Spring-security源码-注解权限原理之MethodSecurityInterceptor(二十一)

合集 - spring-security源码阅读(28)

1.Spring-Security系列导航2021-11-152.spring-security使用-登录(一)2020-12-103.spring-security使用-自定义数据源(二)2020-12-224.spring-security使用-更友好的方式扩展登录AuthenticationProvider(三)2021-01-045.spring-security使用-获得当前用户信息(四)2021-01-056.spring-security使用-同一个账号只允许登录一次(五)2021-01-067.spring-security使用-session共享(六)2021-01-078.spring-security使用-安全防护HttpFirewall(七)2021-01-299.spring-security使用-权限控制(八)2021-11-0310.spring-security源码-初始化(九)2021-11-0411.spring-security源码-如何初始化SecurityFilterChain到Servlet2024-03-1012.spring-security源码-FilterChainProxy2024-03-1013.spring-security源码-Filter之WebAsyncManagerIntegrationFilter(十)2021-11-0914.Spring-security源码-Filter之SecurityContextPersistenceFilter(十一)2021-11-0915.Spring-security源码-Filter之HeaderWriterFilter(十二)2021-11-1016.Spring-security源码-Filter之LogoutFilter(十三)2021-11-1017.Spring-security源码-Filter之UsernamePasswordAuthenticationFilter(十四)2021-11-1018.Spring-security源码-Filter之ConcurrentSessionFilter(十五)2021-11-1019.Spring-security源码-Filter之SessionManagementFilter(十六)2021-11-1120.Spring-security源码-Filter之RememberMeAuthenticationFilter(十七)2021-11-1121.Spring-security源码-Filter之ExceptionTranslationFilter(十八)2021-11-1222.Spring-security源码-Filter之FilterSecurityInterceptor(十九)2021-11-1323.Spring-security源码-注解权限原理(二十)2021-11-13

24.Spring-security源码-注解权限原理之MethodSecurityInterceptor(二十一)2021-11-15

25.Spring-Security基于源码扩展-一套系统多套登录逻辑(二十二)2021-11-1526.Spring-Security基于源码扩展-自定义登录(二十三)2021-11-1527.Spring-Security基于源码扩展-自定义认证失败返回(二十四)2021-11-1528.Spring-Security基于源码扩展-自定义授权注解(二十五)2021-11-15

收起

文章主目录

• <1>
• <2>
• <3>
• <4>
• <5>

MethodSecurityInterceptor是Spring Security对于Spring Aop的切入逻辑

 @Override
    public Object invoke(MethodInvocation mi) throws Throwable {
        //<1>调用方法前的权限校验
        InterceptorStatusToken token = super.beforeInvocation(mi);
        Object result;
        try {
            result = mi.proceed();
        }
        finally {
            //允许重置ServletContext
            super.finallyInvocation(token);
        }
        //<5>调用方法后的权限校验
        return super.afterInvocation(token, result);
    }

回到顶部

<1>

org.springframework.security.access.intercept.AbstractSecurityInterceptor#beforeInvocation

    protected InterceptorStatusToken beforeInvocation(Object object) {
        Assert.notNull(object, "Object was null");
        if (!getSecureObjectClass().isAssignableFrom(object.getClass())) {
            throw new IllegalArgumentException("Security invocation attempted for object " + object.getClass().getName()
                    + " but AbstractSecurityInterceptor only configured to support secure objects of type: "
                    + getSecureObjectClass());
        }
        //<2>基于object获取对应的ConfigAttribute 也就是我们的权限配置 初始化处参考
        Collection<ConfigAttribute> attributes = this.obtainSecurityMetadataSource().getAttributes(object);
        //如果配有配置表示不需要权限校验
        if (CollectionUtils.isEmpty(attributes)) {
            Assert.isTrue(!this.rejectPublicInvocations,
                    () -> "Secure object invocation " + object
                            + " was denied as public invocations are not allowed via this interceptor. "
                            + "This indicates a configuration error because the "
                            + "rejectPublicInvocations property is set to 'true'");
            if (this.logger.isDebugEnabled()) {
                this.logger.debug(LogMessage.format("Authorized public object %s", object));
            }
            publishEvent(new PublicInvocationEvent(object));
            return null; // no further work post-invocation
        }
        //如果未登录 抛出异常
        if (SecurityContextHolder.getContext().getAuthentication() == null) {
            credentialsNotFound(this.messages.getMessage("AbstractSecurityInterceptor.authenticationNotFound",
                    "An Authentication object was not found in the SecurityContext"), object, attributes);
        }
        //如果登录过期触发自动authenticationManager.authenticate 重新认证
        Authentication authenticated = authenticateIfRequired();
        if (this.logger.isTraceEnabled()) {
            this.logger.trace(LogMessage.format("Authorizing %s with attributes %s", object, attributes));
        }
        // <3>现在有方法 和我们的权限配置则校验授权
        attemptAuthorization(object, attributes, authenticated);
        if (this.logger.isDebugEnabled()) {
            this.logger.debug(LogMessage.format("Authorized %s with attributes %s", object, attributes));
        }
        if (this.publishAuthorizationSuccess) {
            publishEvent(new AuthorizedEvent(object, attributes, authenticated));
        }

        // Attempt to run as a different user
        Authentication runAs = this.runAsManager.buildRunAs(authenticated, object, attributes);
        if (runAs != null) {
            SecurityContext origCtx = SecurityContextHolder.getContext();
            SecurityContextHolder.setContext(SecurityContextHolder.createEmptyContext());
            SecurityContextHolder.getContext().setAuthentication(runAs);

            if (this.logger.isDebugEnabled()) {
                this.logger.debug(LogMessage.format("Switched to RunAs authentication %s", runAs));
            }
            // need to revert to token.Authenticated post-invocation
            return new InterceptorStatusToken(origCtx, true, attributes, object);
        }
        this.logger.trace("Did not switch RunAs authentication since RunAsManager returned null");
        // no further work post-invocation
        return new InterceptorStatusToken(SecurityContextHolder.getContext(), false, attributes, object);

    }

回到顶部

<2>

org.springframework.security.access.method.DelegatingMethodSecurityMetadataSource#getAttributes

@Override
    public Collection<ConfigAttribute> getAttributes(Method method, Class<?> targetClass) {
        //方法和class作为cacheKey
        DelegatingMethodSecurityMetadataSource.DefaultCacheKey cacheKey = new DelegatingMethodSecurityMetadataSource.DefaultCacheKey(method, targetClass);
        //同步锁
        synchronized (this.attributeCache) {
            //先判断cache是否有
            Collection<ConfigAttribute> cached = this.attributeCache.get(cacheKey);
            // 如果有直接返回
            if (cached != null) {
                return cached;
            }
            //遍历MethodSecurityMetadataSource 解析注解获得ConfigAttribute
            Collection<ConfigAttribute> attributes = null;
            for (MethodSecurityMetadataSource s : this.methodSecurityMetadataSources) {
                attributes = s.getAttributes(method, targetClass);
                if (attributes != null && !attributes.isEmpty()) {
                    break;
                }
            }
            // Put it in the cache.
            if (attributes == null || attributes.isEmpty()) {
                this.attributeCache.put(cacheKey, NULL_CONFIG_ATTRIBUTE);
                return NULL_CONFIG_ATTRIBUTE;
            }
            this.attributeCache.put(cacheKey, attributes);
            return attributes;
        }
    }

回到顶部

<3>

org.springframework.security.access.intercept.AbstractSecurityInterceptor#attemptAuthorization

 private void attemptAuthorization(Object object, Collection<ConfigAttribute> attributes,
                                      Authentication authenticated) {
        try {
            //<4>交给accessDecisionManager处理 初始化处参考
            this.accessDecisionManager.decide(authenticated, object, attributes);
        }
        catch (AccessDeniedException ex) {//针对授权不过的抛出异常
            if (this.logger.isTraceEnabled()) {
                this.logger.trace(LogMessage.format("Failed to authorize %s with attributes %s using %s", object,
                        attributes, this.accessDecisionManager));
            }
            else if (this.logger.isDebugEnabled()) {
                this.logger.debug(LogMessage.format("Failed to authorize %s with attributes %s", object, attributes));
            }
            publishEvent(new AuthorizationFailureEvent(object, attributes, authenticated, ex));
            throw ex;
        }
    }

回到顶部

<4>

 @Override
    @SuppressWarnings({ "rawtypes", "unchecked" })
    public void decide(Authentication authentication, Object object, Collection<ConfigAttribute> configAttributes)
            throws AccessDeniedException {
        int deny = 0;
        //遍历voter 调用vote方法进行处理
        for (AccessDecisionVoter voter : getDecisionVoters()) {
            int result = voter.vote(authentication, object, configAttributes);
            switch (result) {
                //授权通过直接返回
                case AccessDecisionVoter.ACCESS_GRANTED:
                    return;
                    //针对授权不过 返回ACCESS_DENIED
                case AccessDecisionVoter.ACCESS_DENIED:
                    deny++;
                    break;
                default:
                    break;
            }
        }
        if (deny > 0) {
            throw new AccessDeniedException(
                    this.messages.getMessage("AbstractAccessDecisionManager.accessDenied", "Access is denied"));
        }
        // To get this far, every AccessDecisionVoter abstained
        checkAllowIfAllAbstainDecisions();
    }

回到顶部

<5>

    protected Object afterInvocation(InterceptorStatusToken token, Object returnedObject) {
        if (token == null) {
            // public object
            return returnedObject;
        }
        finallyInvocation(token); // continue to clean in this method for passivity
        if (this.afterInvocationManager != null) {
            // Attempt after invocation handling
            try {
                returnedObject = this.afterInvocationManager.decide(token.getSecurityContext().getAuthentication(),
                        token.getSecureObject(), token.getAttributes(), returnedObject);
            }
            catch (AccessDeniedException ex) {
                publishEvent(new AuthorizationFailureEvent(token.getSecureObject(), token.getAttributes(),
                        token.getSecurityContext().getAuthentication(), ex));
                throw ex;
            }
        }
        return returnedObject;
    }