TODO: details to be expanded
AccessDecisionManager: checks authorization information
AccessDecisionVoter subclasses:
  RoleVoter (org.springframework.security.access.vote)
  RoleHierarchyVoter (org.springframework.security.access.vote)
  ScopeVoter (org.springframework.security.oauth2.provider.vote)
  WebExpressionVoter (org.springframework.security.web.access.expression)
  ClientScopeVoter (org.springframework.security.oauth2.provider.vote)
  Jsr250Voter (org.springframework.security.access.annotation)
  AuthenticatedVoter (org.springframework.security.access.vote)
  AbstractAclVoter (org.springframework.security.access.vote)
  PreInvocationAuthorizationAdviceVoter (org.springframework.security.access.prepost)
AuthenticationEntryPoint subclasses:
  Http401AuthenticationEntryPoint (org.springframework.boot.autoconfigure.security)
  DelegatingAuthenticationEntryPoint (org.springframework.security.web.authentication)
  BasicAuthenticationEntryPoint (org.springframework.security.web.authentication.www)
  DigestAuthenticationEntryPoint (org.springframework.security.web.authentication.www)
  Http403ForbiddenEntryPoint (org.springframework.security.web.authentication)
  LoginUrlAuthenticationEntryPoint (org.springframework.security.web.authentication)
  OAuth2AuthenticationEntryPoint (org.springframework.security.oauth2.provider.error)
  HttpStatusEntryPoint (org.springframework.security.web.authentication)
Basic-related
Digest-related
chain = {FilterChainProxy$VirtualFilterChain@10122}
  originalChain = {ApplicationFilterChain@10132}
    filters = {ApplicationFilterConfig[10]@10359}
      0 = {ApplicationFilterConfig@10362} metrics collection "ApplicationFilterConfig[name=metricsFilter, filterClass=org.springframework.boot.actuate.autoconfigure.MetricsFilter]"
      1 = {ApplicationFilterConfig@10363} sets the character encoding "ApplicationFilterConfig[name=characterEncodingFilter, filterClass=org.springframework.boot.web.filter.OrderedCharacterEncodingFilter]"
      2 = {ApplicationFilterConfig@10364} Sleuth message tracing "ApplicationFilterConfig[name=traceFilter, filterClass=org.springframework.cloud.sleuth.instrument.web.TraceFilter]"
      3 = {ApplicationFilterConfig@10365} HTTP method conversion "ApplicationFilterConfig[name=hiddenHttpMethodFilter, filterClass=org.springframework.boot.web.filter.OrderedHiddenHttpMethodFilter]"
      4 = {ApplicationFilterConfig@10366} lets HTTP PUT and PATCH requests read form parameters "ApplicationFilterConfig[name=httpPutFormContentFilter, filterClass=org.springframework.boot.web.filter.OrderedHttpPutFormContentFilter]"
      5 = {ApplicationFilterConfig@10367} request context setup "ApplicationFilterConfig[name=requestContextFilter, filterClass=org.springframework.boot.web.filter.OrderedRequestContextFilter]"
      6 = {ApplicationFilterConfig@10368} proxy that delegates to springSecurityFilterChain (TODO) "ApplicationFilterConfig[name=springSecurityFilterChain, filterClass=org.springframework.boot.web.servlet.DelegatingFilterProxyRegistrationBean$1]"
      7 = {ApplicationFilterConfig@10369} records request calls, similar to an API access log "ApplicationFilterConfig[name=webRequestLoggingFilter, filterClass=org.springframework.boot.actuate.trace.WebRequestTraceFilter]"
      8 = {ApplicationFilterConfig@10370} adds the X-Application-Context header to the response "ApplicationFilterConfig[name=applicationContextIdFilter, filterClass=org.springframework.boot.web.filter.ApplicationContextHeaderFilter]"
      9 = {ApplicationFilterConfig@10371} WebSocket support "ApplicationFilterConfig[name=Tomcat WebSocket (JSR356) Filter, filterClass=org.apache.tomcat.websocket.server.WsFilter]"
    pos = 7
    n = 10
    servlet = {DispatcherServlet@10361}
    servletSupportsAsync = true
  additionalFilters = {ArrayList@10344} size = 11
    0 = registers SecurityContext interception with the WebAsyncManager {WebAsyncManagerIntegrationFilter@10127}
    1 = loads and persists the SecurityContext, for example in the session {SecurityContextPersistenceFilter@10125}
    2 = writes headers to the response {HeaderWriterFilter@10124}
    3 = handles logout {LogoutFilter@10123}
    4 = authenticates if a token is present {OAuth2AuthenticationProcessingFilter@10118}
    5 = retrieves the request that was cached before the authentication redirect {RequestCacheAwareFilter@10353}
    6 = wraps the request so that the authentication object is obtained from Spring Security rather than the web container {SecurityContextHolderAwareRequestFilter@10354}
    7 = when the request is not authenticated, sets an anonymous user object in the context {AnonymousAuthenticationFilter@10355}
    8 = session control associated with the user {SessionManagementFilter@10356}
    9 = filter exception handling. Exceptions from the preceding filters, such as the authentication process, cannot be handled at this point {ExceptionTranslationFilter@10357}
    10 = security interceptor (TODO) {FilterSecurityInterceptor@10358}
  firewalledRequest = {RequestWrapper@10179} "FirewalledRequest[ org.apache.catalina.connector.RequestFacade@5a96a1]"
  size = 11
  currentPosition = 5
debug = true
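WebSecurityConfiguration loads all SecurityConfigurer configurations and applies them, but does not yet instantiate or build anything. When WebSecurityConfiguration loads the springSecurityFilterChain bean, the Filter object is built. At that point init is called on the SecurityConfigurer list collected earlier, which in turn calls configure(HttpSecurity http).
WebSecurityConfiguration: loads the security configuration
Specifically, springSecurityFilterChain() loads all SecurityConfigurers into WebSecurity, then builds and caches the result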
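Once springSecurityFilterChain has been built, the resulting chains can be checked at startup instead of in the debugger. This is an added example, not code from the original notes: the class name FilterChainAudit and its wiring are assumptions, and it targets the servlet-based Spring Security 4.x / Spring Boot 1.x stack these notes describe. It flags chains with no filters (as produced for ignored paths) and chains that lack a FilterSecurityInterceptor.

```java
import java.util.ArrayList;
import java.util.List;
import javax.servlet.Filter;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.beans.factory.annotation.Qualifier;
import org.springframework.boot.CommandLineRunner;
import org.springframework.security.web.DefaultSecurityFilterChain;
import org.springframework.security.web.FilterChainProxy;
import org.springframework.security.web.SecurityFilterChain;
import org.springframework.security.web.access.intercept.FilterSecurityInterceptor;
import org.springframework.stereotype.Component;

// Hypothetical startup audit (class name and wiring are assumptions, not from the notes).
@Component
public class FilterChainAudit implements CommandLineRunner {
    @Autowired @Qualifier("springSecurityFilterChain")
    private Filter securityFilter;

    // Returns one finding per chain that lets matching requests through unchecked.
    static List<String> audit(List<SecurityFilterChain> chains) {
        List<String> findings = new ArrayList<>();
        for (int i = 0; i < chains.size(); i++) {
            SecurityFilterChain chain = chains.get(i);
            String matcher = chain instanceof DefaultSecurityFilterChain
                    ? String.valueOf(((DefaultSecurityFilterChain) chain).getRequestMatcher())
                    : chain.getClass().getName();
            List<Filter> filters = chain.getFilters();
            boolean authorizes = filters.stream().anyMatch(f -> f instanceof FilterSecurityInterceptor);
            if (filters.isEmpty()) {
                findings.add("chain " + i + " " + matcher + ": no filters, matching requests skip Spring Security");
            } else if (!authorizes) {
                findings.add("chain " + i + " " + matcher + ": no FilterSecurityInterceptor, URL rules not enforced");
            }
        }
        return findings;
    }

    @Override
    public void run(String... args) {
        if (!(securityFilter instanceof FilterChainProxy)) {
            System.out.println("springSecurityFilterChain is " + securityFilter.getClass().getName());
            return;
        }
        List<SecurityFilterChain> chains = ((FilterChainProxy) securityFilter).getFilterChains();
        System.out.println("security filter chains: " + chains.size());
        audit(chains).forEach(finding -> System.out.println("WARN " + finding));
    }
}
```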
SecurityConfigurer subclasses:
  SecurityConfigurerAdapter (org.springframework.security.config.annotation)
  ClientDetailsServiceConfigurer (org.springframework.security.oauth2.config.annotation.configurers)
  OAuth2ClientAuthenticationConfigurer in SsoSecurityConfigurer (org.springframework.boot.autoconfigure.security.oauth2.client)
  UserDetailsAwareConfigurer (org.springframework.security.config.annotation.authentication.configurers.userdetails)
  AbstractDaoAuthenticationConfigurer (org.springframework.security.config.annotation.authentication.configurers.userdetails)
  DaoAuthenticationConfigurer (org.springframework.security.config.annotation.authentication.configurers.userdetails)
  UserDetailsServiceConfigurer (org.springframework.security.config.annotation.authentication.configurers.userdetails)
  UserDetailsManagerConfigurer (org.springframework.security.config.annotation.authentication.configurers.provisioning)
  JdbcUserDetailsManagerConfigurer (org.springframework.security.config.annotation.authentication.configurers.provisioning)
  InMemoryUserDetailsManagerConfigurer (org.springframework.security.config.annotation.authentication.configurers.provisioning)
  DefaultInMemoryUserDetailsManagerConfigurer in AuthenticationManagerConfiguration (org.springframework.boot.autoconfigure.security)
  ResourceServerSecurityConfigurer (org.springframework.security.oauth2.config.annotation.web.configurers)
  AbstractHttpConfigurer (org.springframework.security.config.annotation.web.configurers)
  HttpBasicConfigurer (org.springframework.security.config.annotation.web.configurers)
  LogoutConfigurer (org.springframework.security.config.annotation.web.configurers)
  RememberMeConfigurer (org.springframework.security.config.annotation.web.configurers)
  RequestCacheConfigurer (org.springframework.security.config.annotation.web.configurers)
  ServletApiConfigurer (org.springframework.security.config.annotation.web.configurers)
  DefaultLoginPageConfigurer (org.springframework.security.config.annotation.web.configurers)
  SessionManagementConfigurer (org.springframework.security.config.annotation.web.configurers)
  PortMapperConfigurer (org.springframework.security.config.annotation.web.configurers)
  ExceptionHandlingConfigurer (org.springframework.security.config.annotation.web.configurers)
  HeadersConfigurer (org.springframework.security.config.annotation.web.configurers)
  CsrfConfigurer (org.springframework.security.config.annotation.web.configurers)
  JeeConfigurer (org.springframework.security.config.annotation.web.configurers)
  AnonymousConfigurer (org.springframework.security.config.annotation.web.configurers)
  ChannelSecurityConfigurer (org.springframework.security.config.annotation.web.configurers)
  CorsConfigurer (org.springframework.security.config.annotation.web.configurers)
  SecurityContextConfigurer (org.springframework.security.config.annotation.web.configurers)
  X509Configurer (org.springframework.security.config.annotation.web.configurers)
  AbstractAuthenticationFilterConfigurer (org.springframework.security.config.annotation.web.configurers)
  FormLoginConfigurer (org.springframework.security.config.annotation.web.configurers)
  OpenIDLoginConfigurer (org.springframework.security.config.annotation.web.configurers.openid)
  AbstractInterceptUrlConfigurer (org.springframework.security.config.annotation.web.configurers)
  UrlAuthorizationConfigurer (org.springframework.security.config.annotation.web.configurers)
  ExpressionUrlAuthorizationConfigurer (org.springframework.security.config.annotation.web.configurers)
  AuthorizationServerSecurityConfigurer (org.springframework.security.oauth2.config.annotation.web.configurers)
  ClientDetailsServiceBuilder (org.springframework.security.oauth2.config.annotation.builders)
  JdbcClientDetailsServiceBuilder (org.springframework.security.oauth2.config.annotation.builders)
  1 in ClientDetailsServiceBuilder (org.springframework.security.oauth2.config.annotation.builders)
  InMemoryClientDetailsServiceBuilder (org.springframework.security.oauth2.config.annotation.builders)
  LdapAuthenticationProviderConfigurer (org.springframework.security.config.annotation.authentication.configurers.ldap)
  WebSecurityConfigurer (org.springframework.security.config.annotation.web)
  WebSecurityConfigurerAdapter (org.springframework.security.config.annotation.web.configuration)
  1 in WebSecurityConfiguration (org.springframework.security.config.annotation.web.configuration)
  ResourceServerConfiguration (org.springframework.security.oauth2.config.annotation.web.configuration)
  ApplicationNoWebSecurityConfigurerAdapter in SpringBootWebSecurityConfiguration (org.springframework.boot.autoconfigure.security)
  ManagementWebSecurityConfigurerAdapter in ManagementWebSecurityAutoConfiguration (org.springframework.boot.actuate.autoconfigure)
  AuthorizationServerSecurityConfiguration (org.springframework.security.oauth2.config.annotation.web.configuration)
  H2ConsoleSecurityConfigurer in H2ConsoleSecurityConfiguration in H2ConsoleAutoConfiguration (org.springframework.boot.autoconfigure.h2)
  OAuth2SsoDefaultConfiguration (org.springframework.boot.autoconfigure.security.oauth2.client)
  ApplicationWebSecurityConfigurerAdapter in SpringBootWebSecurityConfiguration (org.springframework.boot.autoconfigure.security)
  IgnoredPathsWebSecurityConfigurerAdapter in SpringBootWebSecurityConfiguration (org.springframework.boot.autoconfigure.security)
  GlobalAuthenticationConfigurerAdapter (org.springframework.security.config.annotation.authentication.configurers)
  InitializeAuthenticationProviderBeanManagerConfigurer (org.springframework.security.config.annotation.authentication.configuration)
  InitializeUserDetailsBeanManagerConfigurer (org.springframework.security.config.annotation.authentication.configuration)
  InitializeUserDetailsManagerConfigurer in InitializeAuthenticationProviderBeanManagerConfigurer (org.springframework.security.config.annotation.authentication.configuration)
  SpringBootAuthenticationConfigurerAdapter in AuthenticationManagerConfiguration (org.springframework.boot.autoconfigure.security)
  BootGlobalAuthenticationConfigurationAdapter in BootGlobalAuthenticationConfiguration (org.springframework.boot.autoconfigure.security)
  InitializeUserDetailsManagerConfigurer in InitializeUserDetailsBeanManagerConfigurer (org.springframework.security.config.annotation.authentication.configuration)
  EnableGlobalAuthenticationAutowiredConfigurer in AuthenticationConfiguration (org.springframework.security.config.annotation.authentication.configuration)
WebSecurityConfigurer subclasses:
  WebSecurityConfigurerAdapter (org.springframework.security.config.annotation.web.configuration)
  WebSecurityConfiguration (com.huawei.billingcloud.sysmgmt.oauth)
  1 in WebSecurityConfiguration (org.springframework.security.config.annotation.web.configuration)
  ResourceServerConfiguration (org.springframework.security.oauth2.config.annotation.web.configuration)
  ApplicationNoWebSecurityConfigurerAdapter in SpringBootWebSecurityConfiguration (org.springframework.boot.autoconfigure.security)
  ManagementWebSecurityConfigurerAdapter in ManagementWebSecurityAutoConfiguration (org.springframework.boot.actuate.autoconfigure)
  AuthorizationServerSecurityConfiguration (org.springframework.security.oauth2.config.annotation.web.configuration)
  H2ConsoleSecurityConfigurer in H2ConsoleSecurityConfiguration in H2ConsoleAutoConfiguration (org.springframework.boot.autoconfigure.h2)
  OAuth2SsoDefaultConfiguration (org.springframework.boot.autoconfigure.security.oauth2.client)
  ApplicationWebSecurityConfigurerAdapter in SpringBootWebSecurityConfiguration (org.springframework.boot.autoconfigure.security)
  IgnoredPathsWebSecurityConfigurerAdapter in SpringBootWebSecurityConfiguration (org.springframework.boot.autoconfigure.security)
ResourceServerConfiguration loads the resource server configuration, ResourceServerConfigurer.
It is itself also a WebSecurityConfigurer, so it is loaded by the WebSecurityConfiguration described above.
RestTemplate default converters:
  0 = {ByteArrayHttpMessageConverter@8484}
  1 = {StringHttpMessageConverter@8485}
  2 = {ResourceHttpMessageConverter@8486}
  3 = {SourceHttpMessageConverter@8487}
  4 = {AllEncompassingFormHttpMessageConverter@8488}
  5 = {Jaxb2RootElementHttpMessageConverter@8489}
  6 = {MappingJackson2HttpMessageConverter@8490}
0 = {SpringBootWebSecurityConfiguration$IgnoredPathsWebSecurityConfigurerAdapter@11234}
1 = {ResourceServerConfiguration$$EnhancerBySpringCGLIB$$c6c322ec@8468}
2 = {SpringBootWebSecurityConfiguration$ApplicationNoWebSecurityConfigurerAdapter$$EnhancerBySpringCGLIB$$a64c52f7@11230}
0 = {SpringBootWebSecurityConfiguration$IgnoredPathsWebSecurityConfigurerAdapter@13290}
1 = {AuthorizationServerSecurityConfiguration$$EnhancerBySpringCGLIB$$2aaaf2bf@9227}
2 = {WebSecurityConfiguration$$EnhancerBySpringCGLIB$$f14e4087@13291}
3 = {SpringBootWebSecurityConfiguration$ApplicationNoWebSecurityConfigurerAdapter$$EnhancerBySpringCGLIB$$a7a04c53@13292}