Java-Security(六):Spring Security启动加载MySecurityConfig(WebSecurityConfigurerAdapter)/WebSecurity/HttpSecurity(xxxConfigurer、filters)流程

本章文件分为三个部分:

1)在进行Spring Security加载流程分析之前,我们需要先了解下WebSecurityConfigurerAdapter;

2)SpringBoot如何启动SpringSecurity?

3)Spring Security启动流程:MySecurityConfig(WebSecurityConfigurerAdapter)/WebSecurity/HttpSecurity(xxxConfigurer、filters)。

了解下WebSecurityConfigurerAdapter

该类是一个Spring Security Web配置适配器。在使用Spring Security项目中,如果想通过配置修改Spring Security中的一些可配置、可自定义替换的相关设置,都必须在项目中添加一个继承WebSecurityConfigurerAdapter的类MySecurityConfig。

WebSecurityConfigurerAdapter是一个抽象类,一般情况下继承了该类的配置类MySecurityConfig中可以通过重写:

1)’configure(HttpSecurity http)‘实现对HttpSecurity配置;

@Override
protected void configure(HttpSecurity http) throws Exception {
    http.csrf().disable();
  
    // 基于token,所以不需要session
    http.sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS);

    http.authorizeRequests()
            .antMatchers("/", "/*.html", "/favicon.ico", "/css/**", "/js/**", "/fonts/**", "/layui/**", "/img/**",
                    "/v2/api-docs/**", "/swagger-resources/**", "/webjars/**", "/pages/**", "/druid/**",
                    "/statics/**")
            .permitAll().anyRequest().authenticated();
    http.formLogin()/*.loginPage("/login.html")*/.loginProcessingUrl("/login")
            .successHandler(authenticationSuccessHandler).failureHandler(authenticationFailureHandler);
            // .and().exceptionHandling().authenticationEntryPoint(authenticationEntryPoint);
    http.logout().logoutUrl("/logout").logoutSuccessHandler(logoutSuccessHandler);
    // 解决不允许显示在iframe的问题
    http.headers().frameOptions().disable();
    http.headers().cacheControl();

    http.addFilterBefore(tokenFilter, UsernamePasswordAuthenticationFilter.class);
}

2)'configure(WebSecurity web)'实现对WebSecurity配置;

3)’configure(AuthenticationManagerBuilder auth)‘实现对Authentication配置;

    @Override
    protected void configure(AuthenticationManagerBuilder auth) throws Exception {
        auth.userDetailsService(userDetailsService).passwordEncoder(bCryptPasswordEncoder());
    }

实际上,这个WebSecurityConfigurerAdapter就是为了干预HttpSecurity/WebSecurity/AuthenticationManagerBuilder,用来根据使用Spring Security的开发人员可以自己通过配置达到自己想要的功能效果。

SpringBoot如何启动SpringSecurity?

如果是SpringBoot项目依赖了Spring Security相关依赖,就会自动加载执行SecurityFilterAutoConfiguration配置类,而SecurityFilterAutoConfiguration加载之前会先加载执(@AutoConfigureAfter({SecurityAutoConfiguration.class}))SecurityAutoConfiguration,在SecurityAutoConfiguraiton生效时它会导入WebSecurityEnableConfiguration
EnableWebSecurity主要是加载了三个类:

<1>SpringWebMvcImportSelector的作用是判断当前的环境是否包含springmvc,因为spring security可以在非spring环境下使用,为了避免DispatcherServlet的重复配置,所以使用了这个注解来区分。
<2> WebSecurityConfiguration顾名思义,是用来配置web安全的,下面的小节会详细介绍。
<3>AuthenticationConfiguration权限配置相关类
而重点就是后两者!

Spring Security启动流程

在项目启动中,HttpSecurity中会加载一个Configurers,它们就是实现了AbstractInterceptUrlConfigurer的Configurer类,之后会根据xxxConfigurer后#configure(HttpSecurity http)会加载Configurer对应的Filters列表中:

HttpBasicConfigurer->BasicAuthenticationFilter
LogoutConfigurer->LogoutFilter
RequestCacheConfigurer->RequestCacheAwareFilter
RememberMeConfigurer->RememberMeAuthenticationFilter
ServletApiConfigurer->SecurityContextHolderAwareRequestFilter
DefaultLoginPageConfigurer->DefaultLoginPageGeneratingFilter
SessionManagementConfigurer->SessionManagementFilter
PortMapperConfigurer->无
ExceptionHandlingConfigurer->ExceptionTranslationFilter
HeadersConfigurer->HeaderWriterFilter
CsrfConfigurer->CsrfFilter
ImplicitGrantConfigurer->OAuth2AuthorizationRequestRedirectFilter
AnonymousConfigurer->AnonymousAuthenticationFilter
JeeConfigurer->J2eePreAuthenticatedProcessingFilter
ChannelSecurityConfigurer->ChannelProcessingFilter
CorsConfigurer->CorsFilter
SecurityContextConfigurer->SecurityContextPersistenceFilter
FormLoginConfigurer->DefaultLoginPageGeneratingFilter
OAuth2LoginConfigurer->OAuth2LoginAuthenticationFilter
OpenIDLoginConfigurer->OpenIDAuthenticationFilter
X509Configurer->X509AuthenticationFilter
UrlAuthorizationConfigurer->FilterSecurityInterceptor
ExpressionUrlAuthorizationConfigurer->FilterSecurityInterceptor

SecurityConfigurer:

 SecurityBuilder:

HttpSecurity是一个securityBuilder,HttpSecuirty内部维护了一个Filter的List集合,我们添加的各种安全配置器对应的Filter最终都会被加入到这个List集合中。
WebSecurity是一个securityBuilder,内部维护着securityBuilder的列表,存储securityBuilder,这里主要是存储HttpSecurity。
很多官方类是XXXConfigurer,这些都是SecurityConfigurer。这些SecurityConfigurer的configure()方法,都会把对应filter添加到HttpSecurity 

 

参考:

基于注解的Spring Security原理解析

Spring Security 实现原理的理解记录

SpringSecurity分析-1-启动加载

posted @ 2021-01-05 21:35  cctext  阅读(928)  评论(0编辑  收藏  举报