for how to obtain the source code.

Release Numbering

Spring Security 版本遵循 MAJOR.MINOR.PATCH 这样的格式：

Spring Security versions are formatted as MAJOR.MINOR.PATCH such that:

MAJOR versions may contain breaking changes. Typically, these are done to provide improved security to match modern security practices.
MINOR versions contain enhancements but are considered passive updates.
PATCH level should be perfectly compatible, forwards and backwards, with the possible exception of changes that fix bugs.

Usage with Maven

与大多数开源项目一样，Spring Security 将其依赖项部署为 Maven 工件。本部分中的主题说明如何在使用 Maven 时使用 Spring Security。

As most open source projects, Spring Security deploys its dependencies as Maven artifacts. The topics in this section describe how to consume Spring Security when using Maven.

Spring Boot with Maven

Spring Boot 提供将与 Spring Security 相关的依赖项聚合在一起的 spring-boot-starter-security 启动器，最简单、最推荐的使用启动器的方式是通过 IDE 集成 ( Eclipse 或 IntelliJ， NetBeans) 或通过 [role="bare"][role="bare"]https://start.spring.io 使用 Spring Initializr。或者，你可以手动添加启动器，如下面的示例所示：

Spring Boot provides a spring-boot-starter-security starter that aggregates Spring Security-related dependencies. The simplest and preferred way to use the starter is to use Spring Initializr by using an IDE integration in (Eclipse or IntelliJ, NetBeans) or through [role="bare"]https://start.spring.io. Alternatively, you can manually add the starter, as the following example shows:

pom.xml

<dependencies>
	<!-- ... other dependency elements ... -->
	<dependency>
		<groupId>org.springframework.boot</groupId>
		<artifactId>spring-boot-starter-security</artifactId>
	</dependency>
</dependencies>

由于 Spring Boot 提供了 Maven BOM 来管理依赖项版本，因此你无需指定版本。如果你希望覆盖 Spring Security 版本，可以通过提供 Maven 属性来进行覆盖：

Since Spring Boot provides a Maven BOM to manage dependency versions, you do not need to specify a version. If you wish to override the Spring Security version, you can do so by providing a Maven property:

pom.xml

<properties>
	<!-- ... -->
	<spring-security.version>{spring-security-version}</spring-security.version>
</properties>

由于 Spring Security 仅在主要版本中进行重大变更，因此你可以安全地在 Spring Boot 中使用 Spring Security 的较新版本。但是，有时你也可能需要更新 Spring Framework 的版本。你可以通过添加 Maven 属性来进行更新：

Since Spring Security makes breaking changes only in major releases, you can safely use a newer version of Spring Security with Spring Boot. However, at times, you may need to update the version of Spring Framework as well. You can do so by adding a Maven property:

pom.xml

<properties>
	<!-- ... -->
	<spring.version>{spring-core-version}</spring.version>
</properties>

如果你使用附加功能（例如，LDAP、OAuth 2 和其他功能），则还需要包含相应的 Project Modules and Dependencies。

If you use additional features (such as LDAP, OAuth 2, and others), you need to also include the appropriate Project Modules and Dependencies.

Maven Without Spring Boot

在你未使用 Spring Boot 而使用 Spring Security 时，首选方式是使用 Spring Security 的 BOM，以确保在整个项目中使用了一致的 Spring Security 版本。以下示例展示了如何进行操作：

When you use Spring Security without Spring Boot, the preferred way is to use Spring Security’s BOM to ensure that a consistent version of Spring Security is used throughout the entire project. The following example shows how to do so:

pom.xml

<dependencyManagement>
	<dependencies>
		<!-- ... other dependency elements ... -->
		<dependency>
			<groupId>org.springframework.security</groupId>
			<artifactId>spring-security-bom</artifactId>
			<version>{spring-security-version}</version>
			<type>pom</type>
			<scope>import</scope>
		</dependency>
	</dependencies>
</dependencyManagement>

Spring Security 的最小 Maven 依赖项集合通常如下例所示：

A minimal Spring Security Maven set of dependencies typically looks like the following example:

pom.xml

<dependencies>
	<!-- ... other dependency elements ... -->
	<dependency>
		<groupId>org.springframework.security</groupId>
		<artifactId>spring-security-web</artifactId>
	</dependency>
	<dependency>
		<groupId>org.springframework.security</groupId>
		<artifactId>spring-security-config</artifactId>
	</dependency>
</dependencies>

如果你使用附加功能（例如，LDAP、OAuth 2 和其他功能），则还需要包含相应的 Project Modules and Dependencies。

If you use additional features (such as LDAP, OAuth 2, and others), you need to also include the appropriate Project Modules and Dependencies.

Spring Security 根据 Spring Framework {spring-core-version} 构建，但通常应可与任何较新版本的 Spring Framework 5.x 一起使用。许多用户可能会遇到 Spring Security 的传递依赖项解析 Spring Framework {spring-core-version} 的情况，这可能导致奇怪的类路径问题。解决此问题的最简单方法是在 pom.xml 的 <dependencyManagement> 部分内使用 spring-framework-bom：

Spring Security builds against Spring Framework {spring-core-version} but should generally work with any newer version of Spring Framework 5.x. Many users are likely to run afoul of the fact that Spring Security’s transitive dependencies resolve Spring Framework {spring-core-version}, which can cause strange classpath problems. The easiest way to resolve this is to use the spring-framework-bom within the <dependencyManagement> section of your pom.xml:

pom.xml

<dependencyManagement>
	<dependencies>
		<!-- ... other dependency elements ... -->
		<dependency>
			<groupId>org.springframework</groupId>
			<artifactId>spring-framework-bom</artifactId>
			<version>{spring-core-version}</version>
			<type>pom</type>
			<scope>import</scope>
		</dependency>
	</dependencies>
</dependencyManagement>

前面的示例可确保 Spring Security 的所有传递依赖项都使用 Spring {spring-core-version} 模块。

The preceding example ensures that all the transitive dependencies of Spring Security use the Spring {spring-core-version} modules.

此方法使用 Maven 的 “bill of materials” (BOM) 概念，并且仅在 Maven 2.0.9+ 中可用，有关如何解决依赖项的其他详细信息，请参阅 Maven’s Introduction to the Dependency Mechanism documentation。

This approach uses Maven’s “bill of materials” (BOM) concept and is only available in Maven 2.0.9+. For additional details about how dependencies are resolved, see Maven’s Introduction to the Dependency Mechanism documentation.

Maven Repositories

所有 GA 版本（即以 .RELEASE 结尾的版本）均已部署到 Maven Central，因此你无需在 pom 中声明其他 Maven 存储库。

All GA releases (that is, versions ending in .RELEASE) are deployed to Maven Central, so you need not declare additional Maven repositories in your pom.

如果你使用 SNAPSHOT 版本，则需要确保已定义 Spring 快照存储库：

If you use a SNAPSHOT version, you need to ensure that you have the Spring Snapshot repository defined:

pom.xml

<repositories>
	<!-- ... possibly other repository elements ... -->
	<repository>
		<id>spring-snapshot</id>
		<name>Spring Snapshot Repository</name>
		<url>https://repo.spring.io/snapshot</url>
	</repository>
</repositories>

如果你使用里程碑或候选版本，则需要确保已定义 Spring 里程碑存储库，如下例所示：

If you use a milestone or release candidate version, you need to ensure that you have the Spring Milestone repository defined, as the following example shows:

pom.xml

<repositories>
	<!-- ... possibly other repository elements ... -->
	<repository>
		<id>spring-milestone</id>
		<name>Spring Milestone Repository</name>
		<url>https://repo.spring.io/milestone</url>
	</repository>
</repositories>

Gradle

与大多数开源项目一样，Spring Security 将其依赖项作为 Maven 工件进行部署，从而允许对 Gradle 提供一流的支持。以下主题介绍了在使用 Gradle 时如何使用 Spring Security。

As most open source projects, Spring Security deploys its dependencies as Maven artifacts, which allows for first-class Gradle support. The following topics describe how to consume Spring Security when using Gradle.

Spring Boot with Gradle

Spring Boot provides a spring-boot-starter-security starter that aggregates Spring Security related dependencies. The simplest and preferred method to use the starter is to use Spring Initializr by using an IDE integration in (Eclipse or IntelliJ, NetBeans) or through [role="bare"]https://start.spring.io.

或者，您可以手动添加起动器：

Alternatively, you can manually add the starter:

build.gradle

dependencies {
	implementation "org.springframework.boot:spring-boot-starter-security"
}

因为 Spring Boot 提供了一个 Maven BOM 来管理依赖项版本，所以您不需要指定一个版本。如果您希望覆盖 Spring Security 版本，则可以通过提供一个 Gradle 属性来实现：

Since Spring Boot provides a Maven BOM to manage dependency versions, you need not specify a version. If you wish to override the Spring Security version, you can do so by providing a Gradle property:

build.gradle

ext['spring-security.version']='{spring-security-version}'

因为 Spring Security 仅在主要版本中进行重大更改，所以您可以安全地在 Spring Boot 中使用 Spring Security 的较新版本。但是，有时您可能还需要更新 Spring Framework 的版本。您可以通过添加一个 Gradle 属性来实现：

build.gradle

ext['spring.version']='{spring-core-version}'

如果你使用附加功能（例如，LDAP、OAuth 2 和其他功能），则还需要包含相应的 Project Modules and Dependencies。

If you use additional features (such as LDAP, OAuth 2, and others), you need to also include the appropriate Project Modules and Dependencies.

Gradle Without Spring Boot

在不使用 Spring Boot 的情况下使用 Spring Security 时，首选的方式是使用 Spring Security 的 BOM，以确保在整个项目中使用 Spring Security 的一致版本，可通过使用 Dependency Management Plugin 来实现：

When you use Spring Security without Spring Boot, the preferred way is to use Spring Security’s BOM to ensure a consistent version of Spring Security is used throughout the entire project. You can do so by using the Dependency Management Plugin:

build.gradle

plugins {
	id "io.spring.dependency-management" version "1.0.6.RELEASE"
}

dependencyManagement {
	imports {
		mavenBom 'org.springframework.security:spring-security-bom:{spring-security-version}'
	}
}

Spring Security 的最小 Maven 依赖项集合通常如下所示：

A minimal Spring Security Maven set of dependencies typically looks like the following:

build.gradle

dependencies {
	implementation "org.springframework.security:spring-security-web"
	implementation "org.springframework.security:spring-security-config"
}

如果你使用附加功能（例如，LDAP、OAuth 2 和其他功能），则还需要包含相应的 Project Modules and Dependencies。

If you use additional features (such as LDAP, OAuth 2, and others), you need to also include the appropriate Project Modules and Dependencies.

Spring Security 根据 Spring Framework {spring-core-version} 构建，但通常应与任何较新版本的 Spring Framework 5.x 配合使用，许多用户可能会陷入 Spring Security 的传递性依赖项解析 Spring Framework {spring-core-version} 的事实，这可能会导致奇怪的类路径问题。解决此问题的最简单方法是在 build.gradle 的 dependencyManagement 部分中使用 spring-framework-bom。可通过使用 Dependency Management Plugin 来实现：

Spring Security builds against Spring Framework {spring-core-version} but should generally work with any newer version of Spring Framework 5.x. Many users are likely to run afoul of the fact that Spring Security’s transitive dependencies resolve Spring Framework {spring-core-version}, which can cause strange classpath problems. The easiest way to resolve this is to use the spring-framework-bom within your dependencyManagement section of your build.gradle. You can do so by using the Dependency Management Plugin:

build.gradle

plugins {
	id "io.spring.dependency-management" version "1.0.6.RELEASE"
}

dependencyManagement {
	imports {
		mavenBom 'org.springframework:spring-framework-bom:{spring-core-version}'
	}
}

前面的示例可确保 Spring Security 的所有传递依赖项都使用 Spring {spring-core-version} 模块。

The preceding example ensures that all the transitive dependencies of Spring Security use the Spring {spring-core-version} modules.

Gradle Repositories

所有 GA 版本（即以 .RELEASE 结尾的版本）都部署到 Maven Central，因此对于 GA 版本，使用 mavenCentral() 存储库就足够了。下面的示例演示了如何实现：

All GA releases (that is, versions ending in .RELEASE) are deployed to Maven Central, so using the mavenCentral() repository is sufficient for GA releases. The following example shows how to do so:

build.gradle

repositories {
	mavenCentral()
}

如果你使用 SNAPSHOT 版本，则需要确保已定义 Spring 快照存储库：

If you use a SNAPSHOT version, you need to ensure that you have the Spring Snapshot repository defined:

build.gradle

repositories {
	maven { url 'https://repo.spring.io/snapshot' }
}

如果您使用一个里程碑或候选版本，您需要确保定义了 Spring 里程碑存储库：

If you use a milestone or release candidate version, you need to ensure that you have the Spring Milestone repository defined:

build.gradle

repositories {
	maven { url 'https://repo.spring.io/milestone' }
}