Video tutorial: https://www.bilibili.com/video/BV1kT4y1F7Tc
Code: https://gitee.com/crazyliyang/video-teaching
1. The following log output was copied from the DEBUG log printed when the SpringSecurityDemo project starts; the relevant part is:
o.s.s.web.DefaultSecurityFilterChain : Creating filter chain: any request,
[
org.springframework.security.web.context.request.async.WebAsyncManagerIntegrationFilter@3104351d,
org.springframework.security.web.context.SecurityContextPersistenceFilter@782168b7,
org.springframework.security.web.header.HeaderWriterFilter@1698d7c0,
org.springframework.security.web.csrf.CsrfFilter@4e628b52,
org.springframework.security.web.authentication.logout.LogoutFilter@40d10481,
org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter@7ac9af2a,
org.springframework.security.web.authentication.ui.DefaultLoginPageGeneratingFilter@6daf2337,
org.springframework.security.web.authentication.ui.DefaultLogoutPageGeneratingFilter@77d18d0b,
org.springframework.security.web.authentication.www.BasicAuthenticationFilter@1e6cc850,
org.springframework.security.web.savedrequest.RequestCacheAwareFilter@7435a578,
org.springframework.security.web.servletapi.SecurityContextHolderAwareRequestFilter@23e44287,
org.springframework.security.web.authentication.AnonymousAuthenticationFilter@7a344b65,
org.springframework.security.web.session.SessionManagementFilter@87abc48,
org.springframework.security.web.access.ExceptionTranslationFilter@73ba6fe6,
org.springframework.security.web.access.intercept.FilterSecurityInterceptor@5c645b43
]
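Spring Security prints the filters in the log in the same order in which they are actually configured, which means WebAsyncManagerIntegrationFilter is the first filter in the whole chain and FilterSecurityInterceptor is the last. The filter names and the packages they live in also give a rough idea of what each one does: UsernamePasswordAuthenticationFilter is clearly the filter for logging in with a username and password, while the purpose of FilterSecurityInterceptor is not obvious from its name, but since it sits in the web.access package we can infer that it is related to access restriction. We will analyze the source code of the key filters; first, a brief introduction to what each filter does:
- WebAsyncManagerIntegrationFilter: the web async manager integration filter, which lets asynchronous threads obtain the context information from SecurityContextHolder (we set asynchronous operation aside for now and focus on the key points).
- SecurityContextPersistenceFilter: two main responsibilities: when a request arrives, it creates the SecurityContext (the security context information); when the request finishes, it clears SecurityContextHolder.
- HeaderWriterFilter (not covered in the documentation; not a core filter): adds headers to the HTTP response, such as X-Frame-Options, X-XSS-Protection and X-Content-Type-Options.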
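
The filter order shown in the DEBUG log can also be read and checked at runtime. The following is an added example, not code from the tutorial or its repository: it lists every filter in each chain and fails startup if CsrfFilter is missing or FilterSecurityInterceptor is not last. It assumes Spring Boot 2.x with Spring Security 5.x (javax.servlet), matching the class names in the log; the class name `FilterChainAudit` and the startup policy are choices made for this example.

```java
import java.util.List;
import javax.servlet.Filter;
import org.springframework.beans.factory.annotation.Qualifier;
import org.springframework.boot.ApplicationArguments;
import org.springframework.boot.ApplicationRunner;
import org.springframework.security.web.FilterChainProxy;
import org.springframework.security.web.SecurityFilterChain;
import org.springframework.security.web.access.intercept.FilterSecurityInterceptor;
import org.springframework.security.web.csrf.CsrfFilter;
import org.springframework.stereotype.Component;

// Hypothetical class (not from the tutorial's repository).
// Assumes Spring Boot 2.x / Spring Security 5.x, hence javax.servlet.
@Component
public class FilterChainAudit implements ApplicationRunner {

    private final Filter securityFilter;

    // "springSecurityFilterChain" is the bean name Spring Security registers.
    public FilterChainAudit(@Qualifier("springSecurityFilterChain") Filter securityFilter) {
        this.securityFilter = securityFilter;
    }

    @Override
    public void run(ApplicationArguments args) {
        // With @EnableWebSecurity(debug = true) the bean is a wrapper, not the proxy itself.
        if (!(securityFilter instanceof FilterChainProxy)) {
            throw new IllegalStateException("Unexpected filter type: " + securityFilter.getClass());
        }
        for (SecurityFilterChain chain : ((FilterChainProxy) securityFilter).getFilterChains()) {
            List<Filter> filters = chain.getFilters();
            if (filters.isEmpty()) {
                // Chains created via web.ignoring() carry no filters: nothing protects them.
                System.out.println("WARNING: chain without security filters: " + chain);
                continue;
            }
            for (int i = 0; i < filters.size(); i++) {
                System.out.printf("%2d  %s%n", i + 1, filters.get(i).getClass().getName());
            }
            boolean hasCsrf = filters.stream().anyMatch(CsrfFilter.class::isInstance);
            Filter last = filters.get(filters.size() - 1);
            // Policy chosen for this example: fail startup if the chain differs from the log above.
            if (!hasCsrf || !(last instanceof FilterSecurityInterceptor)) {
                throw new IllegalStateException("Security filter chain differs from expected layout: " + chain);
            }
        }
    }
}
```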