1
在
web.xml
文件中配置
问题
:
为什么
DelegatingFilterProxy
的
fifilter-name
必须是
springSecurityFilterChain?
![](https://img-blog.csdnimg.cn/7e658e589832410f8ce04fbb5139730a.png)
DelegatingFilterProxy
并不是真正的
Filter
,在其
initFilterBean
方法中会从
WebApplicationContext
根据
delegate来获取到
protected void initFilterBean() throws ServletException {
synchronized (this.delegateMonitor) {
if (this.delegate == null) {
// If no target bean name specified, use filter name.
if (this.targetBeanName == null) {
this.targetBeanName = getFilterName();
}
// Fetch Spring root application context and initialize the delegate early,
// if possible. If the root application context will be started after this
// filter proxy, we'll have to resort to lazy initialization.
WebApplicationContext wac = findWebApplicationContext();
if (wac != null) {
this.delegate = initDelegate(wac);
}
}
}
}
在上这代码中
this.targetBeanName=getFilterName()
就是获取名称叫做
springSecurityFilterChain
通过在
doFilter
就去中我们会发现真正干活的其实是
delegate
这个
Filter,
而
delegate
其实就是
FilterChainProxy
public void doFilter(ServletRequest request, ServletResponse response, FilterChain filterChain)
throws ServletException, IOException {
// Lazily initialize the delegate if necessary.
Filter delegateToUse = this.delegate;
if (delegateToUse == null) {
synchronized (this.delegateMonitor) {
delegateToUse = this.delegate;
if (delegateToUse == null) {
WebApplicationContext wac = findWebApplicationContext();
if (wac == null) {
throw new IllegalStateException("No WebApplicationContext found: " +
"no ContextLoaderListener or DispatcherServlet registered?");
}
delegateToUse = initDelegate(wac);
}
this.delegate = delegateToUse;
}
}
// Let the delegate perform the actual doFilter operation.
invokeDelegate(delegateToUse, request, response, filterChain);
}
FilterChainProxy
是
spring
在解析配置文件时装配到上下文中,并且
beanName
为
springSecurityFilterChain
, 因此在web.xml
中需要配置
fifilter-name
为
springSecurityFilterChain
2.
在
spring-security.xml
文件中配置
在配置文件中我们主要使用标签来过多成配置
<!-- 配置不拦截的资源 -->
<security:http pattern="/login.jsp" security="none"/>
<security:http pattern="/failer.jsp" security="none"/>
<security:http pattern="/css/**" security="none"/>
<security:http pattern="/img/**" security="none"/>
<security:http pattern="/plugins/**" security="none"/>
<security:http auto-config="true" use-expressions="false">
<security:intercept-url pattern="/**" access="ROLE_USER,ROLE_ADMIN"/>
<security:form-login
login-page="/login.jsp"
login-processing-url="/login.do"
default-target-url="/index.jsp"
authentication-failure-url="/failer.jsp"
authentication-success-forward-url="/pages/main.jsp"
/>
</security:http>
http
标签是自定义标签,我们可以在
spring-security-confifig
包中查看
http\://www.springframework.org/schema/security=org.springframework.security.config.SecurityNamespaceHandler
继续查看
SecurityNamespaceHandler
类,在其
init
方法
public void init() {
loadParsers();
}
在
loadParsers()
方法中,指定由
HttpSecurityBeanDefifinitionParser
进行解析
parsers.put(Elements.HTTP, new HttpSecurityBeanDefinitionParser());
在
HttpSecurityBeanDefifinitionParser
完成具体解析的
parse
方法中
registerFilterChainProxyIfNecessary(pc, pc.extractSource(element));
这里就是注册了名为
springSecurityFilterChain
的
fifilterChainProxy
类
接下我们在看一下注册一系列
Filter
的地方
createFilterChain
,在这个方法中我们重点关注
AuthenticationConfigBuilder authBldr = new AuthenticationConfigBuilder(element,
forceAutoConfig, pc, httpBldr.getSessionCreationPolicy(),
httpBldr.getRequestCache(), authenticationManager,
httpBldr.getSessionStrategy(), portMapper, portResolver,
httpBldr.getCsrfLogoutHandler());
我们可以查看
AuthenticationConfifigBuilder
创建代码
public AuthenticationConfigBuilder(Element element, boolean forceAutoConfig,
ParserContext pc, SessionCreationPolicy sessionPolicy,
BeanReference requestCache, BeanReference authenticationManager,
BeanReference sessionStrategy, BeanReference portMapper,
BeanReference portResolver, BeanMetadataElement csrfLogoutHandler) {
this.httpElt = element;
this.pc = pc;
this.requestCache = requestCache;
autoConfig = forceAutoConfig
| "true".equals(element.getAttribute(ATT_AUTO_CONFIG));
this.allowSessionCreation = sessionPolicy != SessionCreationPolicy.NEVER
&& sessionPolicy != SessionCreationPolicy.STATELESS;
this.portMapper = portMapper;
this.portResolver = portResolver;
this.csrfLogoutHandler = csrfLogoutHandler;
createAnonymousFilter();
createRememberMeFilter(authenticationManager);
createBasicFilter(authenticationManager);
createFormLoginFilter(sessionStrategy, authenticationManager);
createOpenIDLoginFilter(sessionStrategy, authenticationManager);
createX509Filter(authenticationManager);
createJeeFilter(authenticationManager);
createLogoutFilter();
createLoginPageFilterIfNeeded();
createUserDetailsServiceFactory();
createExceptionTranslationFilter();
}