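How Spring, Spring Security, and Servlet integrate
We know that Spring delegates the parsing of custom namespaces to the handlers listed in the META-INF\spring.handlers file on the classpath. The Spring Security namespace is handed to SecurityNamespaceHandler, which parses the configuration into BeanDefinition objects. At that point the relevant beans have been registered in the Spring container.
Because Spring's servlet integration by default stores the Spring context in the servlet context, the DelegatingFilterProxy filter can obtain the servlet context and, through its attributes, the Spring context. From there it looks up the bean with the specified name and invokes it, which drives the whole series of calls in the filter chain.
Basic usage of the Spring Security custom namespace
A complete XML configuration file generally contains the following elements:
URL-level security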
Web/HTTP Security - the most complex part. Sets up the filters and related service beans used to apply the framework authentication mechanisms, to secure URLs, render login and error pages and much more.
Service-level security
Business Object (Method) Security - options for securing the service layer.
Authentication manager
AuthenticationManager - handles authentication requests from other parts of the framework.
Access decision manager
AccessDecisionManager - provides access decisions for web and method security. A default one will be registered, but you can also choose to use a custom one, declared using normal Spring bean syntax.
Authentication providers
AuthenticationProviders - mechanisms against which the authentication manager authenticates users. The namespace provides support for several standard options and also a means of adding custom beans declared using a traditional syntax.
User details, roughly equivalent to a service that reads local user information
UserDetailsService - closely related to authentication providers, but often also required by other beans.
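The elements listed above, combined into one security context file. This is an added example, not configuration from the original post or from the Spring Security project; it assumes Spring Security 4.x/5.x XML namespace support, and the file name, URL patterns, bean ids, user name and password placeholder are all hypothetical.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Added example: hypothetical security-context.xml. URL patterns, bean ids and the user are assumptions. -->
<beans:beans xmlns="http://www.springframework.org/schema/security"
             xmlns:beans="http://www.springframework.org/schema/beans"
             xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
             xsi:schemaLocation="
               http://www.springframework.org/schema/beans
               http://www.springframework.org/schema/beans/spring-beans.xsd
               http://www.springframework.org/schema/security
               http://www.springframework.org/schema/security/spring-security.xsd">

  <!-- Web/HTTP security: registers the filter chain bean named "springSecurityFilterChain" -->
  <http use-expressions="false" access-decision-manager-ref="accessDecisionManager">
    <intercept-url pattern="/admin/**" access="ROLE_ADMIN"/>
    <intercept-url pattern="/**" access="ROLE_USER"/> <!-- catch-all goes last: first match wins -->
    <form-login/>
    <logout/>
  </http>

  <!-- Business object (method) security: enables @PreAuthorize / @PostAuthorize on service beans -->
  <global-method-security pre-post-annotations="enabled"/>

  <!-- AuthenticationManager, one AuthenticationProvider, and an in-memory UserDetailsService -->
  <authentication-manager>
    <authentication-provider>
      <password-encoder ref="passwordEncoder"/>
      <user-service>
        <user name="alice" password="REPLACE_WITH_BCRYPT_HASH" authorities="ROLE_USER"/>
      </user-service>
    </authentication-provider>
  </authentication-manager>

  <beans:bean id="passwordEncoder" class="org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder"/>

  <!-- Custom AccessDecisionManager declared with normal bean syntax; denies when every voter abstains -->
  <beans:bean id="accessDecisionManager" class="org.springframework.security.access.vote.AffirmativeBased">
    <beans:constructor-arg>
      <beans:list>
        <beans:bean class="org.springframework.security.access.vote.RoleVoter"/>
        <beans:bean class="org.springframework.security.access.vote.AuthenticatedVoter"/>
      </beans:list>
    </beans:constructor-arg>
  </beans:bean>
</beans:beans>
```

For the lookup described earlier to succeed, the DelegatingFilterProxy in web.xml must be registered with the filter name springSecurityFilterChain, which is the bean name the `<http>` element creates.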
Next, let's look at how the namespace elements correspond to the filters and services (from the official Spring Security documentation):
Alias | Filter Class | Namespace Element or Attribute |
---|---|---|
CHANNEL_FILTER | | |
SECURITY_CONTEXT_FILTER | | |
CONCURRENT_SESSION_FILTER | | |
HEADERS_FILTER | | |
CSRF_FILTER | | |
LOGOUT_FILTER | | |
X509_FILTER | | |
PRE_AUTH_FILTER | | N/A |
CAS_FILTER | | N/A |
FORM_LOGIN_FILTER | | |
BASIC_AUTH_FILTER | | |
SERVLET_API_SUPPORT_FILTER | | |
JAAS_API_SUPPORT_FILTER | | |
REMEMBER_ME_FILTER | | |
ANONYMOUS_FILTER | | |
SESSION_MANAGEMENT_FILTER | | |
EXCEPTION_TRANSLATION_FILTER | | |
FILTER_SECURITY_INTERCEPTOR | | |
SWITCH_USER_FILTER | | N/A |
That concludes the basic introduction; the next chapter covers the authentication flow and the authorization flow.