Websecurity类主要的继承关系为自Websecurity->AbstractConfiguredSecurityBuilder->AbstractSecurityBuilder,其中上一步调用的build方法就在AbstractSecurityBuilder中
SpringSecurity在这个类中实现了创建FilterChain的方法——performbuild
/***
*在生成发生后立即执行可运行文件*
*@参数后期生成操作
*@返回@link websecurity进行进一步的自定义
*/
@Override
protected Filter performBuild() throws Exception {
Assert.state(
!securityFilterChainBuilders.isEmpty(),
"At least one SecurityBuilder<? extends SecurityFilterChain> needs to be specified. Typically this done by adding a @Configuration that extends WebSecurityConfigurerAdapter. More advanced users can invoke "
+ WebSecurity.class.getSimpleName()
+ ".addSecurityFilterChainBuilder directly");
int chainSize = ignoredRequests.size() + securityFilterChainBuilders.size();
List<SecurityFilterChain> securityFilterChains = new ArrayList<SecurityFilterChain>(
chainSize);
for (RequestMatcher ignoredRequest : ignoredRequests) {
securityFilterChains.add(new DefaultSecurityFilterChain(ignoredRequest));
}
for (SecurityBuilder<? extends SecurityFilterChain> securityFilterChainBuilder : securityFilterChainBuilders) {
securityFilterChains.add(securityFilterChainBuilder.build());
}
FilterChainProxy filterChainProxy = new FilterChainProxy(securityFilterChains);
if (httpFirewall != null) {
filterChainProxy.setFirewall(httpFirewall);
}
filterChainProxy.afterPropertiesSet();
Filter result = filterChainProxy;
if (debugEnabled) {
logger.warn("\n\n"
+ "********************************************************************\n"
+ "********** Security debugging is enabled. *************\n"
+ "********** This may include sensitive information. *************\n"
+ "********** Do not use in a production system! *************\n"
+ "********************************************************************\n\n");
result = new DebugFilter(filterChainProxy);
}
postBuildAction.run();
return result;
}
在构建FilterChain的过程中,我们可以发现使用了两个关键的对象——ignoredRequest和securityFilterChainBuilders:
int chainSize = ignoredRequests.size() + securityFilterChainBuilders.size(); List<SecurityFilterChain> securityFilterChains = new ArrayList<SecurityFilterChain>( chainSize);
int chainSize = ignoredRequests.size() + securityFilterChainBuilders.size();
首先,我们来看一看securityFilterChainBuilders:
在WebSecurityConfigureAdapter类中的init方法中有如下语句:
final HttpSecurity http = getHttp(); web.addSecurityFilterChainBuilder(http)
也就是说,这个securityFilterChainBuilders中存放的是获取到的httpSecurity实例对象(此处应该注意的是虽然我们的http对象是通过一种"add"的形式添加到securityFilterChainBuilders中的,但是,通过阅读WebSecurityConfigureAdapter的getHttp()方法中的代码我们可以知道一个WebSecurityConfigureAdapter类中通过getHttp()方法只会获得一个http实例——)
之后我们通过阅读HttpSecurity类的代码可以知道,这个http实例中包含了我们创建过滤器链所需要的各种过滤器的配置类的实例;
那么,既然我们创建FilterChain所需要的配置实例已经包含