I have been reading about Spring Security 3 online, so here is a collection of the resources I have come across.
---------------------------------------------------------------
http://dead-knight.iteye.com/category/220917
---------------------------------------------------------------
The author's blog contains many analyses of Spring Security; I will start by picking out the simplest pieces I want.
org.springframework.security.config.http.SecurityFilters

enum SecurityFilters {
    FIRST (Integer.MIN_VALUE),
    // order = 100
    CHANNEL_FILTER,
    // order = 200
    CONCURRENT_SESSION_FILTER,
    // and so on, increasing by 100 for each constant
    SECURITY_CONTEXT_FILTER,
    LOGOUT_FILTER,
    X509_FILTER,
    PRE_AUTH_FILTER,
    CAS_FILTER,
    FORM_LOGIN_FILTER,
    OPENID_FILTER,
    LOGIN_PAGE_FILTER,
    DIGEST_AUTH_FILTER,
    BASIC_AUTH_FILTER,
    REQUEST_CACHE_FILTER,
    SERVLET_API_SUPPORT_FILTER,
    REMEMBER_ME_FILTER,
    ANONYMOUS_FILTER,
    SESSION_MANAGEMENT_FILTER,
    EXCEPTION_TRANSLATION_FILTER,
    FILTER_SECURITY_INTERCEPTOR,
    SWITCH_USER_FILTER,
    LAST (Integer.MAX_VALUE);

    // The interval is 100, mainly to leave reserved slots for custom filters
    // declared with after/before relative to a default filter.
    // In other words, at most 99 custom filters can sit between two adjacent
    // default filters, although that limit is practically never reached.
    private static final int INTERVAL = 100;
    private final int order;

    // The returned order value = ordinal * interval (100)
    private SecurityFilters() {
        order = ordinal() * INTERVAL;
    }

    private SecurityFilters(int order) {
        this.order = order;
    }

    // The filter's position in the chain is obtained through this method
    public int getOrder() {
        return order;
    }
}
From this we can see that this class maintains the order of every filter in Spring Security.
Based on the analysis above, the mechanism can be summarised as follows:
1. SecurityFilters maintains the position (order) of each filter
2. OrderDecorator maintains the mapping between a filter and its order
3. OrderComparator compares OrderDecorator instances to determine their precedence
(OrderDecorator implements org.springframework.core.Ordered.)
The default filter order list is attached below.
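As an added illustration (this is not code from the original post or from Spring Security itself), the following standalone Python model reproduces the ordering rules described above: default filters get ordinal * 100, and a custom filter declared with after, before or position resolves to the named filter's order plus one, minus one, or the slot itself. It also raises on the collision case a practitioner runs into in practice, two filters resolving to the same order, mirroring the same-order check that Spring Security's namespace parser performs; the bean names and enabled-filter sets in the test are constructed for the example.

```python
INTERVAL = 100  # same spacing as SecurityFilters.INTERVAL

# Named positions in the enum's declaration order; FIRST and LAST carry the
# explicit extreme values, the rest get ordinal * INTERVAL (CHANNEL_FILTER = 100).
_NAMES = [
    "CHANNEL_FILTER", "CONCURRENT_SESSION_FILTER", "SECURITY_CONTEXT_FILTER",
    "LOGOUT_FILTER", "X509_FILTER", "PRE_AUTH_FILTER", "CAS_FILTER",
    "FORM_LOGIN_FILTER", "OPENID_FILTER", "LOGIN_PAGE_FILTER",
    "DIGEST_AUTH_FILTER", "BASIC_AUTH_FILTER", "REQUEST_CACHE_FILTER",
    "SERVLET_API_SUPPORT_FILTER", "REMEMBER_ME_FILTER", "ANONYMOUS_FILTER",
    "SESSION_MANAGEMENT_FILTER", "EXCEPTION_TRANSLATION_FILTER",
    "FILTER_SECURITY_INTERCEPTOR", "SWITCH_USER_FILTER",
]
ORDER = {"FIRST": -2**31, "LAST": 2**31 - 1}
ORDER.update({name: (i + 1) * INTERVAL for i, name in enumerate(_NAMES)})


def custom_order(after=None, before=None, position=None):
    """Resolve one custom-filter placement (after/before/position) to an order."""
    if sum(x is not None for x in (after, before, position)) != 1:
        raise ValueError("exactly one of after, before or position must be given")
    if after is not None:
        return ORDER[after] + 1   # just behind the named default filter
    if before is not None:
        return ORDER[before] - 1  # just ahead of it
    return ORDER[position]        # take the named slot itself


def build_chain(defaults, customs):
    """Return bean names in chain order (model only, not Spring's own code).

    defaults: SecurityFilters names that the namespace configuration enabled.
    customs: {bean name: placement kwargs for custom_order}.
    Raises ValueError when two filters resolve to the same order, which is the
    situation the namespace parser rejects as a configuration error.
    """
    decorated = [(ORDER[n], n) for n in defaults]            # like OrderDecorator
    decorated += [(custom_order(**kw), n) for n, kw in customs.items()]
    taken = {}
    for order, name in decorated:
        if order in taken:
            raise ValueError(
                f"filters '{taken[order]}' and '{name}' both resolve to order {order}")
        taken[order] = name
    return [name for _, name in sorted(decorated)]            # like OrderComparator
```

Note that two custom filters declared `after` the same default filter collide at the same order; to stack several custom filters in one gap, chain them (for example, one `after` a default filter and the next `position`ed at an unused slot) rather than repeating the same placement.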
| order | Filter name | Implementing class | Notes |
|---|---|---|---|
| 100 | ChannelProcessingFilter | org.springframework.security.web.access.channel.ChannelProcessingFilter | Created only when an intercept-url element carries a requires-channel attribute |
| 200 | ConcurrentSessionFilter | org.springframework.security.web.session.ConcurrentSessionFilter | Session monitoring (concurrent session control) |
| 300 | SecurityContextPersistenceFilter | org.springframework.security.web.context.SecurityContextPersistenceFilter | Persists the SecurityContext instance: creates an empty SecurityContext if the session holds none, then stores it in the session |
| 400 | LogoutFilter | org.springframework.security.web.authentication.logout.LogoutFilter | |
| 500 | X509AuthenticationFilter | | |
| 600 | RequestHeaderAuthenticationFilter | | |
| 700 | CasAuthenticationFilter | | |
| 800 | UsernamePasswordAuthenticationFilter | org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter | |
| 900 | OpenIDAuthenticationFilter | | |
| 1000 | DefaultLoginPageGeneratingFilter | | |
| 1100 | DigestAuthenticationFilter | | |
| 1200 | BasicAuthenticationFilter | org.springframework.security.web.authentication.www.BasicAuthenticationFilter | |
| 1300 | RequestCacheAwareFilter | org.springframework.security.web.savedrequest.RequestCacheAwareFilter | After a successful login, restores the request that was interrupted by the login; ExceptionTranslationFilter saved it with saveRequest(req, resp), and it is replayed here |
| 1400 | SecurityContextHolderAwareRequestFilter | org.springframework.security.web.servletapi.SecurityContextHolderAwareRequestFilter | As the class name suggests, wraps the request object, mainly to implement Servlet API methods such as isUserInRole and getRemoteUser |
| 1500 | RememberMeAuthenticationFilter | org.springframework.security.web.authentication.rememberme.RememberMeAuthenticationFilter | |
| 1600 | AnonymousAuthenticationFilter | org.springframework.security.web.authentication.AnonymousAuthenticationFilter | Sits after UsernamePasswordAuthenticationFilter, BasicAuthenticationFilter and RememberMeAuthenticationFilter, so if none of those three authenticated successfully it places an anonymous authentication token into the current SecurityContext |
| 1700 | SessionManagementFilter | org.springframework.security.web.session.SessionManagementFilter | Provides two kinds of functionality: 1. session fixation protection, configured with session-fixation-protection; 2. concurrent session control, configured with concurrency-control |
| 1800 | ExceptionTranslationFilter | org.springframework.security.web.access.ExceptionTranslationFilter | Handles the AccessDeniedException and AuthenticationException thrown by the filters that follow it, namely FilterSecurityInterceptor and SwitchUserFilter |
| 1900 | FilterSecurityInterceptor | org.springframework.security.web.access.intercept.FilterSecurityInterceptor | The core filter, responsible for authorization; it depends on the access decision manager, the authentication manager and the security metadata source |
| 2000 | SwitchUserFilter | | |