Spring Security学习小记

本文中用到的Spring Security版本为 5.3.4.RELEASE 。

以下多数内容为阅读官方文档（https://docs.spring.io/spring-security/site/docs/5.3.4.RELEASE/reference/html5）的总结。

1 What

Spring Security provides comprehensive support for authentication, authorization, and protection against common exploits. It also provides integration with other libraries to simplify its usage. 即提供认证、授权、漏洞保护（如CSRF、XSS漏洞预防、密码保存策略等）。

认证（Authentication）和授权（Authorization）：

Authentication is how we verify the identity of who is trying to access a particular resource. A common way to authenticate users is by requiring the user to enter a username and password. Once authentication is performed we know the identity and can perform authorization.

注：SpringSecurity依赖于Servlet，并不依赖于SpringMVC。

 

2 主要功能

功能

Spring Security主要提供authenticate、authorize两个功能：

前者通常用于根据前端传的principal、crendential信息（通常是username、password）去校验该用户是否存在。若存在则将针对该用户的授权信息GrandAuthority返回给调用者；

后者通常是根据前端传的GrandAuthority信息（在前者认证通过后得到）判断该用户是否有权访问某种资源，如某个接口、某个图片等。授权实际上包括三个方面的内容（具体见后面的 Expression-Based Access Control 一节）：

who (Authentication)：谁能访问，也就是校验访问者是否能访问某个URL，称为Web Request Security。通常是要求用户已登录并校验token是否有效，若有效则提取出Authentication信息，也即该用户的角色等相关信息。

where (MethodInvocation)：能访问哪个方法，该方法通常是与某个URL对应的handler方法。称为Method Invocation Security。

what (SomeDomainObject)：能访问什么数据，称为Domain Object Security或Access Controll List（ACL），如学生是否能查询某个课程。在我们之前的实践中通常who、where的授权用框架功能实现，而what由开发者在handler方法内部自己实现。

总结而言，包括功能权限（可访问哪些接口）和数据权限（可访问哪些数据）的控制。

异常处理

Authenticate出异常抛AuthenticationException：如用户名或密码未传、密码不正确等。

Authorize异常抛AccessDeniedException：如当前用户认证了，但没有访问某个接口所需的角色，从而没有访问权限。

对于这两种异常，用户可以自己在onFailureHanlder中处理。实际上，它们也都会在ExceptionTranslationFilter中被translate，因此可以在ExceptionTranslationFilter中做一些文章（如对返回的异常进行统一处理）。需要注意的是，ExceptionTranslationFilter不会处理这两种异常之外的异常。相关源码：

public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        try {
            chain.doFilter(request, response);

            logger.debug("Chain processed normally");
        }
        catch (IOException ex) {
            throw ex;
        }
        catch (Exception ex) {
            // Try to extract a SpringSecurityException from the stacktrace
            Throwable[] causeChain = throwableAnalyzer.determineCauseChain(ex);
            RuntimeException ase = (AuthenticationException) throwableAnalyzer
                    .getFirstThrowableOfType(AuthenticationException.class, causeChain);

            if (ase == null) {
                ase = (AccessDeniedException) throwableAnalyzer.getFirstThrowableOfType(
                        AccessDeniedException.class, causeChain);
            }

            if (ase != null) {
                if (response.isCommitted()) {
                    throw new ServletException("Unable to handle the Spring Security Exception because the response is already committed.", ex);
                }
                handleSpringSecurityException(request, response, chain, ase);
            }
            else {
                // Rethrow ServletExceptions and RuntimeExceptions as-is
                if (ex instanceof ServletException) {
                    throw (ServletException) ex;
                }
                else if (ex instanceof RuntimeException) {
                    throw (RuntimeException) ex;
                }

                // Wrap other Exceptions. This shouldn't actually happen
                // as we've already covered all the possibilities for doFilter
                throw new RuntimeException(ex);
            }
        }
    }



private void handleSpringSecurityException(HttpServletRequest request,
            HttpServletResponse response, FilterChain chain, RuntimeException exception)
            throws IOException, ServletException {
        if (exception instanceof AuthenticationException) {
            logger.debug(
                    "Authentication exception occurred; redirecting to authentication entry point",
                    exception);

            sendStartAuthentication(request, response, chain,
                    (AuthenticationException) exception);
        }
        else if (exception instanceof AccessDeniedException) {
            Authentication authentication = SecurityContextHolder.getContext().getAuthentication();
            if (authenticationTrustResolver.isAnonymous(authentication) || authenticationTrustResolver.isRememberMe(authentication)) {
                logger.debug(
                        "Access is denied (user is " + (authenticationTrustResolver.isAnonymous(authentication) ? "anonymous" : "not fully authenticated") + "); redirecting to authentication entry point",
                        exception);

                sendStartAuthentication(
                        request,
                        response,
                        chain,
                        new InsufficientAuthenticationException(
                            messages.getMessage(
                                "ExceptionTranslationFilter.insufficientAuthentication",
                                "Full authentication is required to access this resource")));
            }
            else {
                logger.debug(
                        "Access is denied (user is not anonymous); delegating to AccessDeniedHandler",
                        exception);

                accessDeniedHandler.handle(request, response,
                        (AccessDeniedException) exception);
            }
        }
    }

实现

Authentication基于servlet filter实现；Authorization基于Spring Intercepter实现。

  

Integrations

参阅：https://docs.spring.io/spring-security/site/docs/5.3.4.RELEASE/reference/html5/#integrations

Spring Security与很多现有Servlet或Spring Framework 的功能（具体如下图所示的）无缝集成。包括：

 

这里介绍其中几种：

Servlet API Integration

Servlet 2.5+ ：（实现类为 org.springframework.security.web.servletapi.SecurityContextHolderAwareRequestWrapper）

 HttpServletRequest.getRemoteUser()  will return the result of  SecurityContextHolder.getContext().getAuthentication().getName() 

 HttpServletRequest.getUserPrincipal()  will return the result of  SecurityContextHolder.getContext().getAuthentication() 

 HttpServletRequest.isUserInRole(String)  will return the result of  SecurityContextHolder.getContext().getAuthentication().getAuthorities() ，这个用得较多。

Servlet 3+ ：（实现类为 org.springframework.security.web.servletapi.HttpServlet3RequestFactory）

 HttpServletRequest.authenticate(HttpServletRequest,HttpServletResponse) ：used to ensure that a user is authenticated. If they are not authenticated, the configured AuthenticationEntryPoint will be used to request the user to authenticate (i.e. redirect to the login page).

 HttpServletRequest.login(String,String) ：used to authenticate the user with the current AuthenticationManager

 HttpServletRequest.logout() ：used to log the current user out. Typically this means that the SecurityContextHolder will be cleared out, the HttpSession will be invalidated, any "Remember Me" authentication will be cleaned up, etc.

 HttpServletRequest.startAsync() ：Puts this request into asynchronous mode, and initializes its AsyncContext with the original (unwrapped) ServletRequest and ServletResponse objects.

Servlet 3.1 ：

 HttpServletRequest.changeSessionId() 

 

Spring MVC Integration

@AuthenticationPrincipal：通过该注解可以自动将值注入方法参数，等价于 SecurityContextHolder.getContext().getAuthentication().getPrincipal() 

示例：通过@AuthenticationPrincipal直接向Handler方法注入Security信息

@RequestMapping("/messages/inbox")
public ModelAndView findMessagesForUser(@AuthenticationPrincipal CustomUser customUser) {

    // .. find messages for this user and return them ...
}

上例等价于通过SecurityContext来获取：

 CustomerUser customUser = (CustomerUser)SecurityContextHolder.getContext().getAuthentication().getPrincipal(); 

 

 

3 原理

参阅官方文档：https://spring.io/projects/spring-security#learn、https://spring.io/guides/topicals/spring-security-architecture

3.1 Spring Security Filter

如图，实际上只会有一个filter（Spring Security中称为FilterChainProxy）被真正加入到Servlet Container的filter chain中。使用SpringSecurity时指定的各种业务filter（如authentication filter、authorization filter）并不会成为真正的Servlet filter，而是作为逻辑filter组成一个filter chain（即FilterChainProxy#VirtualFilterChain），这个chain会被FilterChainProxy.doFilter调用。

FilterChainProxy：注册到Servlet Container的filter chain，实际上还被DelegatingFilterProxy wrap。如上图左边所示。

SecurityFilterChain：SpringSecurity中用户添加的各种filter组成逻辑filter，包装成SecurityFilterChain保存在FilterChainProxy对象中，可以有多个SecurityFilterChain（List<SecurityChain> filterChains）。如上图右边所示。用户可以添加自定义的SecurityFilterChain，未自定义则默认初始化DefaultSecurityFilterChain。

FilterChainProxy#VirtualFilterChain：请求到来时FilterChainProxy.doFilter方法从DefaultSecurityFilterChain获取match当前request的filter列表并包装成VirtualFilterChain，通过VirtualFilterChain依次调用各filter。

可以看出，与普通的filter一样，Spring Security Filter是在DispatcherServlet之前起作用的。

相关源码：

/*
 * Copyright 2004, 2005, 2006 Acegi Technology Pty Limited
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
 * You may obtain a copy of the License at
 *
 *      http://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 * See the License for the specific language governing permissions and
 * limitations under the License.
 */

package org.springframework.security.web;

import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.security.web.firewall.FirewalledRequest;
import org.springframework.security.web.firewall.HttpFirewall;
import org.springframework.security.web.firewall.StrictHttpFirewall;
import org.springframework.security.web.util.matcher.RequestMatcher;
import org.springframework.security.web.util.UrlUtils;
import org.springframework.web.filter.DelegatingFilterProxy;
import org.springframework.web.filter.GenericFilterBean;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import java.io.IOException;
import java.util.*;

/**
 * Delegates {@code Filter} requests to a list of Spring-managed filter beans. As of
 * version 2.0, you shouldn't need to explicitly configure a {@code FilterChainProxy} bean
 * in your application context unless you need very fine control over the filter chain
 * contents. Most cases should be adequately covered by the default
 * {@code <security:http />} namespace configuration options.
 * <p>
 * The {@code FilterChainProxy} is linked into the servlet container filter chain by
 * adding a standard Spring {@link DelegatingFilterProxy} declaration in the application
 * {@code web.xml} file.
 *
 * <h2>Configuration</h2>
 * <p>
 * As of version 3.1, {@code FilterChainProxy} is configured using a list of
 * {@link SecurityFilterChain} instances, each of which contains a {@link RequestMatcher}
 * and a list of filters which should be applied to matching requests. Most applications
 * will only contain a single filter chain, and if you are using the namespace, you don't
 * have to set the chains explicitly. If you require finer-grained control, you can make
 * use of the {@code <filter-chain>} namespace element. This defines a URI pattern
 * and the list of filters (as comma-separated bean names) which should be applied to
 * requests which match the pattern. An example configuration might look like this:
 *
 * <pre>
 *  &lt;bean id="myfilterChainProxy" class="org.springframework.security.util.FilterChainProxy"&gt;
 *      &lt;constructor-arg&gt;
 *          &lt;util:list&gt;
 *              &lt;security:filter-chain pattern="/do/not/filter*" filters="none"/&gt;
 *              &lt;security:filter-chain pattern="/**" filters="filter1,filter2,filter3"/&gt;
 *          &lt;/util:list&gt;
 *      &lt;/constructor-arg&gt;
 *  &lt;/bean&gt;
 * </pre>
 *
 * The names "filter1", "filter2", "filter3" should be the bean names of {@code Filter}
 * instances defined in the application context. The order of the names defines the order
 * in which the filters will be applied. As shown above, use of the value "none" for the
 * "filters" can be used to exclude a request pattern from the security filter chain
 * entirely. Please consult the security namespace schema file for a full list of
 * available configuration options.
 *
 * <h2>Request Handling</h2>
 * <p>
 * Each possible pattern that the {@code FilterChainProxy} should service must be entered.
 * The first match for a given request will be used to define all of the {@code Filter}s
 * that apply to that request. This means you must put most specific matches at the top of
 * the list, and ensure all {@code Filter}s that should apply for a given matcher are
 * entered against the respective entry. The {@code FilterChainProxy} will not iterate
 * through the remainder of the map entries to locate additional {@code Filter}s.
 * <p>
 * {@code FilterChainProxy} respects normal handling of {@code Filter}s that elect not to
 * call
 * {@link javax.servlet.Filter#doFilter(javax.servlet.ServletRequest, javax.servlet.ServletResponse, javax.servlet.FilterChain)}
 * , in that the remainder of the original or {@code FilterChainProxy}-declared filter
 * chain will not be called.
 *
 * <h3>Request Firewalling</h3>
 *
 * An {@link HttpFirewall} instance is used to validate incoming requests and create a
 * wrapped request which provides consistent path values for matching against. See
 * {@link StrictHttpFirewall}, for more information on the type of attacks which the
 * default implementation protects against. A custom implementation can be injected to
 * provide stricter control over the request contents or if an application needs to
 * support certain types of request which are rejected by default.
 * <p>
 * Note that this means that you must use the Spring Security filters in combination with
 * a {@code FilterChainProxy} if you want this protection. Don't define them explicitly in
 * your {@code web.xml} file.
 * <p>
 * {@code FilterChainProxy} will use the firewall instance to obtain both request and
 * response objects which will be fed down the filter chain, so it is also possible to use
 * this functionality to control the functionality of the response. When the request has
 * passed through the security filter chain, the {@code reset} method will be called. With
 * the default implementation this means that the original values of {@code servletPath}
 * and {@code pathInfo} will be returned thereafter, instead of the modified ones used for
 * security pattern matching.
 * <p>
 * Since this additional wrapping functionality is performed by the
 * {@code FilterChainProxy}, we don't recommend that you use multiple instances in the
 * same filter chain. It shouldn't be considered purely as a utility for wrapping filter
 * beans in a single {@code Filter} instance.
 *
 * <h2>Filter Lifecycle</h2>
 * <p>
 * Note the {@code Filter} lifecycle mismatch between the servlet container and IoC
 * container. As described in the {@link DelegatingFilterProxy} Javadocs, we recommend you
 * allow the IoC container to manage the lifecycle instead of the servlet container.
 * {@code FilterChainProxy} does not invoke the standard filter lifecycle methods on any
 * filter beans that you add to the application context.
 *
 * @author Carlos Sanchez
 * @author Ben Alex
 * @author Luke Taylor
 * @author Rob Winch
 */
public class FilterChainProxy extends GenericFilterBean {
    // ~ Static fields/initializers
    // =====================================================================================

    private static final Log logger = LogFactory.getLog(FilterChainProxy.class);

    // ~ Instance fields
    // ================================================================================================

    private final static String FILTER_APPLIED = FilterChainProxy.class.getName().concat(
            ".APPLIED");

    private List<SecurityFilterChain> filterChains;

    private FilterChainValidator filterChainValidator = new NullFilterChainValidator();

    private HttpFirewall firewall = new StrictHttpFirewall();

    // ~ Methods
    // ========================================================================================================

    public FilterChainProxy() {
    }

    public FilterChainProxy(SecurityFilterChain chain) {
        this(Arrays.asList(chain));
    }

    public FilterChainProxy(List<SecurityFilterChain> filterChains) {
        this.filterChains = filterChains;
    }

    @Override
    public void afterPropertiesSet() {
        filterChainValidator.validate(this);
    }

    @Override
    public void doFilter(ServletRequest request, ServletResponse response,
            FilterChain chain) throws IOException, ServletException {
        boolean clearContext = request.getAttribute(FILTER_APPLIED) == null;
        if (clearContext) {
            try {
                request.setAttribute(FILTER_APPLIED, Boolean.TRUE);
                doFilterInternal(request, response, chain);
            }
            finally {
                SecurityContextHolder.clearContext();
                request.removeAttribute(FILTER_APPLIED);
            }
        }
        else {
            doFilterInternal(request, response, chain);
        }
    }

    private void doFilterInternal(ServletRequest request, ServletResponse response,
            FilterChain chain) throws IOException, ServletException {

        FirewalledRequest fwRequest = firewall
                .getFirewalledRequest((HttpServletRequest) request);
        HttpServletResponse fwResponse = firewall
                .getFirewalledResponse((HttpServletResponse) response);

        List<Filter> filters = getFilters(fwRequest);

        if (filters == null || filters.size() == 0) {
            if (logger.isDebugEnabled()) {
                logger.debug(UrlUtils.buildRequestUrl(fwRequest)
                        + (filters == null ? " has no matching filters"
                                : " has an empty filter list"));
            }

            fwRequest.reset();

            chain.doFilter(fwRequest, fwResponse);

            return;
        }

        VirtualFilterChain vfc = new VirtualFilterChain(fwRequest, chain, filters);
        vfc.doFilter(fwRequest, fwResponse);
    }

    /**
     * Returns the first filter chain matching the supplied URL.
     *
     * @param request the request to match
     * @return an ordered array of Filters defining the filter chain
     */
    private List<Filter> getFilters(HttpServletRequest request) {
        for (SecurityFilterChain chain : filterChains) {
            if (chain.matches(request)) {
                return chain.getFilters();
            }
        }

        return null;
    }

    /**
     * Convenience method, mainly for testing.
     *
     * @param url the URL
     * @return matching filter list
     */
    public List<Filter> getFilters(String url) {
        return getFilters(firewall.getFirewalledRequest((new FilterInvocation(url, null)
                .getRequest())));
    }

    /**
     * @return the list of {@code SecurityFilterChain}s which will be matched against and
     * applied to incoming requests.
     */
    public List<SecurityFilterChain> getFilterChains() {
        return Collections.unmodifiableList(filterChains);
    }

    /**
     * Used (internally) to specify a validation strategy for the filters in each
     * configured chain.
     *
     * @param filterChainValidator the validator instance which will be invoked on during
     * initialization to check the {@code FilterChainProxy} instance.
     */
    public void setFilterChainValidator(FilterChainValidator filterChainValidator) {
        this.filterChainValidator = filterChainValidator;
    }

    /**
     * Sets the "firewall" implementation which will be used to validate and wrap (or
     * potentially reject) the incoming requests. The default implementation should be
     * satisfactory for most requirements.
     *
     * @param firewall
     */
    public void setFirewall(HttpFirewall firewall) {
        this.firewall = firewall;
    }

    @Override
    public String toString() {
        StringBuilder sb = new StringBuilder();
        sb.append("FilterChainProxy[");
        sb.append("Filter Chains: ");
        sb.append(filterChains);
        sb.append("]");

        return sb.toString();
    }

    // ~ Inner Classes
    // ==================================================================================================

    /**
     * Internal {@code FilterChain} implementation that is used to pass a request through
     * the additional internal list of filters which match the request.
     */
    private static class VirtualFilterChain implements FilterChain {
        private final FilterChain originalChain;
        private final List<Filter> additionalFilters;
        private final FirewalledRequest firewalledRequest;
        private final int size;
        private int currentPosition = 0;

        private VirtualFilterChain(FirewalledRequest firewalledRequest,
                FilterChain chain, List<Filter> additionalFilters) {
            this.originalChain = chain;
            this.additionalFilters = additionalFilters;
            this.size = additionalFilters.size();
            this.firewalledRequest = firewalledRequest;
        }

        @Override
        public void doFilter(ServletRequest request, ServletResponse response)
                throws IOException, ServletException {
            if (currentPosition == size) {
                if (logger.isDebugEnabled()) {
                    logger.debug(UrlUtils.buildRequestUrl(firewalledRequest)
                            + " reached end of additional filter chain; proceeding with original chain");
                }

                // Deactivate path stripping as we exit the security filter chain
                this.firewalledRequest.reset();

                originalChain.doFilter(request, response);
            }
            else {
                currentPosition++;

                Filter nextFilter = additionalFilters.get(currentPosition - 1);

                if (logger.isDebugEnabled()) {
                    logger.debug(UrlUtils.buildRequestUrl(firewalledRequest)
                            + " at position " + currentPosition + " of " + size
                            + " in additional filter chain; firing Filter: '"
                            + nextFilter.getClass().getSimpleName() + "'");
                }

                nextFilter.doFilter(request, response, this);
            }
        }
    }

    public interface FilterChainValidator {
        void validate(FilterChainProxy filterChainProxy);
    }

    private static class NullFilterChainValidator implements FilterChainValidator {
        @Override
        public void validate(FilterChainProxy filterChainProxy) {
        }
    }

}

、

 

 

 默认的Spring Security Filter顺序（参阅：https://docs.spring.io/spring-security/site/docs/5.3.4.RELEASE/reference/html5/#servlet-security-filters）：

ChannelProcessingFilter

ConcurrentSessionFilter

WebAsyncManagerIntegrationFilter

SecurityContextPersistenceFilter

HeaderWriterFilter

CorsFilter

CsrfFilter

LogoutFilter

OAuth2AuthorizationRequestRedirectFilter

Saml2WebSsoAuthenticationRequestFilter

X509AuthenticationFilter

AbstractPreAuthenticatedProcessingFilter

CasAuthenticationFilter

OAuth2LoginAuthenticationFilter

Saml2WebSsoAuthenticationFilter

UsernamePasswordAuthenticationFilter

ConcurrentSessionFilter

OpenIDAuthenticationFilter

DefaultLoginPageGeneratingFilter

DefaultLogoutPageGeneratingFilter

DigestAuthenticationFilter

BearerTokenAuthenticationFilter

BasicAuthenticationFilter

RequestCacheAwareFilter

SecurityContextHolderAwareRequestFilter

JaasApiIntegrationFilter

RememberMeAuthenticationFilter

AnonymousAuthenticationFilter

OAuth2AuthorizationCodeGrantFilter

SessionManagementFilter

ExceptionTranslationFilter

FilterSecurityInterceptor

SwitchUserFilter

 

3.2 Authentication

参阅：https://docs.spring.io/spring-security/site/docs/5.3.4.RELEASE/reference/html5/#servlet-authentication

The Authentication serves two main purposes within Spring Security:

An input to AuthenticationManager to provide the credentials a user has provided to authenticate. When used in this scenario, isAuthenticated() returns false.

Represents the currently authenticated user. The current Authentication can be obtained from the SecurityContext.

The Authentication contains:

principal - identifies the user. When authenticating with a username/password this is often an instance of UserDetails.

credentials - Often a password. In many cases this will be cleared after the user is authenticated to ensure it is not leaked.

authorities - the GrantedAuthoritys are high level permissions the user is granted. A few examples are roles or scopes.

 主要执行流程：

先由ProcessingFilter预处理，处理通过则交由AuthenticationManager进一步处理；

AuthenticationManager的具体实现为ProviderManager，其内部包含若干AuthenticationProvider，会依次调用这些AuthenticationProvider进行authenticate操作；

若authenticate成功则交由AuthenticationSuccessHanlder进一步处理；

上述过程中出错则交由AuthenticationFailureHanlder处理。

示意图：（from https://www.cnkirito.moe/categories/Spring-Security/ ）

  、 

相关代码：

AbstractAuthenticationProcessingFilter

ProviderManager

AuthenticationProcider

 

3.3 Authorization

参阅：https://docs.spring.io/spring-security/site/docs/5.3.4.RELEASE/reference/html5/#servlet-authorization

Authorization是通过Spring 拦截器来实现的。

 

3.3.0 启用/配置（GlobalMethodSecurityConfiguration）

参阅：https://docs.spring.io/spring-security/site/docs/5.3.4.RELEASE/reference/html5/#ns-global-method

通过 @EnableGlobalMethodSecurity 来启用authorize功能，该注解会去加载 GlobalMethodSecurityConfiguration 配置类，后者会进行包括但不限于如下内容的配置：

GlobalMethodSecurityConfiguration

afterInvocationManager

authenticationManager

methodSecurityMetadataSource

runAsManager

MethodSecurityExpressionHandler

PermissionEvaluator

RoleHierarchy

源码：

/*
 * Copyright 2002-2016 the original author or authors.
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
 * You may obtain a copy of the License at
 *
 *      http://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 * See the License for the specific language governing permissions and
 * limitations under the License.
 */
package org.springframework.security.config.annotation.method.configuration;

import java.util.ArrayList;
import java.util.List;
import java.util.Map;

import org.aopalliance.intercept.MethodInterceptor;
import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;

import org.springframework.beans.factory.SmartInitializingSingleton;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.context.ApplicationContext;
import org.springframework.context.annotation.AdviceMode;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.context.annotation.ImportAware;
import org.springframework.core.annotation.AnnotationAttributes;
import org.springframework.core.annotation.AnnotationUtils;
import org.springframework.core.type.AnnotationMetadata;
import org.springframework.security.access.AccessDecisionManager;
import org.springframework.security.access.AccessDecisionVoter;
import org.springframework.security.access.AfterInvocationProvider;
import org.springframework.security.access.PermissionEvaluator;
import org.springframework.security.access.annotation.Jsr250MethodSecurityMetadataSource;
import org.springframework.security.access.annotation.Jsr250Voter;
import org.springframework.security.access.annotation.SecuredAnnotationSecurityMetadataSource;
import org.springframework.security.access.expression.method.DefaultMethodSecurityExpressionHandler;
import org.springframework.security.access.expression.method.ExpressionBasedAnnotationAttributeFactory;
import org.springframework.security.access.expression.method.ExpressionBasedPostInvocationAdvice;
import org.springframework.security.access.expression.method.ExpressionBasedPreInvocationAdvice;
import org.springframework.security.access.expression.method.MethodSecurityExpressionHandler;
import org.springframework.security.access.hierarchicalroles.RoleHierarchy;
import org.springframework.security.access.intercept.AfterInvocationManager;
import org.springframework.security.access.intercept.AfterInvocationProviderManager;
import org.springframework.security.access.intercept.RunAsManager;
import org.springframework.security.access.intercept.aopalliance.MethodSecurityInterceptor;
import org.springframework.security.access.intercept.aspectj.AspectJMethodSecurityInterceptor;
import org.springframework.security.access.method.DelegatingMethodSecurityMetadataSource;
import org.springframework.security.access.method.MethodSecurityMetadataSource;
import org.springframework.security.access.prepost.PostInvocationAdviceProvider;
import org.springframework.security.access.prepost.PreInvocationAuthorizationAdvice;
import org.springframework.security.access.prepost.PreInvocationAuthorizationAdviceVoter;
import org.springframework.security.access.prepost.PrePostAnnotationSecurityMetadataSource;
import org.springframework.security.access.vote.AffirmativeBased;
import org.springframework.security.access.vote.AuthenticatedVoter;
import org.springframework.security.access.vote.RoleVoter;
import org.springframework.security.authentication.AuthenticationManager;
import org.springframework.security.authentication.AuthenticationTrustResolver;
import org.springframework.security.authentication.DefaultAuthenticationEventPublisher;
import org.springframework.security.config.annotation.ObjectPostProcessor;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.authentication.configuration.AuthenticationConfiguration;
import org.springframework.security.config.core.GrantedAuthorityDefaults;
import org.springframework.util.Assert;

/**
 * Base {@link Configuration} for enabling global method security. Classes may extend this
 * class to customize the defaults, but must be sure to specify the
 * {@link EnableGlobalMethodSecurity} annotation on the subclass.
 *
 * @author Rob Winch
 * @author Eddú Meléndez
 * @since 3.2
 * @see EnableGlobalMethodSecurity
 */
@Configuration
public class GlobalMethodSecurityConfiguration
        implements ImportAware, SmartInitializingSingleton {
    private static final Log logger = LogFactory
            .getLog(GlobalMethodSecurityConfiguration.class);
    private ObjectPostProcessor<Object> objectPostProcessor = new ObjectPostProcessor<Object>() {
        public <T> T postProcess(T object) {
            throw new IllegalStateException(ObjectPostProcessor.class.getName()
                    + " is a required bean. Ensure you have used @"
                    + EnableGlobalMethodSecurity.class.getName());
        }
    };
    private DefaultMethodSecurityExpressionHandler defaultMethodExpressionHandler = new DefaultMethodSecurityExpressionHandler();
    private AuthenticationManager authenticationManager;
    private AuthenticationManagerBuilder auth;
    private boolean disableAuthenticationRegistry;
    private AnnotationAttributes enableMethodSecurity;
    private ApplicationContext context;
    private MethodSecurityExpressionHandler expressionHandler;
    private Jsr250MethodSecurityMetadataSource jsr250MethodSecurityMetadataSource;
    private MethodSecurityInterceptor methodSecurityInterceptor;

    /**
     * Creates the default MethodInterceptor which is a MethodSecurityInterceptor using
     * the following methods to construct it.
     * <ul>
     * <li>{@link #accessDecisionManager()}</li>
     * <li>{@link #afterInvocationManager()}</li>
     * <li>{@link #authenticationManager()}</li>
     * <li>{@link #methodSecurityMetadataSource()}</li>
     * <li>{@link #runAsManager()}</li>
     *
     * </ul>
     *
     * <p>
     * Subclasses can override this method to provide a different
     * {@link MethodInterceptor}.
     * </p>
     *
     * @return
     * @throws Exception
     */
    @Bean
    public MethodInterceptor methodSecurityInterceptor() throws Exception {
        this.methodSecurityInterceptor = isAspectJ()
                ? new AspectJMethodSecurityInterceptor()
                : new MethodSecurityInterceptor();
        methodSecurityInterceptor.setAccessDecisionManager(accessDecisionManager());
        methodSecurityInterceptor.setAfterInvocationManager(afterInvocationManager());
        methodSecurityInterceptor
                .setSecurityMetadataSource(methodSecurityMetadataSource());
        RunAsManager runAsManager = runAsManager();
        if (runAsManager != null) {
            methodSecurityInterceptor.setRunAsManager(runAsManager);
        }

        return this.methodSecurityInterceptor;
    }

    /*
     * (non-Javadoc)
     *
     * @see org.springframework.beans.factory.SmartInitializingSingleton#
     * afterSingletonsInstantiated()
     */
    @Override
    public void afterSingletonsInstantiated() {
        try {
            initializeMethodSecurityInterceptor();
        }
        catch (Exception e) {
            throw new RuntimeException(e);
        }

        PermissionEvaluator permissionEvaluator = getSingleBeanOrNull(
                PermissionEvaluator.class);
        if (permissionEvaluator != null) {
            this.defaultMethodExpressionHandler
                    .setPermissionEvaluator(permissionEvaluator);
        }

        RoleHierarchy roleHierarchy = getSingleBeanOrNull(RoleHierarchy.class);
        if (roleHierarchy != null) {
            this.defaultMethodExpressionHandler.setRoleHierarchy(roleHierarchy);
        }

        AuthenticationTrustResolver trustResolver = getSingleBeanOrNull(
                AuthenticationTrustResolver.class);
        if (trustResolver != null) {
            this.defaultMethodExpressionHandler.setTrustResolver(trustResolver);
        }

        GrantedAuthorityDefaults grantedAuthorityDefaults = getSingleBeanOrNull(
                GrantedAuthorityDefaults.class);
        if (grantedAuthorityDefaults != null) {
            this.defaultMethodExpressionHandler.setDefaultRolePrefix(
                    grantedAuthorityDefaults.getRolePrefix());
        }
    }

    private <T> T getSingleBeanOrNull(Class<T> type) {
        String[] beanNamesForType = this.context.getBeanNamesForType(type);
        if (beanNamesForType == null || beanNamesForType.length != 1) {
            return null;
        }
        return this.context.getBean(beanNamesForType[0], type);
    }

    private void initializeMethodSecurityInterceptor() throws Exception {
        if(this.methodSecurityInterceptor == null) {
            return;
        }
        this.methodSecurityInterceptor.setAuthenticationManager(authenticationManager());
    }

    /**
     * Provide a custom {@link AfterInvocationManager} for the default implementation of
     * {@link #methodSecurityInterceptor()}. The default is null if pre post is not
     * enabled. Otherwise, it returns a {@link AfterInvocationProviderManager}.
     *
     * <p>
     * Subclasses should override this method to provide a custom
     * {@link AfterInvocationManager}
     * </p>
     *
     * @return
     */
    protected AfterInvocationManager afterInvocationManager() {
        if (prePostEnabled()) {
            AfterInvocationProviderManager invocationProviderManager = new AfterInvocationProviderManager();
            ExpressionBasedPostInvocationAdvice postAdvice = new ExpressionBasedPostInvocationAdvice(
                    getExpressionHandler());
            PostInvocationAdviceProvider postInvocationAdviceProvider = new PostInvocationAdviceProvider(
                    postAdvice);
            List<AfterInvocationProvider> afterInvocationProviders = new ArrayList<>();
            afterInvocationProviders.add(postInvocationAdviceProvider);
            invocationProviderManager.setProviders(afterInvocationProviders);
            return invocationProviderManager;
        }
        return null;
    }

    /**
     * Provide a custom {@link RunAsManager} for the default implementation of
     * {@link #methodSecurityInterceptor()}. The default is null.
     *
     * @return
     */
    protected RunAsManager runAsManager() {
        return null;
    }

    /**
     * Allows subclasses to provide a custom {@link AccessDecisionManager}. The default is
     * a {@link AffirmativeBased} with the following voters:
     *
     * <ul>
     * <li>{@link PreInvocationAuthorizationAdviceVoter}</li>
     * <li>{@link RoleVoter}</li>
     * <li>{@link AuthenticatedVoter}</li>
     * </ul>
     *
     * @return
     */
    protected AccessDecisionManager accessDecisionManager() {
        List<AccessDecisionVoter<? extends Object>> decisionVoters = new ArrayList<AccessDecisionVoter<? extends Object>>();
        ExpressionBasedPreInvocationAdvice expressionAdvice = new ExpressionBasedPreInvocationAdvice();
        expressionAdvice.setExpressionHandler(getExpressionHandler());
        if (prePostEnabled()) {
            decisionVoters
                    .add(new PreInvocationAuthorizationAdviceVoter(expressionAdvice));
        }
        if (jsr250Enabled()) {
            decisionVoters.add(new Jsr250Voter());
        }
        decisionVoters.add(new RoleVoter());
        decisionVoters.add(new AuthenticatedVoter());
        return new AffirmativeBased(decisionVoters);
    }

    /**
     * Provide a {@link MethodSecurityExpressionHandler} that is registered with the
     * {@link ExpressionBasedPreInvocationAdvice}. The default is
     * {@link DefaultMethodSecurityExpressionHandler} which optionally will Autowire an
     * {@link AuthenticationTrustResolver}.
     *
     * <p>
     * Subclasses may override this method to provide a custom
     * {@link MethodSecurityExpressionHandler}
     * </p>
     *
     * @return
     */
    protected MethodSecurityExpressionHandler createExpressionHandler() {
        return defaultMethodExpressionHandler;
    }

    /**
     * Gets the {@link MethodSecurityExpressionHandler} or creates it using
     * {@link #expressionHandler}.
     *
     * @return a non {@code null} {@link MethodSecurityExpressionHandler}
     */
    protected final MethodSecurityExpressionHandler getExpressionHandler() {
        if (expressionHandler == null) {
            expressionHandler = createExpressionHandler();
        }
        return expressionHandler;
    }

    /**
     * Provides a custom {@link MethodSecurityMetadataSource} that is registered with the
     * {@link #methodSecurityMetadataSource()}. Default is null.
     *
     * @return a custom {@link MethodSecurityMetadataSource} that is registered with the
     * {@link #methodSecurityMetadataSource()}
     */
    protected MethodSecurityMetadataSource customMethodSecurityMetadataSource() {
        return null;
    }

    /**
     * Allows providing a custom {@link AuthenticationManager}. The default is to use any
     * authentication mechanisms registered by
     * {@link #configure(AuthenticationManagerBuilder)}. If
     * {@link #configure(AuthenticationManagerBuilder)} was not overridden, then an
     * {@link AuthenticationManager} is attempted to be autowired by type.
     *
     * @return
     */
    protected AuthenticationManager authenticationManager() throws Exception {
        if (authenticationManager == null) {
            DefaultAuthenticationEventPublisher eventPublisher = objectPostProcessor
                    .postProcess(new DefaultAuthenticationEventPublisher());
            auth = new AuthenticationManagerBuilder(objectPostProcessor);
            auth.authenticationEventPublisher(eventPublisher);
            configure(auth);
            if (disableAuthenticationRegistry) {
                authenticationManager = getAuthenticationConfiguration()
                        .getAuthenticationManager();
            }
            else {
                authenticationManager = auth.build();
            }
        }
        return authenticationManager;
    }

    /**
     * Sub classes can override this method to register different types of authentication.
     * If not overridden, {@link #configure(AuthenticationManagerBuilder)} will attempt to
     * autowire by type.
     *
     * @param auth the {@link AuthenticationManagerBuilder} used to register different
     * authentication mechanisms for the global method security.
     * @throws Exception
     */
    protected void configure(AuthenticationManagerBuilder auth) throws Exception {
        this.disableAuthenticationRegistry = true;
    }

    /**
     * Provides the default {@link MethodSecurityMetadataSource} that will be used. It
     * creates a {@link DelegatingMethodSecurityMetadataSource} based upon
     * {@link #customMethodSecurityMetadataSource()} and the attributes on
     * {@link EnableGlobalMethodSecurity}.
     *
     * @return
     */
    @Bean
    public MethodSecurityMetadataSource methodSecurityMetadataSource() {
        List<MethodSecurityMetadataSource> sources = new ArrayList<>();
        ExpressionBasedAnnotationAttributeFactory attributeFactory = new ExpressionBasedAnnotationAttributeFactory(
                getExpressionHandler());
        MethodSecurityMetadataSource customMethodSecurityMetadataSource = customMethodSecurityMetadataSource();
        if (customMethodSecurityMetadataSource != null) {
            sources.add(customMethodSecurityMetadataSource);
        }
        if (prePostEnabled()) {
            sources.add(new PrePostAnnotationSecurityMetadataSource(attributeFactory));
        }
        if (securedEnabled()) {
            sources.add(new SecuredAnnotationSecurityMetadataSource());
        }
        if (jsr250Enabled()) {
            GrantedAuthorityDefaults grantedAuthorityDefaults =
                    getSingleBeanOrNull(GrantedAuthorityDefaults.class);
            if (grantedAuthorityDefaults != null) {
                this.jsr250MethodSecurityMetadataSource.setDefaultRolePrefix(
                        grantedAuthorityDefaults.getRolePrefix());
            }
            sources.add(jsr250MethodSecurityMetadataSource);
        }
        return new DelegatingMethodSecurityMetadataSource(sources);
    }

    /**
     * Creates the {@link PreInvocationAuthorizationAdvice} to be used. The default is
     * {@link ExpressionBasedPreInvocationAdvice}.
     *
     * @return
     */
    @Bean
    public PreInvocationAuthorizationAdvice preInvocationAuthorizationAdvice() {
        ExpressionBasedPreInvocationAdvice preInvocationAdvice = new ExpressionBasedPreInvocationAdvice();
        preInvocationAdvice.setExpressionHandler(getExpressionHandler());
        return preInvocationAdvice;
    }

    /**
     * Obtains the attributes from {@link EnableGlobalMethodSecurity} if this class was
     * imported using the {@link EnableGlobalMethodSecurity} annotation.
     */
    public final void setImportMetadata(AnnotationMetadata importMetadata) {
        Map<String, Object> annotationAttributes = importMetadata
                .getAnnotationAttributes(EnableGlobalMethodSecurity.class.getName());
        enableMethodSecurity = AnnotationAttributes.fromMap(annotationAttributes);
    }

    @Autowired(required = false)
    public void setObjectPostProcessor(ObjectPostProcessor<Object> objectPostProcessor) {
        this.objectPostProcessor = objectPostProcessor;
        this.defaultMethodExpressionHandler = objectPostProcessor
                .postProcess(defaultMethodExpressionHandler);
    }

    @Autowired(required = false)
    public void setJsr250MethodSecurityMetadataSource(
            Jsr250MethodSecurityMetadataSource jsr250MethodSecurityMetadataSource) {
        this.jsr250MethodSecurityMetadataSource = jsr250MethodSecurityMetadataSource;
    }

    @Autowired(required = false)
    public void setMethodSecurityExpressionHandler(
            List<MethodSecurityExpressionHandler> handlers) {
        if (handlers.size() != 1) {
            logger.debug("Not autowiring MethodSecurityExpressionHandler since size != 1. Got "
                    + handlers);
            return;
        }
        this.expressionHandler = handlers.get(0);
    }

    @Autowired
    public void setApplicationContext(ApplicationContext context) {
        this.context = context;
    }

    private AuthenticationConfiguration getAuthenticationConfiguration() {
        return context.getBean(AuthenticationConfiguration.class);
    }

    private boolean prePostEnabled() {
        return enableMethodSecurity().getBoolean("prePostEnabled");
    }

    private boolean securedEnabled() {
        return enableMethodSecurity().getBoolean("securedEnabled");
    }

    private boolean jsr250Enabled() {
        return enableMethodSecurity().getBoolean("jsr250Enabled");
    }

    private int order() {
        return (Integer) enableMethodSecurity().get("order");
    }

    private boolean isAspectJ() {
        return enableMethodSecurity().getEnum("mode") == AdviceMode.ASPECTJ;
    }

    private AnnotationAttributes enableMethodSecurity() {
        if (enableMethodSecurity == null) {
            // if it is null look at this instance (i.e. a subclass was used)
            EnableGlobalMethodSecurity methodSecurityAnnotation = AnnotationUtils
                    .findAnnotation(getClass(), EnableGlobalMethodSecurity.class);
            Assert.notNull(methodSecurityAnnotation,
                    EnableGlobalMethodSecurity.class.getName() + " is required");
            Map<String, Object> methodSecurityAttrs = AnnotationUtils
                    .getAnnotationAttributes(methodSecurityAnnotation);
            this.enableMethodSecurity = AnnotationAttributes.fromMap(methodSecurityAttrs);
        }
        return this.enableMethodSecurity;
    }
}

 

3.3.1 Pre-Invocation Handling

Spring Security provides interceptors which control access to secure objects such as method invocations or web requests. A pre-invocation decision on whether the invocation is allowed to proceed is made by the AccessDecisionManager.

即在目标handler方法被调用前的处理，如校验当前用户角色是否有权访问目标handler方法。

相关代码类及依次的调用关系：

AbstractSecurityInterceptor#beforeInvocation，源码：

/*
 * Copyright 2004, 2005, 2006 Acegi Technology Pty Limited
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
 * You may obtain a copy of the License at
 *
 *      http://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 * See the License for the specific language governing permissions and
 * limitations under the License.
 */

package org.springframework.security.access.intercept;

import java.util.Collection;
import java.util.HashSet;
import java.util.Set;

import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
import org.springframework.beans.factory.InitializingBean;
import org.springframework.context.ApplicationEvent;
import org.springframework.context.ApplicationEventPublisher;
import org.springframework.context.ApplicationEventPublisherAware;
import org.springframework.context.MessageSource;
import org.springframework.context.MessageSourceAware;
import org.springframework.context.support.MessageSourceAccessor;
import org.springframework.security.access.AccessDecisionManager;
import org.springframework.security.access.AccessDeniedException;
import org.springframework.security.access.ConfigAttribute;
import org.springframework.security.access.SecurityMetadataSource;
import org.springframework.security.access.event.AuthenticationCredentialsNotFoundEvent;
import org.springframework.security.access.event.AuthorizationFailureEvent;
import org.springframework.security.access.event.AuthorizedEvent;
import org.springframework.security.access.event.PublicInvocationEvent;
import org.springframework.security.authentication.AuthenticationCredentialsNotFoundException;
import org.springframework.security.authentication.AuthenticationManager;
import org.springframework.security.authentication.AuthenticationServiceException;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.AuthenticationException;
import org.springframework.security.core.SpringSecurityMessageSource;
import org.springframework.security.core.context.SecurityContext;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.util.Assert;

/**
 * Abstract class that implements security interception for secure objects.
 * <p>
 * The <code>AbstractSecurityInterceptor</code> will ensure the proper startup
 * configuration of the security interceptor. It will also implement the proper handling
 * of secure object invocations, namely:
 * <ol>
 * <li>Obtain the {@link Authentication} object from the {@link SecurityContextHolder}.</li>
 * <li>Determine if the request relates to a secured or public invocation by looking up
 * the secure object request against the {@link SecurityMetadataSource}.</li>
 * <li>For an invocation that is secured (there is a list of <code>ConfigAttribute</code>s
 * for the secure object invocation):
 * <ol type="a">
 * <li>If either the
 * {@link org.springframework.security.core.Authentication#isAuthenticated()} returns
 * <code>false</code>, or the {@link #alwaysReauthenticate} is <code>true</code>,
 * authenticate the request against the configured {@link AuthenticationManager}. When
 * authenticated, replace the <code>Authentication</code> object on the
 * <code>SecurityContextHolder</code> with the returned value.</li>
 * <li>Authorize the request against the configured {@link AccessDecisionManager}.</li>
 * <li>Perform any run-as replacement via the configured {@link RunAsManager}.</li>
 * <li>Pass control back to the concrete subclass, which will actually proceed with
 * executing the object. A {@link InterceptorStatusToken} is returned so that after the
 * subclass has finished proceeding with execution of the object, its finally clause can
 * ensure the <code>AbstractSecurityInterceptor</code> is re-called and tidies up
 * correctly using {@link #finallyInvocation(InterceptorStatusToken)}.</li>
 * <li>The concrete subclass will re-call the <code>AbstractSecurityInterceptor</code> via
 * the {@link #afterInvocation(InterceptorStatusToken, Object)} method.</li>
 * <li>If the <code>RunAsManager</code> replaced the <code>Authentication</code> object,
 * return the <code>SecurityContextHolder</code> to the object that existed after the call
 * to <code>AuthenticationManager</code>.</li>
 * <li>If an <code>AfterInvocationManager</code> is defined, invoke the invocation manager
 * and allow it to replace the object due to be returned to the caller.</li>
 * </ol>
 * </li>
 * <li>For an invocation that is public (there are no <code>ConfigAttribute</code>s for
 * the secure object invocation):
 * <ol type="a">
 * <li>As described above, the concrete subclass will be returned an
 * <code>InterceptorStatusToken</code> which is subsequently re-presented to the
 * <code>AbstractSecurityInterceptor</code> after the secure object has been executed. The
 * <code>AbstractSecurityInterceptor</code> will take no further action when its
 * {@link #afterInvocation(InterceptorStatusToken, Object)} is called.</li>
 * </ol>
 * </li>
 * <li>Control again returns to the concrete subclass, along with the <code>Object</code>
 * that should be returned to the caller. The subclass will then return that result or
 * exception to the original caller.</li>
 * </ol>
 *
 * @author Ben Alex
 * @author Rob Winch
 */
public abstract class AbstractSecurityInterceptor implements InitializingBean,
        ApplicationEventPublisherAware, MessageSourceAware {
    // ~ Static fields/initializers
    // =====================================================================================

    protected final Log logger = LogFactory.getLog(getClass());

    // ~ Instance fields
    // ================================================================================================

    protected MessageSourceAccessor messages = SpringSecurityMessageSource.getAccessor();
    private ApplicationEventPublisher eventPublisher;
    private AccessDecisionManager accessDecisionManager;
    private AfterInvocationManager afterInvocationManager;
    private AuthenticationManager authenticationManager = new NoOpAuthenticationManager();
    private RunAsManager runAsManager = new NullRunAsManager();

    private boolean alwaysReauthenticate = false;
    private boolean rejectPublicInvocations = false;
    private boolean validateConfigAttributes = true;
    private boolean publishAuthorizationSuccess = false;

    // ~ Methods
    // ========================================================================================================

    public void afterPropertiesSet() throws Exception {
        Assert.notNull(getSecureObjectClass(),
                "Subclass must provide a non-null response to getSecureObjectClass()");
        Assert.notNull(this.messages, "A message source must be set");
        Assert.notNull(this.authenticationManager, "An AuthenticationManager is required");
        Assert.notNull(this.accessDecisionManager, "An AccessDecisionManager is required");
        Assert.notNull(this.runAsManager, "A RunAsManager is required");
        Assert.notNull(this.obtainSecurityMetadataSource(),
                "An SecurityMetadataSource is required");
        Assert.isTrue(this.obtainSecurityMetadataSource()
                .supports(getSecureObjectClass()),
                "SecurityMetadataSource does not support secure object class: "
                        + getSecureObjectClass());
        Assert.isTrue(this.runAsManager.supports(getSecureObjectClass()),
                "RunAsManager does not support secure object class: "
                        + getSecureObjectClass());
        Assert.isTrue(this.accessDecisionManager.supports(getSecureObjectClass()),
                "AccessDecisionManager does not support secure object class: "
                        + getSecureObjectClass());

        if (this.afterInvocationManager != null) {
            Assert.isTrue(this.afterInvocationManager.supports(getSecureObjectClass()),
                    "AfterInvocationManager does not support secure object class: "
                            + getSecureObjectClass());
        }

        if (this.validateConfigAttributes) {
            Collection<ConfigAttribute> attributeDefs = this
                    .obtainSecurityMetadataSource().getAllConfigAttributes();

            if (attributeDefs == null) {
                logger.warn("Could not validate configuration attributes as the SecurityMetadataSource did not return "
                        + "any attributes from getAllConfigAttributes()");
                return;
            }

            Set<ConfigAttribute> unsupportedAttrs = new HashSet<>();

            for (ConfigAttribute attr : attributeDefs) {
                if (!this.runAsManager.supports(attr)
                        && !this.accessDecisionManager.supports(attr)
                        && ((this.afterInvocationManager == null) || !this.afterInvocationManager
                                .supports(attr))) {
                    unsupportedAttrs.add(attr);
                }
            }

            if (unsupportedAttrs.size() != 0) {
                throw new IllegalArgumentException(
                        "Unsupported configuration attributes: " + unsupportedAttrs);
            }

            logger.debug("Validated configuration attributes");
        }
    }

    protected InterceptorStatusToken beforeInvocation(Object object) {
        Assert.notNull(object, "Object was null");
        final boolean debug = logger.isDebugEnabled();

        if (!getSecureObjectClass().isAssignableFrom(object.getClass())) {
            throw new IllegalArgumentException(
                    "Security invocation attempted for object "
                            + object.getClass().getName()
                            + " but AbstractSecurityInterceptor only configured to support secure objects of type: "
                            + getSecureObjectClass());
        }

        Collection<ConfigAttribute> attributes = this.obtainSecurityMetadataSource()
                .getAttributes(object);

        if (attributes == null || attributes.isEmpty()) {
            if (rejectPublicInvocations) {
                throw new IllegalArgumentException(
                        "Secure object invocation "
                                + object
                                + " was denied as public invocations are not allowed via this interceptor. "
                                + "This indicates a configuration error because the "
                                + "rejectPublicInvocations property is set to 'true'");
            }

            if (debug) {
                logger.debug("Public object - authentication not attempted");
            }

            publishEvent(new PublicInvocationEvent(object));

            return null; // no further work post-invocation
        }

        if (debug) {
            logger.debug("Secure object: " + object + "; Attributes: " + attributes);
        }

        if (SecurityContextHolder.getContext().getAuthentication() == null) {
            credentialsNotFound(messages.getMessage(
                    "AbstractSecurityInterceptor.authenticationNotFound",
                    "An Authentication object was not found in the SecurityContext"),
                    object, attributes);
        }

        Authentication authenticated = authenticateIfRequired();

        // Attempt authorization
        try {
            this.accessDecisionManager.decide(authenticated, object, attributes);
        }
        catch (AccessDeniedException accessDeniedException) {
            publishEvent(new AuthorizationFailureEvent(object, attributes, authenticated,
                    accessDeniedException));

            throw accessDeniedException;
        }

        if (debug) {
            logger.debug("Authorization successful");
        }

        if (publishAuthorizationSuccess) {
            publishEvent(new AuthorizedEvent(object, attributes, authenticated));
        }

        // Attempt to run as a different user
        Authentication runAs = this.runAsManager.buildRunAs(authenticated, object,
                attributes);

        if (runAs == null) {
            if (debug) {
                logger.debug("RunAsManager did not change Authentication object");
            }

            // no further work post-invocation
            return new InterceptorStatusToken(SecurityContextHolder.getContext(), false,
                    attributes, object);
        }
        else {
            if (debug) {
                logger.debug("Switching to RunAs Authentication: " + runAs);
            }

            SecurityContext origCtx = SecurityContextHolder.getContext();
            SecurityContextHolder.setContext(SecurityContextHolder.createEmptyContext());
            SecurityContextHolder.getContext().setAuthentication(runAs);

            // need to revert to token.Authenticated post-invocation
            return new InterceptorStatusToken(origCtx, true, attributes, object);
        }
    }

    /**
     * Cleans up the work of the <tt>AbstractSecurityInterceptor</tt> after the secure
     * object invocation has been completed. This method should be invoked after the
     * secure object invocation and before afterInvocation regardless of the secure object
     * invocation returning successfully (i.e. it should be done in a finally block).
     *
     * @param token as returned by the {@link #beforeInvocation(Object)} method
     */
    protected void finallyInvocation(InterceptorStatusToken token) {
        if (token != null && token.isContextHolderRefreshRequired()) {
            if (logger.isDebugEnabled()) {
                logger.debug("Reverting to original Authentication: "
                        + token.getSecurityContext().getAuthentication());
            }

            SecurityContextHolder.setContext(token.getSecurityContext());
        }
    }

    /**
     * Completes the work of the <tt>AbstractSecurityInterceptor</tt> after the secure
     * object invocation has been completed.
     *
     * @param token as returned by the {@link #beforeInvocation(Object)} method
     * @param returnedObject any object returned from the secure object invocation (may be
     * <tt>null</tt>)
     * @return the object the secure object invocation should ultimately return to its
     * caller (may be <tt>null</tt>)
     */
    protected Object afterInvocation(InterceptorStatusToken token, Object returnedObject) {
        if (token == null) {
            // public object
            return returnedObject;
        }

        finallyInvocation(token); // continue to clean in this method for passivity

        if (afterInvocationManager != null) {
            // Attempt after invocation handling
            try {
                returnedObject = afterInvocationManager.decide(token.getSecurityContext()
                        .getAuthentication(), token.getSecureObject(), token
                        .getAttributes(), returnedObject);
            }
            catch (AccessDeniedException accessDeniedException) {
                AuthorizationFailureEvent event = new AuthorizationFailureEvent(
                        token.getSecureObject(), token.getAttributes(), token
                                .getSecurityContext().getAuthentication(),
                        accessDeniedException);
                publishEvent(event);

                throw accessDeniedException;
            }
        }

        return returnedObject;
    }

    /**
     * Checks the current authentication token and passes it to the AuthenticationManager
     * if {@link org.springframework.security.core.Authentication#isAuthenticated()}
     * returns false or the property <tt>alwaysReauthenticate</tt> has been set to true.
     *
     * @return an authenticated <tt>Authentication</tt> object.
     */
    private Authentication authenticateIfRequired() {
        Authentication authentication = SecurityContextHolder.getContext()
                .getAuthentication();

        if (authentication.isAuthenticated() && !alwaysReauthenticate) {
            if (logger.isDebugEnabled()) {
                logger.debug("Previously Authenticated: " + authentication);
            }

            return authentication;
        }

        authentication = authenticationManager.authenticate(authentication);

        // We don't authenticated.setAuthentication(true), because each provider should do
        // that
        if (logger.isDebugEnabled()) {
            logger.debug("Successfully Authenticated: " + authentication);
        }

        SecurityContextHolder.getContext().setAuthentication(authentication);

        return authentication;
    }

    /**
     * Helper method which generates an exception containing the passed reason, and
     * publishes an event to the application context.
     * <p>
     * Always throws an exception.
     *
     * @param reason to be provided in the exception detail
     * @param secureObject that was being called
     * @param configAttribs that were defined for the secureObject
     */
    private void credentialsNotFound(String reason, Object secureObject,
            Collection<ConfigAttribute> configAttribs) {
        AuthenticationCredentialsNotFoundException exception = new AuthenticationCredentialsNotFoundException(
                reason);

        AuthenticationCredentialsNotFoundEvent event = new AuthenticationCredentialsNotFoundEvent(
                secureObject, configAttribs, exception);
        publishEvent(event);

        throw exception;
    }

    public AccessDecisionManager getAccessDecisionManager() {
        return accessDecisionManager;
    }

    public AfterInvocationManager getAfterInvocationManager() {
        return afterInvocationManager;
    }

    public AuthenticationManager getAuthenticationManager() {
        return this.authenticationManager;
    }

    public RunAsManager getRunAsManager() {
        return runAsManager;
    }

    /**
     * Indicates the type of secure objects the subclass will be presenting to the
     * abstract parent for processing. This is used to ensure collaborators wired to the
     * {@code AbstractSecurityInterceptor} all support the indicated secure object class.
     *
     * @return the type of secure object the subclass provides services for
     */
    public abstract Class<?> getSecureObjectClass();

    public boolean isAlwaysReauthenticate() {
        return alwaysReauthenticate;
    }

    public boolean isRejectPublicInvocations() {
        return rejectPublicInvocations;
    }

    public boolean isValidateConfigAttributes() {
        return validateConfigAttributes;
    }

    public abstract SecurityMetadataSource obtainSecurityMetadataSource();

    public void setAccessDecisionManager(AccessDecisionManager accessDecisionManager) {
        this.accessDecisionManager = accessDecisionManager;
    }

    public void setAfterInvocationManager(AfterInvocationManager afterInvocationManager) {
        this.afterInvocationManager = afterInvocationManager;
    }

    /**
     * Indicates whether the <code>AbstractSecurityInterceptor</code> should ignore the
     * {@link Authentication#isAuthenticated()} property. Defaults to <code>false</code>,
     * meaning by default the <code>Authentication.isAuthenticated()</code> property is
     * trusted and re-authentication will not occur if the principal has already been
     * authenticated.
     *
     * @param alwaysReauthenticate <code>true</code> to force
     * <code>AbstractSecurityInterceptor</code> to disregard the value of
     * <code>Authentication.isAuthenticated()</code> and always re-authenticate the
     * request (defaults to <code>false</code>).
     */
    public void setAlwaysReauthenticate(boolean alwaysReauthenticate) {
        this.alwaysReauthenticate = alwaysReauthenticate;
    }

    public void setApplicationEventPublisher(
            ApplicationEventPublisher applicationEventPublisher) {
        this.eventPublisher = applicationEventPublisher;
    }

    public void setAuthenticationManager(AuthenticationManager newManager) {
        this.authenticationManager = newManager;
    }

    public void setMessageSource(MessageSource messageSource) {
        this.messages = new MessageSourceAccessor(messageSource);
    }

    /**
     * Only {@code AuthorizationFailureEvent} will be published. If you set this property
     * to {@code true}, {@code AuthorizedEvent}s will also be published.
     *
     * @param publishAuthorizationSuccess default value is {@code false}
     */
    public void setPublishAuthorizationSuccess(boolean publishAuthorizationSuccess) {
        this.publishAuthorizationSuccess = publishAuthorizationSuccess;
    }

    /**
     * By rejecting public invocations (and setting this property to <tt>true</tt>),
     * essentially you are ensuring that every secure object invocation advised by
     * <code>AbstractSecurityInterceptor</code> has a configuration attribute defined.
     * This is useful to ensure a "fail safe" mode where undeclared secure objects will be
     * rejected and configuration omissions detected early. An
     * <tt>IllegalArgumentException</tt> will be thrown by the
     * <tt>AbstractSecurityInterceptor</tt> if you set this property to <tt>true</tt> and
     * an attempt is made to invoke a secure object that has no configuration attributes.
     *
     * @param rejectPublicInvocations set to <code>true</code> to reject invocations of
     * secure objects that have no configuration attributes (by default it is
     * <code>false</code> which treats undeclared secure objects as "public" or
     * unauthorized).
     */
    public void setRejectPublicInvocations(boolean rejectPublicInvocations) {
        this.rejectPublicInvocations = rejectPublicInvocations;
    }

    public void setRunAsManager(RunAsManager runAsManager) {
        this.runAsManager = runAsManager;
    }

    public void setValidateConfigAttributes(boolean validateConfigAttributes) {
        this.validateConfigAttributes = validateConfigAttributes;
    }

    private void publishEvent(ApplicationEvent event) {
        if (this.eventPublisher != null) {
            this.eventPublisher.publishEvent(event);
        }
    }

    private static class NoOpAuthenticationManager implements AuthenticationManager {

        public Authentication authenticate(Authentication authentication)
                throws AuthenticationException {
            throw new AuthenticationServiceException("Cannot authenticate "
                    + authentication);
        }
    }
}

默认有两种实现：MethodSecurityInterceptor、AspectJSecurityInterceptor，前者用得最多，两者的区别：It would not be uncommon to use both types of security interceptors in the same application, with AspectJSecurityInterceptor being used for domain object instance security and the AOP Alliance MethodSecurityInterceptor being used for services layer security.

AccessDecisionManager#decide，类似于Authentication中的ProviderManager。decision有同意、拒绝、弃权三状态，该类的具体实现有：

AffirmativeBased（有1个同意则算同意），默认用这个

ConsensusBased（同意的比拒绝的多则算同意）

UnanimousBased（没有一个拒绝则算同意）

AccessDecisionVoter#vote，类似于Authentication中的AuthenticationProvider。具体实现主要有：

WebExpressionVoter

RoleVoter，实现如 RoleHierarchyVoter。Authorize时校验用户当前角色的用户是否有权访问接口时就是此Voter起作用的，若框架发现用户的authority值以"ROLE_"开头则会用此Voter，相关源码：

public class RoleVoter implements AccessDecisionVoter<Object> {
    // ~ Instance fields
    // ================================================================================================

    private String rolePrefix = "ROLE_";

    // ~ Methods
    // ========================================================================================================

    public String getRolePrefix() {
        return rolePrefix;
    }

    /**
     * Allows the default role prefix of <code>ROLE_</code> to be overridden. May be set
     * to an empty value, although this is usually not desirable.
     *
     * @param rolePrefix the new prefix
     */
    public void setRolePrefix(String rolePrefix) {
        this.rolePrefix = rolePrefix;
    }

    public boolean supports(ConfigAttribute attribute) {
        if ((attribute.getAttribute() != null)
                && attribute.getAttribute().startsWith(getRolePrefix())) {
            return true;
        }
        else {
            return false;
        }
    }

    /**
     * This implementation supports any type of class, because it does not query the
     * presented secure object.
     *
     * @param clazz the secure object
     *
     * @return always <code>true</code>
     */
    public boolean supports(Class<?> clazz) {
        return true;
    }

    public int vote(Authentication authentication, Object object,
            Collection<ConfigAttribute> attributes) {
        if(authentication == null) {
            return ACCESS_DENIED;
        }
        int result = ACCESS_ABSTAIN;
        Collection<? extends GrantedAuthority> authorities = extractAuthorities(authentication);

        for (ConfigAttribute attribute : attributes) {
            if (this.supports(attribute)) {
                result = ACCESS_DENIED;

                // Attempt to find a matching granted authority
                for (GrantedAuthority authority : authorities) {
                    if (attribute.getAttribute().equals(authority.getAuthority())) {
                        return ACCESS_GRANTED;
                    }
                }
            }
        }

        return result;
    }

    Collection<? extends GrantedAuthority> extractAuthorities(
            Authentication authentication) {
        return authentication.getAuthorities();
    }
}

PreInvocationAuthorizationAdviceVoter、ExpressionBasedPreInvocationAdvice：handler方法上的 PreAuthorize("hasRole( "TEACHER" )")  就是由此完成自动校验的。这里所支持的SpringEL表达式见 org.springframwork.security. ore.authentication.SecurityExpressionOperations。将在后文Expression-Based Access Controller一节细说。

相关类及其间关系示意图：

 

 

3.3.2 After-Invocation Handling

Whilst the AccessDecisionManager is called by the AbstractSecurityInterceptor before proceeding with the secure object invocation, some applications need a way of modifying the object actually returned by the secure object invocation. Whilst you could easily implement your own AOP concern to achieve this, Spring Security provides a convenient hook that has several concrete implementations that integrate with its ACL capabilities.

即在目标handler方法被调用后且返回给调用者前的处理，如对方法返回的数据进行过滤。

相关类及其间关系示意图：

 

 

3.3.3 Hierarchical Roles

允许定义多个角色间的优先级关系，这样高优先级的角色自动包含低优先级的角色。

如当定义了ADMIN 包含 STUDENT角色时，对于要求有"STUDENT"角色才能访问的接口，拥有"ADMIN"角色的用户也能访问。

定义示例可参阅 RoleHierarchyImpl 类，示例：

<bean id="roleVoter" class="org.springframework.security.access.vote.RoleHierarchyVoter">
    <constructor-arg ref="roleHierarchy" />
</bean>
<bean id="roleHierarchy"
        class="org.springframework.security.access.hierarchicalroles.RoleHierarchyImpl">
    <property name="hierarchy">
        <value>
            ROLE_ADMIN > ROLE_STAFF
            ROLE_STAFF > ROLE_USER
            ROLE_USER > ROLE_GUEST
        </value>
    </property>
</bean>

 

 

3.3.4 Expression-Based Access Control

（参阅：https://docs.spring.io/spring-security/site/docs/5.3.4.RELEASE/reference/html5/#el-access）

Spring Security 3.0 introduced the ability to use Spring EL expressions as an authorization mechanism in addition to the simple use of configuration attributes and access-decision voters which have seen before. Expression-based access control is built on the same architecture but allows complicated Boolean logic to be encapsulated in a single expression.

即提供了诸如  @PreAuthorize(" hasRole('ADMIN') ")  这种authorization方式，注解中的参数支持Spring EL表达式，默认提供的表达式（包括 hasRole、hasAuthority、hasPermission等）定义见SecurityExpressionOperations接口。

相关接口或类：

interface SecurityExpressionOperations：定义支持的操作，这些操作作为Spring EL表达式。定义见源码：

/*
 * Copyright 2002-2016 the original author or authors.
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
 * You may obtain a copy of the License at
 *
 *      http://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 * See the License for the specific language governing permissions and
 * limitations under the License.
 */
package org.springframework.security.access.expression;

import org.springframework.security.core.Authentication;

/**
 * Standard interface for expression root objects used with expression-based security.
 *
 * @author Andrei Stefan
 * @author Luke Taylor
 * @since 3.1.1
 */
public interface SecurityExpressionOperations {

    /**
     * Gets the {@link Authentication} used for evaluating the expressions
     * @return the {@link Authentication} for evaluating the expressions
     */
    Authentication getAuthentication();

    /**
     * Determines if the {@link #getAuthentication()} has a particular authority within
     * {@link Authentication#getAuthorities()}.
     * @param authority the authority to test (i.e. "ROLE_USER")
     * @return true if the authority is found, else false
     */
    boolean hasAuthority(String authority);

    /**
     * Determines if the {@link #getAuthentication()} has any of the specified authorities
     * within {@link Authentication#getAuthorities()}.
     * @param authorities the authorities to test (i.e. "ROLE_USER", "ROLE_ADMIN")
     * @return true if any of the authorities is found, else false
     */
    boolean hasAnyAuthority(String... authorities);

    /**
     * <p>
     * Determines if the {@link #getAuthentication()} has a particular authority within
     * {@link Authentication#getAuthorities()}.
     * </p>
     * <p>
     * This is similar to {@link #hasAuthority(String)} except that this method implies
     * that the String passed in is a role. For example, if "USER" is passed in the
     * implementation may convert it to use "ROLE_USER" instead. The way in which the role
     * is converted may depend on the implementation settings.
     * </p>
     *
     * @param role the authority to test (i.e. "USER")
     * @return true if the authority is found, else false
     */
    boolean hasRole(String role);

    /**
     * <p>
     * Determines if the {@link #getAuthentication()} has any of the specified authorities
     * within {@link Authentication#getAuthorities()}.
     * </p>
     * <p>
     * This is a similar to hasAnyAuthority except that this method implies
     * that the String passed in is a role. For example, if "USER" is passed in the
     * implementation may convert it to use "ROLE_USER" instead. The way in which the role
     * is converted may depend on the implementation settings.
     * </p>
     *
     * @param roles the authorities to test (i.e. "USER", "ADMIN")
     * @return true if any of the authorities is found, else false
     */
    boolean hasAnyRole(String... roles);

    /**
     * Always grants access.
     * @return true
     */
    boolean permitAll();

    /**
     * Always denies access
     * @return false
     */
    boolean denyAll();

    /**
     * Determines if the {@link #getAuthentication()} is anonymous
     * @return true if the user is anonymous, else false
     */
    boolean isAnonymous();

    /**
     * Determines ifthe {@link #getAuthentication()} is authenticated
     * @return true if the {@link #getAuthentication()} is authenticated, else false
     */
    boolean isAuthenticated();

    /**
     * Determines if the {@link #getAuthentication()} was authenticated using remember me
     * @return true if the {@link #getAuthentication()} authenticated using remember me,
     * else false
     */
    boolean isRememberMe();

    /**
     * Determines if the {@link #getAuthentication()} authenticated without the use of
     * remember me
     * @return true if the {@link #getAuthentication()} authenticated without the use of
     * remember me, else false
     */
    boolean isFullyAuthenticated();

    /**
     * Determines if the {@link #getAuthentication()} has permission to access the target
     * given the permission
     * @param target the target domain object to check permission on
     * @param permission the permission to check on the domain object (i.e. "read",
     * "write", etc).
     * @return true if permission is granted to the {@link #getAuthentication()}, else
     * false
     */
    boolean hasPermission(Object target, Object permission);

    /**
     * Determines if the {@link #getAuthentication()} has permission to access the domain
     * object with a given id, type, and permission.
     * @param targetId the identifier of the domain object to determine access
     * @param targetType the type (i.e. com.example.domain.Message)
     * @param permission the perission to check on the domain object (i.e. "read",
     * "write", etc)
     * @return true if permission is granted to the {@link #getAuthentication()}, else
     * false
     */
    boolean hasPermission(Object targetId, String targetType, Object permission);

}

其中，hasPermission的实现中用到了PermissionEvaluator，后者需要用户自己实现，通常是与ACL结合。

abstract class SecurityExpressionRoot：上述 hasRole、hasAuthority等若干 expression 方法的具体实现者。开头中@PreAuthorize中的表达式最终解析为这里面的实现来判断是否成功。源码：

/*
 * Copyright 2002-2016 the original author or authors.
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
 * You may obtain a copy of the License at
 *
 *      http://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 * See the License for the specific language governing permissions and
 * limitations under the License.
 */
package org.springframework.security.access.expression;

import java.io.Serializable;
import java.util.Collection;
import java.util.HashSet;
import java.util.Set;

import org.springframework.security.access.PermissionEvaluator;
import org.springframework.security.access.hierarchicalroles.RoleHierarchy;
import org.springframework.security.authentication.AuthenticationTrustResolver;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.authority.AuthorityUtils;

/**
 * Base root object for use in Spring Security expression evaluations.
 *
 * @author Luke Taylor
 * @since 3.0
 */
public abstract class SecurityExpressionRoot implements SecurityExpressionOperations {
    protected final Authentication authentication;
    private AuthenticationTrustResolver trustResolver;
    private RoleHierarchy roleHierarchy;
    private Set<String> roles;
    private String defaultRolePrefix = "ROLE_";

    /** Allows "permitAll" expression */
    public final boolean permitAll = true;

    /** Allows "denyAll" expression */
    public final boolean denyAll = false;
    private PermissionEvaluator permissionEvaluator;
    public final String read = "read";
    public final String write = "write";
    public final String create = "create";
    public final String delete = "delete";
    public final String admin = "administration";

    /**
     * Creates a new instance
     * @param authentication the {@link Authentication} to use. Cannot be null.
     */
    public SecurityExpressionRoot(Authentication authentication) {
        if (authentication == null) {
            throw new IllegalArgumentException("Authentication object cannot be null");
        }
        this.authentication = authentication;
    }

    public final boolean hasAuthority(String authority) {
        return hasAnyAuthority(authority);
    }

    public final boolean hasAnyAuthority(String... authorities) {
        return hasAnyAuthorityName(null, authorities);
    }

    public final boolean hasRole(String role) {
        return hasAnyRole(role);
    }

    public final boolean hasAnyRole(String... roles) {
        return hasAnyAuthorityName(defaultRolePrefix, roles);
    }

    private boolean hasAnyAuthorityName(String prefix, String... roles) {
        Set<String> roleSet = getAuthoritySet();

        for (String role : roles) {
            String defaultedRole = getRoleWithDefaultPrefix(prefix, role);
            if (roleSet.contains(defaultedRole)) {
                return true;
            }
        }

        return false;
    }

    public final Authentication getAuthentication() {
        return authentication;
    }

    public final boolean permitAll() {
        return true;
    }

    public final boolean denyAll() {
        return false;
    }

    public final boolean isAnonymous() {
        return trustResolver.isAnonymous(authentication);
    }

    public final boolean isAuthenticated() {
        return !isAnonymous();
    }

    public final boolean isRememberMe() {
        return trustResolver.isRememberMe(authentication);
    }

    public final boolean isFullyAuthenticated() {
        return !trustResolver.isAnonymous(authentication)
                && !trustResolver.isRememberMe(authentication);
    }

    /**
     * Convenience method to access {@link Authentication#getPrincipal()} from
     * {@link #getAuthentication()}
     * @return
     */
    public Object getPrincipal() {
        return authentication.getPrincipal();
    }

    public void setTrustResolver(AuthenticationTrustResolver trustResolver) {
        this.trustResolver = trustResolver;
    }

    public void setRoleHierarchy(RoleHierarchy roleHierarchy) {
        this.roleHierarchy = roleHierarchy;
    }

    /**
     * <p>
     * Sets the default prefix to be added to {@link #hasAnyRole(String...)} or
     * {@link #hasRole(String)}. For example, if hasRole("ADMIN") or hasRole("ROLE_ADMIN")
     * is passed in, then the role ROLE_ADMIN will be used when the defaultRolePrefix is
     * "ROLE_" (default).
     * </p>
     *
     * <p>
     * If null or empty, then no default role prefix is used.
     * </p>
     *
     * @param defaultRolePrefix the default prefix to add to roles. Default "ROLE_".
     */
    public void setDefaultRolePrefix(String defaultRolePrefix) {
        this.defaultRolePrefix = defaultRolePrefix;
    }

    private Set<String> getAuthoritySet() {
        if (roles == null) {
            roles = new HashSet<>();
            Collection<? extends GrantedAuthority> userAuthorities = authentication
                    .getAuthorities();

            if (roleHierarchy != null) {
                userAuthorities = roleHierarchy
                        .getReachableGrantedAuthorities(userAuthorities);
            }

            roles = AuthorityUtils.authorityListToSet(userAuthorities);
        }

        return roles;
    }

    public boolean hasPermission(Object target, Object permission) {
        return permissionEvaluator.hasPermission(authentication, target, permission);
    }

    public boolean hasPermission(Object targetId, String targetType, Object permission) {
        return permissionEvaluator.hasPermission(authentication, (Serializable) targetId,
                targetType, permission);
    }

    public void setPermissionEvaluator(PermissionEvaluator permissionEvaluator) {
        this.permissionEvaluator = permissionEvaluator;
    }

    /**
     * Prefixes role with defaultRolePrefix if defaultRolePrefix is non-null and if role
     * does not already start with defaultRolePrefix.
     *
     * @param defaultRolePrefix
     * @param role
     * @return
     */
    private static String getRoleWithDefaultPrefix(String defaultRolePrefix, String role) {
        if (role == null) {
            return role;
        }
        if (defaultRolePrefix == null || defaultRolePrefix.length() == 0) {
            return role;
        }
        if (role.startsWith(defaultRolePrefix)) {
            return role;
        }
        return defaultRolePrefix + role;
    }
}

 

如前文所述，Authorize包括 who (Authentication)、where (MethodInvocation) 、what (SomeDomainObject) 三方面的内容，其中前两种用得最多且通常第二种为主第一种为辅，第三种较少用到。

下面的内容与这三方面的内容对应。

 

Web Security Expression

用于提供基于Web Request（即URL）的访问权限控制。

 Sets up the filters and related service beans used to apply the framework authentication mechanisms, to secure URLs, render login and error pages and much more.

在 WebSecurityExpressionRoot 中继承了SecurityExpressionRoot中的方法，还定义了 hasIpAddress 方法；可以在表达式中引用IoC容器中的Bean；可以引用PathVariable。示例：

@Component
public class WebSecurity {
        public boolean check(Authentication authentication, HttpServletRequest request) {
                ...
        }
        public boolean checkUserId(Authentication authentication, int id) {
                ...
        }
}



http
    .authorizeRequests(authorize -> authorize
        .antMatchers("/user/{userId}/**").access("hasIpAddress('192.168.1.0/24') and @webSecurity.check(authentication,request) and @webSecurity.checkUserId(authentication,#userId)")
        ...
    );

此方案的缺点是基于URL配置的权限规则通常很容易被绕过，例如对"/admin" 的限制可通过"/admin/"绕过，虽然可通配符或穷举可能的情况加以限制但比较冗余或麻烦，因此通常不仅在URL级别有限制，还结合下文所述的方案在handler方法级别进一步进行访问约束。

 

Method Security Expression

Securing the service layer.

From version 2.0 onwards Spring Security has improved support substantially for adding security to your service layer methods. It provides support for JSR-250 annotation security as well as the framework’s original @Secured annotation. From 3.0 you can also make use of new expression-based annotations. You can apply security to a single bean, using the intercept-methods element to decorate the bean declaration, or you can secure multiple beans across the entire service layer using the AspectJ style pointcuts.

这是最常用的authorize方式，SpringSecurity 3.0开始支持此方案。

需要先启用global-method-security：在主类或任何@Configuration类上加@EnableGlobalMethodSecurity(prePostEnabled = true)  。

1 上述配置指定启用pre、post注解功能，有四个相应注解：

 @PreAuthorize, @PreFilter, @PostAuthorize and @PostFilter 

使用示例：

 @PreAuthorize("hasRole('USER')") public void create(Contact contact); 

 @PreAuthorize("hasPermission(#contact, 'admin')") public void deletePermission(Contact contact, Sid recipient, Permission permission); 

 @PreAuthorize("#contact.name == authentication.name") public void doSomething(Contact contact); 

 import org.springframework.security.access.method.P;   @PreAuthorize("#c.name == authentication.name") public void doSomething(@P("c") Contact contact); 

 @PreAuthorize("hasRole('USER')") @PostFilter("hasPermission(filterObject, 'read') or hasPermission(filterObject, 'admin')") public List<Contact> getAll(); 

2 也可通过 securedEnabled =true 指定启用@Secured注解功能。pre、post注解中的 @PreAuthorize("isAnonymous()") 、 @PreAuthorize("hasAuthority('ROLE_TELLER')") 在此功能下的等价写法为：

 @Secured("IS_AUTHENTICATED_ANONYMOUSLY") 、 @Secured("ROLE_TELLER") 

3 还可通过 jsr250Enabled = true 指定支持 JSR-250 注解，包括：@PostConstruct、@PermitAll等。

 

Domain Object Security(ACL)

参阅：

https://docs.spring.io/spring-security/site/docs/5.3.4.RELEASE/reference/html5/#domain-acls

https://www.jianshu.com/p/b971b4e6ec16

 

 

3.4 Protection Against Exploits

参阅：https://docs.spring.io/spring-security/site/docs/5.3.4.RELEASE/reference/html5/#servlet-exploits

防御的措施包括如下几部分。

 

CSRF Protection

 

Security HTTP Response Headers

包括：(详细用途见：https://www.cnblogs.com/z-sm/p/7581495.html)

X-Content-Type-Options

X-Frame-Options

X-XSS-Protection

Strict-Transport-Security

Content-Security-Policy

Content-Security-Policy-Report-Only

Referrer-Policy

Feature-Policy

Clear-Site-Data

 

HttpFirewall

当允许请求的URL中包含 //   /../   /*  等之类的字符串时，服务端所设置的URL匹配规则可能会被绕过，进而可能被恶意攻击。

SpringSecurity考虑了此情况，默认情况下当检测到了这些请求时会立即拒绝当前的请求。

其实现方式是定义了Firewall接口用来对request、response进行包装，内部会对URL进行检查；在FilterChainProxy#doInternal方法中会利用此Firewall来获取reques、response。默认采用的Firewall为StrictHttpFirewall，相关源码：

/*
 * Copyright 2012-2017 the original author or authors.
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
 * You may obtain a copy of the License at
 *
 *      http://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 * See the License for the specific language governing permissions and
 * limitations under the License.
 */

package org.springframework.security.web.firewall;

import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import java.util.Arrays;
import java.util.Collection;
import java.util.Collections;
import java.util.HashSet;
import java.util.List;
import java.util.Set;

/**
 * <p>
 * A strict implementation of {@link HttpFirewall} that rejects any suspicious requests
 * with a {@link RequestRejectedException}.
 * </p>
 * <p>
 * The following rules are applied to the firewall:
 * </p>
 * <ul>
 * <li>
 * Rejects URLs that are not normalized to avoid bypassing security constraints. There is
 * no way to disable this as it is considered extremely risky to disable this constraint.
 * A few options to allow this behavior is to normalize the request prior to the firewall
 * or using {@link DefaultHttpFirewall} instead. Please keep in mind that normalizing the
 * request is fragile and why requests are rejected rather than normalized.
 * </li>
 * <li>
 * Rejects URLs that contain characters that are not printable ASCII characters. There is
 * no way to disable this as it is considered extremely risky to disable this constraint.
 * </li>
 * <li>
 * Rejects URLs that contain semicolons. See {@link #setAllowSemicolon(boolean)}
 * </li>
 * <li>
 * Rejects URLs that contain a URL encoded slash. See
 * {@link #setAllowUrlEncodedSlash(boolean)}
 * </li>
 * <li>
 * Rejects URLs that contain a backslash. See {@link #setAllowBackSlash(boolean)}
 * </li>
 * <li>
 * Rejects URLs that contain a URL encoded percent. See
 * {@link #setAllowUrlEncodedPercent(boolean)}
 * </li>
 * </ul>
 *
 * @see DefaultHttpFirewall
 * @author Rob Winch
 * @since 5.0.1
 */
public class StrictHttpFirewall implements HttpFirewall {
    private static final String ENCODED_PERCENT = "%25";

    private static final String PERCENT = "%";

    private static final List<String> FORBIDDEN_ENCODED_PERIOD = Collections.unmodifiableList(Arrays.asList("%2e", "%2E"));

    private static final List<String> FORBIDDEN_SEMICOLON = Collections.unmodifiableList(Arrays.asList(";", "%3b", "%3B"));

    private static final List<String> FORBIDDEN_FORWARDSLASH = Collections.unmodifiableList(Arrays.asList("%2f", "%2F"));

    private static final List<String> FORBIDDEN_BACKSLASH = Collections.unmodifiableList(Arrays.asList("\\", "%5c", "%5C"));

    private Set<String> encodedUrlBlacklist = new HashSet<String>();

    private Set<String> decodedUrlBlacklist = new HashSet<String>();

    public StrictHttpFirewall() {
        urlBlacklistsAddAll(FORBIDDEN_SEMICOLON);
        urlBlacklistsAddAll(FORBIDDEN_FORWARDSLASH);
        urlBlacklistsAddAll(FORBIDDEN_BACKSLASH);

        this.encodedUrlBlacklist.add(ENCODED_PERCENT);
        this.encodedUrlBlacklist.addAll(FORBIDDEN_ENCODED_PERIOD);
        this.decodedUrlBlacklist.add(PERCENT);
    }

    /**
     * <p>
     * Determines if semicolon is allowed in the URL (i.e. matrix variables). The default
     * is to disable this behavior because it is a common way of attempting to perform
     * <a href="https://www.owasp.org/index.php/Reflected_File_Download">Reflected File Download Attacks</a>.
     * It is also the source of many exploits which bypass URL based security.
     * </p>
     * <p>For example, the following CVEs are a subset of the issues related
     * to ambiguities in the Servlet Specification on how to treat semicolons that
     * led to CVEs:
     * </p>
     * <ul>
     *     <li><a href="https://pivotal.io/security/cve-2016-5007">cve-2016-5007</a></li>
     *     <li><a href="https://pivotal.io/security/cve-2016-9879">cve-2016-9879</a></li>
     *     <li><a href="https://pivotal.io/security/cve-2018-1199">cve-2018-1199</a></li>
     * </ul>
     *
     * <p>
     * If you are wanting to allow semicolons, please reconsider as it is a very common
     * source of security bypasses. A few common reasons users want semicolons and
     * alternatives are listed below:
     * </p>
     * <ul>
     * <li>Including the JSESSIONID in the path - You should not include session id (or
     * any sensitive information) in a URL as it can lead to leaking. Instead use Cookies.
     * </li>
     * <li>Matrix Variables - Users wanting to leverage Matrix Variables should consider
     * using HTTP parameters instead.
     * </li>
     * </ul>
     *
     * @param allowSemicolon should semicolons be allowed in the URL. Default is false
     */
    public void setAllowSemicolon(boolean allowSemicolon) {
        if (allowSemicolon) {
            urlBlacklistsRemoveAll(FORBIDDEN_SEMICOLON);
        } else {
            urlBlacklistsAddAll(FORBIDDEN_SEMICOLON);
        }
    }

    /**
     * <p>
     * Determines if a slash "/" that is URL encoded "%2F" should be allowed in the path
     * or not. The default is to not allow this behavior because it is a common way to
     * bypass URL based security.
     * </p>
     * <p>
     * For example, due to ambiguities in the servlet specification, the value is not
     * parsed consistently which results in different values in {@code HttpServletRequest}
     * path related values which allow bypassing certain security constraints.
     * </p>
     *
     * @param allowUrlEncodedSlash should a slash "/" that is URL encoded "%2F" be allowed
     * in the path or not. Default is false.
     */
    public void setAllowUrlEncodedSlash(boolean allowUrlEncodedSlash) {
        if (allowUrlEncodedSlash) {
            urlBlacklistsRemoveAll(FORBIDDEN_FORWARDSLASH);
        } else {
            urlBlacklistsAddAll(FORBIDDEN_FORWARDSLASH);
        }
    }

    /**
     * <p>
     * Determines if a period "." that is URL encoded "%2E" should be allowed in the path
     * or not. The default is to not allow this behavior because it is a frequent source
     * of security exploits.
     * </p>
     * <p>
     * For example, due to ambiguities in the servlet specification a URL encoded period
     * might lead to bypassing security constraints through a directory traversal attack.
     * This is because the path is not parsed consistently which results  in different
     * values in {@code HttpServletRequest} path related values which allow bypassing
     * certain security constraints.
     * </p>
     *
     * @param allowUrlEncodedPeriod should a period "." that is URL encoded "%2E" be
     * allowed in the path or not. Default is false.
     */
    public void setAllowUrlEncodedPeriod(boolean allowUrlEncodedPeriod) {
        if (allowUrlEncodedPeriod) {
            this.encodedUrlBlacklist.removeAll(FORBIDDEN_ENCODED_PERIOD);
        } else {
            this.encodedUrlBlacklist.addAll(FORBIDDEN_ENCODED_PERIOD);
        }
    }

    /**
     * <p>
     * Determines if a backslash "\" or a URL encoded backslash "%5C" should be allowed in
     * the path or not. The default is not to allow this behavior because it is a frequent
     * source of security exploits.
     * </p>
     * <p>
     * For example, due to ambiguities in the servlet specification a URL encoded period
     * might lead to bypassing security constraints through a directory traversal attack.
     * This is because the path is not parsed consistently which results  in different
     * values in {@code HttpServletRequest} path related values which allow bypassing
     * certain security constraints.
     * </p>
     *
     * @param allowBackSlash a backslash "\" or a URL encoded backslash "%5C" be allowed
     * in the path or not. Default is false
     */
    public void setAllowBackSlash(boolean allowBackSlash) {
        if (allowBackSlash) {
            urlBlacklistsRemoveAll(FORBIDDEN_BACKSLASH);
        } else {
            urlBlacklistsAddAll(FORBIDDEN_BACKSLASH);
        }
    }

    /**
     * <p>
     * Determines if a percent "%" that is URL encoded "%25" should be allowed in the path
     * or not. The default is not to allow this behavior because it is a frequent source
     * of security exploits.
     * </p>
     * <p>
     * For example, this can lead to exploits that involve double URL encoding that lead
     * to bypassing security constraints.
     * </p>
     *
     * @param allowUrlEncodedPercent if a percent "%" that is URL encoded "%25" should be
     * allowed in the path or not. Default is false
     */
    public void setAllowUrlEncodedPercent(boolean allowUrlEncodedPercent) {
        if (allowUrlEncodedPercent) {
            this.encodedUrlBlacklist.remove(ENCODED_PERCENT);
            this.decodedUrlBlacklist.remove(PERCENT);
        } else {
            this.encodedUrlBlacklist.add(ENCODED_PERCENT);
            this.decodedUrlBlacklist.add(PERCENT);
        }
    }

    private void urlBlacklistsAddAll(Collection<String> values) {
        this.encodedUrlBlacklist.addAll(values);
        this.decodedUrlBlacklist.addAll(values);
    }

    private void urlBlacklistsRemoveAll(Collection<String> values) {
        this.encodedUrlBlacklist.removeAll(values);
        this.decodedUrlBlacklist.removeAll(values);
    }

    @Override
    public FirewalledRequest getFirewalledRequest(HttpServletRequest request) throws RequestRejectedException {
        rejectedBlacklistedUrls(request);

        if (!isNormalized(request)) {
            throw new RequestRejectedException("The request was rejected because the URL was not normalized.");
        }

        String requestUri = request.getRequestURI();
        if (!containsOnlyPrintableAsciiCharacters(requestUri)) {
            throw new RequestRejectedException("The requestURI was rejected because it can only contain printable ASCII characters.");
        }
        return new FirewalledRequest(request) {
            @Override
            public void reset() {
            }
        };
    }

    private void rejectedBlacklistedUrls(HttpServletRequest request) {
        for (String forbidden : this.encodedUrlBlacklist) {
            if (encodedUrlContains(request, forbidden)) {
                throw new RequestRejectedException("The request was rejected because the URL contained a potentially malicious String \"" + forbidden + "\"");
            }
        }
        for (String forbidden : this.decodedUrlBlacklist) {
            if (decodedUrlContains(request, forbidden)) {
                throw new RequestRejectedException("The request was rejected because the URL contained a potentially malicious String \"" + forbidden + "\"");
            }
        }
    }

    @Override
    public HttpServletResponse getFirewalledResponse(HttpServletResponse response) {
        return new FirewalledResponse(response);
    }

    private static boolean isNormalized(HttpServletRequest request) {
        if (!isNormalized(request.getRequestURI())) {
            return false;
        }
        if (!isNormalized(request.getContextPath())) {
            return false;
        }
        if (!isNormalized(request.getServletPath())) {
            return false;
        }
        if (!isNormalized(request.getPathInfo())) {
            return false;
        }
        return true;
    }

    private static boolean encodedUrlContains(HttpServletRequest request, String value) {
        if (valueContains(request.getContextPath(), value)) {
            return true;
        }
        return valueContains(request.getRequestURI(), value);
    }

    private static boolean decodedUrlContains(HttpServletRequest request, String value) {
        if (valueContains(request.getServletPath(), value)) {
            return true;
        }
        if (valueContains(request.getPathInfo(), value)) {
            return true;
        }
        return false;
    }

    private static boolean containsOnlyPrintableAsciiCharacters(String uri) {
        int length = uri.length();
        for (int i = 0; i < length; i++) {
            char c = uri.charAt(i);
            if (c < '\u0020' || c > '\u007e') {
                return false;
            }
        }

        return true;
    }

    private static boolean valueContains(String value, String contains) {
        return value != null && value.contains(contains);
    }

    /**
     * Checks whether a path is normalized (doesn't contain path traversal
     * sequences like "./", "/../" or "/.")
     *
     * @param path
     *            the path to test
     * @return true if the path doesn't contain any path-traversal character
     *         sequences.
     */
    private static boolean isNormalized(String path) {
        if (path == null) {
            return true;
        }

        if (path.indexOf("//") > -1) {
            return false;
        }

        for (int j = path.length(); j > 0;) {
            int i = path.lastIndexOf('/', j - 1);
            int gap = j - i;

            if (gap == 2 && path.charAt(i + 1) == '.') {
                // ".", "/./" or "/."
                return false;
            } else if (gap == 3 && path.charAt(i + 1) == '.' && path.charAt(i + 2) == '.') {
                return false;
            }

            j = i;
        }

        return true;
    }

}

该类默认不允许URL中出现 Semicolon（分号）、Period（句号）、Percent（百分号）、Slash（斜杠）、 BackSlash（反斜杠）及其相应的经URL编码的字符。