SpringSecurity在SpringBoot中的自动装配

已于 2024-07-07 15:59:00 修改
阅读量217 收藏 2
点赞数 1
分类专栏: 安全框架 文章标签: spring boot 后端 java
于 2024-07-07 15:57:46 首次发布
版权声明:本文为博主原创文章,遵循 CC 4.0 BY-SA 版权协议,转载请附上原文出处链接和本声明。
本文链接:https://blog.csdn.net/qq_43676797/article/details/140247514
版权

从SpringBoot的自动装配原理入手

  1. 找到META-INFO下的spring.factories文件

SpringSecurity作为Spring的亲儿子,自然在spring-boot-autoconfigure下的spring.factories文件中配置了

org.springframework.boot.autoconfigure.security.servlet.SecurityAutoConfiguration,\
org.springframework.boot.autoconfigure.security.servlet.UserDetailsServiceAutoConfiguration,\
org.springframework.boot.autoconfigure.security.servlet.SecurityFilterAutoConfiguration,\

UserDetailsServiceAutoConfiguration

@Configuration(
    proxyBeanMethods = false
)
//条件注解
@ConditionalOnClass({AuthenticationManager.class})
@ConditionalOnBean({ObjectPostProcessor.class})
//提供拓展,没有提供以下三个实现类才使用默认的
@ConditionalOnMissingBean(
    value = {AuthenticationManager.class, AuthenticationProvider.class, UserDetailsService.class},
    type = {"org.springframework.security.oauth2.jwt.JwtDecoder", "org.springframework.security.oauth2.server.resource.introspection.OpaqueTokenIntrospector"}
)
public class UserDetailsServiceAutoConfiguration {
    //密码不加密表示
    private static final String NOOP_PASSWORD_PREFIX = "{noop}";
    private static final Pattern PASSWORD_ALGORITHM_PATTERN = Pattern.compile("^\\{.+}.*$");
    private static final Log logger = LogFactory.getLog(UserDetailsServiceAutoConfiguration.class);

    public UserDetailsServiceAutoConfiguration() {
    }

    @Bean
    @ConditionalOnMissingBean(
        type = {"org.springframework.security.oauth2.client.registration.ClientRegistrationRepository"}
    )
    @Lazy
    public InMemoryUserDetailsManager inMemoryUserDetailsManager(SecurityProperties properties, ObjectProvider<PasswordEncoder> passwordEncoder) {
        //读取以spring.security开头的配置文件
        SecurityProperties.User user = properties.getUser();
        List<String> roles = user.getRoles();
        return new InMemoryUserDetailsManager(new UserDetails[]{User.withUsername(user.getName()).password(this.getOrDeducePassword(user, (PasswordEncoder)passwordEncoder.getIfAvailable())).roles(StringUtils.toStringArray(roles)).build()});
    }

    private String getOrDeducePassword(SecurityProperties.User user, PasswordEncoder encoder) {
        String password = user.getPassword();
        if (user.isPasswordGenerated()) {
            logger.info(String.format("%n%nUsing generated security password: %s%n", user.getPassword()));
        }

        return encoder == null && !PASSWORD_ALGORITHM_PATTERN.matcher(password).matches() ? "{noop}" + password : password;
    }
}


//标记读取配置文件夹信息
@ConfigurationProperties(
    prefix = "spring.security"
)
public class SecurityProperties {
    public static final int BASIC_AUTH_ORDER = 2147483642;
    public static final int IGNORED_ORDER = Integer.MIN_VALUE;
    public static final int DEFAULT_FILTER_ORDER = -100;
    private final Filter filter = new Filter();
    private User user = new User();

    public SecurityProperties() {
    }

    public User getUser() {
        return this.user;
    }

    public Filter getFilter() {
        return this.filter;
    }

    public static class User {
        //如果没有配置,用户名默认user,密码uuid
        private String name = "user";
        private String password = UUID.randomUUID().toString();
        private List<String> roles = new ArrayList();
        private boolean passwordGenerated = true;

        public User() {
        }

        public String getName() {
            return this.name;
        }

        public void setName(String name) {
            this.name = name;
        }

        public String getPassword() {
            return this.password;
        }

        public void setPassword(String password) {
            if (StringUtils.hasLength(password)) {
                this.passwordGenerated = false;
                this.password = password;
            }
        }

        public List<String> getRoles() {
            return this.roles;
        }

        public void setRoles(List<String> roles) {
            this.roles = new ArrayList(roles);
        }

        public boolean isPasswordGenerated() {
            return this.passwordGenerated;
        }
    }

    public static class Filter {
        private int order = -100;
        private Set<DispatcherType> dispatcherTypes;

        public Filter() {
            this.dispatcherTypes = new HashSet(Arrays.asList(DispatcherType.ASYNC, DispatcherType.ERROR, DispatcherType.REQUEST));
        }

        public int getOrder() {
            return this.order;
        }

        public void setOrder(int order) {
            this.order = order;
        }

        public Set<DispatcherType> getDispatcherTypes() {
            return this.dispatcherTypes;
        }

        public void setDispatcherTypes(Set<DispatcherType> dispatcherTypes) {
            this.dispatcherTypes = dispatcherTypes;
        }
    }
}

SecurityFilterAutoConfiguration

约定大于配置,这里的内容就相当于在web.xml配置文件中配置springSecurityFilterChain的过程由spring自动实现.spring自动注入DelegatingFilterProxy对象,这样就可以将security中的过滤器切到spring中,在请求的时候会被DelegatingFilterProxyRegistrationBean拦截,然后去执行security中的过滤器链。


@Configuration(
    proxyBeanMethods = false
)
//web项目才加载
@ConditionalOnWebApplication(
    type = Type.SERVLET
)
@EnableConfigurationProperties({SecurityProperties.class})
@ConditionalOnClass({AbstractSecurityWebApplicationInitializer.class, SessionCreationPolicy.class})
//SecurityAutoConfiguration之后执行
@AutoConfigureAfter({SecurityAutoConfiguration.class})
public class SecurityFilterAutoConfiguration {
    //名字
    private static final String DEFAULT_FILTER_NAME = "springSecurityFilterChain";

    public SecurityFilterAutoConfiguration() {
    }

    /**
     * 创建DelegatingFilterProxyRegistrationBean对象注入到spring容器中
     * @param securityProperties
     * @return
     */
    @Bean
    @ConditionalOnBean(
        name = {"springSecurityFilterChain"}
    )
    public DelegatingFilterProxyRegistrationBean securityFilterChainRegistration(SecurityProperties securityProperties) {
        //创建DelegatingFilterProxy对象
        DelegatingFilterProxyRegistrationBean registration = new DelegatingFilterProxyRegistrationBean("springSecurityFilterChain", new ServletRegistrationBean[0]);
        registration.setOrder(securityProperties.getFilter().getOrder());
        registration.setDispatcherTypes(this.getDispatcherTypes(securityProperties));
        return registration;
    }

    private EnumSet<DispatcherType> getDispatcherTypes(SecurityProperties securityProperties) {
        return securityProperties.getFilter().getDispatcherTypes() == null ? null : (EnumSet)securityProperties.getFilter().getDispatcherTypes().stream().map((type) -> {
            return DispatcherType.valueOf(type.name());
        }).collect(Collectors.toCollection(() -> {
            return EnumSet.noneOf(DispatcherType.class);
        }));
    }
}

创建DelegatingFilterProxy的过程实际是通过ServletContextInitializer接口实现的,有一个方法onStartup,有一个实现类RegistrationBean

public abstract class RegistrationBean implements ServletContextInitializer, Ordered {
    private static final Log logger = LogFactory.getLog(RegistrationBean.class);
    private int order = Integer.MAX_VALUE;
    private boolean enabled = true;

    public RegistrationBean() {
    }

    public final void onStartup(ServletContext servletContext) throws ServletException {
        String description = this.getDescription();
        if (!this.isEnabled()) {
            logger.info(StringUtils.capitalize(description) + " was not registered (disabled)");
        } else {
            //注册
            this.register(description, servletContext);
        }
    }

    protected abstract String getDescription();

    protected abstract void register(String description, ServletContext servletContext);

    public void setEnabled(boolean enabled) {
        this.enabled = enabled;
    }

    public boolean isEnabled() {
        return this.enabled;
    }

    public void setOrder(int order) {
        this.order = order;
    }

    public int getOrder() {
        return this.order;
    }
}

注册逻辑在父类DynamicRegistrationBean中

public abstract class DynamicRegistrationBean<D extends Registration.Dynamic> extends RegistrationBean {
    private static final Log logger = LogFactory.getLog(RegistrationBean.class);
    private String name;
    private boolean asyncSupported = true;
    private Map<String, String> initParameters = new LinkedHashMap();

    public DynamicRegistrationBean() {
    }

    public void setName(String name) {
        Assert.hasLength(name, "Name must not be empty");
        this.name = name;
    }

    public void setAsyncSupported(boolean asyncSupported) {
        this.asyncSupported = asyncSupported;
    }

    public boolean isAsyncSupported() {
        return this.asyncSupported;
    }

    public void setInitParameters(Map<String, String> initParameters) {
        Assert.notNull(initParameters, "InitParameters must not be null");
        this.initParameters = new LinkedHashMap(initParameters);
    }

    public Map<String, String> getInitParameters() {
        return this.initParameters;
    }

    public void addInitParameter(String name, String value) {
        Assert.notNull(name, "Name must not be null");
        this.initParameters.put(name, value);
    }

    protected final void register(String description, ServletContext servletContext) {
        //生成DelegatingFilterProxy对象
        D registration = this.addRegistration(description, servletContext);
        if (registration == null) {
            logger.info(StringUtils.capitalize(description) + " was not registered (possibly already registered?)");
        } else {
            //在其父类AbstractFilterRegistrationBean中配置拦截/*请求
            this.configure(registration);
        }
    }

    protected abstract D addRegistration(String description, ServletContext servletContext);

    protected void configure(D registration) {
        registration.setAsyncSupported(this.asyncSupported);
        if (!this.initParameters.isEmpty()) {
            registration.setInitParameters(this.initParameters);
        }

    }

    protected final String getOrDeduceName(Object value) {
        return this.name != null ? this.name : Conventions.getVariableName(value);
    }
}

跟踪代码发现实际调用的了DelegatingFilterProxyRegistrationBean的getFilter方法

public class DelegatingFilterProxyRegistrationBean extends AbstractFilterRegistrationBean<DelegatingFilterProxy> implements ApplicationContextAware {
    private ApplicationContext applicationContext;
    private final String targetBeanName;

    public DelegatingFilterProxyRegistrationBean(String targetBeanName, ServletRegistrationBean<?>... servletRegistrationBeans) {
        super(servletRegistrationBeans);
        Assert.hasLength(targetBeanName, "TargetBeanName must not be null or empty");
        this.targetBeanName = targetBeanName;
        this.setName(targetBeanName);
    }

    public void setApplicationContext(ApplicationContext applicationContext) throws BeansException {
        this.applicationContext = applicationContext;
    }

    protected String getTargetBeanName() {
        return this.targetBeanName;
    }
    
    //创建DelegatingFilterProxy实例对象
    public DelegatingFilterProxy getFilter() {
        return new DelegatingFilterProxy(this.targetBeanName, this.getWebApplicationContext()) {
            protected void initFilterBean() throws ServletException {
            }
        };
    }

    private WebApplicationContext getWebApplicationContext() {
        Assert.notNull(this.applicationContext, "ApplicationContext be injected");
        Assert.isInstanceOf(WebApplicationContext.class, this.applicationContext);
        return (WebApplicationContext)this.applicationContext;
    }
}
让你三行代码QAQ
关注
专栏目录
springboot-03-web.zip
09-18
Spring Boot的核心特性之一是自动配置,这也是标签提到的"springboot自动装配"。 1. **Spring Boot自动配置**: Spring Boot通过`@EnableAutoConfiguration`注解开启自动配置功能。它会根据项目依赖来决定哪些...
org.springframework.boot.autoconfigure.security.SecurityAutoConfiguration
slxz001的博客
08-16 2390
异常描述 Springboot整合activiti6.0,启动项目时异常 java.lang.IllegalArgumentException: Could not find class [org.springframework.boot.autoconfigure.security.SecurityAutoConfiguration] at org.springframework.util.ClassUtils.resolveClassName(ClassUtils.java:334) ~[sprin
SecurityAutoConfiguration源码解析
m0_63437643的博客
02-18 1144
SecurityAutoConfiguration 详解 SpringBootSecurity 的支持类均位于 org.springframework.boot.autoconfigure.security包下,主要通过 SecurityAutoConfiguration 自动配置类和 SecurityProperties 属性配置来完成。 下面,我们通过对 SecurityAutoConfiguration及引入的相关自动配 置源码进行解析说明。 @Configuration(proxyBe
Could not find class [org.springframework.boot.autoconfigure.security.SecurityAutoConfiguration]解决方法
nann-viiv 的博客
09-22 3403
java.lang.IllegalArgumentException: Could not find class [org.springframework.boot.autoconfigure.security.SecurityAutoConfiguration] at org.springframework.util.ClassUtils.resolveClassName(ClassUtils.java:334) ~[spring-core-5.3.9.jar:5.3.9] at org.spring
Spring Boot Security 自动配置
白石的专栏
12-05 1397
在本文,我们重点介绍了 Spring Boot 提供的默认安全配置。我们看到了如何禁用或覆盖安全自动配置机制。然后我们研究了如何应用新的安全配置。
Spring boot(2)-配置详解
热门推荐
黄规速博客:学如逆水行舟,不进则退
08-18 3万+
Spring Boot 配置详解 Spring Boot 对于开发人员最大的好处在于可以对 Spring 应用进行自动配置。Spring Boot 会根据应用声明的第三方依赖来自动配置 Spring 框架,而不需要进行显式的声明。比如当声明了对 HSQLDB 的依赖时,Spring Boot 会自动配置成使用 HSQLDB 进行数据库操作。
Spring security + mybatis + springMVC整合权限管理
04-04
在本项目,"Spring security + mybatis + springMVC整合权限管理" 是一个完整的Web应用开发框架,它将三个核心组件集成为一套强大的安全管理系统。让我们深入探讨这些技术及其在权限管理的作用。 首先,Spring ...
一款利用SpringBoot自动装配的特性简化了传统swagger的繁琐配置
08-07
在"swagger-spring-boot-starter",只需要引入对应的依赖,系统就能自动识别并配置Swagger的相关组件,无需手动编写大量配置代码。 使用swagger-spring-boot-starter的步骤通常如下: 1. **添加依赖**:首先,在...
Spring Boot 2.xActuator的一些知识点
08-25
- `conditions`:展示自动装配类的状态。 - `configprops`:列出所有@ConfigurationProperties。 - `env`:展示环境属性。 - `flyway`:显示Flyway数据库迁移状态。 - `health`:提供应用健康检查信息。 - `info`:...
Spring Boot 构建简单Proteus微服务的示例
06-03
可以利用Spring Boot自动装配特性,将数据库访问、业务逻辑等组件注入到服务实现类。 5. **设置服务发现**:如果需要,可以集成如Consul或Eureka等服务发现组件,让Proteus微服务能够自动注册和发现其他服务。 ...
启动报错Could not find class [org.springframework.boot.autoconfigure.security.SecurityAutoConfiguration]
xiaowang_lj的博客
02-12 2445
在导入了下面的依赖后,启动服务出现SecurityAutoConfiguration冲突问题,于是报错 Could not find class [org.springframework.boot.autoconfigure.security.SecurityAutoConfiguration] <!-- 完善service在eureka的监控信息--> <dependency> <groupId>org.act
springboot整合activiti6.0.0遇到的坑
czx2018的博客
03-13 6112
springboot项目引入依赖: &amp;amp;amp;amp;amp;amp;lt;dependency&amp;amp;amp;amp;amp;amp;gt; &amp;amp;amp;amp;amp;amp;lt;groupId&amp;amp;amp;amp;amp;amp;gt;org.activiti&amp;amp;amp;amp;amp;amp;lt;/groupId&amp;amp;amp;amp;amp
总结:Spring boot之@EnableAutoConfiguration
w2009211777的专栏
01-20 1万+
一、@EnableAutoConfiguration的作用 简单点说就是Spring Boot根据依赖的jar包,自动选择实例化某些配置,配置类必须有@Configuration注解。 说白了,还是实例化对象,只是实例化的是非main类之外的包。 另外,我们也可以按照自动装配的规范自己定义装配的类。 二、@EnableAutoConfiguration和@Configuration的区别 @Configuration:表示作用的类是个配置类。我们平时也会写配置类,比如我们系统的Data..
SpringSecurity的集成以及相关组件的介绍
m0_63437643的博客
02-19 3198
Spring Boot Security支持 在企业应用系统安全方面,比较常用的安全框架有 SpringSecurity 和 Apache Shiro,相对于Shiro, Spring Security功能强大、扩展性强,同时学习难度也稍大一些。 Spring Security是专门针对 Spring 项目的安全框架,关于 Spring Security 的应用,我们可以通过专业书籍来学习,在本章我们重点放在Spring BootSpring Security的集成以及相关组件的介绍。 在具体项目实践
启动报错Could not find class [org.springframework.boot.autoconfigure.security
m0_67401761的博客
04-11 3090
启动报错Could not find class [org.springframework.boot.autoconfigure.security.SecurityAutoConfiguration] SpringBoot整合Activiti做工作流时启动可能会报错: Could not find class [org.springframework.boot.autoconfigure.security.SecurityAutoConfiguration] 解决办法: 在启动类注解@SpringBoot
Spring Boot 自动配置 : SecurityAutoConfiguration
Details Inside Spring
05-17 1万+
SecurityAutoConfigurationSpring Boot提供的安全自动配置类。 它仅在类DefaultAuthenticationEventPublisher存在于classpath上时才进行配置。配置包含如下几个方面 : 注册安全属性bean SecurityProperties,相应的配置属性来自外部配置项 spring.security,这些属性会被相应的安全配置机制采用...
Spring Security 实战干货:Spring Boot Spring Security 自动配置初探
码农小胖哥
10-14 2456
1. 前言 我们在前几篇对 Spring Security 的用户信息管理机制,密码机制进行了探讨。我们发现 Spring Security Starter相关的 Servlet 自动配置都在spring-boot-autoconfigure-2.1.9.RELEASE(当前 Spring Boot 版本为2.1.9.RELEASE) 模块的路径org.springframework.boot....
springboot引入activiti-6.0.0框架问题org.springframework.boot.autoconfigure.security.SecurityAutoConfigura
夜空繁星VV
06-28 731
我们在使用activiti框架6.0.0的时候会报这样一个错误 java.lang.IllegalArgumentException: Could not find class [org.springframework.boot.autoconfigure.security.SecurityAutoConfiguration]
springboot自动装配有哪些
最新发布
06-09
5. 安全框架自动装配:包括自动配置 Spring Security、自动配置 OAuth2 等。 6. 日志自动装配:包括自动配置 Logback、自动配置 Log4j2 等。 7. 异步任务自动装配:包括自动配置 Spring Async、自动配置 Quartz 等...
评论
添加红包

请填写红包祝福语或标题

红包个数最小为10个

红包金额最低5元

当前余额3.43前往充值 >
需支付:10.00
成就一亿技术人!
领取后你会自动成为博主和红包主的粉丝 规则
hope_wisdom
发出的红包
实付
使用余额支付
点击重新获取
扫码支付
钱包余额 0

抵扣说明:

1.余额是钱包充值的虚拟货币,按照1:1的比例进行支付金额的抵扣。
2.余额无法直接购买下载,可以购买VIP、付费专栏及课程。

余额充值