Spring Security [Part 2]: Basic Principles

Video link: Spring Security framework tutorial
Article source code: https://github.com/geyiwei-suzhou/spring-security

Basic Principles

At its core, Spring Security is a filter chain.

Underlying flow: focus on three filters
Filter

  • FilterSecurityInterceptor: a method-level permission filter, located essentially at the very bottom of the filter chain

    public void invoke(FilterInvocation filterInvocation) throws IOException, ServletException {
    	if (isApplied(filterInvocation) && this.observeOncePerRequest) {
    		// filter already applied to this request and user wants us to observe
    		// once-per-request handling, so don't re-do security checking
    		filterInvocation.getChain().doFilter(filterInvocation.getRequest(), filterInvocation.getResponse());
    		return;
    	}
    	// first time this request being called, so perform security checking
    	if (filterInvocation.getRequest() != null && this.observeOncePerRequest) {
    		filterInvocation.getRequest().setAttribute(FILTER_APPLIED, Boolean.TRUE);
    	}
    	InterceptorStatusToken token = super.beforeInvocation(filterInvocation);
    	try {
    		filterInvocation.getChain().doFilter(filterInvocation.getRequest(), filterInvocation.getResponse());
    	}
    	finally {
    		super.finallyInvocation(token);
    	}
    	super.afterInvocation(token, null);
    }
    
  • ExceptionTranslationFilter: an exception filter that handles exceptions thrown during authentication and authorization

    private void doFilter(HttpServletRequest request, HttpServletResponse response, FilterChain chain)
    		throws IOException, ServletException {
    	try {
    		chain.doFilter(request, response);
    	}
    	catch (IOException ex) {
    		throw ex;
    	}
    	catch (Exception ex) {
    		// Try to extract a SpringSecurityException from the stacktrace
    		Throwable[] causeChain = this.throwableAnalyzer.determineCauseChain(ex);
    		RuntimeException securityException = (AuthenticationException) this.throwableAnalyzer
    				.getFirstThrowableOfType(AuthenticationException.class, causeChain);
    		if (securityException == null) {
    			securityException = (AccessDeniedException) this.throwableAnalyzer
    					.getFirstThrowableOfType(AccessDeniedException.class, causeChain);
    		}
    		if (securityException == null) {
    			rethrow(ex);
    		}
    		if (response.isCommitted()) {
    			throw new ServletException("Unable to handle the Spring Security Exception "
    					+ "because the response is already committed.", ex);
    		}
    		handleSpringSecurityException(request, response, chain, securityException);
    	}
    }
    
  • UsernamePasswordAuthenticationFilter: intercepts POST requests to /login and validates the username and password submitted in the form

    @Override
    public Authentication attemptAuthentication(HttpServletRequest request, HttpServletResponse response)
    		throws AuthenticationException {
    	if (this.postOnly && !request.getMethod().equals("POST")) {
    		throw new AuthenticationServiceException("Authentication method not supported: " + request.getMethod());
    	}
    	String username = obtainUsername(request);
    	username = (username != null) ? username : "";
    	username = username.trim();
    	String password = obtainPassword(request);
    	password = (password != null) ? password : "";
    	UsernamePasswordAuthenticationToken authRequest = new UsernamePasswordAuthenticationToken(username, password);
    	// Allow subclasses to set the "details" property
    	setDetails(request, authRequest);
    	return this.getAuthenticationManager().authenticate(authRequest);
    }
    

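    Create a class that extends UsernamePasswordAuthenticationFilter and override three methods: attemptAuthentication (obtains the username and password), successfulAuthentication (called when validation succeeds), and unsuccessfulAuthentication (called when validation fails)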

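Two important interfaces
  • UserDetailsService: the interface for querying the database; it returns a User object (an object provided by Spring Security)
  • PasswordEncoder: the data encryption interface, used to encrypt the password in the returned User object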
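
Added example (not from the original article or the Spring Security source): how the `authenticate(authRequest)` call at the end of `attemptAuthentication` reaches the two interfaces above. It assumes Spring Security 5.x on the classpath; `LoginFlowDemo`, `tryLogin`, the in-memory map and the sample account are constructed for illustration, and the wiring through `DaoAuthenticationProvider` and `ProviderManager` uses standard Spring Security classes that this page does not show.

```java
import java.util.Collections;
import java.util.Map;
import org.springframework.security.authentication.AuthenticationManager;
import org.springframework.security.authentication.BadCredentialsException;
import org.springframework.security.authentication.ProviderManager;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.authentication.dao.DaoAuthenticationProvider;
import org.springframework.security.core.authority.AuthorityUtils;
import org.springframework.security.core.userdetails.User;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.core.userdetails.UsernameNotFoundException;
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
import org.springframework.security.crypto.password.PasswordEncoder;

public class LoginFlowDemo {
    public static void main(String[] args) {
        PasswordEncoder encoder = new BCryptPasswordEncoder();
        // Constructed sample data: the map stands in for the user table and stores only the hash.
        Map<String, String> userTable = Collections.singletonMap("alice", encoder.encode("sample-Passw0rd"));
        // UserDetailsService: look the account up and return Spring Security's User object.
        UserDetailsService userDetailsService = username -> {
            String hash = userTable.get(username);
            if (hash == null) {
                throw new UsernameNotFoundException("no such user");
            }
            return new User(username, hash, AuthorityUtils.createAuthorityList("ROLE_USER"));
        };
        // The provider loads the user, then asks the PasswordEncoder to match the submitted password.
        DaoAuthenticationProvider provider = new DaoAuthenticationProvider();
        provider.setUserDetailsService(userDetailsService);
        provider.setPasswordEncoder(encoder);
        AuthenticationManager manager = new ProviderManager(Collections.singletonList(provider));

        System.out.println("correct password: " + tryLogin(manager, "alice", "sample-Passw0rd"));
        System.out.println("wrong password:   " + tryLogin(manager, "alice", "guess"));
        // By default an unknown user is reported as BadCredentialsException too, so callers cannot tell the two apart.
        System.out.println("unknown user:     " + tryLogin(manager, "nobody", "guess"));
    }

    // Mirrors the end of attemptAuthentication: build the token and hand it to the manager.
    static boolean tryLogin(AuthenticationManager manager, String username, String password) {
        try {
            return manager.authenticate(new UsernamePasswordAuthenticationToken(username, password)).isAuthenticated();
        } catch (BadCredentialsException ex) {
            return false;
        }
    }
}
```
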
Flow diagram

Spring Security
