spring securityty过滤器类简介
1. security与oauth2的关系
security是一个安全访问控制解决方案的框架,对访问访问权限进行控制,包括了用户认证-鉴权(Authentication)和用户授权(Authorization)两个部分.用户认证就是验证用户"是谁",是否是此系统的合法用户.通常使用用户名密码来完成.授权发生在鉴权后,是鉴定用户"是否可以"执行某个操作.
2. spring security主要类详解
spring security主要分为两大块 , security为主的授权,鉴权;security实现的OAuth2协议的第三方应用授权.
security的最主要的类
| 类名 | 解释 |
|---|---|
AbstractAuthenticationProcessingFilter |
根拦截器 所有请求都会先进这个拦截器 |
ExceptionTranslationFilter |
异常拦截器 |
AbstractAuthenticationProcessingFilter |
认证拦截器父类 |
UsernamePasswordAuthenticationFilter |
默认的用户名密码认证拦截器 |
ProviderManager |
管理所有认证方法 |
AuthenticationProvider |
认证方法的父类 |
AbstractAuthenticationProcessingFilter类负责认证, 即登录, 内部调用ProviderManager,ProviderManager根据配置决定调用哪个AuthenticationProvider
OAuth2的主要类
| 类名 | 解释 |
|---|---|
AuthorizationEndpoint |
oauth/authorize方法入口 |
TokenEndpoint |
oauth/token方法入口 |
CompositeTokenGranter |
遍历各个认证模式 |
AbstractTokenGranter |
验证认证模式与调用 |
ResourceOwnerPasswordTokenGranter |
password认证模式类 |
拦截器执行顺序
| Alias | Filter Class | Namespace Element or Attribute |
|---|---|---|
| CHANNEL_FILTER | ChannelProcessingFilter |
http/intercept-url@requires-channel |
| SECURITY_CONTEXT_FILTER | SecurityContextPersistenceFilter |
http |
| CONCURRENT_SESSION_FILTER | ConcurrentSessionFilter |
session-management/concurrency-control |
| HEADERS_FILTER | HeaderWriterFilter |
http/headers |
| CSRF_FILTER | CsrfFilter |
http/csrf |
| LOGOUT_FILTER | LogoutFilter |
http/logout |
| X509_FILTER | X509AuthenticationFilter |
http/x509 |
| PRE_AUTH_FILTER | AbstractPreAuthenticatedProcessingFilter Subclasses |
N/A |
| CAS_FILTER | CasAuthenticationFilter |
N/A |
| FORM_LOGIN_FILTER | UsernamePasswordAuthenticationFilter |
http/form-login |
| BASIC_AUTH_FILTER | BasicAuthenticationFilter |
http/http-basic |
| SERVLET_API_SUPPORT_FILTER | SecurityContextHolderAwareRequestFilter |
http/@servlet-api-provision |
| JAAS_API_SUPPORT_FILTER | JaasApiIntegrationFilter |
http/@jaas-api-provision |
| REMEMBER_ME_FILTER | RememberMeAuthenticationFilter |
http/remember-me |
| ANONYMOUS_FILTER | AnonymousAuthenticationFilter |
http/anonymous |
| SESSION_MANAGEMENT_FILTER | SessionManagementFilter |
session-management |
| EXCEPTION_TRANSLATION_FILTER | ExceptionTranslationFilter |
http |
| FILTER_SECURITY_INTERCEPTOR | FilterSecurityInterceptor |
http |
| SWITCH_USER_FILTER | SwitchUserFilter |
N/A |
