使用版本 为springboot 2.2.7
1.springboot默认配置文件
2.默认配置类
3.SecurityAutoConfiguration
默认到入了三个类
SpringBootWebSecurityConfiguration、
WebSecurityEnablerConfiguration、
SecurityDataConfiguration
@Configuration(proxyBeanMethods = false)
@ConditionalOnClass(DefaultAuthenticationEventPublisher.class)
@EnableConfigurationProperties(SecurityProperties.class)
@Import({ SpringBootWebSecurityConfiguration.class, WebSecurityEnablerConfiguration.class,
SecurityDataConfiguration.class })
public class SecurityAutoConfiguration {
@Bean
@ConditionalOnMissingBean(AuthenticationEventPublisher.class)
public DefaultAuthenticationEventPublisher authenticationEventPublisher(ApplicationEventPublisher publisher) {
return new DefaultAuthenticationEventPublisher(publisher);
}
}
3.1.SpringBootWebSecurityConfiguration
SpringBootWebSecurityConfiguration在容器没有WebSecurityConfigurerAdapter类的时候默认导入WebSecurityConfigurerAdapter
@Configuration(proxyBeanMethods = false)
@ConditionalOnClass(WebSecurityConfigurerAdapter.class)
@ConditionalOnMissingBean(WebSecurityConfigurerAdapter.class)
@ConditionalOnWebApplication(type = Type.SERVLET)
public class SpringBootWebSecurityConfiguration {
@Configuration(proxyBeanMethods = false)
@Order(SecurityProperties.BASIC_AUTH_ORDER)
static class DefaultConfigurerAdapter extends WebSecurityConfigurerAdapter {
}
}
3.2.WebSecurityEnablerConfiguration
WebSecurityEnablerConfiguration默认开启了@EnableWebSecurity,也就是我们直接导入spring-boot-starter-security的坐标后,无需做任何配置,springsecurity就生效了
@Configuration(proxyBeanMethods = false)
@ConditionalOnBean(WebSecurityConfigurerAdapter.class)
@ConditionalOnMissingBean(name = BeanIds.SPRING_SECURITY_FILTER_CHAIN)
@ConditionalOnWebApplication(type = ConditionalOnWebApplication.Type.SERVLET)
@EnableWebSecurity
public class WebSecurityEnablerConfiguration {
}
3.2.1 @EnableWebSecurity
导入了WebSecurityConfiguration,此类向IOC容器导入过滤链
@Retention(value = java.lang.annotation.RetentionPolicy.RUNTIME)
@Target(value = { java.lang.annotation.ElementType.TYPE })
@Documented
@Import({ WebSecurityConfiguration.class,
SpringWebMvcImportSelector.class,
OAuth2ImportSelector.class })
@EnableGlobalAuthentication
@Configuration
public @interface EnableWebSecurity {
/**
* Controls debugging support for Spring Security. Default is false.
* @return if true, enables debug support with Spring Security
*/
boolean debug() default false;
}
3.2.1.1.WebSecurityConfiguration
此类导入了很多默认配置,其中就导入了名为springSecurityFilterChain的过滤器实际类型为FilterChainProxy
@Configuration(proxyBeanMethods = false)
public class WebSecurityConfiguration implements ImportAware, BeanClassLoaderAware {
// 导入过滤器
@Bean(name = AbstractSecurityWebApplicationInitializer.DEFAULT_FILTER_NAME)
public Filter springSecurityFilterChain() throws Exception {
boolean hasConfigurers = webSecurityConfigurers != null
&& !webSecurityConfigurers.isEmpty();
if (!hasConfigurers) {
WebSecurityConfigurerAdapter adapter = objectObjectPostProcessor
.postProcess(new WebSecurityConfigurerAdapter() {
});
webSecurity.apply(adapter);
}
return webSecurity.build();
}
}
3.2.1.2.SpringWebMvcImportSelector
此类通过ImportSelector接口,在当DispatcherServlet处于类路径的情况下导入WebMvcSecurityConfiguration
class SpringWebMvcImportSelector implements ImportSelector {
/*
* (non-Javadoc)
*
* @see org.springframework.context.annotation.ImportSelector#selectImports(org.
* springframework .core.type.AnnotationMetadata)
*/
public String[] selectImports(AnnotationMetadata importingClassMetadata) {
boolean webmvcPresent = ClassUtils.isPresent(
"org.springframework.web.servlet.DispatcherServlet",
getClass().getClassLoader());
return webmvcPresent
? new String[] {
"org.springframework.security.config.annotation.web.configuration.WebMvcSecurityConfiguration" }
: new String[] {};
}
}
WebMvcSecurityConfiguration
此类实现了WebMvcConfigurer,、ApplicationContextAware;分别能配置SpringMVC和注入SpringIOC容器
3.2.1.3.OAuth2ImportSelector
此类与OAuth2有关暂时不看
3.3.SecurityDataConfiguration
此类与spring Data有关暂时不看
@Configuration(proxyBeanMethods = false)
@ConditionalOnClass(SecurityEvaluationContextExtension.class)
public class SecurityDataConfiguration {
@Bean
@ConditionalOnMissingBean
public SecurityEvaluationContextExtension securityEvaluationContextExtension() {
return new SecurityEvaluationContextExtension();
}
}