Spring Security (37): Part IV. Web Application Security

Most Spring Security users will be using the framework in applications which make use of HTTP and the Servlet API. In this part, we'll take a look at how Spring Security provides authentication and access-control features for the web layer of an application. We'll look behind the facade of the namespace and see which classes and interfaces are actually assembled to provide web-layer security. In some situations it is necessary to use traditional bean configuration to provide full control over the configuration, so we'll also see how to configure these classes directly without the namespace.

13. The Security Filter Chain

Spring Security's web infrastructure is based entirely on standard servlet filters. It doesn't use servlets or any other servlet-based frameworks (such as Spring MVC) internally, so it has no strong links to any particular web technology. It deals in HttpServletRequests and HttpServletResponses and doesn't care whether the requests come from a browser, a web service client, an HttpInvoker or an AJAX application.
 
Spring Security maintains a filter chain internally where each of the filters has a particular responsibility, and filters are added to or removed from the configuration depending on which services are required. The ordering of the filters is important as there are dependencies between them. If you have been using namespace configuration, then the filters are automatically configured for you and you don't have to define any Spring beans explicitly, but there may be times when you want full control over the security filter chain, either because you are using features which aren't supported in the namespace, or because you are using your own customized versions of classes.
 

13.1 DelegatingFilterProxy

When using servlet filters, you obviously need to declare them in your web.xml, or they will be ignored by the servlet container. In Spring Security, the filter classes are also Spring beans defined in the application context and thus able to take advantage of Spring's rich dependency-injection facilities and lifecycle interfaces. Spring's DelegatingFilterProxy provides the link between web.xml and the application context.
 
When using DelegatingFilterProxy, you will see something like this in the web.xml file:
<filter>
<filter-name>myFilter</filter-name>
<filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
</filter>

<filter-mapping>
<filter-name>myFilter</filter-name>
<url-pattern>/*</url-pattern>
</filter-mapping>

Notice that the filter is actually a DelegatingFilterProxy, and not the class that will actually implement the logic of the filter. What DelegatingFilterProxy does is delegate the Filter's methods through to a bean which is obtained from the Spring application context. This enables the bean to benefit from the Spring web application context lifecycle support and configuration flexibility. The bean must implement javax.servlet.Filter and it must have the same name as that in the filter-name element. Read the Javadoc for DelegatingFilterProxy for more information.
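The Servlet 3.0 equivalent of the web.xml fragment above, written in Java so that the name-matching rule is visible in one place. This is an added example, not code from the reference documentation: the filter name "myFilter", the configuration class and the SecurityHeadersFilter it registers are all hypothetical and chosen only to show that the delegate is an ordinary javax.servlet.Filter bean whose bean name must equal the servlet filter name.

```java
import java.io.IOException;
import java.util.EnumSet;
import javax.servlet.DispatcherType;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.FilterRegistration;
import javax.servlet.ServletContext;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletResponse;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.web.WebApplicationInitializer;
import org.springframework.web.context.ContextLoaderListener;
import org.springframework.web.context.support.AnnotationConfigWebApplicationContext;
import org.springframework.web.filter.DelegatingFilterProxy;

/** Added example: programmatic replacement for the <filter>/<filter-mapping> entries for "myFilter". */
public class MyFilterInitializer implements WebApplicationInitializer {

    @Override
    public void onStartup(ServletContext servletContext) {
        // Root application context; DelegatingFilterProxy looks its delegate up here.
        AnnotationConfigWebApplicationContext rootContext = new AnnotationConfigWebApplicationContext();
        rootContext.register(FilterConfig.class);
        servletContext.addListener(new ContextLoaderListener(rootContext));

        // What the container sees is the proxy. "myFilter" is both the servlet filter name
        // and the targetBeanName the proxy resolves in the root context on first use.
        FilterRegistration.Dynamic registration =
                servletContext.addFilter("myFilter", new DelegatingFilterProxy("myFilter"));
        registration.addMappingForUrlPatterns(EnumSet.of(DispatcherType.REQUEST), false, "/*");
    }

    /** Hypothetical configuration class (assumption, not part of the reference). */
    @Configuration
    static class FilterConfig {
        // The bean name must match the filter-name, otherwise the proxy cannot find its delegate.
        @Bean(name = "myFilter")
        public Filter myFilter() {
            return new SecurityHeadersFilter();
        }
    }

    /** Hypothetical delegate: a plain javax.servlet.Filter managed as a Spring bean. */
    static class SecurityHeadersFilter implements Filter {
        @Override
        public void init(FilterConfig filterConfig) {
            // Not invoked by DelegatingFilterProxy unless targetFilterLifecycle is set to true;
            // use Spring lifecycle callbacks (e.g. @PostConstruct) for bean initialisation instead.
        }

        @Override
        public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
                throws IOException, ServletException {
            if (response instanceof HttpServletResponse) {
                ((HttpServletResponse) response).setHeader("X-Content-Type-Options", "nosniff");
            }
            chain.doFilter(request, response);
        }

        @Override
        public void destroy() {
        }
    }
}
```

Two things worth checking when wiring this by hand: the delegate is looked up lazily, so a missing or misnamed bean does not fail at deployment but on the first request that reaches the proxy (a NoSuchBeanDefinitionException from the root context); and the proxy does not pass init and destroy through to the delegate unless you call setTargetFilterLifecycle(true) on the DelegatingFilterProxy, so rely on Spring's own lifecycle callbacks for setup.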

13.2 FilterChainProxy

Spring Security's web infrastructure should only be used by delegating to an instance of FilterChainProxy. The security filters should not be used by themselves. In theory you could declare each Spring Security filter bean that you require in your application context file and add a corresponding DelegatingFilterProxy entry to web.xml for each filter, making sure that they are ordered correctly, but this would be cumbersome and would clutter up the web.xml file quickly if you have a lot of filters. FilterChainProxy lets us add a single entry to web.xml and deal entirely with the application context file for managing our web security beans. It is wired using a DelegatingFilterProxy, just like in the example above, but with the filter-name set to the bean name "filterChainProxy". The filter chain is then declared in the application context with the same bean name. Here's an example:
<bean id="filterChainProxy" class="org.springframework.security.web.FilterChainProxy">
<constructor-arg>
	<list>
	<sec:filter-chain pattern="/restful/**" filters="
		securityContextPersistenceFilterWithASCFalse,
		basicAuthenticationFilter,
		exceptionTranslationFilter,
		filterSecurityInterceptor" />
	<sec:filter-chain pattern="/**" filters="
		securityContextPersistenceFilterWithASCTrue,
		formLoginFilter,
		exceptionTranslationFilter,
		filterSecurityInterceptor" />
	</list>
</constructor-arg>
</bean>

The namespace element filter-chain is used for convenience to set up the security filter chain(s) which are required within the application [6]. It maps a particular URL pattern to a list of filters built up from the bean names specified in the filters attribute, and combines them in a bean of type SecurityFilterChain. The pattern attribute takes an Ant-style path, and the most specific URIs should appear first [7]. At runtime the FilterChainProxy will locate the first URI pattern that matches the current web request, and the list of filter beans specified by the filters attribute will be applied to that request. The filters will be invoked in the order they are defined, so you have complete control over the filter chain which is applied to a particular URL.
 
You may have noticed we have declared two SecurityContextPersistenceFilter beans in the filter chain (ASC is short for allowSessionCreation; in Spring Security 3.0 and later this is a property of the HttpSessionSecurityContextRepository that SecurityContextPersistenceFilter delegates to). As web service clients will never present a jsessionid on future requests, creating HttpSessions for such user agents would be wasteful. If you have a high-volume application which requires maximum scalability, we recommend you use the approach shown above. For smaller applications, using a single SecurityContextPersistenceFilter (with its default allowSessionCreation of true) would likely be sufficient.
 
Note that FilterChainProxy does not invoke standard filter lifecycle methods on the filters it is configured with. We recommend you use Spring's application context lifecycle interfaces as an alternative, just as you would for any other Spring bean.
 
When we looked at how to set up web security using namespace configuration, we used a DelegatingFilterProxy with the name "springSecurityFilterChain". You should now be able to see that this is the name of the FilterChainProxy which is created by the namespace.

13.2.1 Bypassing the Filter Chain

You can use the attribute filters="none" as an alternative to supplying a filter bean list. This will omit the request pattern from the security filter chain entirely. Note that anything matching this path will then have no authentication or authorization services applied and will be freely accessible. If you want to make use of the contents of the SecurityContext during a request, then it must have passed through the security filter chain. Otherwise the SecurityContextHolder will not have been populated and the contents will be null.
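The two-chain FilterChainProxy from 13.2, assembled in Java instead of with the filter-chain namespace element, plus a third chain with an empty filter list, which is what filters="none" in 13.2.1 produces. This is an added example and not code from the reference: it assumes Spring Security 5.x, a constructed in-memory user alice with the {noop} password s3cret, a login page at /login, a /static/** prefix that is served without security, and a DelegatingFilterProxy mapped under the filter-name filterChainProxy as in the web.xml shown earlier. Note that allowSessionCreation is set on the HttpSessionSecurityContextRepository, which is where it lives in the 3.x and later API.

```java
import java.util.Arrays;
import java.util.Collection;
import java.util.LinkedHashMap;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.access.AccessDecisionVoter;
import org.springframework.security.access.ConfigAttribute;
import org.springframework.security.access.SecurityConfig;
import org.springframework.security.access.vote.AffirmativeBased;
import org.springframework.security.access.vote.RoleVoter;
import org.springframework.security.authentication.AuthenticationManager;
import org.springframework.security.authentication.AuthenticationProvider;
import org.springframework.security.authentication.ProviderManager;
import org.springframework.security.authentication.dao.DaoAuthenticationProvider;
import org.springframework.security.core.userdetails.User;
import org.springframework.security.provisioning.InMemoryUserDetailsManager;
import org.springframework.security.web.DefaultSecurityFilterChain;
import org.springframework.security.web.FilterChainProxy;
import org.springframework.security.web.SecurityFilterChain;
import org.springframework.security.web.access.ExceptionTranslationFilter;
import org.springframework.security.web.access.intercept.DefaultFilterInvocationSecurityMetadataSource;
import org.springframework.security.web.access.intercept.FilterSecurityInterceptor;
import org.springframework.security.web.authentication.LoginUrlAuthenticationEntryPoint;
import org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter;
import org.springframework.security.web.authentication.www.BasicAuthenticationEntryPoint;
import org.springframework.security.web.authentication.www.BasicAuthenticationFilter;
import org.springframework.security.web.context.HttpSessionSecurityContextRepository;
import org.springframework.security.web.context.SecurityContextPersistenceFilter;
import org.springframework.security.web.util.matcher.AntPathRequestMatcher;
import org.springframework.security.web.util.matcher.RequestMatcher;

/** Added example: the bean named "filterChainProxy" that the web.xml DelegatingFilterProxy delegates to. */
@Configuration
public class FilterChainProxyConfig {

    @Bean
    public AuthenticationManager authenticationManager() {
        DaoAuthenticationProvider provider = new DaoAuthenticationProvider();
        // Constructed sample user; {noop} stores the password unencoded and is for this demo only.
        provider.setUserDetailsService(new InMemoryUserDetailsManager(
                User.withUsername("alice").password("{noop}s3cret").roles("USER").build()));
        return new ProviderManager(Arrays.<AuthenticationProvider>asList(provider));
    }

    @Bean(name = "filterChainProxy")
    public FilterChainProxy filterChainProxy(AuthenticationManager authenticationManager) throws Exception {
        // filterSecurityInterceptor: every URL that reaches it requires ROLE_USER.
        LinkedHashMap<RequestMatcher, Collection<ConfigAttribute>> requestMap = new LinkedHashMap<>();
        requestMap.put(new AntPathRequestMatcher("/**"), SecurityConfig.createList("ROLE_USER"));
        FilterSecurityInterceptor filterSecurityInterceptor = new FilterSecurityInterceptor();
        filterSecurityInterceptor.setAuthenticationManager(authenticationManager);
        filterSecurityInterceptor.setAccessDecisionManager(
                new AffirmativeBased(Arrays.<AccessDecisionVoter<?>>asList(new RoleVoter())));
        filterSecurityInterceptor.setSecurityMetadataSource(
                new DefaultFilterInvocationSecurityMetadataSource(requestMap));

        // securityContextPersistenceFilterWithASCFalse: never create an HttpSession for REST clients.
        HttpSessionSecurityContextRepository noSessionRepository = new HttpSessionSecurityContextRepository();
        noSessionRepository.setAllowSessionCreation(false);
        SecurityContextPersistenceFilter persistenceASCFalse =
                new SecurityContextPersistenceFilter(noSessionRepository);
        // securityContextPersistenceFilterWithASCTrue: the default, sessions allowed.
        SecurityContextPersistenceFilter persistenceASCTrue =
                new SecurityContextPersistenceFilter(new HttpSessionSecurityContextRepository());

        // basicAuthenticationFilter and its entry point (401 + WWW-Authenticate for the REST chain).
        BasicAuthenticationEntryPoint basicEntryPoint = new BasicAuthenticationEntryPoint();
        basicEntryPoint.setRealmName("restful");
        basicEntryPoint.afterPropertiesSet();
        BasicAuthenticationFilter basicAuthenticationFilter =
                new BasicAuthenticationFilter(authenticationManager, basicEntryPoint);

        // formLoginFilter: processes POST /login for browser clients.
        UsernamePasswordAuthenticationFilter formLoginFilter = new UsernamePasswordAuthenticationFilter();
        formLoginFilter.setAuthenticationManager(authenticationManager);

        SecurityFilterChain restful = new DefaultSecurityFilterChain(new AntPathRequestMatcher("/restful/**"),
                persistenceASCFalse, basicAuthenticationFilter,
                new ExceptionTranslationFilter(basicEntryPoint), filterSecurityInterceptor);
        // Equivalent of filters="none": requests under /static/** get no security filters at all,
        // so SecurityContextHolder is empty for them.
        SecurityFilterChain statics = new DefaultSecurityFilterChain(new AntPathRequestMatcher("/static/**"));
        SecurityFilterChain everythingElse = new DefaultSecurityFilterChain(new AntPathRequestMatcher("/**"),
                persistenceASCTrue, formLoginFilter,
                new ExceptionTranslationFilter(new LoginUrlAuthenticationEntryPoint("/login")),
                filterSecurityInterceptor);

        // First match wins, so the specific patterns go before "/**".
        return new FilterChainProxy(Arrays.asList(restful, statics, everythingElse));
    }
}
```

The list order passed to FilterChainProxy is the matching order: if "/**" were listed first, the REST and static chains would never be selected. The filters created inside the @Bean method are not beans themselves, which is consistent with the note that FilterChainProxy does not call the servlet lifecycle methods on them; anything that needs Spring lifecycle callbacks should be declared as its own bean and injected.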

13.3 Filter Ordering

The order that filters are defined in the chain is very important. Irrespective of which filters you are actually using, the order should be as follows:
  • ChannelProcessingFilter, because it might need to redirect to a different protocol
  • SecurityContextPersistenceFilter, so a SecurityContext can be set up in the SecurityContextHolder at the beginning of a web request, and any changes to the SecurityContext can be copied to the HttpSession when the web request ends (ready for use with the next web request)
  • ConcurrentSessionFilter, because it uses the SecurityContextHolder functionality and needs to update the SessionRegistry to reflect ongoing requests from the principal
  • Authentication processing mechanisms (UsernamePasswordAuthenticationFilter, CasAuthenticationFilter, BasicAuthenticationFilter, etc.), so that the SecurityContextHolder can be modified to contain a valid Authentication request token
  • The SecurityContextHolderAwareRequestFilter, if you are using it to install a Spring Security aware HttpServletRequestWrapper into your servlet container
  • The JaasApiIntegrationFilter: if a JaasAuthenticationToken is in the SecurityContextHolder, this will process the FilterChain as the Subject in the JaasAuthenticationToken
  • RememberMeAuthenticationFilter, so that if no earlier authentication processing mechanism updated the SecurityContextHolder, and the request presents a cookie that enables remember-me services to take place, a suitable remembered Authentication object will be put there
  • AnonymousAuthenticationFilter, so that if no earlier authentication processing mechanism updated the SecurityContextHolder, an anonymous Authentication object will be put there
  • ExceptionTranslationFilter, to catch any Spring Security exceptions so that either an HTTP error response can be returned or an appropriate AuthenticationEntryPoint can be launched
  • FilterSecurityInterceptor, to protect web URIs and raise exceptions when access is denied
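When chains are assembled by hand, nothing enforces the order above, and a misplaced filter fails quietly (for example, an AnonymousAuthenticationFilter placed before the form-login filter pre-empts it, and an ExceptionTranslationFilter placed after the FilterSecurityInterceptor never sees the AccessDeniedException it is meant to translate). The following lint, added here and not part of Spring Security, encodes the list above as ranks and reports every filter that appears before one it must follow. It assumes the spring-security-web classes of 5.x; the two helpers and the sample paths passed to them are hypothetical names chosen for this example.

```java
import java.util.ArrayList;
import java.util.List;
import javax.servlet.Filter;
import org.springframework.security.web.FilterChainProxy;
import org.springframework.security.web.access.ExceptionTranslationFilter;
import org.springframework.security.web.access.channel.ChannelProcessingFilter;
import org.springframework.security.web.access.intercept.FilterSecurityInterceptor;
import org.springframework.security.web.authentication.AbstractAuthenticationProcessingFilter;
import org.springframework.security.web.authentication.AnonymousAuthenticationFilter;
import org.springframework.security.web.authentication.rememberme.RememberMeAuthenticationFilter;
import org.springframework.security.web.authentication.www.BasicAuthenticationFilter;
import org.springframework.security.web.context.SecurityContextPersistenceFilter;
import org.springframework.security.web.jaasapi.JaasApiIntegrationFilter;
import org.springframework.security.web.servletapi.SecurityContextHolderAwareRequestFilter;
import org.springframework.security.web.session.ConcurrentSessionFilter;

/** Added example: checks a hand-built filter list against the order required in section 13.3. */
public final class FilterOrderCheck {

    // One row per bullet in 13.3. The fourth row is the "authentication processing mechanisms"
    // group (UsernamePasswordAuthenticationFilter and CasAuthenticationFilter both extend
    // AbstractAuthenticationProcessingFilter); filters in the same row may appear in any order.
    private static final Class<?>[][] ORDER = {
        { ChannelProcessingFilter.class },
        { SecurityContextPersistenceFilter.class },
        { ConcurrentSessionFilter.class },
        { AbstractAuthenticationProcessingFilter.class, BasicAuthenticationFilter.class },
        { SecurityContextHolderAwareRequestFilter.class },
        { JaasApiIntegrationFilter.class },
        { RememberMeAuthenticationFilter.class },
        { AnonymousAuthenticationFilter.class },
        { ExceptionTranslationFilter.class },
        { FilterSecurityInterceptor.class },
    };

    /** Position of a filter in the canonical order, or -1 for a filter that 13.3 does not mention. */
    static int rank(Filter filter) {
        for (int i = 0; i < ORDER.length; i++) {
            for (Class<?> type : ORDER[i]) {
                if (type.isInstance(filter)) {
                    return i;
                }
            }
        }
        return -1;
    }

    /** One message per out-of-order filter; an empty list means the chain follows 13.3. */
    public static List<String> violations(List<? extends Filter> chain) {
        List<String> problems = new ArrayList<>();
        int highestRank = -1;
        String highestName = null;
        for (Filter filter : chain) {
            int rank = rank(filter);
            if (rank < 0) {
                continue; // custom filter: the list in 13.3 places no constraint on it
            }
            if (rank < highestRank) {
                problems.add(filter.getClass().getSimpleName() + " must come before " + highestName);
            } else {
                highestRank = rank;
                highestName = filter.getClass().getSimpleName();
            }
        }
        return problems;
    }

    /** Checks the chain FilterChainProxy would select for each sample request path. */
    public static List<String> violations(FilterChainProxy proxy, String... samplePaths) {
        List<String> problems = new ArrayList<>();
        for (String path : samplePaths) {
            List<Filter> filters = proxy.getFilters(path);
            if (filters == null) {
                continue; // no chain matches this path, so no filters run for it
            }
            for (String problem : violations(filters)) {
                problems.add(path + ": " + problem);
            }
        }
        return problems;
    }
}
```

Run it against the proxy from 13.2 with one representative path per chain, for example FilterOrderCheck.violations(filterChainProxy, "/restful/ping", "/index"): the chains shown there return an empty list, while swapping exceptionTranslationFilter and filterSecurityInterceptor in either chain yields a single "ExceptionTranslationFilter must come before FilterSecurityInterceptor" message for that path. The check deliberately ignores filters it does not know about, so it will not complain about your own filters, but it also cannot place them for you.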