Spring Boot
的自动配置类。用于向Servlet
容器注册一个名称为securityFilterChainRegistration
的bean
, 实现类是DelegatingFilterProxyRegistrationBean
。该 bean
的目的是注册另外一个 Servlet Filter bean
到 Servlet 容器
,实现类为 DelegatingFilterProxy
。DelegatingFilterProxy Filter
其实是一个代理过滤器,它被 Servlet
容器用于处理请求时,会将任务委托给指定给自己另外一个Filter bean
。对于SecurityFilterAutoConfiguration
,来讲,这个被代理的Filter bean
的名字为springSecurityFilterChain
, 也就是 Spring Security Web
提供的用于请求安全处理的Filter bean
,其实现类是 FilterChainProxy
。
可以将 1 个
FilterChainProxy
理解为1 HttpFirewall
+n SecurityFilterChain
。
源代码
源代码版本 : Spring Boot 2.1.3 RELEASE
package org.springframework.boot.autoconfigure.security.servlet;
import java.util.EnumSet;
import java.util.stream.Collectors;
import javax.servlet.DispatcherType;
import org.springframework.boot.autoconfigure.AutoConfigureAfter;
import org.springframework.boot.autoconfigure.EnableAutoConfiguration;
import org.springframework.boot.autoconfigure.condition.ConditionalOnBean;
import org.springframework.boot.autoconfigure.condition.ConditionalOnClass;
import org.springframework.boot.autoconfigure.condition.ConditionalOnWebApplication;
import org.springframework.boot.autoconfigure.condition.ConditionalOnWebApplication.Type;
import org.springframework.boot.autoconfigure.security.SecurityProperties;
import org.springframework.boot.context.properties.EnableConfigurationProperties;
import org.springframework.boot.web.servlet.DelegatingFilterProxyRegistrationBean;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfiguration;
import org.springframework.security.config.http.SessionCreationPolicy;
import org.springframework.security.web.context.AbstractSecurityWebApplicationInitializer;
@Configuration
// 仅在 Servlet 环境下生效
@ConditionalOnWebApplication(type = Type.SERVLET)
// 确保安全属性配置信息被加载并以bean形式被注册到容器
@EnableConfigurationProperties(SecurityProperties.class)
// 仅在特定类存在于 classpath 上时才生效
@ConditionalOnClass({ AbstractSecurityWebApplicationInitializer.class,
SessionCreationPolicy.class })
// 指定该配置类在 SecurityAutoConfiguration 配置类应用之后应用
@AutoConfigureAfter(SecurityAutoConfiguration.class)
public class SecurityFilterAutoConfiguration {
// 要注册到 Servlet 容器的 DelegatingFilterProxy Filter的
// 目标代理Filter bean的名称 :springSecurityFilterChain
private static final String DEFAULT_FILTER_NAME =
AbstractSecurityWebApplicationInitializer.DEFAULT_FILTER_NAME;
// 定义一个 bean securityFilterChainRegistration,
// 该 bean 的目的是注册另外一个 bean 到 Servlet 容器 : 实现类为 DelegatingFilterProxy 的一个 Servlet Filter
// 该 DelegatingFilterProxy Filter 其实是一个代理过滤器,它被 Servlet 容器用于匹配特定URL模式的请求,
// 而它会将任务委托给指定给自己的名字为 springSecurityFilterChain 的 Filter, 也就是 Spring Security Web
// 提供的用于请求安全处理的一个 Filter bean,其实现类是 FilterChainProxy
// (可以将 1 个 FilterChainProxy 理解为 1 HttpFirewall + n SecurityFilterChain)
@Bean
@ConditionalOnBean(name = DEFAULT_FILTER_NAME)
public DelegatingFilterProxyRegistrationBean securityFilterChainRegistration(
SecurityProperties securityProperties) {
DelegatingFilterProxyRegistrationBean registration = new DelegatingFilterProxyRegistrationBean(
DEFAULT_FILTER_NAME);
registration.setOrder(securityProperties.getFilter().getOrder());
registration.setDispatcherTypes(getDispatcherTypes(securityProperties));
return registration;
}
private EnumSet<DispatcherType> getDispatcherTypes(
SecurityProperties securityProperties) {
if (securityProperties.getFilter().getDispatcherTypes() == null) {
return null;
}
return securityProperties.getFilter().getDispatcherTypes().stream()
.map((type) -> DispatcherType.valueOf(type.name())).collect(Collectors
.collectingAndThen(Collectors.toSet(), EnumSet::copyOf));
}
}