springframework.security几个关键类及结构
-
1.
org.springframework.security.web.access.interceptFilterSecurityInterceptor
Filter
doFilter
FilterInvocation.invoke
beforeInvocation
SecurityContextHolder.getContext().getAuthentication()
authenticationManager.authenticate(authentication)
accessDecisionManager.decide(authenticated, object, attributes)
getChain().doFilter
afterInvocation
afterInvocationManager.decide(token.getSecurityContext().getAuthentication(), token.getSecureObject(), token.getAttributes(), returnedObject)
AbstractSecurityInterceptor
AuthenticationManager
AfterInvocationManager
AfterInvocationProviderManager
AccessDecisionManager
AbstractAccessDecisionManager
AffirmativeBased
ConsensusBased
UnanimousBased
-
2.
org.springframework.security.access.intercept.aopalliance.MethodSecurityInterceptor
org.aopalliance.intercept.MethodInterceptor
org.aopalliance.aop.Advice.Interceptor
org.aopalliance.aop.Advice
AbstractSecurityInterceptor
-
3.
org.springframework.security.access.intercept.aspectj.AspectJMethodSecurityInterceptor
MethodInterceptor
-
4.
AuthenticationEntryPoint
,主要是commence
方法统一异常,由用户自定义实现 -
5.
AuthenticationManager
, 用于验证,Processes an Authentication request
spring security过滤器设置先后顺序
FilterComparator
设置过滤器执行链
FilterComparator.Step order = new FilterComparator.Step(100, 100);
this.put(ChannelProcessingFilter.class, order.next());
this.put(ConcurrentSessionFilter.class, order.next());
this.put(WebAsyncManagerIntegrationFilter.class, order.next());
this.put(SecurityContextPersistenceFilter.class, order.next());
this.put(HeaderWriterFilter.class, order.next());
this.put(CorsFilter.class, order.next());
this.put(CsrfFilter.class, order.next());
this.put(LogoutFilter.class, order.next());
this.filterToOrder.put("org.springframework.security.oauth2.client.web.OAuth2AuthorizationRequestRedirectFilter", order.next());
this.filterToOrder.put("org.springframework.security.saml2.provider.service.servlet.filter.Saml2WebSsoAuthenticationRequestFilter", order.next());
this.put(X509AuthenticationFilter.class, order.next());
this.put(AbstractPreAuthenticatedProcessingFilter.class, order.next());
this.filterToOrder.put("org.springframework.security.cas.web.CasAuthenticationFilter", order.next());
this.filterToOrder.put("org.springframework.security.oauth2.client.web.OAuth2LoginAuthenticationFilter", order.next());
this.filterToOrder.put("org.springframework.security.saml2.provider.service.servlet.filter.Saml2WebSsoAuthenticationFilter", order.next());
this.put(UsernamePasswordAuthenticationFilter.class, order.next());
this.put(ConcurrentSessionFilter.class, order.next());
this.filterToOrder.put("org.springframework.security.openid.OpenIDAuthenticationFilter", order.next());
this.put(DefaultLoginPageGeneratingFilter.class, order.next());
this.put(DefaultLogoutPageGeneratingFilter.class, order.next());
this.put(ConcurrentSessionFilter.class, order.next());
this.put(DigestAuthenticationFilter.class, order.next());
this.filterToOrder.put("org.springframework.security.oauth2.server.resource.web.BearerTokenAuthenticationFilter", order.next());
this.put(BasicAuthenticationFilter.class, order.next());
this.put(RequestCacheAwareFilter.class, order.next());
this.put(SecurityContextHolderAwareRequestFilter.class, order.next());
this.put(JaasApiIntegrationFilter.class, order.next());
this.put(RememberMeAuthenticationFilter.class, order.next());
this.put(AnonymousAuthenticationFilter.class, order.next());
this.filterToOrder.put("org.springframework.security.oauth2.client.web.OAuth2AuthorizationCodeGrantFilter", order.next());
this.put(SessionManagementFilter.class, order.next());
this.put(ExceptionTranslationFilter.class, order.next());
this.put(FilterSecurityInterceptor.class, order.next());
this.put(SwitchUserFilter.class, order.next());
oauth2关键类
OAuth2AuthenticationProcessingFilter
OAuth2的FilterdoFilter
tokenExtractor.extract
authenticationManager.authenticate
- 成功,
publishAuthenticationSuccess
和SecurityContextHolder.getContext().setAuthentication
- 失败,
authenticationEntryPoint.commence
OAuth2AuthenticationManager
ResourceServerTokenServices
DefaultTokenServices
实现类loadAuthentication
方法readAccessToken
方法TokenStore
依赖RedisTemplateTokenStore
实现类getAccessToken
方法removeRefreshToken
方法removeAccessToken
方法
ClientDetailsService
RedisClientDetailsService
,在Redis
中缓存JdbcClientDetailsService
维护的ClientDetails
JdbcClientDetailsService
,ClientDetails
最终存储于数据库中
BearerTokenExtractor
OAuth2AuthenticationEntryPoint
,统一的异常处理类