How Spring Security 5.x works
- Server startup
AbstractSecurityWebApplicationInitializer implements WebApplicationInitializer. (Put simply, SpringServletContainerInitializer scans for WebApplicationInitializer implementations, instantiates them and calls onStartup(ServletContext servletContext); DispatcherServlet, FrameworkServlet, ContextLoaderListener and DelegatingFilterProxy can all be configured this way.)
Spring Security uses this mechanism to register the DelegatingFilterProxy filter with the servletContext.
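- How security takes effect
The security filter chain is then executed through the DelegatingFilterProxy.
DelegatingFilterProxy holds the Spring application context and a target bean name, and uses that bean name to look up the filter it delegates to in the Spring container.
FilterChainProxy in turn delegates to the concrete filters: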
    // Excerpt from the inner class FilterChainProxy.VirtualFilterChain
    public void doFilter(ServletRequest request, ServletResponse response)
            throws IOException, ServletException {
        if (currentPosition == size) {
            // Every security filter has run: hand the request to the container's chain
            if (logger.isDebugEnabled()) {
                logger.debug(UrlUtils.buildRequestUrl(firewalledRequest)
                        + " reached end of additional filter chain; proceeding with original chain");
            }
            // Deactivate path stripping as we exit the security filter chain
            this.firewalledRequest.reset();
            originalChain.doFilter(request, response);
        }
        else {
            // Advance the cursor, then invoke the next security filter with this chain as its continuation
            currentPosition++;
            Filter nextFilter = additionalFilters.get(currentPosition - 1);
            if (logger.isDebugEnabled()) {
                logger.debug(UrlUtils.buildRequestUrl(firewalledRequest)
                        + " at position " + currentPosition + " of " + size
                        + " in additional filter chain; firing Filter: '"
                        + nextFilter.getClass().getSimpleName() + "'");
            }
            nextFilter.doFilter(request, response, this);
        }
    }
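
The position-counter dispatch in the excerpt above, reduced to a stand-alone model (an added example, not Spring Security's own code). It shows that a filter which returns without calling chain.doFilter stops the request before later filters and the original chain run. The Chain and Filter interfaces, the filter names and the /admin rule are hypothetical stand-ins for the servlet types.

```java
import java.util.ArrayList;
import java.util.List;

public class VirtualChainDemo {
    // Simplified stand-ins for the servlet Filter / FilterChain types; the request is just a path.
    interface Chain { void doFilter(String path); }
    interface Filter { void doFilter(String path, Chain chain); }

    // Same cursor logic as the doFilter excerpt: run additional filters, then the original chain.
    static class VirtualChain implements Chain {
        private final List<Filter> additionalFilters;
        private final Chain originalChain;
        private int currentPosition = 0;

        VirtualChain(List<Filter> additionalFilters, Chain originalChain) {
            this.additionalFilters = additionalFilters;
            this.originalChain = originalChain;
        }

        @Override
        public void doFilter(String path) {
            if (currentPosition == additionalFilters.size()) {
                originalChain.doFilter(path); // every security filter let the request through
            } else {
                currentPosition++;
                additionalFilters.get(currentPosition - 1).doFilter(path, this);
            }
        }
    }

    // Sends one request through a fresh chain and returns the order in which components ran.
    static List<String> handle(String path) {
        List<String> trace = new ArrayList<>();
        Filter context = (p, chain) -> { trace.add("context"); chain.doFilter(p); };
        // Hypothetical authorization rule: reject /admin by returning without calling the chain.
        Filter authz = (p, chain) -> {
            trace.add("authz");
            if (p.startsWith("/admin")) { trace.add("403"); return; }
            chain.doFilter(p);
        };
        Filter audit = (p, chain) -> { trace.add("audit"); chain.doFilter(p); };
        Chain servlet = p -> trace.add("servlet"); // plays the role of originalChain
        new VirtualChain(List.of(context, authz, audit), servlet).doFilter(path);
        return trace;
    }

    public static void main(String[] args) {
        System.out.println(handle("/home"));
        System.out.println(handle("/admin/users"));
    }
}
```

Because the cursor lives in the chain object, a new chain is built for each request, and filter order in the list determines which checks run before a rejection.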