Spring Security source code analysis
2021-05-20 09:47:30
Spring Security is a powerful and highly customizable authentication and access-control framework built on the Spring Framework. Reading the source shows that Spring Security enforces security through a chain of servlet filters that covers authentication, authorization and defences against common attacks such as cross-site request forgery. Authentication is usually handled by DaoAuthenticationProvider, which loads the user through a UserDetailsService (typically backed by a database) and checks the submitted password with the configured PasswordEncoder; authorization decisions are delegated to an AccessDecisionManager. Spring Security also provides further mechanisms such as CSRF protection and hashed (not reversibly encrypted) password storage. Its modular design lets users pick only the security modules they need. Overall, the Spring Security source is clearly structured and easy to understand and maintain.
Outline
The complete process by which Spring Security's filters are loaded

Spring Security is a framework that provides authentication, authorization and protection against common attacks. At its core it is a chain of servlet filters: Client -> Filter -> Filter Chain (the Security Filters) -> Servlet.

1. Spring Boot auto-configuration
- In the spring-boot-autoconfigure jar, open META-INF/spring.factories and find the key org.springframework.boot.autoconfigure.EnableAutoConfiguration.
- Among its entries, Spring Boot auto-configures org.springframework.boot.autoconfigure.security.servlet.SecurityAutoConfiguration.
- Auto-configuration conditions:
  - @ConditionalOnClass({EnableWebSecurity.class}): the configuration below is applied only when the EnableWebSecurity class is on the classpath.
  - @ConditionalOnDefaultWebSecurity, a @Conditional backed by DefaultWebSecurityCondition: if the application defines no security configuration of its own (no WebSecurityConfigurerAdapter and no SecurityFilterChain bean), a default one is auto-configured.
- @Import:
  - SpringBootWebSecurityConfiguration: auto-configures one SecurityFilterChain through defaultSecurityFilterChain(HttpSecurity http) (every request authenticated, with form login and HTTP Basic).
  - WebSecurityEnablerConfiguration: carries the @EnableWebSecurity annotation.
  - SecurityDataConfiguration: applied when Spring Data is integrated.

2. @EnableWebSecurity
- @Import: WebSecurityConfiguration, SpringWebMvcImportSelector, OAuth2ImportSelector, HttpSecurityConfiguration. The two import selectors only import their configuration when Spring MVC or the OAuth2 client classes are on the classpath; HttpSecurityConfiguration defines the prototype-scoped HttpSecurity bean that SecurityFilterChain beans are built from.
- @EnableWebSecurity is meta-annotated with @EnableGlobalAuthentication, which imports AuthenticationConfiguration. It registers:
  - the AuthenticationManagerBuilder (a DefaultPasswordEncoderAuthenticationManagerBuilder);
  - EnableGlobalAuthenticationAutowiredConfigurer(context), a GlobalAuthenticationConfigurerAdapter;
  - InitializeUserDetailsBeanManagerConfigurer(context): if exactly one UserDetailsService bean exists, it registers a DaoAuthenticationProvider for it;
  - InitializeAuthenticationProviderBeanManagerConfigurer(context): if exactly one AuthenticationProvider bean exists, it registers that provider.

3. ObjectPostProcessorConfiguration
- @Bean: creates the ObjectPostProcessor instance: new AutowireBeanFactoryObjectPostProcessor(beanFactory).
- postProcess(object) makes Spring treat an object created with new as if Spring had created the bean:
  - autowireBeanFactory.autowireBean(object); then the bean is initialized
  - check: result instanceof DisposableBean -> disposableBeans.add((DisposableBean) result)
  - check: result instanceof SmartInitializingSingleton -> smartSingletons.add((SmartInitializingSingleton) result)
  This is why a filter instantiated inside a configurer still gets its dependencies injected, its afterSingletonsInstantiated() callback, and its destroy() callback when the context closes.

4. WebSecurityConfiguration
- Create a WebSecurity: objectPostProcessor.postProcess(new WebSecurity(objectPostProcessor))
- Add each WebSecurityConfigurer to it: this.webSecurity.apply(webSecurityConfigurer)
- @Bean(name = AbstractSecurityWebApplicationInitializer.DEFAULT_FILTER_NAME) springSecurityFilterChain(): calls this.webSecurity.build() and returns the resulting FilterChainProxy.

5. Builder pattern: build() -> doBuild()
The build starts here. AbstractConfiguredSecurityBuilder.doBuild() runs the following stages, once:
- beforeInit(); an empty method, a hook for subclasses to extend
- init(); calls init() on every SecurityConfigurer: configurer.init((B) this);
- beforeConfigure(); an empty method, a hook for subclasses to extend
- configure(); calls configure() on every SecurityConfigurer: configurer.configure((B) this)
- performBuild(); for WebSecurity this produces the FilterChainProxy

6. WebSecurity.performBuild()
- For every ignored request (web.ignoring()): securityFilterChains.add(new DefaultSecurityFilterChain(ignoredRequest)); this chain contains no filters at all, so matching requests get no security headers, no SecurityContext and no CSRF check. Prefer permitAll() over ignoring() for anything other than static resources.
- For every securityFilterChainBuilder: the HttpSecurity is built here: securityFilterChains.add(securityFilterChainBuilder.build())
- new FilterChainProxy(securityFilterChains)
- filterChainProxy.afterPropertiesSet();
- postBuildAction.run(); a Runnable executed inline on the calling thread (not a new thread)
- return filterChainProxy

7. Request processing at runtime
- DelegatingFilterProxy is the filter registered with the servlet container; it looks up the springSecurityFilterChain bean (the FilterChainProxy) and delegates to it.
- FilterChainProxy delegates to its securityFilterChains: for each request it selects the first SecurityFilterChain whose request matcher matches (for example one chain for /api/** and another for /hello/**) and executes that chain's doFilter(). Chains that do not match are not consulted, so the order of the chains matters.
- Security Filters inside a SecurityFilterChain, in the order Spring Security 5.x registers them:
  ChannelProcessingFilter
  WebAsyncManagerIntegrationFilter
  SecurityContextPersistenceFilter
  HeaderWriterFilter
  CorsFilter
  CsrfFilter
  LogoutFilter
  OAuth2AuthorizationRequestRedirectFilter
  Saml2WebSsoAuthenticationRequestFilter
  X509AuthenticationFilter
  AbstractPreAuthenticatedProcessingFilter
  CasAuthenticationFilter
  OAuth2LoginAuthenticationFilter
  Saml2WebSsoAuthenticationFilter
  UsernamePasswordAuthenticationFilter
  OpenIDAuthenticationFilter
  DefaultLoginPageGeneratingFilter
  DefaultLogoutPageGeneratingFilter
  ConcurrentSessionFilter
  DigestAuthenticationFilter
  BearerTokenAuthenticationFilter
  BasicAuthenticationFilter
  RequestCacheAwareFilter
  SecurityContextHolderAwareRequestFilter
  JaasApiIntegrationFilter
  RememberMeAuthenticationFilter
  AnonymousAuthenticationFilter
  OAuth2AuthorizationCodeGrantFilter
  SessionManagementFilter
  ExceptionTranslationFilter
  FilterSecurityInterceptor
  SwitchUserFilter
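The following is an added example, not code from the page or from Spring Security itself. It shows, from the application side, what the build process above assembles: two SecurityFilterChain beans that FilterChainProxy dispatches between by request pattern (the /api/** and /hello/** patterns from the outline), and a custom SecurityConfigurer whose init() and configure() are invoked by the init and configure stages of doBuild(), with its filter run through the ObjectPostProcessor via postProcess(). It assumes Spring Boot 2.4+ / Spring Security 5.4+ on the classpath; the class names FilterChainDemoConfig, AuditConfigurer and AuditFilter and the X-Chain-Audit header are illustrative choices, not Spring Security API.

```java
// Added example (not from the page or Spring Security's own sources). Assumes
// Spring Boot 2.4+/Spring Security 5.4+ (spring-boot-starter-security on the classpath).
import java.io.IOException;
import javax.servlet.FilterChain;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.core.annotation.Order;
import org.springframework.security.config.Customizer;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configurers.AbstractHttpConfigurer;
import org.springframework.security.web.SecurityFilterChain;
import org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter;
import org.springframework.web.filter.OncePerRequestFilter;

@Configuration
public class FilterChainDemoConfig {

    // Chain 1: FilterChainProxy sends only requests matching /api/** here.
    // HttpSecurity is the prototype bean from HttpSecurityConfiguration; build() runs doBuild().
    @Bean
    @Order(1)
    public SecurityFilterChain apiChain(HttpSecurity http) throws Exception {
        http.antMatcher("/api/**")
            .authorizeRequests(auth -> auth.anyRequest().hasRole("API"))
            .httpBasic(Customizer.withDefaults())
            .csrf(csrf -> csrf.disable()); // stateless API clients; browser-facing chains keep CSRF on
        // apply() registers the configurer: its init() runs in the init stage,
        // its configure() in the configure stage, before performBuild() creates the chain.
        http.apply(new AuditConfigurer());
        return http.build();
    }

    // Chain 2: no antMatcher, so it matches every other request. It must be ordered last:
    // FilterChainProxy takes the first matching chain, so placed first it would swallow /api/** too.
    @Bean
    @Order(2)
    public SecurityFilterChain defaultChain(HttpSecurity http) throws Exception {
        http.authorizeRequests(auth -> auth
                .antMatchers("/hello/**").permitAll() // permitAll keeps headers/CSRF/SecurityContext, unlike web.ignoring()
                .anyRequest().authenticated())
            .formLogin(Customizer.withDefaults());
        return http.build();
    }

    /** A SecurityConfigurer: the builder calls init() on all configurers first, then configure(). */
    static final class AuditConfigurer extends AbstractHttpConfigurer<AuditConfigurer, HttpSecurity> {
        @Override
        public void init(HttpSecurity http) {
            // init stage: nothing is built yet, so only shared objects are registered here
            http.setSharedObject(AuditFilter.class, new AuditFilter());
        }

        @Override
        public void configure(HttpSecurity http) {
            AuditFilter filter = http.getSharedObject(AuditFilter.class);
            // postProcess() hands the new'd filter to the ObjectPostProcessor
            // (AutowireBeanFactoryObjectPostProcessor): it is autowired and, if it implemented
            // DisposableBean or SmartInitializingSingleton, tracked like a Spring-created bean.
            http.addFilterBefore(postProcess(filter), UsernamePasswordAuthenticationFilter.class);
        }
    }

    /** Placed before UsernamePasswordAuthenticationFilter, so it sees every request on the /api/** chain. */
    static final class AuditFilter extends OncePerRequestFilter {
        @Override
        protected void doFilterInternal(HttpServletRequest req, HttpServletResponse res, FilterChain chain)
                throws ServletException, IOException {
            // hypothetical audit header, for illustration only
            res.setHeader("X-Chain-Audit", req.getRequestURI());
            chain.doFilter(req, res);
        }
    }
}
```

Two checks worth running against such a configuration: request /api/ping and /hello/ping and confirm that only the first carries the audit header (proof that FilterChainProxy chose different chains), and swap the two @Order values to see /api/** silently fall into the default chain, which is the misconfiguration the first-match rule makes easy.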