The documentation starts by introducing Servlet Filters.
The official site notes:
so it is helpful to look at the role of Filters generally first.
This shows that Spring Security's operations are carried out by Filters.
Next, from top to bottom, it introduces all of the filter proxies.
DelegatingFilterProxy
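An implementation provided by Spring:
Looking at the code makes this clear:
In essence it defines a position in the filter chain, and this filter can use beans from the Spring container. The official description: Spring provides a Filter implementation named DelegatingFilterProxy that allows bridging between the Servlet container's lifecycle and Spring's ApplicationContext.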
FilterChainProxy
This is a special filter provided by Spring Security, used to match the corresponding SecurityFilterChain. The official description: FilterChainProxy to determine which Spring Security Filters should be invoked for this request.
SecurityFilterChain
The actual filter chain; one filter chain contains n filters.
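The first-match dispatch between FilterChainProxy and SecurityFilterChain, as an added example that is not from the original page or from Spring Security's source: a plain-Java model with no Spring dependency, in which the Chain record, the select method, the path matchers and the filter lists are all constructed for illustration. It shows why chain order matters: a broad matcher placed first makes a more specific chain unreachable.

```java
import java.util.List;
import java.util.function.Predicate;

// Simplified model, not Spring Security source. The Chain record, the matchers
// and the filter name lists below are constructed for illustration.
public class FirstMatchDemo {

    // Stand-in for SecurityFilterChain: a request matcher plus an ordered filter list.
    record Chain(String name, Predicate<String> matches, List<String> filters) {}

    // Stand-in for FilterChainProxy: returns the FIRST chain whose matcher accepts the path.
    static Chain select(List<Chain> chains, String path) {
        for (Chain c : chains) {
            if (c.matches().test(path)) {
                return c;
            }
        }
        return null; // no chain matched: in this model the request gets no security filters
    }

    public static void main(String[] args) {
        Chain api = new Chain("api", p -> p.startsWith("/api/"),
                List.of("CsrfFilter", "BearerTokenAuthenticationFilter",
                        "ExceptionTranslationFilter", "FilterSecurityInterceptor"));
        Chain any = new Chain("catch-all", p -> true,
                List.of("CsrfFilter", "UsernamePasswordAuthenticationFilter",
                        "ExceptionTranslationFilter", "FilterSecurityInterceptor"));

        List<Chain> specificFirst = List.of(api, any);
        List<Chain> broadFirst = List.of(any, api); // misordered: "api" is unreachable

        // Compare which chain each ordering selects for the same request path.
        for (String path : List.of("/api/orders", "/login")) {
            System.out.printf("%-12s specific-first=%-9s broad-first=%s%n", path,
                    select(specificFirst, path).name(), select(broadFirst, path).name());
        }
    }
}
```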
Security Filters
The filters that a request actually passes through; some of them are very familiar.
Below is a comprehensive list of Spring Security Filter ordering:
- ForceEagerSessionCreationFilter
- ChannelProcessingFilter
- WebAsyncManagerIntegrationFilter
- SecurityContextPersistenceFilter
- HeaderWriterFilter
- CorsFilter
- CsrfFilter
- LogoutFilter
- OAuth2AuthorizationRequestRedirectFilter
- Saml2WebSsoAuthenticationRequestFilter
- X509AuthenticationFilter
- AbstractPreAuthenticatedProcessingFilter
- CasAuthenticationFilter
- OAuth2LoginAuthenticationFilter
- Saml2WebSsoAuthenticationFilter
- UsernamePasswordAuthenticationFilter
- OpenIDAuthenticationFilter
- DefaultLoginPageGeneratingFilter
- DefaultLogoutPageGeneratingFilter
- ConcurrentSessionFilter
- DigestAuthenticationFilter
- BearerTokenAuthenticationFilter
- BasicAuthenticationFilter
- RequestCacheAwareFilter
- SecurityContextHolderAwareRequestFilter
- JaasApiIntegrationFilter
- RememberMeAuthenticationFilter
- AnonymousAuthenticationFilter
- OAuth2AuthorizationCodeGrantFilter
- SessionManagementFilter
- ExceptionTranslationFilter
- FilterSecurityInterceptor
- SwitchUserFilter
Handling Security Exceptions
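This section separately explains who handles exceptions in a unified way when they occur (for example, an unauthenticated request, among other exceptions).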