Recently I wanted to look into the configuration of Spring Security OAuth2, but since the OAuth2 configuration is built on top of Spring Security, there was no way around it: I had to understand Spring Security's own configuration first.
First, the Spring Security workflow.
The above is my own summary of the Spring Security flow as a diagram; if anything in it is wrong, please point it out.
With the flow diagram in mind, let's analyze the main classes and methods of Spring Security.
org.springframework.security.web
public class FilterChainProxy extends GenericFilterBean {

    // Excerpt: this doFilter belongs to FilterChainProxy's private inner class VirtualFilterChain,
    // which walks the filters matched for the current request one at a time. Its fields
    // (originalChain, additionalFilters, firewalledRequest, size, currentPosition) and the
    // constructor are omitted here.
    private static class VirtualFilterChain implements FilterChain {

        public void doFilter(ServletRequest request, ServletResponse response) throws IOException, ServletException {
            if (currentPosition == size) {
                if (logger.isDebugEnabled()) {
                    logger.debug(UrlUtils.buildRequestUrl(firewalledRequest)
                            + " reached end of additional filter chain; proceeding with original chain");
                }
                // Deactivate path stripping as we exit the security filter chain
                this.firewalledRequest.reset();
                // All security filters have run: hand the request back to the container's chain
                originalChain.doFilter(request, response);
            } else {
                currentPosition++;
                Filter nextFilter = additionalFilters.get(currentPosition - 1);
                if (logger.isDebugEnabled()) {
                    logger.debug(UrlUtils.buildRequestUrl(firewalledRequest) + " at position " + currentPosition + " of "
                            + size + " in additional filter chain; firing Filter: '"
                            + nextFilter.getClass().getSimpleName() + "'");
                }
                // Each security filter receives this virtual chain, so calling chain.doFilter() advances to the next one
                nextFilter.doFilter(request, response, this);
            }
        }
    }
}
This class is the filter chain that manages all of Spring Security's filters behind the org.springframework.web.filter.DelegatingFilterProxy registered in web.xml; its main method is doFilter.
We can see all the Spring Security filters registered in the chain.
Among them the 4th, UsernamePasswordAuthenticationFilter, is the filter I registered to handle login requests with my own logic.
"LogoutFilter" intercepts logout requests.
"RequestCacheAwareFilter" records the information of the current request (judging from a look at the code, probably).
"AnonymousAuthenticationFilter" obtains the authorities of the user making the request; if there are none, it creates a new anonymous authentication.
"ExceptionTranslationFilter" is the filter that intercepts exceptions; its main job is to catch exceptions such as access_denied.
"FilterSecurityInterceptor" performs the authorization check: here the AccessDecisionManager decides whether the user's authorities permit the requested path. Once access is refused, an access_denied exception (AccessDeniedException) is thrown, caught by "ExceptionTranslationFilter", and then handled by the AccessDeniedHandler.
Note Spring Security's default login-processing filter:
public class UsernamePasswordAuthenticationFilter extends AbstractAuthenticationProcessingFilter {
    //~ Static fields/initializers =====================================================================================

    // Default names of the request parameters carrying the submitted credentials
    public static final String SPRING_SECURITY_FORM_USERNAME_KEY = "j_username";
    public static final String SPRING_SECURITY_FORM_PASSWORD_KEY = "j_password";

    /**
     * @deprecated If you want to retain the username, cache it in a customized {@code AuthenticationFailureHandler}
     */
    @Deprecated
    public static final String SPRING_SECURITY_LAST_USERNAME_KEY = "SPRING_SECURITY_LAST_USERNAME";

    private String usernameParameter = SPRING_SECURITY_FORM_USERNAME_KEY;
    private String passwordParameter = SPRING_SECURITY_FORM_PASSWORD_KEY;
    // Only POST is accepted by default, so credentials are not read from a GET query string
    private boolean postOnly = true;

    // ... remainder of the class not shown in the original post
}
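As an added example (not code from the original post), here is how the pieces described above fit together when the chain is configured in Java rather than through web.xml: a custom login filter placed at the UsernamePasswordAuthenticationFilter position, authorization rules enforced by FilterSecurityInterceptor, and the AccessDeniedHandler that ExceptionTranslationFilter invokes. It assumes Spring Security 4.x/5.x with WebSecurityConfigurerAdapter; the URLs and the role name are placeholders.

```java
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.springframework.security.access.AccessDeniedException;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.web.access.AccessDeniedHandler;
import org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter;

@EnableWebSecurity
public class SecurityConfig extends WebSecurityConfigurerAdapter {

    // Custom login filter at the UsernamePasswordAuthenticationFilter position of the chain
    // (the 4th filter in the post's listing). Parameter names replace the old j_username/j_password.
    private UsernamePasswordAuthenticationFilter loginFilter() throws Exception {
        UsernamePasswordAuthenticationFilter filter = new UsernamePasswordAuthenticationFilter();
        filter.setAuthenticationManager(authenticationManager());
        filter.setFilterProcessesUrl("/login");      // placeholder login URL
        filter.setUsernameParameter("username");
        filter.setPasswordParameter("password");
        filter.setPostOnly(true);   // keep the default: credentials are never read from a GET query string
        return filter;
    }

    // Invoked by ExceptionTranslationFilter when FilterSecurityInterceptor's AccessDecisionManager
    // rejects the request with an AccessDeniedException: log it server-side, answer with a bare 403.
    private AccessDeniedHandler accessDeniedHandler() {
        return (HttpServletRequest req, HttpServletResponse res, AccessDeniedException ex) -> {
            req.getServletContext().log("access denied: " + req.getMethod() + " " + req.getRequestURI()
                    + " user=" + req.getRemoteUser());
            res.sendError(HttpServletResponse.SC_FORBIDDEN);
        };
    }

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            .addFilterAt(loginFilter(), UsernamePasswordAuthenticationFilter.class)
            .authorizeRequests()
                .antMatchers("/admin/**").hasRole("ADMIN")   // evaluated by FilterSecurityInterceptor
                .anyRequest().authenticated()
                .and()
            .exceptionHandling().accessDeniedHandler(accessDeniedHandler())
                .and()
            .logout().logoutUrl("/logout");                  // handled by LogoutFilter
    }
}
```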