token的解析,是靠过滤器链中的过滤器来实现的,本章内容主要讲述了过滤器的加载过程
WebSecurityConfiguration配置类(源码核心配置类)
1 setFilterChainProxySecurityConfigurer()方法
@Configuration
public class WebSecurityConfiguration implements ImportAware, BeanClassLoaderAware {
@Autowired(required = false)
public void setFilterChainProxySecurityConfigurer(
ObjectPostProcessor<Object> objectPostProcessor,
@Value("#{@autowiredWebSecurityConfigurersIgnoreParents.getWebSecurityConfigurers()}") List<SecurityConfigurer<Filter, WebSecurity>> webSecurityConfigurers)
throws Exception {
webSecurity = objectPostProcessor
.postProcess(new WebSecurity(objectPostProcessor));
if (debugEnabled != null) {
webSecurity.debug(debugEnabled);
}
Collections.sort(webSecurityConfigurers, AnnotationAwareOrderComparator.INSTANCE);
Integer previousOrder = null;
Object previousConfig = null;
for (SecurityConfigurer<Filter, WebSecurity> config : webSecurityConfigurers) {
Integer order = AnnotationAwareOrderComparator.lookupOrder(config);
if (previousOrder != null && previousOrder.equals(order)) {
throw new IllegalStateException(
"@Order on WebSecurityConfigurers must be unique. Order of "
+ order + " was already used on " + previousConfig + ", so it cannot be used on "
+ config + " too.");
}
previousOrder = order;
previousConfig = config;
}
for (SecurityConfigurer<Filter, WebSecurity> webSecurityConfigurer : webSecurityConfigurers) {
webSecurity.apply(webSecurityConfigurer);
}
this.webSecurityConfigurers = webSecurityConfigurers;
}
}
上面代码块,setFilterChainProxySecurityConfigurer 方法有两个参数,其中第二个参数 webSecurityConfigurers是通过 autowiredWebSecurityConfigurersIgnoreParents().getWebSecurityConfigurers() 方法获取所有WebSecurityConfigurer类的子类如下图
截图中可以获取到了三个子类,其中第一个子类WebSecurityConfig是在security-oauth配置包中自定义的,另外两个是源码自带的,
在获取到三个子类后,接着实现了 webSecurity 对象 ,然后对三个子类进行排序,再然后调用webSecurity.apply(webSecurityConfigurer) 方法,将三个子类初始化到WebSecurity 的父类 AbstractConfiguredSecurityBuilder 类中的 configurers 属性中去
在 setFilterChainProxySecurityConfigurer 方法的最后,将获取到的三个子类初始化到当前WebSecurityConfiguration类的webSecurityConfigurers属性中去
2. springSecurityFilterChain()方法
@Configuration
public class WebSecurityConfiguration implements ImportAware, BeanClassLoaderAware {
@Bean(name = AbstractSecurityWebApplicationInitializer.DEFAULT_FILTER_NAME)
public Filter springSecurityFilterChain() throws Exception {
boolean hasConfigurers = webSecurityConfigurers != null
&& !webSecurityConfigurers.isEmpty();
if (!hasConfigurers) {
WebSecurityConfigurerAdapter adapter = objectObjectPostProcessor
.postProcess(new WebSecurityConfigurerAdapter() {
});
webSecurity.apply(adapter);
}
return webSecurity.build();
}
}
因为在前文的setFilterChainProxySecurityConfigurer() 方法中,已经初始化了webSecurityConfigurers ,所以上面代码块中直接走的最后一行代码 webSecurity.build() 方法,进入该方法
public abstract