1.spring-security的过滤链组成与顺序
在org.springframework.security.config.annotation.web.builders.FilterComparator
构造函数 定义了security 过滤器的顺序。
从这里面我们也可以看到security 里面使用到的过滤器, 从名字上我们大概可以看出每个fileter的作用。(部分源码如下:)
FilterComparator() {
Step order = new Step(INITIAL_ORDER, ORDER_STEP);
put(ChannelProcessingFilter.class, order.next());
put(ConcurrentSessionFilter.class, order.next());
put(WebAsyncManagerIntegrationFilter.class, order.next());
put(SecurityContextPersistenceFilter.class, order.next());
put(HeaderWriterFilter.class, order.next());
put(CorsFilter.class, order.next());
put(CsrfFilter.class, order.next());
put(LogoutFilter.class, order.next());
filterToOrder.put(
"org.springframework.security.oauth2.client.web.OAuth2AuthorizationRequestRedirectFilter",
order.next());
filterToOrder.put(
"org.springframework.security.saml2.provider.service.servlet.filter.Saml2WebSsoAuthenticationRequestFilter",
order.next());
......
}
2.接下来说说每个Filter是如何组装成一个过滤链的。
用org.springframework.security.web.authentication.logout.LogoutFilter举一个例子吧:
里面涉及到一个重要的类org.springframework.security.config.annotation.web.configurers.LogoutConfigurer。
主要源码如下:
public final class LogoutConfigurer<H extends HttpSecurityBuilder<H>> extends
AbstractHttpConfigurer<LogoutConfigurer<H>, H> {
@Override
public void configure(H http) throws Exception {
LogoutFilter logoutFilter = createLogoutFilter(http);//创建LogoutFilter
http.addFilter(logoutFilter);//通过这个方法,将logoutFilter加入过滤链中
}
}
再细看一下这个LogoutConfigurer的父类的父类SecurityConfigurerAdapter, 下面列出主要的源码。
public abstract class SecurityConfigurerAdapter<O, B extends SecurityBuilder<O>>
implements SecurityConfigurer<O, B> {
public void configure(B builder) throws Exception {
//LogoutConfigurer实现的configure方法
}
public void setBuilder(B builder) {
this.securityBuilder = builder;
}
public B and() {
//这里面的作用就是 org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter#configure(HttpSecurity http)
//实例代码
// http
// .requestMatchers().antMatchers("/order/*").anyRequest()
// .and()
// .authorizeRequests()
//其实就是返回具体 HttpSecurity
return getBuilder();
}
protected final B getBuilder() {
if (securityBuilder == null) {
throw new IllegalStateException("securityBuilder cannot be null");
}
return securityBuilder;
}
}
最后返回到org.springframework.security.config.annotation.web.builders.HttpSecurity的logout()方法。
从下面代码顺序往下看就可以看出LogoutConfigurer被添加到了某个变量保存了起来,然后通过LogoutConfigurer.configure就将filter 放到了HttpSecurity的过滤链中。
public LogoutConfigurer<HttpSecurity> logout() throws Exception {
//添加LogoutConfigurer到
return getOrApply(new LogoutConfigurer<>());
}
private <C extends SecurityConfigurerAdapter<DefaultSecurityFilterChain, HttpSecurity>> C getOrApply(
C configurer) throws Exception {
C existingConfig = (C) getConfigurer(configurer.getClass());
if (existingConfig != null) {
return existingConfig;
}
return apply(configurer);
}
public <C extends SecurityConfigurerAdapter<O, B>> C apply(C configurer)
throws Exception {
configurer.addObjectPostProcessor(objectPostProcessor);
configurer.setBuilder((B) this);
add(configurer);//这里可以看成addFilter,从广义上看的话。
return configurer;
}
然后有一个configurer.setBuilder((B) this);,就是将HttpSecurity设置到LogoutConfigurer的securityBuilder 成员变量里面,这里面的一个作用就是通过and()返回HttpSecurity。
比如: