zoukankan      html  css  js  c++  java

  • Java-Security(六):Spring Security启动加载MySecurityConfig(WebSecurityConfigurerAdapter)/WebSecurity/HttpSecurity(xxxConfigurer、filters)流程

    本章文件分为三个部分:

    1)在进行Spring Security加载流程分析之前,我们需要先了解下WebSecurityConfigurerAdapter;

    2)SpringBoot如何启动SpringSecurity?

    3)Spring Security启动流程:MySecurityConfig(WebSecurityConfigurerAdapter)/WebSecurity/HttpSecurity(xxxConfigurer、filters)。

    了解下WebSecurityConfigurerAdapter

    该类是一个Spring Security Web配置适配器。在使用Spring Security项目中,如果想通过配置修改Spring Security中的一些可配置、可自定义替换的相关设置,都必须在项目中添加一个继承WebSecurityConfigurerAdapter的类MySecurityConfig。

    WebSecurityConfigurerAdapter是一个抽象类,一般情况下继承了该类的配置类MySecurityConfig中可以通过重写:

    1)’configure(HttpSecurity http)‘实现对HttpSecurity配置;

    @Override
protected void configure(HttpSecurity http) throws Exception {
    http.csrf().disable();
  
    // 基于token,所以不需要session
    http.sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS);

    http.authorizeRequests()
            .antMatchers("/", "/*.html", "/favicon.ico", "/css/**", "/js/**", "/fonts/**", "/layui/**", "/img/**",
                    "/v2/api-docs/**", "/swagger-resources/**", "/webjars/**", "/pages/**", "/druid/**",
                    "/statics/**")
            .permitAll().anyRequest().authenticated();
    http.formLogin()/*.loginPage("/login.html")*/.loginProcessingUrl("/login")
            .successHandler(authenticationSuccessHandler).failureHandler(authenticationFailureHandler);
            // .and().exceptionHandling().authenticationEntryPoint(authenticationEntryPoint);
    http.logout().logoutUrl("/logout").logoutSuccessHandler(logoutSuccessHandler);
    // 解决不允许显示在iframe的问题
    http.headers().frameOptions().disable();
    http.headers().cacheControl();

    http.addFilterBefore(tokenFilter, UsernamePasswordAuthenticationFilter.class);
}

    2)'configure(WebSecurity web)'实现对WebSecurity配置;

    3)’configure(AuthenticationManagerBuilder auth)‘实现对Authentication配置;

        @Override
    protected void configure(AuthenticationManagerBuilder auth) throws Exception {
        auth.userDetailsService(userDetailsService).passwordEncoder(bCryptPasswordEncoder());
    }

    实际上,这个WebSecurityConfigurerAdapter就是为了干预HttpSecurity/WebSecurity/AuthenticationManagerBuilder,用来根据使用Spring Security的开发人员可以自己通过配置达到自己想要的功能效果。

    SpringBoot如何启动SpringSecurity?

    如果是SpringBoot项目依赖了Spring Security相关依赖,就会自动加载执行SecurityFilterAutoConfiguration配置类,而SecurityFilterAutoConfiguration加载之前会先加载执(@AutoConfigureAfter({SecurityAutoConfiguration.class}))SecurityAutoConfiguration,在SecurityAutoConfiguraiton生效时它会导入WebSecurityEnableConfiguration
    EnableWebSecurity主要是加载了三个类:

    <1>SpringWebMvcImportSelector的作用是判断当前的环境是否包含springmvc,因为spring security可以在非spring环境下使用,为了避免DispatcherServlet的重复配置,所以使用了这个注解来区分。
    <2> WebSecurityConfiguration顾名思义,是用来配置web安全的,下面的小节会详细介绍。
    <3>AuthenticationConfiguration权限配置相关类
    而重点就是后两者!

    Spring Security启动流程

    在项目启动中,HttpSecurity中会加载一个Configurers,它们就是实现了AbstractInterceptUrlConfigurer的Configurer类,之后会根据xxxConfigurer后#configure(HttpSecurity http)会加载Configurer对应的Filters列表中:

    HttpBasicConfigurer->BasicAuthenticationFilter
    LogoutConfigurer->LogoutFilter
    RequestCacheConfigurer->RequestCacheAwareFilter
    RememberMeConfigurer->RememberMeAuthenticationFilter
    ServletApiConfigurer->SecurityContextHolderAwareRequestFilter
    DefaultLoginPageConfigurer->DefaultLoginPageGeneratingFilter
    SessionManagementConfigurer->SessionManagementFilter
    PortMapperConfigurer->无
    ExceptionHandlingConfigurer->ExceptionTranslationFilter
    HeadersConfigurer->HeaderWriterFilter
    CsrfConfigurer->CsrfFilter
    ImplicitGrantConfigurer->OAuth2AuthorizationRequestRedirectFilter
    AnonymousConfigurer->AnonymousAuthenticationFilter
    JeeConfigurer->J2eePreAuthenticatedProcessingFilter
    ChannelSecurityConfigurer->ChannelProcessingFilter
    CorsConfigurer->CorsFilter
    SecurityContextConfigurer->SecurityContextPersistenceFilter
    FormLoginConfigurer->DefaultLoginPageGeneratingFilter
    OAuth2LoginConfigurer->OAuth2LoginAuthenticationFilter
    OpenIDLoginConfigurer->OpenIDAuthenticationFilter
    X509Configurer->X509AuthenticationFilter
    UrlAuthorizationConfigurer->FilterSecurityInterceptor
    ExpressionUrlAuthorizationConfigurer->FilterSecurityInterceptor

    SecurityConfigurer:

     SecurityBuilder:

    HttpSecurity是一个securityBuilder,HttpSecuirty内部维护了一个Filter的List集合,我们添加的各种安全配置器对应的Filter最终都会被加入到这个List集合中。
    WebSecurity是一个securityBuilder,内部维护着securityBuilder的列表,存储securityBuilder,这里主要是存储HttpSecurity。
    很多官方类是XXXConfigurer,这些都是SecurityConfigurer。这些SecurityConfigurer的configure()方法,都会把对应filter添加到HttpSecurity 

    参考:

    基于注解的Spring Security原理解析

    Spring Security 实现原理的理解记录

    SpringSecurity分析-1-启动加载
  • 相关阅读:
    使用XmlDataDocument将数据存储到XML文档
    Dubbo+Nacos 运行异常io.netty.handler.codec.EncoderException: java.lang.NullPointerException
    一、字符串常量Java内部加载
    更高效率,Java快速获取图片尺寸宽高分辨率(支持webp)
    水印宽高比例自适应图片(Java-Thumbnails)
    UEditor 自定义图片视频尺寸校验
    应用宝官方错误日志
    Eclipse使用hibernate插件
    解决Eclipse建立Maven项目后无法建立src/main/java资源文件夹的办法
    [Err] 1022
  • 原文地址:https://www.cnblogs.com/yy3b2007com/p/14238176.html
Copyright © 2011-2022 走看看