Spring Security 是一个功能强大且高度可定制的安全框架，主要用于保护基于 Spring 的应用程序。它提供了一整套用于身份验证、授权、加密、会话管理等功能的工具和 API，从而帮助开发者快速、有效地保护应用程序。

@Configuration
@EnableWebSecurity
public class WebSecurityConfig extends WebSecurityConfigurerAdapter {
    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            .authorizeRequests()
                .antMatchers("/", "/home").permitAll()
                .anyRequest().authenticated()
                .and()
            .formLogin()
                .loginPage("/login")
                .permitAll()
                .and()
            .logout()
                .permitAll();
    }
    
    @Override
    protected void configure(AuthenticationManagerBuilder auth) throws Exception {
        auth
            .inMemoryAuthentication()
            .withUser("user").password("{noop}password").roles("USER");
    }
}

<http>
    <intercept-url pattern="/" access="permitAll" />
    <intercept-url pattern="/admin/**" access="hasRole('ADMIN')" />
    <form-login login-page="/login" />
    <logout logout-url="/logout" />
</http>

<authentication-manager>
    <authentication-provider>
        <user-service>
            <user name="user" password="password" authorities="ROLE_USER" />
        </user-service>
    </authentication-provider>
</authentication-manager>