pig4cloud request dispatch flow and the pig4cloud Filters
SpringBoot version: 2.7.16
SpringSecurity version: 5.7.11
pig4cloud version: 3.7.1-JDK8
Request dispatch in pig works the same way as the SpringSecurity mechanism covered earlier: DelegatingFilterProxy delegates to FilterChainProxy, which then matches the SecurityFilterChain that supports the request; pig4cloud adds 19 filters by default.
For the detailed process see:
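To see which SecurityFilterChain instances the FilterChainProxy holds and the order of the filters inside each, the following startup component (an added example, not pig4cloud code) walks the chains and logs them. It assumes the usual Spring Boot setup in which the bean named `springSecurityFilterChain` is the FilterChainProxy that DelegatingFilterProxy delegates to; the class name `SecurityFilterChainDumper` is made up here.

```java
import java.util.List;
import javax.servlet.Filter;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.beans.factory.annotation.Qualifier;
import org.springframework.boot.ApplicationArguments;
import org.springframework.boot.ApplicationRunner;
import org.springframework.security.web.FilterChainProxy;
import org.springframework.security.web.SecurityFilterChain;
import org.springframework.stereotype.Component;

/**
 * Added example (not pig4cloud code): logs every SecurityFilterChain held by the
 * FilterChainProxy, with the ordered filters of each chain, once at startup.
 * Handy for confirming that the 19 default filters are present and ordered as
 * expected after a configuration change.
 */
@Component
public class SecurityFilterChainDumper implements ApplicationRunner {

    private static final Logger log = LoggerFactory.getLogger(SecurityFilterChainDumper.class);

    private final FilterChainProxy filterChainProxy;

    // The bean "springSecurityFilterChain" is declared as a plain javax.servlet.Filter
    // but is a FilterChainProxy at runtime; DelegatingFilterProxy forwards to it.
    public SecurityFilterChainDumper(
            @Qualifier("springSecurityFilterChain") Filter springSecurityFilterChain) {
        this.filterChainProxy = (FilterChainProxy) springSecurityFilterChain;
    }

    @Override
    public void run(ApplicationArguments args) {
        List<SecurityFilterChain> chains = filterChainProxy.getFilterChains();
        for (int i = 0; i < chains.size(); i++) {
            SecurityFilterChain chain = chains.get(i);
            List<Filter> filters = chain.getFilters();
            // The first chain whose matches(request) returns true handles a request,
            // so chain order matters as much as filter order within a chain.
            log.info("SecurityFilterChain #{} ({}) has {} filters", i, chain, filters.size());
            for (int j = 0; j < filters.size(); j++) {
                log.info("  {}. {}", j + 1, filters.get(j).getClass().getSimpleName());
            }
        }
    }
}
```

Spring Security already logs each chain at DEBUG level (`Will secure any request with [...]`); this runner is for deployments where DEBUG logging for `org.springframework.security` is not acceptable but a one-time inventory at INFO is.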
DisableEncodeUrlFilter
As the name says, this filter disables URL re-encoding.
On the client side a session is held by keeping the SessionId in a cookie, and every client request carries that sessionId.
If cookies are disabled, the backend's default response rewrites URLs and appends the sessionId to them before handing them to the page, so the sessionId is exposed in the HTTP access logs.
Official documentation:
https://docs.spring.io/spring-security/site/docs/current/api/org/springframework/security/web/session/DisableEncodeUrlFilter.html
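For an application that cannot rely on DisableEncodeUrlFilter alone (for example a servlet that is mapped outside the Spring Security chain), the following configuration (an added example, not pig4cloud's or Spring Security's code) applies the same defence twice: it tells the servlet container to track sessions only by cookie, and it shows a response wrapper that mirrors what DisableEncodeUrlFilter does by making `encodeURL`/`encodeRedirectURL` return the URL unchanged. The class names `UrlSessionIdHardening` and `NoSessionIdInUrlFilter` are invented for this example.

```java
import java.io.IOException;
import java.util.EnumSet;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.SessionTrackingMode;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpServletResponseWrapper;
import org.springframework.boot.web.servlet.ServletContextInitializer;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;

@Configuration
public class UrlSessionIdHardening {

    // Container-level defence: with COOKIE as the only tracking mode the servlet
    // container never appends ;jsessionid=... to a URL itself.
    // Equivalent Spring Boot property: server.servlet.session.tracking-modes=cookie
    @Bean
    public ServletContextInitializer cookieOnlySessionTracking() {
        return servletContext ->
                servletContext.setSessionTrackingModes(EnumSet.of(SessionTrackingMode.COOKIE));
    }

    // Filter-level defence mirroring DisableEncodeUrlFilter: every encode* call on the
    // response hands the URL back untouched, so no session id can be spliced into it.
    public static class NoSessionIdInUrlFilter implements Filter {
        @Override
        public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
                throws IOException, ServletException {
            HttpServletResponse wrapped = new HttpServletResponseWrapper((HttpServletResponse) response) {
                @Override
                public String encodeURL(String url) { return url; }

                @Override
                public String encodeRedirectURL(String url) { return url; }

                @Override
                @SuppressWarnings("deprecation")
                public String encodeUrl(String url) { return url; }

                @Override
                @SuppressWarnings("deprecation")
                public String encodeRedirectUrl(String url) { return url; }
            };
            chain.doFilter(request, wrapped);
        }
    }
}
```

A quick check that the defence holds is to grep the access log for `jsessionid=` after exercising the login and redirect paths with cookies disabled in the client; no line should match.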
WebAsyncManagerIntegrationFilter
Taken literally, this filter is the "web async processing integration" filter.
By default the securityContextHolderStrategy stores the context in a ThreadLocal, and under ThreadLocal storage only the current thread can read the SecurityContextHolder.
WebAsyncManagerIntegrationFilter registers an interceptor that carries the securityContextHolderStrategy over to the child thread, so the child thread can later obtain the user's authentication information through that interceptor.
Official documentation:
https://docs.spring.io/spring-security/site/docs/current/api/org/springframework/security/web/context/request/async/WebAsyncManagerIntegrationFilter.html
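The controller below (an added example, not code from pig4cloud) shows the difference in practice. A `Callable` return value is executed by Spring MVC on a WebAsyncManager-managed thread, where the interceptor registered by WebAsyncManagerIntegrationFilter makes the SecurityContext available; a thread started by hand gets nothing unless the context is propagated explicitly, which `DelegatingSecurityContextRunnable` does. The class name `AsyncWhoAmIController` and the two paths are invented for the example.

```java
import java.util.concurrent.Callable;
import org.springframework.security.concurrent.DelegatingSecurityContextRunnable;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.RestController;

@RestController
public class AsyncWhoAmIController {

    private static String describe(Authentication auth) {
        String thread = Thread.currentThread().getName();
        return auth == null ? "no authentication on " + thread : auth.getName() + " on " + thread;
    }

    // Spring MVC runs this Callable on another thread. WebAsyncManagerIntegrationFilter
    // registered a SecurityContextCallableProcessingInterceptor for the request, so the
    // SecurityContext is set on that thread before call() and cleared afterwards.
    @GetMapping("/async/whoami")
    public Callable<String> whoAmI() {
        return () -> describe(SecurityContextHolder.getContext().getAuthentication());
    }

    // Contrast: a thread created by hand is outside WebAsyncManager. With the default
    // MODE_THREADLOCAL strategy it sees no Authentication unless the context is wrapped.
    @GetMapping("/manual-thread/whoami")
    public String manualThread() throws InterruptedException {
        final String[] seen = new String[1];
        Runnable task = () -> seen[0] = describe(SecurityContextHolder.getContext().getAuthentication());

        Thread plain = new Thread(task, "plain-thread");
        plain.start();
        plain.join();
        String withoutPropagation = seen[0];

        // DelegatingSecurityContextRunnable copies the caller's context onto the new
        // thread for the duration of run() and removes it again afterwards.
        Thread wrapped = new Thread(new DelegatingSecurityContextRunnable(task), "delegating-thread");
        wrapped.start();
        wrapped.join();
        String withPropagation = seen[0];

        return "plain thread: " + withoutPropagation + "; delegating thread: " + withPropagation;
    }
}
```

Calling `/async/whoami` as an authenticated user returns that user's name; `/manual-thread/whoami` returns "no authentication" for the plain thread and the user's name for the delegating one. The same rule applies to `@Async` methods and thread pools: use the `DelegatingSecurityContext*` wrappers (or `DelegatingSecurityContextAsyncTaskExecutor`) rather than switching the holder to MODE_INHERITABLETHREADLOCAL, which leaks contexts into pooled threads.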
AuthorizationServerContextFilter
Description: A Filter that associates the AuthorizationServerContext to the AuthorizationServerContextHolder.
SecurityContextPersistenceFilter
Description: Populates the SecurityContextHolder with information obtained from the configured SecurityContextRepository prior to the request and stores it back in the repository once the request has completed and clearing the context holder. By default it uses an HttpSessionSecurityContextRepository. See this class for information on HttpSession related configuration options. This filter will only execute once per request, to resolve servlet container (specifically Weblogic) incompatibilities. This filter MUST be executed BEFORE any authentication processing mechanisms. Authentication processing mechanisms (e.g. BASIC, CAS processing filters etc.) expect the SecurityContextHolder to contain a valid SecurityContext by the time they execute. This is essentially a refactoring of the old HttpSessionContextIntegrationFilter to delegate the storage issues to a separate strategy, allowing for more customization in the way the security context is maintained between requests. The forceEagerSessionCreation property can be used to ensure that a session is always available before the filter chain executes (the default is false, as this is resource intensive and not recommended).
HeaderWriterFilter
Taken literally, the header-writing filter.
Class description of this filter:
Filter implementation that adds headers to the current response. It can add certain headers that enable browser protection, such as X-Frame-Options, X-XSS-Protection and X-Content-Type-Options.
Official documentation:
https://docs.spring.io/spring-security/site/docs/current/api/org/springframework/security/web/header/HeaderWriterFilter.html
LogoutFilter
Taken literally, this filter handles user logout requests. Its logic is fairly simple.
Official documentation:
https://docs.spring.io/spring-security/site/docs/current/api/org/springframework/security/web/authentication/logout/LogoutFilter.html
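The two filters above are both driven by the HttpSecurity DSL, so one configuration (an added example, not pig4cloud's own configuration) shows how HeaderWriterFilter's headers are chosen and how LogoutFilter is wired. The header values and the `/logout` and `/login?logout` paths are assumed for the example; the class name `HeadersAndLogoutConfig` is invented. Spring Security 5.7 as on this page is assumed.

```java
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.Customizer;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.web.SecurityFilterChain;
import org.springframework.security.web.header.writers.ReferrerPolicyHeaderWriter.ReferrerPolicy;
import org.springframework.security.web.header.writers.StaticHeadersWriter;

@Configuration
public class HeadersAndLogoutConfig {

    @Bean
    public SecurityFilterChain headersAndLogout(HttpSecurity http) throws Exception {
        http
            // Everything in headers(...) ends up as a HeaderWriter inside HeaderWriterFilter.
            .headers(headers -> headers
                // X-Frame-Options: SAMEORIGIN (the default is DENY; relax only if the UI frames itself)
                .frameOptions(frame -> frame.sameOrigin())
                // X-Content-Type-Options: nosniff (on by default, listed here for clarity)
                .contentTypeOptions(Customizer.withDefaults())
                // X-XSS-Protection as written by the default XXssProtectionHeaderWriter
                .xssProtection(Customizer.withDefaults())
                // Strict-Transport-Security for a TLS-terminated deployment (one year, subdomains included)
                .httpStrictTransportSecurity(hsts -> hsts.includeSubDomains(true).maxAgeInSeconds(31536000))
                // Referrer-Policy keeps full URLs (which may carry tokens) away from third-party origins
                .referrerPolicy(referrer -> referrer.policy(ReferrerPolicy.STRICT_ORIGIN_WHEN_CROSS_ORIGIN))
                // Content-Security-Policy; the frame-ancestors directive is the modern replacement for X-Frame-Options
                .contentSecurityPolicy(csp -> csp.policyDirectives("default-src 'self'; frame-ancestors 'self'"))
                // Any header without a DSL shortcut can be emitted through a StaticHeadersWriter
                .addHeaderWriter(new StaticHeadersWriter("Permissions-Policy", "geolocation=()")))
            // LogoutFilter configuration
            .logout(logout -> logout
                .logoutUrl("/logout")              // with CSRF enabled only POST /logout triggers logout
                .logoutSuccessUrl("/login?logout")
                .invalidateHttpSession(true)       // SecurityContextLogoutHandler drops the session
                .clearAuthentication(true)         // and empties the SecurityContext
                .deleteCookies("JSESSIONID"));     // CookieClearingLogoutHandler expires the cookie
        return http.build();
    }
}
```

When adding this to a pig4cloud service, merge it into the chain that already secures the paths in question (or give it its own `securityMatcher`); a second unscoped `SecurityFilterChain` bean would compete with the existing one for every request. After a change, the headers on a response to any secured path can be verified with `curl -I` against the running service.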
OAuth2AuthorizationServerMetadataEndpointFilter
Description: A Filter that processes OAuth 2.0 Authorization Server Metadata Requests.
OAuth2AuthorizationEndpointFilter
Description: A Filter for the OAuth 2.0 Authorization Code Grant, which handles the processing of the OAuth 2.0 Authorization Request and Consent.
OAuth2ClientAuthenticationFilter
Description: A Filter that processes an authentication request for an OAuth 2.0 Client.
UsernamePasswordAuthenticationFilter
As the name says, this is the username/password authentication filter.
It is a subclass of AbstractAuthenticationProcessingFilter, whose role is to provide a concrete implementation of user authentication for one particular type of AbstractAuthenticationToken.
Official documentation:
https://docs.spring.io/spring-security/site/docs/current/api/org/springframework/security/web/authentication/UsernamePasswordAuthenticationFilter.html
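The relationship between the two classes is easiest to see by writing a sibling of UsernamePasswordAuthenticationFilter. The filter below (an added example, not pig4cloud code) follows the same contract: `attemptAuthentication` turns the request into an unauthenticated `UsernamePasswordAuthenticationToken` and hands it to the AuthenticationManager, which returns the authenticated token or throws. It reads the credentials from a JSON body instead of form parameters. The class name, the `/login` path and the `username`/`password` field names are assumptions of the example.

```java
import java.io.IOException;
import java.util.Map;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import com.fasterxml.jackson.databind.ObjectMapper;
import org.springframework.http.MediaType;
import org.springframework.security.authentication.AuthenticationManager;
import org.springframework.security.authentication.AuthenticationServiceException;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.AuthenticationException;
import org.springframework.security.web.authentication.AbstractAuthenticationProcessingFilter;
import org.springframework.security.web.util.matcher.AntPathRequestMatcher;

/**
 * Hypothetical subclass: same contract as UsernamePasswordAuthenticationFilter, but the
 * credentials come from a JSON body. Everything else (success/failure handlers, session
 * strategy, saving the SecurityContext) is inherited from AbstractAuthenticationProcessingFilter.
 */
public class JsonUsernamePasswordAuthenticationFilter extends AbstractAuthenticationProcessingFilter {

    private final ObjectMapper objectMapper = new ObjectMapper();

    public JsonUsernamePasswordAuthenticationFilter(AuthenticationManager authenticationManager) {
        // Only POST /login counts as an authentication attempt; other requests pass straight through.
        super(new AntPathRequestMatcher("/login", "POST"), authenticationManager);
    }

    @Override
    public Authentication attemptAuthentication(HttpServletRequest request, HttpServletResponse response)
            throws AuthenticationException, IOException, ServletException {
        String contentType = request.getContentType();
        if (contentType == null
                || !MediaType.parseMediaType(contentType).isCompatibleWith(MediaType.APPLICATION_JSON)) {
            // Reported through the failure handler like any other authentication error.
            throw new AuthenticationServiceException("Login body must be application/json");
        }
        Map<?, ?> body = objectMapper.readValue(request.getInputStream(), Map.class);
        Object user = body.get("username");
        Object pass = body.get("password");
        String username = user == null ? "" : user.toString().trim();
        String password = pass == null ? "" : pass.toString();

        // Unauthenticated token: no authorities until the AuthenticationManager verifies it.
        UsernamePasswordAuthenticationToken token =
                new UsernamePasswordAuthenticationToken(username, password);
        // Same as UsernamePasswordAuthenticationFilter.setDetails: remote address and session id.
        token.setDetails(authenticationDetailsSource.buildDetails(request));
        return getAuthenticationManager().authenticate(token);
    }
}
```

Register it with `http.addFilterAt(filter, UsernamePasswordAuthenticationFilter.class)` and set an `AuthenticationSuccessHandler`/`AuthenticationFailureHandler` on it; the matcher guarantees that a failed JSON login never falls through to the next filter as an anonymous request.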
RequestCacheAwareFilter
This filter is a fairly important one. When a client accesses a resource, RequestCacheAwareFilter tries to look up an already saved Request in the cache; by default it is stored as a Session attribute under the key SPRING_SECURITY_SAVED_REQUEST.
As the code shows, if a saved request is found in the cache the original request is continued; if none is found, the current request is continued.
Official documentation:
https://docs.spring.io/spring-security/site/docs/current/api/org/springframework/security/web/savedrequest/RequestCacheAwareFilter.html
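The saved request that RequestCacheAwareFilter restores is the same object a login success handler can inspect. The handler below (an added example, not pig4cloud code) extends the default `SavedRequestAwareAuthenticationSuccessHandler`, reads the cached request from the session-backed `HttpSessionRequestCache`, logs it, and discards it when the cached target was not a GET, so a cached POST is not replayed after login. The class name `InspectingSavedRequestSuccessHandler` and the `/` fallback target are assumptions of the example.

```java
import java.io.IOException;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.security.core.Authentication;
import org.springframework.security.web.authentication.SavedRequestAwareAuthenticationSuccessHandler;
import org.springframework.security.web.savedrequest.HttpSessionRequestCache;
import org.springframework.security.web.savedrequest.SavedRequest;

/**
 * Hypothetical success handler: inspects the request cached under
 * SPRING_SECURITY_SAVED_REQUEST before the default "return to where you came from"
 * redirect runs, and drops non-GET targets rather than replaying them.
 */
public class InspectingSavedRequestSuccessHandler extends SavedRequestAwareAuthenticationSuccessHandler {

    private static final Logger log = LoggerFactory.getLogger(InspectingSavedRequestSuccessHandler.class);

    // Same cache RequestCacheAwareFilter and ExceptionTranslationFilter use by default.
    private final HttpSessionRequestCache requestCache = new HttpSessionRequestCache();

    public InspectingSavedRequestSuccessHandler() {
        setRequestCache(requestCache);
        setDefaultTargetUrl("/");   // used when no request was cached or it was removed below
    }

    @Override
    public void onAuthenticationSuccess(HttpServletRequest request, HttpServletResponse response,
            Authentication authentication) throws ServletException, IOException {
        SavedRequest saved = requestCache.getRequest(request, response);
        if (saved != null) {
            log.info("user {} logged in; cached request {} {}",
                    authentication.getName(), saved.getMethod(), saved.getRedirectUrl());
            if (!"GET".equalsIgnoreCase(saved.getMethod())) {
                // Removing it means RequestCacheAwareFilter finds nothing and the
                // default target URL is used instead of re-issuing the original POST.
                requestCache.removeRequest(request, response);
            }
        }
        super.onAuthenticationSuccess(request, response, authentication);
    }
}
```

For a token-based API that never redirects to a login page the cache is pure overhead and a source of unwanted session creation; it can be switched off with `http.requestCache(cache -> cache.requestCache(new NullRequestCache()))`.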
AnonymousAuthenticationFilter
Description: Detects if there is no Authentication object in the SecurityContextHolder, and populates it with one if needed.
SessionManagementFilter
Description: Detects that a user has been authenticated since the start of the request and, if they have, calls the configured SessionAuthenticationStrategy to perform any session-related activity such as activating session-fixation protection mechanisms or checking for multiple concurrent logins.
ExceptionTranslationFilter
ExceptionTranslationFilter is the 14th filter; its main job is to handle the authorization exceptions thrown inside the filter chain.
If it detects an AuthenticationException, the filter launches the authenticationEntryPoint, which redirects to the login page for authentication.
If it detects an AccessDeniedException, the filter determines whether the user is anonymous. If the user is anonymous, the authenticationEntryPoint is launched and the user is redirected to the login page; if the user is not anonymous, the filter delegates to the AccessDeniedHandler. By default the filter uses AccessDeniedHandlerImpl.
Official documentation:
https://docs.spring.io/spring-security/site/docs/current/api/org/springframework/security/web/access/ExceptionTranslationFilter.html
FilterSecurityInterceptor
Description: Performs security handling of HTTP resources via a filter implementation. The SecurityMetadataSource required by this security interceptor is of type FilterInvocationSecurityMetadataSource. Refer to AbstractSecurityInterceptor for details on the workflow.
OAuth2TokenEndpointFilter
Description: A Filter for the OAuth 2.0 Token endpoint, which handles the processing of an OAuth 2.0 Authorization Grant. It converts the OAuth 2.0 Authorization Grant request to an Authentication, which is then authenticated by the AuthenticationManager. If the authentication succeeds, the AuthenticationManager returns an OAuth2AccessTokenAuthenticationToken, which is returned in the OAuth 2.0 Access Token response. In case of any error, an OAuth2Error is returned in the OAuth 2.0 Error response. By default, this Filter responds to authorization grant requests at the URI /oauth2/token and HttpMethod POST. The default endpoint URI /oauth2/token may be overridden via the constructor OAuth2TokenEndpointFilter(AuthenticationManager, String).
OAuth2TokenIntrospectionEndpointFilter
Description: Filter for the OAuth 2.0 Token Introspection endpoint.
OAuth2TokenRevocationEndpointFilter
Description: A Filter for the OAuth 2.0 Token Revocation endpoint.