Java-Security(六):Spring Security启动加载MySecurityConfig(WebSecurityConfigurerAdapter)/WebSecurity/HttpSecurity(xxxConfigurer、filters)流程
@Override protected void configure(HttpSecurity http) throws Exception { http.csrf().disable(); // 基于token,所以不需要session http.sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS); http.authorizeRequests() .antMatchers("/", "/*.html", "/favicon.ico", "/css/**", "/js/**", "/fonts/**", "/layui/**", "/img/**", "/v2/api-docs/**", "/swagger-resources/**", "/webjars/**", "/pages/**", "/druid/**", "/statics/**") .permitAll().anyRequest().authenticated(); http.formLogin()/*.loginPage("/login.html")*/.loginProcessingUrl("/login") .successHandler(authenticationSuccessHandler).failureHandler(authenticationFailureHandler); // .and().exceptionHandling().authenticationEntryPoint(authenticationEntryPoint); http.logout().logoutUrl("/logout").logoutSuccessHandler(logoutSuccessHandler); // 解决不允许显示在iframe的问题 http.headers().frameOptions().disable(); http.headers().cacheControl(); http.addFilterBefore(tokenFilter, UsernamePasswordAuthenticationFilter.class); }
2)'configure(WebSecurity web)'实现对WebSecurity配置;
3)’configure(AuthenticationManagerBuilder auth)‘实现对Authentication配置;
@Override protected void configure(AuthenticationManagerBuilder auth) throws Exception { auth.userDetailsService(userDetailsService).passwordEncoder(bCryptPasswordEncoder()); }
实际上,这个WebSecurityConfigurerAdapter就是为了干预HttpSecurity/WebSecurity/AuthenticationManagerBuilder,用来根据使用Spring Security的开发人员可以自己通过配置达到自己想要的功能效果。
SpringBoot如何启动SpringSecurity?
如果是SpringBoot项目依赖了Spring Security相关依赖,就会自动加载执行SecurityFilterAutoConfiguration配置类,而SecurityFilterAutoConfiguration加载之前会先加载执(@AutoConfigureAfter({SecurityAutoConfiguration.class}))SecurityAutoConfiguration,在SecurityAutoConfiguraiton生效时它会导入WebSecurityEnableConfiguration
EnableWebSecurity主要是加载了三个类:
Spring Security启动流程
在项目启动中,HttpSecurity中会加载一个Configurers,它们就是实现了AbstractInterceptUrlConfigurer的Configurer类,之后会根据xxxConfigurer后#configure(HttpSecurity http)会加载Configurer对应的Filters列表中:
HttpBasicConfigurer->BasicAuthenticationFilter
LogoutConfigurer->LogoutFilter
RequestCacheConfigurer->RequestCacheAwareFilter
RememberMeConfigurer->RememberMeAuthenticationFilter
ServletApiConfigurer->SecurityContextHolderAwareRequestFilter
DefaultLoginPageConfigurer->DefaultLoginPageGeneratingFilter
SessionManagementConfigurer->SessionManagementFilter
PortMapperConfigurer->无
ExceptionHandlingConfigurer->ExceptionTranslationFilter
HeadersConfigurer->HeaderWriterFilter
CsrfConfigurer->CsrfFilter
ImplicitGrantConfigurer->OAuth2AuthorizationRequestRedirectFilter
AnonymousConfigurer->AnonymousAuthenticationFilter
JeeConfigurer->J2eePreAuthenticatedProcessingFilter
ChannelSecurityConfigurer->ChannelProcessingFilter
CorsConfigurer->CorsFilter
SecurityContextConfigurer->SecurityContextPersistenceFilter
FormLoginConfigurer->DefaultLoginPageGeneratingFilter
OAuth2LoginConfigurer->OAuth2LoginAuthenticationFilter
OpenIDLoginConfigurer->OpenIDAuthenticationFilter
X509Configurer->X509AuthenticationFilter
UrlAuthorizationConfigurer->FilterSecurityInterceptor
ExpressionUrlAuthorizationConfigurer->FilterSecurityInterceptor
SecurityConfigurer:
SecurityBuilder:
WebSecurity是一个securityBuilder,内部维护着securityBuilder的列表,存储securityBuilder,这里主要是存储HttpSecurity。
很多官方类是XXXConfigurer,这些都是SecurityConfigurer。这些SecurityConfigurer的configure()方法,都会把对应filter添加到HttpSecurity
参考:
基础才是编程人员应该深入研究的问题,比如:
1)List/Set/Map内部组成原理|区别
2)mysql索引存储结构&如何调优/b-tree特点、计算复杂度及影响复杂度的因素。。。
3)JVM运行组成与原理及调优
4)Java类加载器运行原理
5)Java中GC过程原理|使用的回收算法原理
6)Redis中hash一致性实现及与hash其他区别
7)Java多线程、线程池开发、管理Lock与Synchroined区别
8)Spring IOC/AOP 原理;加载过程的。。。
【+加关注】。