Spring Security原理学习--核心过滤器Filter(二)

最新推荐文章于 2024-07-08 16:53:33 发布
最新推荐文章于 2024-07-08 16:53:33 发布
阅读量7.4k 收藏 16
点赞数 5
分类专栏: Spring Security Spring Web入门及源码学习
版权声明:本文为博主原创文章,遵循 CC 4.0 BY-SA 版权协议,转载请附上原文出处链接和本声明。
本文链接:https://blog.csdn.net/qq924862077/article/details/83040564
版权

在上一篇博客Spring Security原理学习--简介与示例(一)中已经简单介绍了Spring Security相关的东西, 这篇博客我们介绍一下Spring Security相关的实现机制  。首先Spring Security的认证功能是依赖Filter实现的,当然在认证功能基础上还提供了一些安全的验证等都是依赖Filter来实现完成的,如下截图Spring Security提供了13个功能Filter,并且是按照如下顺序依次执行的。当然配合Spring web的Filter注入实现,Spring Security提供了另外一个Filter的实现类FilterChainProxy,其对外包装了以下13个Filter,其实13个Filter是在接口SecurityFilterChain的实现类DefaultSecurityFilterChain中通过List保存的。

接下来我们依次介绍一下这个13个Filter。

1、WebAsyncManagerIntegrationFilter

public final class WebAsyncManagerIntegrationFilter extends OncePerRequestFilter {
	private static final Object CALLABLE_INTERCEPTOR_KEY = new Object();

	@Override
	protected void doFilterInternal(HttpServletRequest request,
			HttpServletResponse response, FilterChain filterChain)
			throws ServletException, IOException {
		WebAsyncManager asyncManager = WebAsyncUtils.getAsyncManager(request);

		SecurityContextCallableProcessingInterceptor securityProcessingInterceptor = (SecurityContextCallableProcessingInterceptor) asyncManager
				.getCallableInterceptor(CALLABLE_INTERCEPTOR_KEY);
		if (securityProcessingInterceptor == null) {
			asyncManager.registerCallableInterceptor(CALLABLE_INTERCEPTOR_KEY,
					new SecurityContextCallableProcessingInterceptor());
		}

		filterChain.doFilter(request, response);
	}
}
  • 根据请求封装获取WebAsyncManager
  • 从WebAsyncManager获取/注册SecurityContextCallableProcessingInterceptor

2、SecurityContextPersistenceFilter

两个主要职责:请求来临时,创建SecurityContext安全上下文信息,请求结束时清空SecurityContextHolder。

public class SecurityContextPersistenceFilter extends GenericFilterBean {

	static final String FILTER_APPLIED = "__spring_security_scpf_applied";

	private SecurityContextRepository repo;

	private boolean forceEagerSessionCreation = false;

	public SecurityContextPersistenceFilter() {
		this(new HttpSessionSecurityContextRepository());
	}

	public SecurityContextPersistenceFilter(SecurityContextRepository repo) {
		this.repo = repo;
	}

	public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
			throws IOException, ServletException {
		HttpServletRequest request = (HttpServletRequest) req;
		HttpServletResponse response = (HttpServletResponse) res;
		
		//判断是否已经处理过
		if (request.getAttribute(FILTER_APPLIED) != null) {
			// ensure that filter is only applied once per request
			chain.doFilter(request, response);
			return;
		}

		final boolean debug = logger.isDebugEnabled();

		request.setAttribute(FILTER_APPLIED, Boolean.TRUE);

		if (forceEagerSessionCreation) {
			HttpSession session = request.getSession();

			if (debug && session.isNew()) {
				logger.debug("Eagerly created session: " + session.getId());
			}
		}

		HttpRequestResponseHolder holder = new HttpRequestResponseHolder(request,
				response);
		//获取SecurityContext
		SecurityContext contextBeforeChainExecution = repo.loadContext(holder);

		try {
			SecurityContextHolder.setContext(contextBeforeChainExecution);

			chain.doFilter(holder.getRequest(), holder.getResponse());

		}
		finally {
			//结束后清理SecurityContext
			SecurityContext contextAfterChainExecution = SecurityContextHolder
					.getContext();
			// Crucial removal of SecurityContextHolder contents - do this before anything
			// else.
			SecurityContextHolder.clearContext();
			repo.saveContext(contextAfterChainExecution, holder.getRequest(),
					holder.getResponse());
			request.removeAttribute(FILTER_APPLIED);

			if (debug) {
				logger.debug("SecurityContextHolder now cleared, as request processing completed");
			}
		}
	}

	public void setForceEagerSessionCreation(boolean forceEagerSessionCreation) {
		this.forceEagerSessionCreation = forceEagerSessionCreation;
	}
}

3、HeaderWriterFilter

用来给http响应添加一些Header,比如X-Frame-Options, X-XSS-Protection*,X-Content-Type-Options.

public class HeaderWriterFilter extends OncePerRequestFilter {

	/**
	 * Collection of {@link HeaderWriter} instances to write out the headers to the
	 * response.
	 */
	private final List<HeaderWriter> headerWriters;

	/**
	 * Creates a new instance.
	 *
	 * @param headerWriters the {@link HeaderWriter} instances to write out headers to the
	 * {@link HttpServletResponse}.
	 */
	public HeaderWriterFilter(List<HeaderWriter> headerWriters) {
		Assert.notEmpty(headerWriters, "headerWriters cannot be null or empty");
		this.headerWriters = headerWriters;
	}

	@Override
	protected void doFilterInternal(HttpServletRequest request,
			HttpServletResponse response, FilterChain filterChain)
					throws ServletException, IOException {

		HeaderWriterResponse headerWriterResponse = new HeaderWriterResponse(request,
				response, this.headerWriters);
		try {
			filterChain.doFilter(request, headerWriterResponse);
		}
		finally {
			headerWriterResponse.writeHeaders();
		}
	}

	static class HeaderWriterResponse extends OnCommittedResponseWrapper {
		private final HttpServletRequest request;
		private final List<HeaderWriter> headerWriters;

		HeaderWriterResponse(HttpServletRequest request, HttpServletResponse response,
				List<HeaderWriter> headerWriters) {
			super(response);
			this.request = request;
			this.headerWriters = headerWriters;
		}

		/*
		 * (non-Javadoc)
		 *
		 * @see org.springframework.security.web.util.OnCommittedResponseWrapper#
		 * onResponseCommitted()
		 */
		@Override
		protected void onResponseCommitted() {
			writeHeaders();
			this.disableOnResponseCommitted();
		}

		protected void writeHeaders() {
			if (isDisableOnResponseCommitted()) {
				return;
			}
			for (HeaderWriter headerWriter : this.headerWriters) {
				headerWriter.writeHeaders(this.request, getHttpResponse());
			}
		}

		private HttpServletResponse getHttpResponse() {
			return (HttpServletResponse) getResponse();
		}
	}
}

4、LogoutFilter

退出拦截器,退出的简单操作就是删除Session,根据Spring Security初始化配置的退出地址来匹配请求。

public class LogoutFilter extends GenericFilterBean {

	// ~ Instance fields
	// ================================================================================================

	private RequestMatcher logoutRequestMatcher;

	private final List<LogoutHandler> handlers;
	private final LogoutSuccessHandler logoutSuccessHandler;

	// ~ Constructors
	// ===================================================================================================

	/**
	 * Constructor which takes a <tt>LogoutSuccessHandler</tt> instance to determine the
	 * target destination after logging out. The list of <tt>LogoutHandler</tt>s are
	 * intended to perform the actual logout functionality (such as clearing the security
	 * context, invalidating the session, etc.).
	 */
	public LogoutFilter(LogoutSuccessHandler logoutSuccessHandler,
			LogoutHandler... handlers) {
		Assert.notEmpty(handlers, "LogoutHandlers are required");
		this.handlers = Arrays.asList(handlers);
		Assert.notNull(logoutSuccessHandler, "logoutSuccessHandler cannot be null");
		this.logoutSuccessHandler = logoutSuccessHandler;
		setFilterProcessesUrl("/logout");
	}

	public LogoutFilter(String logoutSuccessUrl, LogoutHandler... handlers) {
		Assert.notEmpty(handlers, "LogoutHandlers are required");
		this.handlers = Arrays.asList(handlers);
		Assert.isTrue(
				!StringUtils.hasLength(logoutSuccessUrl)
						|| UrlUtils.isValidRedirectUrl(logoutSuccessUrl),
				logoutSuccessUrl + " isn't a valid redirect URL");
		SimpleUrlLogoutSuccessHandler urlLogoutSuccessHandler = new SimpleUrlLogoutSuccessHandler();
		if (StringUtils.hasText(logoutSuccessUrl)) {
			urlLogoutSuccessHandler.setDefaultTargetUrl(logoutSuccessUrl);
		}
		logoutSuccessHandler = urlLogoutSuccessHandler;
		setFilterProcessesUrl("/logout");
	}

	// ~ Methods
	// ========================================================================================================

	public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
			throws IOException, ServletException {
		HttpServletRequest request = (HttpServletRequest) req;
		HttpServletResponse response = (HttpServletResponse) res;
        //判断是不是退出请求
		if (requiresLogout(request, response)) {
			Authentication auth = SecurityContextHolder.getContext().getAuthentication();

			if (logger.isDebugEnabled()) {
				logger.debug("Logging out user '" + auth
						+ "' and transferring to logout destination");
			}

			for (LogoutHandler handler : handlers) {
                //在logoutHandler中进行删除session操作
				handler.logout(request, response, auth);
			}

			logoutSuccessHandler.onLogoutSuccess(request, response, auth);

			return;
		}

		chain.doFilter(request, response);
	}

	/**
	 * Allow subclasses to modify when a logout should take place.
	 *
	 * @param request the request
	 * @param response the response
	 *
	 * @return <code>true</code> if logout should occur, <code>false</code> otherwise
	 */
	protected boolean requiresLogout(HttpServletRequest request,
			HttpServletResponse response) {
		return logoutRequestMatcher.matches(request);
	}

	public void setLogoutRequestMatcher(RequestMatcher logoutRequestMatcher) {
		Assert.notNull(logoutRequestMatcher, "logoutRequestMatcher cannot be null");
		this.logoutRequestMatcher = logoutRequestMatcher;
	}

	public void setFilterProcessesUrl(String filterProcessesUrl) {
		this.logoutRequestMatcher = new AntPathRequestMatcher(filterProcessesUrl);
	}
}

当判断请求是退出时,会调用LogoutHandler的logout删除session,具体实现在SecurityContextLogoutHandler的logout方法中。

public void logout(HttpServletRequest request, HttpServletResponse response,
			Authentication authentication) {
		Assert.notNull(request, "HttpServletRequest required");
		if (invalidateHttpSession) {
            //设置session无效
			HttpSession session = request.getSession(false);
			if (session != null) {
				logger.debug("Invalidating session: " + session.getId());
				session.invalidate();
			}
		}

		if (clearAuthentication) {
			SecurityContext context = SecurityContextHolder.getContext();
			context.setAuthentication(null);
		}
        //清理信息
		SecurityContextHolder.clearContext();
	}

5、UsernamePasswordAuthenticationFilter

        用户名和密码校验Filter,是特别重要的一个Filter,我们会在用户登录验证博客中专门进行分析学习一下,当然这个Filter只会对配置的登录请求/login进行业务处理,其他请求不做任何业务处理,其处理逻辑在父类AbstractAuthenticationProcessingFilter中。

public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
			throws IOException, ServletException {

		HttpServletRequest request = (HttpServletRequest) req;
		HttpServletResponse response = (HttpServletResponse) res;
		//首先判断是不是登录请求,不是登录请求则直接跳过
		if (!requiresAuthentication(request, response)) {
			chain.doFilter(request, response);

			return;
		}
		//是登录请求进行校验工作
		//省略部分代码
		authResult = attemptAuthentication(request, response);
		//省略部分代码
		
	}

6、DefaultLoginPageGeneratingFilter

         当是登录地址请求,登录失败请求或者登出请求则跳转到登录页面。

public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
			throws IOException, ServletException {
		HttpServletRequest request = (HttpServletRequest) req;
		HttpServletResponse response = (HttpServletResponse) res;

		boolean loginError = isErrorPage(request);
		boolean logoutSuccess = isLogoutSuccess(request);
        //登录请求,登录错误请求或者登出请求则返回登录页面
		if (isLoginUrlRequest(request) || loginError || logoutSuccess) {
			String loginPageHtml = generateLoginPageHtml(request, loginError,
					logoutSuccess);
			response.setContentType("text/html;charset=UTF-8");
			response.setContentLength(loginPageHtml.length());
			response.getWriter().write(loginPageHtml);

			return;
		}

		chain.doFilter(request, response);
	}

7、BasicAuthenticationFilter

        处理BASIC authentication认证方式,简单理解和UsernamePasswordAuthenticationFilter类似,不过UsernamePasswordAuthenticationFilter是通过表单提交的,而Authorization认证方式是将用户名密码数据添加到请求header中罢了。

@Override
	protected void doFilterInternal(HttpServletRequest request,
			HttpServletResponse response, FilterChain chain)
					throws IOException, ServletException {
		final boolean debug = this.logger.isDebugEnabled();
        //请求头中获取Authorization
		String header = request.getHeader("Authorization");
        //如果不存在或者不是以Basic开头直接跳过处理
		if (header == null || !header.startsWith("Basic ")) {
			chain.doFilter(request, response);
			return;
		}
        //从header中获取相关用户名密码数据进行验证
		try {
			String[] tokens = extractAndDecodeHeader(header, request);
			assert tokens.length == 2;

			String username = tokens[0];

			if (debug) {
				this.logger
						.debug("Basic Authentication Authorization header found for user '"
								+ username + "'");
			}

			if (authenticationIsRequired(username)) {
				UsernamePasswordAuthenticationToken authRequest = new UsernamePasswordAuthenticationToken(
						username, tokens[1]);
				authRequest.setDetails(
						this.authenticationDetailsSource.buildDetails(request));
				Authentication authResult = this.authenticationManager
						.authenticate(authRequest);

				if (debug) {
					this.logger.debug("Authentication success: " + authResult);
				}

				SecurityContextHolder.getContext().setAuthentication(authResult);

				this.rememberMeServices.loginSuccess(request, response, authResult);

				onSuccessfulAuthentication(request, response, authResult);
			}

		}
		catch (AuthenticationException failed) {
			SecurityContextHolder.clearContext();

			if (debug) {
				this.logger.debug("Authentication request for failed: " + failed);
			}

			this.rememberMeServices.loginFail(request, response);

			onUnsuccessfulAuthentication(request, response, failed);

			if (this.ignoreFailure) {
				chain.doFilter(request, response);
			}
			else {
				this.authenticationEntryPoint.commence(request, response, failed);
			}

			return;
		}

		chain.doFilter(request, response);
	}

8、RequestCacheAwareFilter 

内部维护了一个RequestCache,用于缓存request请求

public class RequestCacheAwareFilter extends GenericFilterBean {

	private RequestCache requestCache;

	public RequestCacheAwareFilter() {
		this(new HttpSessionRequestCache());
	}

	public RequestCacheAwareFilter(RequestCache requestCache) {
		Assert.notNull(requestCache, "requestCache cannot be null");
		this.requestCache = requestCache;
	}

	public void doFilter(ServletRequest request, ServletResponse response,
			FilterChain chain) throws IOException, ServletException {

		HttpServletRequest wrappedSavedRequest = requestCache.getMatchingRequest(
				(HttpServletRequest) request, (HttpServletResponse) response);

		chain.doFilter(wrappedSavedRequest == null ? request : wrappedSavedRequest,
				response);
	}

}

9、SecurityContextHolderAwareRequestFilter 

        此过滤器对ServletRequest进行了一次包装,使得request具有更加丰富的API

public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
			throws IOException, ServletException {
		chain.doFilter(this.requestFactory.create((HttpServletRequest) req,
				(HttpServletResponse) res), res);
	}

10、AnonymousAuthenticationFilter

           匿名身份过滤器,这个过滤器个人认为很重要,需要将它与UsernamePasswordAuthenticationFilter 放在一起比较理解,spring security为了兼容未登录的访问,也走了一套认证流程,只不过是一个匿名的身份。

public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
			throws IOException, ServletException {

		if (SecurityContextHolder.getContext().getAuthentication() == null) {
            //创建一个匿名身份
			SecurityContextHolder.getContext().setAuthentication(
					createAuthentication((HttpServletRequest) req));

			if (logger.isDebugEnabled()) {
				logger.debug("Populated SecurityContextHolder with anonymous token: '"
						+ SecurityContextHolder.getContext().getAuthentication() + "'");
			}
		}
		else {
			if (logger.isDebugEnabled()) {
				logger.debug("SecurityContextHolder not populated with anonymous token, as it already contained: '"
						+ SecurityContextHolder.getContext().getAuthentication() + "'");
			}
		}

		chain.doFilter(req, res);
	}

	protected Authentication createAuthentication(HttpServletRequest request) {
		AnonymousAuthenticationToken auth = new AnonymousAuthenticationToken(key,
				principal, authorities);
		auth.setDetails(authenticationDetailsSource.buildDetails(request));

		return auth;
	}

11、SessionManagementFilter

           和session相关的过滤器,内部维护了一个SessionAuthenticationStrategy,两者组合使用,常用来防止session-fixation protection attack,以及限制同一用户开启多个会话的数量

public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
			throws IOException, ServletException {
		HttpServletRequest request = (HttpServletRequest) req;
		HttpServletResponse response = (HttpServletResponse) res;

		if (request.getAttribute(FILTER_APPLIED) != null) {
			chain.doFilter(request, response);
			return;
		}

		request.setAttribute(FILTER_APPLIED, Boolean.TRUE);

		if (!securityContextRepository.containsContext(request)) {
			Authentication authentication = SecurityContextHolder.getContext()
					.getAuthentication();

			if (authentication != null && !trustResolver.isAnonymous(authentication)) {
				// The user has been authenticated during the current request, so call the
				// session strategy
				try {
					sessionAuthenticationStrategy.onAuthentication(authentication,
							request, response);
				}
				catch (SessionAuthenticationException e) {
					// The session strategy can reject the authentication
					logger.debug(
							"SessionAuthenticationStrategy rejected the authentication object",
							e);
					SecurityContextHolder.clearContext();
					failureHandler.onAuthenticationFailure(request, response, e);

					return;
				}
				// Eagerly save the security context to make it available for any possible
				// re-entrant
				// requests which may occur before the current request completes.
				// SEC-1396.
				securityContextRepository.saveContext(SecurityContextHolder.getContext(),
						request, response);
			}
			else {
				// No security context or authentication present. Check for a session
				// timeout
				if (request.getRequestedSessionId() != null
						&& !request.isRequestedSessionIdValid()) {
					if (logger.isDebugEnabled()) {
						logger.debug("Requested session ID "
								+ request.getRequestedSessionId() + " is invalid.");
					}

					if (invalidSessionStrategy != null) {
						invalidSessionStrategy
								.onInvalidSessionDetected(request, response);
						return;
					}
				}
			}
		}

		chain.doFilter(request, response);
	}

12、ExceptionTranslationFilter

        ExceptionTranslationFilter异常转换过滤器位于整个springSecurityFilterChain的后方,用来转换整个链路中出现的异常,将其转化,顾名思义,转化以意味本身并不处理。一般其只处理两大类异常:AccessDeniedException访问异常和AuthenticationException认证异常。这个过滤器非常重要,因为它将Java中的异常和HTTP的响应连接在了一起,这样在处理异常时,我们不用考虑密码错误该跳到什么页面,账号锁定该如何,只需要关注自己的业务逻辑,抛出相应的异常便可。如果该过滤器检测到AuthenticationException,则将会交给内部的AuthenticationEntryPoint去处理,如果检测到AccessDeniedException,需要先判断当前用户是不是匿名用户,如果是匿名访问,则和前面一样运行AuthenticationEntryPoint,否则会委托给AccessDeniedHandler去处理,而AccessDeniedHandler的默认实现,是AccessDeniedHandlerImpl。所以ExceptionTranslationFilter内部的AuthenticationEntryPoint是至关重要的,顾名思义:认证的入口点。

public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
			throws IOException, ServletException {
		HttpServletRequest request = (HttpServletRequest) req;
		HttpServletResponse response = (HttpServletResponse) res;

		try {
			chain.doFilter(request, response);

			logger.debug("Chain processed normally");
		}
		catch (IOException ex) {
			throw ex;
		}
        //捕捉一些异常处理,身份校验判断错误会抛出异常,由这里处理
		catch (Exception ex) {
			// Try to extract a SpringSecurityException from the stacktrace
			Throwable[] causeChain = throwableAnalyzer.determineCauseChain(ex);
			RuntimeException ase = (AuthenticationException) throwableAnalyzer
					.getFirstThrowableOfType(AuthenticationException.class, causeChain);

			if (ase == null) {
				ase = (AccessDeniedException) throwableAnalyzer.getFirstThrowableOfType(
						AccessDeniedException.class, causeChain);
			}

			if (ase != null) {
				handleSpringSecurityException(request, response, chain, ase);
			}
			else {
				// Rethrow ServletExceptions and RuntimeExceptions as-is
				if (ex instanceof ServletException) {
					throw (ServletException) ex;
				}
				else if (ex instanceof RuntimeException) {
					throw (RuntimeException) ex;
				}

				// Wrap other Exceptions. This shouldn't actually happen
				// as we've already covered all the possibilities for doFilter
				throw new RuntimeException(ex);
			}
		}
	}

13、FilterSecurityInterceptor

        个人理解任务这个拦截器是Spring Security中最重要的,首先这个拦截器就是进行角色相关的处理,也是登录结果是否成功最后一个判断的拦截器,针对不需要认证和需要认证的请求会进行不同的验证处理,同样在登录博客中会对其做的功能进行详细的说明。

public void doFilter(ServletRequest request, ServletResponse response,
			FilterChain chain) throws IOException, ServletException {
		FilterInvocation fi = new FilterInvocation(request, response, chain);

		invoke(fi);
	}

public void invoke(FilterInvocation fi) throws IOException, ServletException {
		if ((fi.getRequest() != null)
				&& (fi.getRequest().getAttribute(FILTER_APPLIED) != null)
				&& observeOncePerRequest) {
			// filter already applied to this request and user wants us to observe
			// once-per-request handling, so don't re-do security checking
			fi.getChain().doFilter(fi.getRequest(), fi.getResponse());
		}
		else {
			// first time this request being called, so perform security checking
			if (fi.getRequest() != null) {
				fi.getRequest().setAttribute(FILTER_APPLIED, Boolean.TRUE);
			}
            //在执行请求调用之前进行验证处理
			InterceptorStatusToken token = super.beforeInvocation(fi);

			try {
				fi.getChain().doFilter(fi.getRequest(), fi.getResponse());
			}
			finally {
				super.finallyInvocation(token);
			}

			super.afterInvocation(token, null);
		}
	}

 

军伟@
关注
专栏目录
全面解析Spring Security 过滤器链的机制和特性
08-18
Spring Security 中,过滤器链的机制可以分为两个部分:客户端(APP 和后台管理客户端)向应用程序发送请求,然后应用根据请求的 URI 的路径来确定该请求的过滤器链(Filter)以及最终的具体 Servlet 控制器...
[2] WebAsyncManagerIntegrationFilter
热门推荐
既无风雨也无晴
03-07 2万+
WebAsyncManagerIntegrationFilter 介绍 字面意思这是一个Web异步管理集成过滤器,翻译成中文依然很抽象。我们从ThreadLocal讲起,ThreadLocal可以理解为一个与当前线程绑定的Map, key是当前线程,value是要存储的object。当我们在同一个线程中,可以通过get()方法获取到value。如果在A线程set(object),然后在B线程中调...
WebAsyncManagerIntegrationFilter
mzr122的专栏
09-10 702
过滤器用于集成SecurityContext到Spring异步执行机制中的WebAsyncManager。 package org.springframework.security.web.context.request.async; import java.io.IOException; import java.util.concurrent.Callable; import javax.servlet.FilterChain; import javax.servlet.ServletExcep
Spring SecurityFilter
最新发布
weixin_44263023的博客
07-08 768
如果你需要实现一些 Spring Security 没有提供的特定安全功能,你可以通过实现 javax.servlet.Filter 接口来创建自定义的过滤器,并使用 Spring SecurityFilterRegistrationBean 或通过 Spring Security 的配置类将其添加到过滤器链中。
Spring Security 解析(七) —— Spring Security Oauth2 源码解析
乌龟的专栏
03-13 1193
Spring Security 解析(七) —— Spring Security Oauth2 源码解析
SpringCould整合oauth2
weixin_43288858的博客
01-06 3339
1、创建认证微服务端 创建mengxuegu-blog-oauth2微服务工程,做认证使用 认证服务器表结构默认如下 最主要表就是这个oauth_client_details 生成 client_sercet密码 @RunWith(SpringRunner.class) @SpringBootTest public class TestAuthApplication { @Test public void testPwd() { System.out.println(new ...
java clientabortexception_ClientAbortException 异常排查
weixin_30083369的博客
03-04 1626
服务器报如下错误org.apache.catalina.connector.ClientAbortException: java.io.IOException: 远程主机强迫关闭了一个现有的连接。at org.apache.catalina.connector.OutputBuffer.doFlush(OutputBuffer.java:321) ~[tomcat-embed-core-8.5.3...
SpringSecurity学习之自定义过滤器的实现代码
08-26
"SpringSecurity学习之自定义过滤器的实现代码" Spring Security学习之自定义过滤器的实现代码主要介绍了Spring Security学习之自定义过滤器的实现代码,文中通过示例代码介绍的非常详细,对大家的学习或者工作具有...
spring-security-demo.zip
08-10
- **Filter Chain**: Spring Security通过一系列过滤器处理HTTP请求,实现身份验证和授权。 2. **配置Spring Security**: - 使用`@EnableWebSecurity`注解开启Spring Security。 - 创建自定义的`SecurityConfig...
spring-security-in-action
04-11
- Spring Security核心在于一系列过滤器,它们按特定顺序执行,处理HTTP请求和响应。关键过滤器如`HttpServletRequestWrapperFilter`、`DelegatingFilterProxy`和`FilterSecurityInterceptor`共同构建了安全控制...
spring security 4 小例子带自定义过滤器
03-20
在这个小例子中,我们将探讨如何创建并集成自定义过滤器,以及它在Spring Security中的工作原理。 首先,我们需要理解Spring Security的基础架构。它基于过滤器链模型,其中每个过滤器负责处理请求的不同方面。默认...
线上环境个别接口报network error问题排查
chang_yushun的博客
03-06 3434
org.apache.catalina.connector.ClientAbortException: java.io.IOException: Connection reset by peer问题排查
关于Spring Boot + Redis 的 no such key 异常
jakemanse的专栏
11-07 1万+
  在使用Spring Boot2.x 与 Redis 集成时,遇到如下异常,解决这个问题,让我费了些工夫,走了些弯路。 org.springframework.data.redis.RedisSystemException: Error in execution; nested exception is io.lettuce.core.RedisCommandExecutionExcept...
SpringSecurity原理分析之那些过滤器
小小默:进无止境
08-22 7384
SpringSecurity采用的是责任链的设计模式,它有一条很长的过滤器链。Spring Security采取过滤链实现认证与授权,只有当前过滤器通过,才能进入下一个过滤器:绿色部分是认证过滤器,需要我们自己配置,可以配置多个认证过滤器。认证过滤器可以使用Spring Security提供的认证过滤器,也可以自定义过滤器(例如:短信验证)。认证过滤器要在configure(HttpSecurity http)方法中配置,没有配置不生效。
SpringSecurity - 启动流程分析(四)- 默认过滤器
业精于勤荒于嬉
08-14 812
SpringSecurity - 启动流程分析(四)
SpringSecurity之默认过滤器链的WebAsyncManagerIntegrationFilter(六)
欢谷悠扬
07-07 492
1.背景 在默认过滤器链中,总共有15个过滤器,它们每个都承载了不同的角色和功能。它的匹配也比较霸气是anyRequest。就是其他人都配不上的时候,我来接盘。 2.WebAsyncManagerIntegrationFilter是干什么的? WebAsyncManager 是一个异步请求管理器,主要就是针对异步请求如何能和同步请求一样对一些数据进行处理。 Spring Security在这里的WebAsyncManagerIntegrationFilter就是用来管理在异步请求中SecurityCon
异常:org.apache.catalina.connector.ClientAbortException : java.io.IOException: 断开的管道发现与排查(JVM线上问题排查之五)
无界编程
08-28 4230
分享线上异常的查询,和异常的排查,做到滴水不漏,不能忽略任何一个错误。
Spring Security OAuth2 Resource Server 的一些核心组件和内置 Filter
小水牛的博客
05-07 5040
Spring Security OAuth2 Resource Server 的一些核心组件和内置 Filter
Spring Cloud整合SpringSecurity OAuth2(全网最强)
web15185420056的博客
06-12 1万+
本文是梳理整合SpringCloud和SpringSecurity OAuth2的搭建流程!好久没撸SpringSecurity OAuth2这系列代码了,都快忘了,特写此文章梳理脉络!开干!!!微服务版本 SpringSecurity OAuth2版本 通过微服务版本限定后spring-security-oauth2-autoconfigure的最终版本自动适配为2.1.2刚开始我这里就不一次性把一大堆配置放上来,需要什么就写什么,不然到时候都搞不清那个配置是干嘛,有什么用的!这也是我写这个文章的缘由!授
SpringSecurity自定义过滤器实现认证逻辑
"本文主要探讨了在SpringSecurity框架中如何实现自定义过滤器,通过具体的代码示例,帮助读者理解自定义过滤器在解决复杂认证场景中的应用。内容包括创建自定义过滤器类以及将其集成到SpringSecurity过滤器链中,...
评论 2
添加红包

请填写红包祝福语或标题

红包个数最小为10个

红包金额最低5元

当前余额3.43前往充值 >
需支付:10.00
成就一亿技术人!
领取后你会自动成为博主和红包主的粉丝 规则
hope_wisdom
发出的红包
实付
使用余额支付
点击重新获取
扫码支付
钱包余额 0

抵扣说明:

1.余额是钱包充值的虚拟货币,按照1:1的比例进行支付金额的抵扣。
2.余额无法直接购买下载,可以购买VIP、付费专栏及课程。

余额充值