SpringSecurity之基本原理——过滤器加载过程

ybb_ymm

已于 2023-05-06 08:42:43 修改

阅读量555

点赞数

分类专栏： SpringSecurity安全框架文章标签： spring boot 后端 java SpringSecurity

于 2023-04-13 08:00:00 首次发布

本文链接：https://blog.csdn.net/ybb_ymm/article/details/130083285

版权

SpringSecurity安全框架专栏收录该内容

12 篇文章 2 订阅

订阅专栏

前言

前一篇讲解了S p r i n g S e c u r i t y的过滤器链的基本只是，今天我们就要进入过滤器，看看其加载过程是如何的？

相信认真度过第一篇文章的小伙伴还记得，我说在S p r i n g B o o t出现后，帮助我们省去了那些繁琐的配置，实现了自动配置。那么，我们更应该了解他是如何实现自动加载的了！

过滤器如何进行加载的？

要是用过滤器，就必须配置过滤器 DelegatingFilterProxy ，之所以我们在前面的示例中没有进行配置，是因为Spring Boot 为我们完成了。

具体的加载逻辑如下图所示：

接下来，我们通过代码来看一下

首先进入到DelegatingFilterProxy类中的d o F i l t e r中

public void doFilter(ServletRequest request, ServletResponse response, FilterChain filterChain) throws ServletException, IOException {
Filter delegateToUse = this.delegate;
if (delegateToUse == null) {
Object var5 = this.delegateMonitor;
synchronized(this.delegateMonitor) {
delegateToUse = this.delegate;
if (delegateToUse == null) {
WebApplicationContext wac = this.findWebApplicationContext();
if (wac == null) {
throw new IllegalStateException("No WebApplicationContext found: no ContextLoaderListener or DispatcherServlet registered?");
}

delegateToUse = this.initDelegate(wac);
}

this.delegate = delegateToUse;
}
}

this.invokeDelegate(delegateToUse, request, response, f i l t e r C h a i n);
}

执行delegateToUse = this.initDelegate(wac);后进入到F i l t e r C h a i n P r o x y 类中，

List<Filter> filters = this.getFilters((HttpServletRequest)firewallRequest);加载所有的过滤器

public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain) throws IOException, ServletException {
boolean clearContext = request.getAttribute(FILTER_APPLIED) == null;
if (!clearContext) {
this.doFilterInternal(request, response, chain);
} else {
try {
request.setAttribute(FILTER_APPLIED, Boolean.TRUE);
this.doFilterInternal(request, response, chain);
} catch (Exception var11) {
Throwable[] causeChain = this.throwableAnalyzer.determineCauseChain(var11);
Throwable requestRejectedException = this.throwableAnalyzer.getFirstThrowableOfType(RequestRejectedException.class, causeChain);
if (!(requestRejectedException instanceof RequestRejectedException)) {
throw var11;
}

this.requestRejectedHandler.handle((HttpServletRequest)request, (HttpServletResponse)response, (RequestRejectedException)requestRejectedException);
} finally {
SecurityContextHolder.clearContext();
request.removeAttribute(FILTER_APPLIED);
}

}
}

private void doFilterInternal(ServletRequest request, ServletResponse response, FilterChain chain) throws IOException, ServletException {
FirewalledRequest firewallRequest = this.firewall.getFirewalledRequest((HttpServletRequest)request);
HttpServletResponse firewallResponse = this.firewall.getFirewalledResponse((HttpServletResponse)response);
List<Filter> filters = this.getFilters((HttpServletRequest)firewallRequest);
if (filters != null && filters.size() != 0) {
if (logger.isDebugEnabled()) {
logger.debug(LogMessage.of(() -> {
return "Securing " + requestLine(firewallRequest);
}));
}

FilterChainProxy.VirtualFilterChain virtualFilterChain = new FilterChainProxy.VirtualFilterChain(firewallRequest, chain, filters);
virtualFilterChain.doFilter(firewallRequest, firewallResponse);
} else {
if (logger.isTraceEnabled()) {
logger.trace(LogMessage.of(() -> {
return "No security for " + requestLine(firewallRequest);
}));
}

firewallRequest.reset();
chain.doFilter(firewallRequest, firewallResponse);
}
}