Spring Security文章目錄
流程圖說明:
核心關注FilterChainProxy的生成。
部分注釋點說明:
1、為webSecurity設定webSecurityConfigurers
org.springframework.security.config.annotation.web.configuration.WebSecurityConfiguration#setFilterChainProxySecurityConfigurer
通過#{@autowiredWebSecurityConfigurersIgnoreParents.getWebSecurityConfigurers()}查找WebSecurityConfigurer.class類型的bean,我們自定義的SecurityConfig 就是。
2、生成filter chain
2.1 bean聲明,最終傳回springSecurityFilterChain
org.springframework.security.config.annotation.web.configuration.WebSecurityConfiguration#springSecurityFilterChain
3、webSecurity build操作
org.springframework.security.config.annotation.AbstractConfiguredSecurityBuilder#doBuild
3.1 根據自定義的WebSecurityConfigurerAdapter進行build操作,我們這裡是SecurityConfig。SecurityConfig的init過程中見第4步驟說明。
3.2 調用performBuild
生成filter chain,包括FilterChainProxy
3.2.1 FilterChainProxy包含兩部分,一部分是忽略請求清單,每一個配置url就是一個DefaultSecurityFilterChain;一部分是需要鑒權的chain,包含httpSecurity filter清單,是核心功能。
filters 在請求時候根據請求資訊動态比對。
3.2.2 部分filter說明如下
https://docs.spring.io/spring-security/site/docs/4.2.2.RELEASE/reference/htmlsingle/#filter-security-interceptor
Table 6.1. Standard Filter Aliases and Ordering
| Alias | Filter Class | Namespace Element or Attribute |
| CHANNEL_FILTER | ChannelProcessingFilter(協定跳轉) | http/[email protected] |
| SECURITY_CONTEXT_FILTER | SecurityContextPersistenceFilter(SecurityContext儲存到session中,給下一次web請求使用) | http |
| CONCURRENT_SESSION_FILTER | ConcurrentSessionFilter(存放session資訊,重新整理請求時間;以及session失效後,觸發登出操作) | session-management/concurrency-control |
| HEADERS_FILTER | HeaderWriterFilter | http/headers |
| CSRF_FILTER | CsrfFilter(csrf校驗處理) | http/csrf |
| LOGOUT_FILTER | LogoutFilter(登出邏輯實作) | http/logout |
| X509_FILTER | X509AuthenticationFilter(X509證書認證) | http/x509 |
| PRE_AUTH_FILTER | AbstractPreAuthenticatedProcessingFilterSubclasses | N/A |
| CAS_FILTER | CasAuthenticationFilter(cas 單點登入) | N/A |
| FORM_LOGIN_FILTER | UsernamePasswordAuthenticationFilter(使用者名密碼認證) | http/form-login |
| BASIC_AUTH_FILTER | BasicAuthenticationFilter(basic認證) | http/http-basic |
| SERVLET_API_SUPPORT_FILTER | SecurityContextHolderAwareRequestFilter | http/@servlet-api-provision |
| JAAS_API_SUPPORT_FILTER | JaasApiIntegrationFilter(Jaas認證) | http/@jaas-api-provision |
| REMEMBER_ME_FILTER | RememberMeAuthenticationFilter(remeber me 實作,借助cookie) | http/remember-me |
| ANONYMOUS_FILTER | AnonymousAuthenticationFilter(無登入,補充一個預設認證) | http/anonymous |
| SESSION_MANAGEMENT_FILTER | SessionManagementFilter(多會話管理) | session-management |
| EXCEPTION_TRANSLATION_FILTER | ExceptionTranslationFilter(異常處理,頁面跳轉) | http |
| FILTER_SECURITY_INTERCEPTOR | FilterSecurityInterceptor(權限控制) | http |
| SWITCH_USER_FILTER | SwitchUserFilter | N/A |
4、WebSecurityConfigurerAdapter init操作
org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter#init
4.1 生成AuthenticationManager, 執行自定義configure(localConfigureAuthenticationBldr)
4.1.1 disableLocalConfigureAuthenticationBldr為false
localConfigureAuthenticationBldr也是一個SecurityBuilder,構造傳回ProviderManagement,包含多個AuthenticationProvider,用于登入鑒權處理,通過自定義SecurityConfig configure(AuthenticationManagerBuilder auth) 追加AuthenticationProvider。
4.1.2 disableLocalConfigureAuthenticationBldr為true
該邏輯中,走authenticationConfiguration邏輯,如果沒有AuthenticationProvider bean,會建立DaoAuthenticationProvider。
4.2 執行自定義 configure(http) ,追加http相關配置,并将SecurityConfigurer追加到configurers集合中,如http中.logout()就會建立一個LogoutConfigurer放到集合中。
這些配置最終會生成filter,filter順序是固定的,org.springframework.security.config.annotation.web.builders.FilterComparator#FilterComparator中存放了初始順序。
4.3 最終追加http到web的securityFilterChainBuilders,用于後續filter生成等處理。
5、WebSecurityConfigurerAdapter configure 操作
該操作預設空操作,可以修改WebSecurity相關邏輯。
6、spring boot FilterChainProxy自動注入
org.springframework.boot.autoconfigure.security.SecurityFilterAutoConfiguration#securityFilterChainRegistration 自動注入springSecurityFilterChain filter,也就是FilterChainProxy