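SecurityAutoConfiguration is the most important auto-configuration class for Spring Security. Tutorials for older versions tell you to put @EnableWebSecurity on the startup class; that annotation is now brought in by this auto-configuration class as well. Part 1 of this analysis already covered DefaultAuthenticationEventPublisher, so the focus here is only on the three classes imported with @Import: SpringBootWebSecurityConfiguration, WebSecurityEnablerConfiguration, and SecurityDataConfiguration.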
@Configuration(proxyBeanMethods = false)
@ConditionalOnClass(DefaultAuthenticationEventPublisher.class)
@EnableConfigurationProperties(SecurityProperties.class)
@Import({ SpringBootWebSecurityConfiguration.class, WebSecurityEnablerConfiguration.class,
        SecurityDataConfiguration.class })
public class SecurityAutoConfiguration {

    // Registered only when the application has not defined its own AuthenticationEventPublisher
    @Bean
    @ConditionalOnMissingBean(AuthenticationEventPublisher.class)
    public DefaultAuthenticationEventPublisher authenticationEventPublisher(ApplicationEventPublisher publisher) {
        return new DefaultAuthenticationEventPublisher(publisher);
    }

}
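1. SpringBootWebSecurityConfiguration
The source shows that when the container holds no bean of type WebSecurityConfigurerAdapter and the current environment is a Servlet web application, a DefaultConfigurerAdapter is registered in the container. This class applies a default configuration to the Spring Security filter chain, for example enabling CSRF protection, session management, the default login and logout pages, and so on.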
@Configuration(proxyBeanMethods = false)
@ConditionalOnClass(WebSecurityConfigurerAdapter.class)
@ConditionalOnMissingBean(WebSecurityConfigurerAdapter.class)
@ConditionalOnWebApplication(type = Type.SERVLET)
public class SpringBootWebSecurityConfiguration {

    // Empty subclass: it inherits the adapter's default filter chain configuration
    @Configuration(proxyBeanMethods = false)
    @Order(SecurityProperties.BASIC_AUTH_ORDER)
    static class DefaultConfigurerAdapter extends WebSecurityConfigurerAdapter {

    }

}
2. WebSecurityEnablerConfiguration
The whole point of this class is that it brings in @EnableWebSecurity.
@Configuration(proxyBeanMethods = false)
@ConditionalOnBean(WebSecurityConfigurerAdapter.class)
@ConditionalOnMissingBean(name = BeanIds.SPRING_SECURITY_FILTER_CHAIN)
@ConditionalOnWebApplication(type = ConditionalOnWebApplication.Type.SERVLET)
@EnableWebSecurity
public class WebSecurityEnablerConfiguration {

}
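@EnableWebSecurity first imports three classes:
WebSecurityConfiguration: uses WebSecurity to create the FilterChainProxy, which is the filter chain registered in the Tomcat container.
SpringWebMvcImportSelector: some Spring Security parameters can be obtained through Spring MVC's argument resolution, and that works precisely because certain argument resolvers are registered here.
OAuth2ImportSelector: registers some OAuth2 classes.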
@Retention(value = java.lang.annotation.RetentionPolicy.RUNTIME)
@Target(value = { java.lang.annotation.ElementType.TYPE })
@Documented
@Import({ WebSecurityConfiguration.class,
        SpringWebMvcImportSelector.class,
        OAuth2ImportSelector.class })
@EnableGlobalAuthentication
@Configuration
public @interface EnableWebSecurity {

    boolean debug() default false;

}
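It is then also annotated with @EnableGlobalAuthentication, which in turn imports AuthenticationConfiguration. AuthenticationConfiguration is the configuration class for the global authentication manager, and the authentication manager is the entry point of the whole authentication process.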
@Retention(RetentionPolicy.RUNTIME)
@Target(ElementType.TYPE)
@Documented
@Import(AuthenticationConfiguration.class)
@Configuration
public @interface EnableGlobalAuthentication {

}
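The conditions in sections 1 and 2 decide what happens once an application declares its own adapter. The class below is an added example, not code from the original post or from Spring Boot; the class name AppSecurityConfig and the /public/** path are hypothetical.

```java
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;

// Added example. AppSecurityConfig and the /public/** path are hypothetical.
//
// Because this class is a bean of type WebSecurityConfigurerAdapter:
//  - @ConditionalOnMissingBean(WebSecurityConfigurerAdapter.class) on
//    SpringBootWebSecurityConfiguration no longer matches, so
//    DefaultConfigurerAdapter is NOT registered;
//  - @ConditionalOnBean(WebSecurityConfigurerAdapter.class) on
//    WebSecurityEnablerConfiguration matches, so @EnableWebSecurity is
//    applied without being written on this class.
@Configuration(proxyBeanMethods = false)
public class AppSecurityConfig extends WebSecurityConfigurerAdapter {

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        // super.configure(http) is not called, so the rules below are the
        // only authorization rules for this filter chain. State the
        // catch-all explicitly so that unlisted paths require authentication.
        http
            .authorizeRequests()
                .antMatchers("/public/**").permitAll()
                .anyRequest().authenticated()
                .and()
            .formLogin()
                .and()
            .httpBasic();
        // CSRF protection and session management are not disabled here,
        // so the adapter's defaults for them stay in effect.
    }
}
```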
3. SecurityDataConfiguration
Automatically adds the integration between Spring Security and Spring Data.
@Configuration(proxyBeanMethods = false)
@ConditionalOnClass(SecurityEvaluationContextExtension.class)
public class SecurityDataConfiguration {

    // Registered only when the application has not defined its own extension bean
    @Bean
    @ConditionalOnMissingBean
    public SecurityEvaluationContextExtension securityEvaluationContextExtension() {
        return new SecurityEvaluationContextExtension();
    }

}