springSecurity安全框架的學習和原理解讀
最近在公司的項目中使用了spring security框架,因此有機會來學習一下,公司的項目是使用springboot搭建 springBoot版本1.59html
spring security 版本4.2.3java
(我的理解可能會有誤差,但願有不正確之處,你們可以指出來,共同探討交流。)web
目錄spring
一、簡介數組
二、框架原理緩存
2、自定義安全配置的加載機制springboot
一、前提 基於自身業務須要session
四、舉例說明如何將一個Configurer轉換爲filter
1、Spring security框架簡介
一、簡介
一個可以爲基於Spring的企業應用系統提供聲明式的安全訪問控制解決方式的安全框架(簡單說是對訪問權限進行控制嘛),應用的安全性包括用戶認證(Authentication)和用戶受權(Authorization)兩個部分。用戶認證指的是驗證某個用戶是否爲系統中的合法主體,也就是說用戶可否訪問該系統。用戶認證通常要求用戶提供用戶名和密碼。系統經過校驗用戶名和密碼來完成認證過程。用戶受權指的是驗證某個用戶是否有權限執行某個操做。在一個系統中,不一樣用戶所具備的權限是不一樣的。好比對一個文件來講,有的用戶只能進行讀取,而有的用戶能夠進行修改。通常來講,系統會爲不一樣的用戶分配不一樣的角色,而每一個角色則對應一系列的權限。 spring security的主要核心功能爲 認證和受權,全部的架構也是基於這兩個核心功能去實現的。
二、框架原理
衆所周知 想要對對Web資源進行保護,最好的辦法莫過於Filter,要想對方法調用進行保護,最好的辦法莫過於AOP。因此springSecurity在咱們進行用戶認證以及授予權限的時候,經過各類各樣的攔截器來控制權限的訪問,從而實現安全。
以下爲其主要過濾器
- WebAsyncManagerIntegrationFilter
- SecurityContextPersistenceFilter
- HeaderWriterFilter
- CorsFilter
- LogoutFilter
- RequestCacheAwareFilter
- SecurityContextHolderAwareRequestFilter
- AnonymousAuthenticationFilter
- SessionManagementFilter
- ExceptionTranslationFilter
- FilterSecurityInterceptor
- UsernamePasswordAuthenticationFilter
- BasicAuthenticationFilter
三、框架的核心組件
- SecurityContextHolder:提供對SecurityContext的訪問
- SecurityContext,:持有Authentication對象和其餘可能須要的信息
- AuthenticationManager 其中能夠包含多個AuthenticationProvider
- ProviderManager對象爲AuthenticationManager接口的實現類
- AuthenticationProvider 主要用來進行認證操做的類 調用其中的authenticate()方法去進行認證操做
- Authentication:Spring Security方式的認證主體
- GrantedAuthority:對認證主題的應用層面的受權,含當前用戶的權限信息,一般使用角色表示
- UserDetails:構建Authentication對象必須的信息,能夠自定義,可能須要訪問DB獲得
- UserDetailsService:經過username構建UserDetails對象,經過loadUserByUsername根據userName獲取UserDetail對象 (能夠在這裏基於自身業務進行自定義的實現 如經過數據庫,xml,緩存獲取等)
2、自定義安全配置的加載機制
一、前提 基於自身業務須要
有關springSecrity安全框架的理解參考:springSecurity安全框架介紹
自定義了一個springSecurity安全框架的配置類 繼承WebSecurityConfigurerAdapter,重寫其中的方法configure,可是並不清楚自定義的類是如何被加載並起到做用,這裏一步步經過debug來了解其中的加載原理。
其實在咱們實現該類後,在web容器啓動的過程當中該類實例對象會被WebSecurityConfiguration類處理。
@Configuration
public class SpringSecurityConfig extends WebSecurityConfigurerAdapter {
@Autowired
private AccessDeniedHandler accessDeniedHandler;
@Autowired
private CustAuthenticationProvider custAuthenticationProvider;
// roles admin allow to access /admin/**
// roles user allow to access /user/**
// custom 403 access denied handler
//重寫了其中的configure()方法設置了不一樣url的不一樣訪問權限
@Override
protected void configure(HttpSecurity http) throws Exception {
http.csrf().disable()
.authorizeRequests()
.antMatchers("/home", "/about","/img/*").permitAll()
.antMatchers("/admin/**","/upload/**").hasAnyRole("ADMIN")
.antMatchers("/order/**").hasAnyRole("USER","ADMIN")
.antMatchers("/room/**").hasAnyRole("USER","ADMIN")
.anyRequest().authenticated()
.and()
.formLogin()
.loginPage("/login")
.permitAll()
.and()
.logout()
.permitAll()
.and()
.exceptionHandling().accessDeniedHandler(accessDeniedHandler);
}
// create two users, admin and user
@Autowired
public void configureGlobal(AuthenticationManagerBuilder auth) throws Exception {
// auth.inMemoryAuthentication()
// .withUser("user").password("user").roles("USER")
// .and()
// .withUser("admin").password("admin").roles("ADMIN");
// auth.jdbcAuthentication()
auth.authenticationProvider(custAuthenticationProvider);
}
二、WebSecurityConfiguration類
@Configuration
public class WebSecurityConfiguration implements ImportAware, BeanClassLoaderAware {
private WebSecurity webSecurity;
private Boolean debugEnabled;
private List<SecurityConfigurer<Filter, WebSecurity>> webSecurityConfigurers;
private ClassLoader beanClassLoader;
...省略部分代碼
@Bean(
name = {"springSecurityFilterChain"}
)
public Filter springSecurityFilterChain() throws Exception {
boolean hasConfigurers = this.webSecurityConfigurers != null
&& !this.webSecurityConfigurers.isEmpty();
if(!hasConfigurers) {
WebSecurityConfigurerAdapter adapter = (WebSecurityConfigurerAdapter)
this.objectObjectPostProcessor
.postProcess(new WebSecurityConfigurerAdapter() {
});
this.webSecurity.apply(adapter);
}
return (Filter)this.webSecurity.build();
}
/*一、先執行該方法將咱們自定義springSecurity配置實例 (可能還有系統默認的有關安全的配置實例 ) 配置實例中含有咱們自定義業務的權限控制配置信息 放入到該對象的list數組中webSecurityConfigurers中 使用@Value註解來將實例對象做爲形參注入 */
@Autowired(
required = false
)
public void setFilterChainProxySecurityConfigurer(ObjectPostProcessor<Object> objectPostProcessor, @Value("#{@autowiredWebSecurityConfigurersIgnoreParents.getWebSecurityConfigurers()}") List<SecurityConfigurer<Filter, WebSecurity>> webSecurityConfigurers) throws Exception {
//建立一個webSecurity對象
this.webSecurity = (WebSecurity)objectPostProcessor.postProcess(new WebSecurity(objectPostProcessor));
if(this.debugEnabled != null) {
this.webSecurity.debug(this.debugEnabled.booleanValue());
}
//對全部配置類的實例進行排序
Collections.sort(webSecurityConfigurers, WebSecurityConfiguration.AnnotationAwareOrderComparator.INSTANCE);
Integer previousOrder = null;
Object previousConfig = null;
//迭代全部配置類的實例 判斷其order必須惟一
Iterator var5;
SecurityConfigurer config;
for(var5 = webSecurityConfigurers.iterator(); var5.hasNext(); previousConfig = config) {
config = (SecurityConfigurer)var5.next();
Integer order = Integer.valueOf(WebSecurityConfiguration.AnnotationAwareOrderComparator.lookupOrder(config));
if(previousOrder != null && previousOrder.equals(order)) {
throw new IllegalStateException("@Order on WebSecurityConfigurers must be unique. Order of " + order + " was already used on " + previousConfig + ", so it cannot be used on " + config + " too.");
}
previousOrder = order;
}
//將全部的配置實例添加到建立的webSecutity對象中
var5 = webSecurityConfigurers.iterator();
while(var5.hasNext()) {
config = (SecurityConfigurer)var5.next();
this.webSecurity.apply(config);
}
//將webSercurityConfigures 實例放入該對象的webSecurityConfigurers屬性中
this.webSecurityConfigurers = webSecurityConfigurers;
}
}
2.一、 setFilterChainProxySecurityConfigurer()方法
@Value("#{@autowiredWebSecurityConfigurersIgnoreParents.getWebSecurityConfigurers()}") List<SecurityConfigurer<Filter, WebSecurity>> webSecurityConfigurers
該參數webSecurityConfigurers會將全部的配置實例放入該形參中
該方法中 主要執行以下
一、建立webSecurity對象
二、主要檢驗了配置實例的order順序(order惟一 不然會報錯)
三、將全部的配置實例存放進入到webSecurity對象中,其中配置實例中含有咱們自定義業務的權限控制配置信息
2.二、springSecurityFilterChain()方法
調用springSecurityFilterChain()方法,這個方法會判斷咱們上一個方法中有沒有獲取到webSecurityConfigurers,沒有的話這邊會建立一個WebSecurityConfigurerAdapter實例,並追加到websecurity中。接着調用websecurity的build方法。實際調用的是websecurity的父類AbstractSecurityBuilder的build方法 ,最終返回一個名稱爲springSecurityFilterChain的過濾器鏈。裏面有衆多Filter(springSecurity其實就是依靠不少的Filter來攔截url從而實現權限的控制的安全框架)
三、AbstractSecurityBuilder類
public abstract class AbstractSecurityBuilder<O> implements SecurityBuilder<O> {
private AtomicBoolean building = new AtomicBoolean();
private O object;
//調用build方法來返回過濾器鏈,仍是調用SecurityBuilder的dobuild()方法
public final O build() throws Exception {
if(this.building.compareAndSet(false, true)) {
this.object = this.doBuild();
return this.object;
} else {
throw new AlreadyBuiltException("This object has already been built");
}
}
//...省略部分代碼
}
3.1 調用子類的doBuild()方法
public abstract class AbstractConfiguredSecurityBuilder<O, B extends SecurityBuilder<O>> extends AbstractSecurityBuilder<O> {
private final Log logger;
private final LinkedHashMap<Class<? extends SecurityConfigurer<O, B>>, List<SecurityConfigurer<O, B>>> configurers;
private final List<SecurityConfigurer<O, B>> configurersAddedInInitializing;
private final Map<Class<? extends Object>, Object> sharedObjects;
private final boolean allowConfigurersOfSameType;
private AbstractConfiguredSecurityBuilder.BuildState buildState;
private ObjectPostProcessor<Object> objectPostProcessor;
//doBuild()核心方法 init(),configure(),perFormBuild()
protected final O doBuild() throws Exception {
LinkedHashMap var1 = this.configurers;
synchronized(this.configurers) {
this.buildState = AbstractConfiguredSecurityBuilder.BuildState.INITIALIZING;
this.beforeInit();
this.init();
this.buildState = AbstractConfiguredSecurityBuilder.BuildState.CONFIGURING;
this.beforeConfigure();
this.configure();
this.buildState = AbstractConfiguredSecurityBuilder.BuildState.BUILDING;
O result = this.performBuild();
this.buildState = AbstractConfiguredSecurityBuilder.BuildState.BUILT;
return result;
}
}
protected abstract O performBuild() throws Exception;
//調用init方法 調用配置類WebSecurityConfigurerAdapter的init()方法
private void init() throws Exception {
Collection<SecurityConfigurer<O, B>> configurers = this.getConfigurers();
Iterator var2 = configurers.iterator();
SecurityConfigurer configurer;
while(var2.hasNext()) {
configurer = (SecurityConfigurer)var2.next();
configurer.init(this);
}
var2 = this.configurersAddedInInitializing.iterator();
while(var2.hasNext()) {
configurer = (SecurityConfigurer)var2.next();
configurer.init(this);
}
}
private void configure() throws Exception {
Collection<SecurityConfigurer<O, B>> configurers = this.getConfigurers();
Iterator var2 = configurers.iterator();
while(var2.hasNext()) {
SecurityConfigurer<O, B> configurer = (SecurityConfigurer)var2.next();
configurer.configure(this);
}
}
private Collection<SecurityConfigurer<O, B>> getConfigurers() {
List<SecurityConfigurer<O, B>> result = new ArrayList();
Iterator var2 = this.configurers.values().iterator();
while(var2.hasNext()) {
List<SecurityConfigurer<O, B>> configs = (List)var2.next();
result.addAll(configs);
}
return result;
}
//...省略部分代碼
}
3.2 先調用本類的init()方法
build過程主要分三步,init->configure->peformBuild
- 1 init方法作了兩件事,一個就是調用getHttp()方法獲取一個http實例,並經過web.addSecurityFilterChainBuilder方法把獲取到的實例賦值給WebSecurity的securityFilterChainBuilders屬性,這個屬性在咱們執行build的時候會用到,第二個就是爲WebSecurity追加了一個postBuildAction,在build都完成後從http中拿出FilterSecurityInterceptor對象並賦值給WebSecurity。
- 2 getHttp()方法,這個方法在當咱們使用默認配置時(大多數狀況下)會爲咱們追加各類SecurityConfigurer的具體實現類到httpSecurity中,如exceptionHandling()方法會追加一個ExceptionHandlingConfigurer,sessionManagement()方法會追加一個SessionManagementConfigurer,securityContext()方法會追加一個SecurityContextConfigurer對象,這些SecurityConfigurer的具體實現類最終會爲咱們配置各類具體的filter。
- 3 另外getHttp()方法的最後會調用configure(http),這個方法也是咱們繼承WebSecurityConfigurerAdapter類後最可能會重寫的方法 。
- 4 configure(HttpSecurity http)方法,默認的configure(HttpSecurity http)方法繼續向httpSecurity類中追加SecurityConfigurer的具體實現類,如authorizeRequests()方法追加一個ExpressionUrlAuthorizationConfigurer,formLogin()方法追加一個FormLoginConfigurer。 其中ExpressionUrlAuthorizationConfigurer這個實現類比較重要,由於他會給咱們建立一個很是重要的對象FilterSecurityInterceptor對象,FormLoginConfigurer對象比較簡單,可是也會爲咱們提供一個在安全認證過程當中常常用到會用的一個Filter:UsernamePasswordAuthenticationFilter。
以上三個方法就是WebSecurityConfigurerAdapter類中init方法的主要邏輯,
public abstract class WebSecurityConfigurerAdapter implements WebSecurityConfigurer<WebSecurity> {
public void init(final WebSecurity web) throws Exception {
final HttpSecurity http = this.getHttp();
web.addSecurityFilterChainBuilder(http).postBuildAction(new Runnable() {
public void run() {
FilterSecurityInterceptor securityInterceptor = (FilterSecurityInterceptor)http.getSharedObject(FilterSecurityInterceptor.class);
web.securityInterceptor(securityInterceptor);
}
});
}
protected final HttpSecurity getHttp() throws Exception {
if(this.http != null) {
return this.http;
} else {
DefaultAuthenticationEventPublisher eventPublisher = (DefaultAuthenticationEventPublisher)this.objectPostProcessor.postProcess(new DefaultAuthenticationEventPublisher());
//添加認證的事件的發佈者
this.localConfigureAuthenticationBldr.authenticationEventPublisher(eventPublisher);
//獲取AuthenticationManager對象其中一至多個進行認證處理的對象實例,後面會進行講解
AuthenticationManager authenticationManager = this.authenticationManager();
this.authenticationBuilder.parentAuthenticationManager(authenticationManager);
Map<Class<? extends Object>, Object> sharedObjects = this.createSharedObjects();
this.http = new HttpSecurity(this.objectPostProcessor, this.authenticationBuilder, sharedObjects);
if(!this.disableDefaults) {
((HttpSecurity)((DefaultLoginPageConfigurer)((HttpSecurity)((HttpSecurity)((HttpSecurity)((HttpSecurity)((HttpSecurity)((HttpSecurity)((HttpSecurity)((HttpSecurity)this.http.csrf().and()).addFilter(new WebAsyncManagerIntegrationFilter()).exceptionHandling().and()).headers().and()).sessionManagement().and()).securityContext().and()).requestCache().and()).anonymous().and()).servletApi().and()).apply(new DefaultLoginPageConfigurer())).and()).logout();
ClassLoader classLoader = this.context.getClassLoader();
List<AbstractHttpConfigurer> defaultHttpConfigurers = SpringFactoriesLoader.loadFactories(AbstractHttpConfigurer.class, classLoader);
Iterator var6 = defaultHttpConfigurers.iterator();
while(var6.hasNext()) {
AbstractHttpConfigurer configurer = (AbstractHttpConfigurer)var6.next();
this.http.apply(configurer);
}
}
//最終調用咱們的繼承的WebSecurityConfigurerAdapter中重寫的configure()
//將咱們業務相關的權限配置規則信息進行初始化操做
this.configure(this.http);
return this.http;
}
}
protected AuthenticationManager authenticationManager() throws Exception {
if(!this.authenticationManagerInitialized) {
this.configure(this.localConfigureAuthenticationBldr);
if(this.disableLocalConfigureAuthenticationBldr) {
this.authenticationManager = this.authenticationConfiguration.getAuthenticationManager();
} else {
this.authenticationManager = (AuthenticationManager)this.localConfigureAuthenticationBldr.build();
}
this.authenticationManagerInitialized = true;
}
return this.authenticationManager;
}
}
3.三、第二步configure
- configure方法最終也調用到了WebSecurityConfigurerAdapter的configure(WebSecurity web)方法,默認實現中這個是一個空方法,具體應用中也常常重寫這個方法來實現特定需求。
3.四、第三步 peformBuild
- 具體的實現邏輯在WebSecurity類中
- 這個方法中最主要的任務就是遍歷securityFilterChainBuilders屬性中的SecurityBuilder對象,並調用他的build方法。
這個securityFilterChainBuilders屬性咱們前面也有提到過,就是在WebSecurityConfigurerAdapter類的init方法中獲取http後賦值給了WebSecurity。所以這個地方就是調用httpSecurity的build方法。 - httpSecurity的build方式向其中追加一個個過濾器
public final class WebSecurity extends AbstractConfiguredSecurityBuilder<Filter, WebSecurity> implements SecurityBuilder<Filter>, ApplicationContextAware {
...省略部分代碼
//調用該方法經過securityFilterChainBuilder.build()方法來建立securityFilter過濾器
//並添加到securityFilterChains對象中,包裝成FilterChainProxy 返回
protected Filter performBuild() throws Exception {
Assert.state(!this.securityFilterChainBuilders.isEmpty(), "At least one SecurityBuilder<? extends SecurityFilterChain> needs to be specified. Typically this done by adding a @Configuration that extends WebSecurityConfigurerAdapter. More advanced users can invoke " + WebSecurity.class.getSimpleName() + ".addSecurityFilterChainBuilder directly");
int chainSize = this.ignoredRequests.size() + this.securityFilterChainBuilders.size();
List<SecurityFilterChain> securityFilterChains = new ArrayList(chainSize);
Iterator var3 = this.ignoredRequests.iterator();
while(var3.hasNext()) {
RequestMatcher ignoredRequest = (RequestMatcher)var3.next();
securityFilterChains.add(new DefaultSecurityFilterChain(ignoredRequest, new Filter[0]));
}
var3 = this.securityFilterChainBuilders.iterator();
while(var3.hasNext()) {
SecurityBuilder<? extends SecurityFilterChain> securityFilterChainBuilder = (SecurityBuilder)var3.next();
securityFilterChains.add(securityFilterChainBuilder.build());
}
FilterChainProxy filterChainProxy = new FilterChainProxy(securityFilterChains);
if(this.httpFirewall != null) {
filterChainProxy.setFirewall(this.httpFirewall);
}
filterChainProxy.afterPropertiesSet();
Filter result = filterChainProxy;
if(this.debugEnabled) {
this.logger.warn("\n\n********************************************************************\n********** Security debugging is enabled. *************\n********** This may include sensitive information. *************\n********** Do not use in a production system! *************\n********************************************************************\n\n");
result = new DebugFilter(filterChainProxy);
}
this.postBuildAction.run();
return (Filter)result;
}
}
四、舉例說明如何將一個Configurer轉換爲filter
ExpressionUrlAuthorizationConfigurer的繼承關係
ExpressionUrlAuthorizationConfigurer->AbstractInterceptUrlConfigurer->AbstractHttpConfigurer->SecurityConfigurerAdapter->SecurityConfigurer
對應的init方法在SecurityConfigurerAdapter類中,是個空實現,什麼也沒有作,configure方法在SecurityConfigurerAdapter類中也有一個空實現,在AbstractInterceptUrlConfigurer類中進行了重寫
Abstractintercepturlconfigurer.java代碼
@Override
public void configure(H http) throws Exception {
FilterInvocationSecurityMetadataSource metadataSource = createMetadataSource(http);
if (metadataSource == null) {
return;
}
FilterSecurityInterceptor securityInterceptor = createFilterSecurityInterceptor(
http, metadataSource, http.getSharedObject(AuthenticationManager.class));
if (filterSecurityInterceptorOncePerRequest != null) {
securityInterceptor
.setObserveOncePerRequest(filterSecurityInterceptorOncePerRequest);
}
securityInterceptor = postProcess(securityInterceptor);
http.addFilter(securityInterceptor);
http.setSharedObject(FilterSecurityInterceptor.class, securityInterceptor);
}
...
private AccessDecisionManager createDefaultAccessDecisionManager(H http) {
AffirmativeBased result = new AffirmativeBased(getDecisionVoters(http));
return postProcess(result);
}
...
private FilterSecurityInterceptor createFilterSecurityInterceptor(H http, FilterInvocationSecurityMetadataSource metadataSource, AuthenticationManager authenticationManager) throws Exception {
FilterSecurityInterceptor securityInterceptor = new FilterSecurityInterceptor();
securityInterceptor.setSecurityMetadataSource(metadataSource);
securityInterceptor.setAccessDecisionManager(getAccessDecisionManager(http));
securityInterceptor.setAuthenticationManager(authenticationManager);
securityInterceptor.afterPropertiesSet();
return securityInterceptor;
}
4.一、 在這個類的configure中建立了一個FilterSecurityInterceptor,而且也能夠明確看到spring security默認給咱們建立的AccessDecisionManager是AffirmativeBased。
4.二、.最後再看下HttpSecurity類執行build的最後一步 performBuild,這個方法就是在HttpSecurity中實現的
Httpsecurity.java代碼
@Override
protected DefaultSecurityFilterChain performBuild() throws Exception {
Collections.sort(filters, comparator);
return new DefaultSecurityFilterChain(requestMatcher, filters);
}
能夠看到,這個類只是把咱們追加到HttpSecurity中的security進行了排序,用的排序類是FilterComparator,從而保證咱們的filter按照正確的順序執行。接着將filters構建成filterChian返回。在前面WebSecurity的performBuild方法中,這個返回值會被包裝成FilterChainProxy,並做爲WebSecurity的build方法的放回值。從而以springSecurityFilterChain這個名稱註冊到springContext中(在WebSecurityConfiguration中作的)
4.3.在WebSecurity的performBuild方法的最後一步還執行了一個postBuildAction.run,這個方法也是spring security給咱們提供的一個hooks,能夠在build完成後再作一些事情,好比咱們在WebSecurityConfigurerAdapter類的init方法中咱們利用這個hook在構建完成後將FilterSecurityInterceptor賦值給了webSecurity類的filterSecurityInterceptor屬性
3、用戶登陸的驗證和受權過程
一、用戶一次完整的登陸驗證和受權,是一個請求通過 層層攔截器從而實現權限控制,整個web端配置爲DelegatingFilterProxy(springSecurity的委託過濾其代理類 ),它並不實現真正的過濾,而是全部過濾器鏈的代理類,真正執行攔截處理的是由spring 容器管理的個個filter bean組成的filterChain.
調用實際的FilterChainProxy 的doFilterInternal()方法 去獲取全部的攔截器並進行過濾處理以下是DelegatingFilterProxy的doFilter()方法
public void doFilter(ServletRequest request, ServletResponse response, FilterChain filterChain) throws ServletException, IOException {
Filter delegateToUse = this.delegate;
if(delegateToUse == null) {
Object var5 = this.delegateMonitor;
synchronized(this.delegateMonitor) {
delegateToUse = this.delegate;
if(delegateToUse == null) {
WebApplicationContext wac = this.findWebApplicationContext();
if(wac == null) {
throw new IllegalStateException("No WebApplicationContext found: no ContextLoaderListener or DispatcherServlet registered?");
}
delegateToUse = this.initDelegate(wac);
}
this.delegate = delegateToUse;
}
}
//調用實際的FilterChainProxy 的doFilterInternal()方法 去獲取全部的攔截器並進行過濾處理
this.invokeDelegate(delegateToUse, request, response, filterChain);
}
調用實際的FilterChainProxy 的doFilter()方法 去獲取全部的攔截器並進行過濾處理。
二、FilterChainProxy類
最終調用FilterChainProxy 的doFilterInternal()方法,獲取全部的過濾器實例
public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain) throws IOException, ServletException {
boolean clearContext = request.getAttribute(FILTER_APPLIED) == null;
if(clearContext) {
try {
request.setAttribute(FILTER_APPLIED, Boolean.TRUE);
//doFilter 調用doFilterInternal方法
this.doFilterInternal(request, response, chain);
} finally {
SecurityContextHolder.clearContext();
request.removeAttribute(FILTER_APPLIED);
}
} else {
this.doFilterInternal(request, response, chain);
}
}
private void doFilterInternal(ServletRequest request, ServletResponse response, FilterChain chain) throws IOException, ServletException {
FirewalledRequest fwRequest = this.firewall.getFirewalledRequest((HttpServletRequest)request);
HttpServletResponse fwResponse = this.firewall.getFirewalledResponse((HttpServletResponse)response);
//過去全部的過濾器
List<Filter> filters = this.getFilters((HttpServletRequest)fwRequest);
if(filters != null && filters.size() != 0) {
FilterChainProxy.VirtualFilterChain vfc = new FilterChainProxy.VirtualFilterChain(fwRequest, chain, filters);
vfc.doFilter(fwRequest, fwResponse);
} else {
if(logger.isDebugEnabled()) {
logger.debug(UrlUtils.buildRequestUrl(fwRequest) + (filters == null?" has no matching filters":" has an empty filter list"));
}
fwRequest.reset();
chain.doFilter(fwRequest, fwResponse);
}
}
private List<Filter> getFilters(HttpServletRequest request) {
//遍歷全部的matcher類 若是支持就繼續獲取
Iterator var2 = this.filterChains.iterator();
SecurityFilterChain chain;
do {
if(!var2.hasNext()) {
return null;
}
chain = (SecurityFilterChain)var2.next();
} while(!chain.matches(request));
//後去匹配中的全部過濾器
return chain.getFilters();
}
如上 實際上是獲取到本次請求的全部filter 並安裝指定順序進行執行doFilter()方法
這是筆者本次業務請求所要執行的全部過濾器
- WebAsyncManagerIntegrationFilter
- SecurityContextPersistenceFilter
- HeaderWriterFilter
- LogoutFilter
- UsernamePasswordAuthenticationFilter
- RequestCacheAwareFilter
- SecurityContextHolderAwareRequestFilter
- AnonymousAuthenticationFilter
- SessionManagementFilter
- ExceptionTranslationFilter
- FilterSecurityInterceptor
關於springSecutity攔截器的介紹請參考以下連接地址
http://www.javashuo.com/article/p-rgyffmcv-nn.html
http://blog.didispace.com/xjf-spring-security-4/
http://www.javashuo.com/article/p-hxvyosau-kd.html
http://www.javashuo.com/article/p-uwoputbo-mb.html
原文地址:https://blog.csdn.net/liushangzaibeijing/article/details/81220610相關文章
- 1. springSecurity安全框架的學習和原理解讀
- 2. SpringSecurity安全框架
- 3. springSecurity框架的原理
- 4. 安全框架Shiro和SpringSecurity的比較
- 5. 安全框架 SpringSecurity 和 Shiro 對比
- 6. SpringSecurity安全性框架實戰
- 7. SSM框架原理學習
- 8. SpringSecurity權限框架學習總結
- 9. SpringSecurity框架和使用
- 10. SpringBoot2.0 整合 SpringSecurity 框架,實現用戶權限安全管理
- 更多相關文章...
- • MyBatis的工作原理 - MyBatis教程
- • ASP.NET MVC - 安全 - ASP.NET 教程
- • Tomcat學習筆記(史上最全tomcat學習筆記)
- • 適用於PHP初學者的學習線路和建議
相關標籤/搜索
每日一句
-
每一个你不满意的现在,都有一个你没有努力的曾经。
最新文章
- 1. 跳槽面試的幾個實用小技巧,不妨看看!
- 2. Mac實用技巧 |如何使用Mac系統中自帶的預覽工具將圖片變成黑白色?
- 3. Mac實用技巧 |如何使用Mac系統中自帶的預覽工具將圖片變成黑白色?
- 4. 如何使用Mac系統中自帶的預覽工具將圖片變成黑白色?
- 5. Mac OS非兼容Windows軟件運行解決方案——「以VMware & Microsoft Access爲例「
- 6. 封裝 pyinstaller -F -i b.ico excel.py
- 7. 數據庫作業三ER圖待完善
- 8. nvm安裝使用低版本node.js(非命令安裝)
- 9. 如何快速轉換圖片格式
- 10. 將表格內容分條轉換爲若干文檔
歡迎關注本站公眾號,獲取更多信息
