spring-security源码-如何初始化SecurityFilterChain到Servlet

合集 - spring-security源码阅读(28)

1.Spring-Security系列导航2021-11-152.spring-security使用-登录(一)2020-12-103.spring-security使用-自定义数据源(二)2020-12-224.spring-security使用-更友好的方式扩展登录AuthenticationProvider(三)2021-01-045.spring-security使用-获得当前用户信息(四)2021-01-056.spring-security使用-同一个账号只允许登录一次(五)2021-01-067.spring-security使用-session共享(六)2021-01-078.spring-security使用-安全防护HttpFirewall(七)2021-01-299.spring-security使用-权限控制(八)2021-11-0310.spring-security源码-初始化(九)2021-11-04

11.spring-security源码-如何初始化SecurityFilterChain到Servlet2024-03-10

12.spring-security源码-FilterChainProxy2024-03-1013.spring-security源码-Filter之WebAsyncManagerIntegrationFilter(十)2021-11-0914.Spring-security源码-Filter之SecurityContextPersistenceFilter(十一)2021-11-0915.Spring-security源码-Filter之HeaderWriterFilter(十二)2021-11-1016.Spring-security源码-Filter之LogoutFilter(十三)2021-11-1017.Spring-security源码-Filter之UsernamePasswordAuthenticationFilter(十四)2021-11-1018.Spring-security源码-Filter之ConcurrentSessionFilter(十五)2021-11-1019.Spring-security源码-Filter之SessionManagementFilter(十六)2021-11-1120.Spring-security源码-Filter之RememberMeAuthenticationFilter(十七)2021-11-1121.Spring-security源码-Filter之ExceptionTranslationFilter(十八)2021-11-1222.Spring-security源码-Filter之FilterSecurityInterceptor(十九)2021-11-1323.Spring-security源码-注解权限原理(二十)2021-11-1324.Spring-security源码-注解权限原理之MethodSecurityInterceptor(二十一)2021-11-1525.Spring-Security基于源码扩展-一套系统多套登录逻辑(二十二)2021-11-1526.Spring-Security基于源码扩展-自定义登录(二十三)2021-11-1527.Spring-Security基于源码扩展-自定义认证失败返回(二十四)2021-11-1528.Spring-Security基于源码扩展-自定义授权注解(二十五)2021-11-15

收起

文章主目录

• <3>
• <4>
• <5>
• <6>

1.SecurityFilterChain是由HttpSecurty根据各个config配置生成的Filter

SecurityFilterChain是接口,默认实现是由DefaultSecurityFilterChain

SecurityFilterChain只充当描述的作用，描述哪些url走这批filter

public final class DefaultSecurityFilterChain implements SecurityFilterChain {
    private static final Log logger = LogFactory.getLog(DefaultSecurityFilterChain.class);
    //匹配url 多套url登录逻辑由这里实现 默认/** 比如/product  /user 逻辑相互隔离
    private final RequestMatcher requestMatcher;
    //相关servlet
    private final List<Filter> filters;

    public DefaultSecurityFilterChain(RequestMatcher requestMatcher, Filter... filters) {
        this(requestMatcher, Arrays.asList(filters));
    }

    public DefaultSecurityFilterChain(RequestMatcher requestMatcher, List<Filter> filters) {
        if (filters.isEmpty()) {
            logger.info(LogMessage.format("Will not secure %s", requestMatcher));
        } else {
            logger.info(LogMessage.format("Will secure %s with %s", requestMatcher, filters));
        }

        this.requestMatcher = requestMatcher;
        this.filters = new ArrayList(filters);
    }

    public RequestMatcher getRequestMatcher() {
        return this.requestMatcher;
    }

    public List<Filter> getFilters() {
        return this.filters;
    }

    public boolean matches(HttpServletRequest request) {
        return this.requestMatcher.matches(request);
    }

    public String toString() {
        return this.getClass().getSimpleName() + " [RequestMatcher=" + this.requestMatcher + ", Filters=" + this.filters + "]";
    }
}

2.初始化是通过

org.springframework.boot.autoconfigure.security.servlet.SecurityFilterAutoConfiguration 实现

@AutoConfiguration(after = SecurityAutoConfiguration.class)
@ConditionalOnWebApplication(type = Type.SERVLET)
@EnableConfigurationProperties(SecurityProperties.class)
@ConditionalOnClass({ AbstractSecurityWebApplicationInitializer.class, SessionCreationPolicy.class })
public class SecurityFilterAutoConfiguration {

    private static final String DEFAULT_FILTER_NAME = AbstractSecurityWebApplicationInitializer.DEFAULT_FILTER_NAME;

    //存在 springSecurityFilterChain
    @Bean
    @ConditionalOnBean(name = DEFAULT_FILTER_NAME)
    public DelegatingFilterProxyRegistrationBean securityFilterChainRegistration(
            SecurityProperties securityProperties) {
        //<3>
        DelegatingFilterProxyRegistrationBean registration = new DelegatingFilterProxyRegistrationBean(
                DEFAULT_FILTER_NAME);
        registration.setOrder(securityProperties.getFilter().getOrder());
        registration.setDispatcherTypes(getDispatcherTypes(securityProperties));
        return registration;
    }

    private EnumSet<DispatcherType> getDispatcherTypes(SecurityProperties securityProperties) {
        if (securityProperties.getFilter().getDispatcherTypes() == null) {
            return null;
        }
        return securityProperties.getFilter()
            .getDispatcherTypes()
            .stream()
            .map((type) -> DispatcherType.valueOf(type.name()))
            .collect(Collectors.toCollection(() -> EnumSet.noneOf(DispatcherType.class)));
    }

}

回到顶部

<3>

委托给DelegatingFilterProxyRegistrationBean

他是 org.springframework.boot.web.servlet.AbstractFilterRegistrationBean的子类，用于注入自定义filter，实现了getFilter方法

org.springframework.boot.web.servlet.DelegatingFilterProxyRegistrationBean#getFilter

public DelegatingFilterProxy getFilter() {
         //<4>ServletFilter的实现类
        return new DelegatingFilterProxy(this.targetBeanName, this.getWebApplicationContext()) {
            protected void initFilterBean() throws ServletException {
            }
        };
    }

回到顶部

<4>

DelegatingFilterProxy就是sevletFilter的实现类

org.springframework.web.filter.DelegatingFilterProxy#doFilter

    public void doFilter(ServletRequest request, ServletResponse response, FilterChain filterChain) throws ServletException, IOException {
        Filter delegateToUse = this.delegate;
        if (delegateToUse == null) {
            synchronized(this.delegateMonitor) {
                delegateToUse = this.delegate;
                if (delegateToUse == null) {
                    WebApplicationContext wac = this.findWebApplicationContext();
                    if (wac == null) {
                        throw new IllegalStateException("No WebApplicationContext found: no ContextLoaderListener or DispatcherServlet registered?");
                    }
                    //<5>delegate初始化
                    delegateToUse = this.initDelegate(wac);
                }

                this.delegate = delegateToUse;
            }
        }
       // <6>最终是委托给delegate执行的
        this.invokeDelegate(delegateToUse, request, response, filterChain);
    }

回到顶部

<5>

org.springframework.web.filter.DelegatingFilterProxy#initDelegate

   protected Filter initDelegate(WebApplicationContext wac) throws ServletException {
        String targetBeanName = this.getTargetBeanName();
        Assert.state(targetBeanName != null, "No target bean name set");
        //就是我们的 springSecurityFilterChain
        Filter delegate = (Filter)wac.getBean(targetBeanName, Filter.class);
        if (this.isTargetFilterLifecycle()) {
            delegate.init(this.getFilterConfig());
        }

        return delegate;
    }

 

回到顶部

<6>

org.springframework.web.filter.DelegatingFilterProxy#invokeDelegate

 protected void invokeDelegate(Filter delegate, ServletRequest request, ServletResponse response, FilterChain filterChain) throws ServletException, IOException {
        delegate.doFilter(request, response, filterChain);
    }