Springsecurity之標籤解析

    注意：Springsecurity版本是4.3.x.RELEASE

    在Springsecurity源碼的config模塊的resources/META-INF下有spring.handlers和spring.schemas，spring.handlers的內容以下List-1所示：

    List-1

http\://www.springframework.org/schema/security=org.springframework.security.config.SecurityNamespaceHandler

    瞭解過Spring自定義註解的，應該知道NamespaceHandler是作什麼的，Spring框架在解析標籤時，會調用註冊了的對應的NamespaceHandler，下面咱們來看下SecurityNamespaceHandler。

    SecurityNamespaceHandler實現了接口NamespaceHandler，NamespaceHandler它三個方法，分別是init、parse、decorate，init方法就是一些初始化之類的。SecurityNamespaceHandler的init方法以下

    List-2

public void init() {
		loadParsers();
	}

	private void loadParsers() {
		// Parsers
		parsers.put(Elements.LDAP_PROVIDER, new LdapProviderBeanDefinitionParser());
		parsers.put(Elements.LDAP_SERVER, new LdapServerBeanDefinitionParser());
		parsers.put(Elements.LDAP_USER_SERVICE, new LdapUserServiceBeanDefinitionParser());
		parsers.put(Elements.USER_SERVICE, new UserServiceBeanDefinitionParser());
		parsers.put(Elements.JDBC_USER_SERVICE, new JdbcUserServiceBeanDefinitionParser());
		parsers.put(Elements.AUTHENTICATION_PROVIDER,
				new AuthenticationProviderBeanDefinitionParser());
		parsers.put(Elements.GLOBAL_METHOD_SECURITY,
				new GlobalMethodSecurityBeanDefinitionParser());
		parsers.put(Elements.AUTHENTICATION_MANAGER,
				new AuthenticationManagerBeanDefinitionParser());
		parsers.put(Elements.METHOD_SECURITY_METADATA_SOURCE,
				new MethodSecurityMetadataSourceBeanDefinitionParser());

		// Only load the web-namespace parsers if the web classes are available
		if (ClassUtils.isPresent(FILTER_CHAIN_PROXY_CLASSNAME, getClass()
				.getClassLoader())) {
			parsers.put(Elements.DEBUG, new DebugBeanDefinitionParser());
			parsers.put(Elements.HTTP, new HttpSecurityBeanDefinitionParser());
			parsers.put(Elements.HTTP_FIREWALL, new HttpFirewallBeanDefinitionParser());
			parsers.put(Elements.FILTER_SECURITY_METADATA_SOURCE,
					new FilterInvocationSecurityMetadataSourceParser());
			parsers.put(Elements.FILTER_CHAIN, new FilterChainBeanDefinitionParser());
			filterChainMapBDD = new FilterChainMapBeanDefinitionDecorator();
		}

		if (ClassUtils.isPresent(MESSAGE_CLASSNAME, getClass().getClassLoader())) {
			parsers.put(Elements.WEBSOCKET_MESSAGE_BROKER,
					new WebSocketMessageBrokerSecurityBeanDefinitionParser());
		}
	}

    解析咱們看到的http標籤使用的就是HttpSecurityBeanDefinitionParser，解析authentication-manager使用的就是AuthenticationManagerBeanDefinitionParser。來看下HttpSecurityBeanDefinitionParser的parser方法，以下圖1所示：

          

                                                                              圖1 

    圖1中的createFilterChain方法中，

       

                                                                            圖2 

    如圖2中所示的紅框內，就是獲取Filter，在拿到Filter以後，會對它們進行排序，這個看下SecurityFilters，以下List-3所示，排序是根據List-3中的屬性order的值進行排序的。

    List-3 

enum SecurityFilters {
	FIRST(Integer.MIN_VALUE),
	CHANNEL_FILTER,
	SECURITY_CONTEXT_FILTER,
	CONCURRENT_SESSION_FILTER,
	/** {@link WebAsyncManagerIntegrationFilter} */
	WEB_ASYNC_MANAGER_FILTER,
	HEADERS_FILTER,
	CORS_FILTER,
	CSRF_FILTER,
	LOGOUT_FILTER,
	X509_FILTER,
	PRE_AUTH_FILTER,
	CAS_FILTER,
	FORM_LOGIN_FILTER,
	OPENID_FILTER,
	LOGIN_PAGE_FILTER,
	DIGEST_AUTH_FILTER,
	BASIC_AUTH_FILTER,
	REQUEST_CACHE_FILTER,
	SERVLET_API_SUPPORT_FILTER,
	JAAS_API_SUPPORT_FILTER,
	REMEMBER_ME_FILTER,
	ANONYMOUS_FILTER,
	SESSION_MANAGEMENT_FILTER,
	EXCEPTION_TRANSLATION_FILTER,
	FILTER_SECURITY_INTERCEPTOR,
	SWITCH_USER_FILTER,
	LAST(Integer.MAX_VALUE);

	private static final int INTERVAL = 100;
	private final int order;

	private SecurityFilters() {
		order = ordinal() * INTERVAL;
	}

	private SecurityFilters(int order) {
		this.order = order;
	}

	public int getOrder() {
		return order;
	}
}