How Spring Security 5.x works

  • Server startup
    AbstractSecurityWebApplicationInitializer implements WebApplicationInitializer. (In short, SpringServletContainerInitializer scans for WebApplicationInitializer implementations, instantiates them, and calls onStartup(ServletContext servletContext). This mechanism can be used to configure DispatcherServlet, FrameworkServlet, ContextLoaderListener and DelegatingFilterProxy.)

This is how Spring Security registers the DelegatingFilterProxy filter with the ServletContext.

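  • How security takes effect
    The security filter chain is then executed through the DelegatingFilterProxy.
    DelegatingFilterProxy holds the Spring application context and a target bean name, so the filter it delegates to can be obtained from the Spring container by that bean name.

FilterChainProxy then acts as the proxy that executes the concrete filters: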

// Excerpt from FilterChainProxy.VirtualFilterChain (enclosing class and fields omitted)
public void doFilter(ServletRequest request, ServletResponse response)
        throws IOException, ServletException {
    if (currentPosition == size) {
        // Every security filter has run: hand the request back to the container's chain
        if (logger.isDebugEnabled()) {
            logger.debug(UrlUtils.buildRequestUrl(firewalledRequest)
                    + " reached end of additional filter chain; proceeding with original chain");
        }

        // Deactivate path stripping as we exit the security filter chain
        this.firewalledRequest.reset();

        originalChain.doFilter(request, response);
    }
    else {
        // Advance the position first, then invoke the filter at the previous index
        currentPosition++;

        Filter nextFilter = additionalFilters.get(currentPosition - 1);

        if (logger.isDebugEnabled()) {
            logger.debug(UrlUtils.buildRequestUrl(firewalledRequest)
                    + " at position " + currentPosition + " of " + size
                    + " in additional filter chain; firing Filter: '"
                    + nextFilter.getClass().getSimpleName() + "'");
        }

        // Passing "this" as the chain lets the filter re-enter doFilter to continue
        nextFilter.doFilter(request, response, this);
    }
}
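
The position-counter logic of the excerpt above, as an added example that is not part of the original post or of Spring Security's own code. It uses dependency-free stand-ins for the servlet Filter/FilterChain types (SecFilter, Chain, and the context/authz filters are hypothetical names) and shows that a filter which returns without calling chain.doFilter stops the request before any later filter or the original chain runs.

```java
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;

public class VirtualChainDemo {
    // Stand-ins for javax.servlet.FilterChain and javax.servlet.Filter (assumption: request = path string)
    interface Chain { void doFilter(String request); }
    interface SecFilter { void doFilter(String request, Chain chain); }

    // Same position-counter walk as the excerpt, without logging or the request firewall
    static class VirtualChain implements Chain {
        private final Chain originalChain;
        private final List<SecFilter> additionalFilters;
        private int currentPosition = 0;

        VirtualChain(Chain originalChain, List<SecFilter> additionalFilters) {
            this.originalChain = originalChain;
            this.additionalFilters = additionalFilters;
        }

        @Override
        public void doFilter(String request) {
            if (currentPosition == additionalFilters.size()) {
                originalChain.doFilter(request); // all security filters passed
            } else {
                currentPosition++;
                additionalFilters.get(currentPosition - 1).doFilter(request, this);
            }
        }
    }

    // Runs one constructed request through a fresh chain and returns the execution order
    static List<String> trace(String request) {
        List<String> log = new ArrayList<>();
        SecFilter context = (req, chain) -> { log.add("context"); chain.doFilter(req); };
        // Hypothetical access check: it rejects by simply not calling chain.doFilter
        SecFilter authz = (req, chain) -> {
            log.add("authz");
            if (req.startsWith("/admin")) { log.add("403"); return; }
            chain.doFilter(req);
        };
        Chain servlet = req -> log.add("servlet");
        new VirtualChain(servlet, Arrays.asList(context, authz)).doFilter(request);
        return log;
    }

    public static void main(String[] args) {
        System.out.println(trace("/public/index"));
        System.out.println(trace("/admin/users"));
    }
}
```

The order of additionalFilters is therefore the order of enforcement: a check placed after a filter that already forwards or commits the response never gets to run for that request.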
posted @ 2020-12-28 16:17  复一日