一、SecurityConfigurer简介
SecurityConfigurer 在 Spring Security 中是一个非常重要的角色。在前面的内容中曾经多次提到过, Spring Security 过滤器链中的每一个过滤器,都是通过 xxxConfigurer 来进行配置的,而这些 xxxConfigurer 实际上都是 SecurityConfigurer 的实现。
// O(DefaultSecurityFilterChain) B(HttpSecurity)
public interface SecurityConfigurer<O, B extends SecurityBuilder<O>> {
/**
* Initialize the {@link SecurityBuilder}. Here only shared state should be created
* and modified, but not properties on the {@link SecurityBuilder} used for building
* the object. This ensures that the {@link #configure(SecurityBuilder)} method uses
* the correct shared objects when building. Configurers should be applied here.
* @param builder
* @throws Exception
*/
void init(B builder) throws Exception;
/**
* Configure the {@link SecurityBuilder} by setting the necessary properties on the
* {@link SecurityBuilder}.
* @param builder
* @throws Exception
*/
void configure(B builder) throws Exception;
}
在init方法和configure方法中的形参都是SecurityBuilder类型,而SecurityBuilder是用来构建过滤器链 的【DefaultSecurityFilterChainProxy】
二、SecurityConfigurer核心实现
核心实现组件 | 备注 |
---|---|
SecurityConfigurerAdapter | CompositeObjectPostProcessor (): AutowireBeanFactoryObjectPostProcessor:利用了 AutowireCapableBeanFactory 对 Bean 进行手动注册 CompositeObjectPostProcessor:是一个复合的对象处理器,#postProcess 方法中,会遍历集合中的所有 ObjectPostProcessor,挨个调用其 postProcess 方法对对象进行后置处理 and ():该方法返回值是一个 securityBuilder,securityBuilder 实际上就是 HttpSecurity,使用 and 方法进行链式配置 |
GlobalAuthenticationConfigurerAdapter | 它的实现类将来主要 是和配置 AuthenticationManager 有关; AuthenticationManager 其实可以分为两种,一种是局部的,另一种 |