Spring Security 過濾流程
經過Debug,最原始的過濾器鏈是Tomcat的ApplicationFilterChain。java
org.apache.catalina.core.ApplicationFilterChain
implements
javax.servlet.FilterChain {
// 實例是一個 DispatchServlet
private Servlet servlet;
// 過濾器數組
private ApplicationFilterConfig[] filters = new ApplicationFilterConfig[0];
// 當前的過濾器位置
private int pos;
// 過濾器總數
private int n;
public void doFilter(ServletRequest request, ServletResponse response) {
internalDoFilter(request,response);
}
private void internalDoFilter(ServletRequest request, ServletResponse response) {
if (pos < n) {
ApplicationFilterConfig filterConfig = filters[pos++];
Filter filter = filterConfig.getFilter();
filter.doFilter(request, response, this);
}
}
}
這裏面有6個過濾器,分別是web
0 ApplicationFilterConfig[name=characterEncodingFilter, filterClass=org.springframework.boot.web.servlet.filter.OrderedCharacterEncodingFilter] 1 ApplicationFilterConfig[name=hiddenHttpMethodFilter, filterClass=org.springframework.boot.web.servlet.filter.OrderedHiddenHttpMethodFilter] 2 ApplicationFilterConfig[name=httpPutFormContentFilter, filterClass=org.springframework.boot.web.servlet.filter.OrderedHttpPutFormContentFilter] 3 ApplicationFilterConfig[name=requestContextFilter, filterClass=org.springframework.boot.web.servlet.filter.OrderedRequestContextFilter] 4 ApplicationFilterConfig[name=springSecurityFilterChain, filterClass=org.springframework.boot.web.servlet.DelegatingFilterProxyRegistrationBean$1] 5 ApplicationFilterConfig[name=Tomcat WebSocket (JSR356) Filter, filterClass=org.apache.tomcat.websocket.server.WsFilter]
Spring boot 以「springSecurityFilterChain」爲名字,向容器注入DelegatingFilterProxyRegistrationBean,這個bean被包裝成ApplicationFilterConfig, 以便經過getFilter()獲取Filter。spring
這裏應該是動態代理(這個暫時沒想清楚),當調用filter.doFilter的時候,這個filter其實是DelegatingFilterProxy。apache
public class DelegatingFilterProxy extends GenericFilterBean {
private volatile Filter delegate;
public void doFilter(ServletRequest request, ServletResponse response, FilterChain filterChain) {
Filter delegateToUse = this.delegate;
invokeDelegate(delegateToUse, request, response, filterChain);
}
protected void invokeDelegate(
Filter delegate, ServletRequest request, ServletResponse response, FilterChain filterChain)
throws ServletException, IOException {
delegate.doFilter(request, response, filterChain);
}
}
這裏的 delegate 毫無疑問是 FilterChainProxy。數組
FilterChainProxy就帶着一開始的ApplicationFilterChain,開始本身的過濾生涯,doFilter...tomcat
public class FilterChainProxy extends GenericFilterBean {
public void doFilter(ServletRequest request, ServletResponse response,
FilterChain chain) throws IOException, ServletException {
doFilterInternal(request, response, chain);
}
private void doFilterInternal(ServletRequest request, ServletResponse response,
FilterChain chain) throws IOException, ServletException {
// wrap
FirewalledRequest fwRequest = firewall
.getFirewalledRequest((HttpServletRequest) request);
HttpServletResponse fwResponse = firewall
.getFirewalledResponse((HttpServletResponse) response);
// 根據請求匹配 security 過濾器
List<Filter> filters = getFilters(fwRequest);
// 若是沒有配置 security 過濾器
if (filters == null || filters.size() == 0) {
// reset
fwRequest.reset();
// 那麼繼續原始的過濾器鏈 ApplicationFilterChain
chain.doFilter(fwRequest, fwResponse);
}
VirtualFilterChain vfc = new VirtualFilterChain(fwRequest, chain, filters);
vfc.doFilter(fwRequest, fwResponse);
}
}
沒錯,FilterChainProxy根據請求,匹配到好多security過濾器,並用他們建立出一條新的過濾鏈 VirtualFilterChain。websocket
private static class VirtualFilterChain implements FilterChain {
// 原始的 ApplicationFilterChain
private final FilterChain originalChain;
// security filters
private final List<Filter> additionalFilters;
private final FirewalledRequest firewalledRequest;
private final int size;
private int currentPosition = 0;
v
@Override
public void doFilter(ServletRequest request, ServletResponse response)
throws IOException, ServletException {
// VirtualFilterChain 過濾完成
if (currentPosition == size) {
// reset
this.firewalledRequest.reset();
// 繼續原始鏈
originalChain.doFilter(request, response);
}
// 執行過濾器
else {
currentPosition++;
Filter nextFilter = additionalFilters.get(currentPosition - 1);
nextFilter.doFilter(request, response, this);
}
}
}
而這條新過濾鏈的過濾器數組,正是socket
additionalFilters = {ArrayList@6631} size = 13
0 = {WebAsyncManagerIntegrationFilter@6634}
1 = {SecurityContextPersistenceFilter@6471}
2 = {HeaderWriterFilter@6470}
3 = {CsrfFilter@6469}
4 = {LogoutFilter@6468}
5 = {CustomUsernamePasswordAuthenticationFilter@6467}
6 = {UsernamePasswordAuthenticationFilter@6466}
7 = {RequestCacheAwareFilter@6465}
8 = {SecurityContextHolderAwareRequestFilter@6462}
9 = {AnonymousAuthenticationFilter@6458}
10 = {SessionManagementFilter@6457}
12 = {FilterSecurityInterceptor@6635}
11 = {ExceptionTranslationFilter@6455}
相關文章
- 1. 淺析Spring Security過濾流程
- 2. Spring Security的過濾器鏈
- 3. spring security 過濾器鏈
- 4. spring security 核心過濾器
- 5. 【SpringSecurity】Spring Security過濾器鏈
- 6. spring security過濾器順序
- 7. Spring Security 流程
- 8. spring security過濾器鏈及認證流程
- 9. Spring Security入門(1-12)Spring Security 的過濾器機制
- 10. Spring Security 實戰乾貨:圖解Spring Security的過濾器體系
- 更多相關文章...
- • PHP 過濾 unserialize() - PHP 7 新特性
- • jQuery Mobile 過濾 - jQuery Mobile 教程
- • Spring Cloud 微服務實戰(三) - 服務註冊與發現
- • Java 8 Stream 教程
相關標籤/搜索
每日一句
-
每一个你不满意的现在,都有一个你没有努力的曾经。
最新文章
- 1. 在windows下的虛擬機中,安裝華爲電腦的deepin操作系統
- 2. 強烈推薦款下載不限速解析神器
- 3. 【區塊鏈技術】孫宇晨:區塊鏈技術帶來金融服務的信任變革
- 4. 搜索引起的鏈接分析-計算網頁的重要性
- 5. TiDB x 微衆銀行 | 耗時降低 58%,分佈式架構助力實現普惠金融
- 6. 《數字孿生體技術白皮書》重磅發佈(附完整版下載)
- 7. 雙十一「避坑」指南:區塊鏈電子合同爲電商交易保駕護航!
- 8. 區塊鏈產業,怎樣「鏈」住未來?
- 9. OpenglRipper使用教程
- 10. springcloud請求一次好用一次不好用zuul Name or service not known
歡迎關注本站公眾號,獲取更多信息
相關文章
- 1. 淺析Spring Security過濾流程
- 2. Spring Security的過濾器鏈
- 3. spring security 過濾器鏈
- 4. spring security 核心過濾器
- 5. 【SpringSecurity】Spring Security過濾器鏈
- 6. spring security過濾器順序
- 7. Spring Security 流程
- 8. spring security過濾器鏈及認證流程
- 9. Spring Security入門(1-12)Spring Security 的過濾器機制
- 10. Spring Security 實戰乾貨:圖解Spring Security的過濾器體系