这篇文章主要介绍“Spring Security基本架构与初始化操作流程是什么”的相关知识,小编通过实际案例向大家展示操作过程,操作方法简单快捷,实用性强,希望这篇“Spring Security基本架构与初始化操作流程是什么”文章能帮助大家解决问题。
Spring Security 是基于web的安全组件,所以一些相关类会分散在 spring-security包和web包中。Spring Security通过自定义Servlet的Filter的方式实现,具体架构可参考官网Spring Security: Architecture
这里使用Spring Boot 2.7.4版本,对应Spring Security 5.7.3版本
首先左侧是Servlet中的Filter组成的FilterChain,Spring Security通过注册一个DelegatingFilterProxy的Filter,然后在该Proxy中内置多条Spring Security组织的Security Filter Chain(chain中套娃一个chain),一个Security Filter Chain又有多个Filter,通过不同的规则将Request匹配到第一个满足条件的Security Filter Chain。
既然Spring Security涉及到Filter,而Filter是Servlet中的组件,这里就存在一个将Spring Security的顶级Filter注册到Servlet Context的过程。
首先关注javax.servlet.ServletContainerInitializer
,该类是tomcat-embed-core包中的类:
// 通过SPI方式导入实现类: // META-INF/services/javax.servlet.ServletContainerInitializer public interface ServletContainerInitializer { /** * Receives notification during startup of a web application of the classes within the web application * that matched the criteria defined via the annotation: * javax.servlet.annotation.HandlesTypes * * 处理javax.servlet.annotation.HandlesTypes注解标注类型的实现类 **/ void onStartup(Set<Class<?>> c, ServletContext ctx) throws ServletException; }
该接口实现类由SPI方式导入,我们来到spring-web
包中:
可以看到spring对 该接口的实现类为:org.springframework.web.SpringServletContainerInitializer
@HandlesTypes(WebApplicationInitializer.class) public class SpringServletContainerInitializer implements ServletContainerInitializer { @Override public void onStartup(@Nullable Set<Class<?>> webAppInitializerClasses, ServletContext servletContext) throws ServletException { List<WebApplicationInitializer> initializers = Collections.emptyList(); ... // 添加 if (webAppInitializerClasses != null) { initializers = new ArrayList<>(webAppInitializerClasses.size()); for (Class<?> waiClass : webAppInitializerClasses) { initializers.add((WebApplicationInitializer) ReflectionUtils.accessibleConstructor(waiClass).newInstance()); } } ... // 排序 AnnotationAwareOrderComparator.sort(initializers); // 执行 for (WebApplicationInitializer initializer : initializers) { initializer.onStartup(servletContext); } } }
SpringServletContainerInitializer
中调用了一系列org.springframework.web.WebApplicationInitializer#onStartup
可以看到WebApplicationInitializer
有一系列实现类:
其中就有Security相关的。到此,以上均为 Spring Web中的内容,Spring Security就是基于以上扩展而来。
接上文,来看看org.springframework.security.web.context.AbstractSecurityWebApplicationInitializer
:
public abstract class AbstractSecurityWebApplicationInitializer implements WebApplicationInitializer { public static final String DEFAULT_FILTER_NAME = "springSecurityFilterChain"; ... @Override public final void onStartup(ServletContext servletContext) { beforeSpringSecurityFilterChain(servletContext); ... insertSpringSecurityFilterChain(servletContext); afterSpringSecurityFilterChain(servletContext); } ... }
但是,经过调试发现,Spring Security的Filter注册过程并不是上面的步骤。
重要:
Spring Security 注册Filter 不是通过上文的 javax.servlet.ServletContainerInitializer
和org.springframework.web.WebApplicationInitializer#onStartup
而是org.springframework.boot.web.servlet.ServletContextInitializer
,来看看ServletContextInitializer
的说明:
/** * 不同于WebApplicationInitializer,实现该接口的类(且没有实现WebApplicationInitializer) * 不会被SpringServletContainerInitializer检测到,所以不会由servlet容器自动启动。 * 该类的目的和ServletContainerInitializer一样,但是 其中的Servlet的生命周期由Spring控制而不是Servlet容器。 */ @FunctionalInterface public interface ServletContextInitializer { void onStartup(ServletContext servletContext) throws ServletException; }
首先来看自动配置类:org.springframework.boot.autoconfigure.security.servlet.SecurityFilterAutoConfiguration
@AutoConfiguration(after = SecurityAutoConfiguration.class) @ConditionalOnWebApplication(type = Type.SERVLET) @EnableConfigurationProperties(SecurityProperties.class) @ConditionalOnClass({ AbstractSecurityWebApplicationInitializer.class, SessionCreationPolicy.class }) public class SecurityFilterAutoConfiguration { // DEFAULT_FILETER_NAME = "springSecurityFilterChain" private static final String DEFAULT_FILTER_NAME = AbstractSecurityWebApplicationInitializer.DEFAULT_FILTER_NAME; // 必须存在名称为springSecurityFilterChain的bean // 名称为springSecurityFilterChain的bean实际上类型即是 org.springframework.security.web.FilterChainProxy @Bean @ConditionalOnBean(name = DEFAULT_FILTER_NAME) public DelegatingFilterProxyRegistrationBean securityFilterChainRegistration( SecurityProperties securityProperties) { DelegatingFilterProxyRegistrationBean registration = new DelegatingFilterProxyRegistrationBean( DEFAULT_FILTER_NAME); registration.setOrder(securityProperties.getFilter().getOrder()); registration.setDispatcherTypes(getDispatcherTypes(securityProperties)); return registration; } ... }
可以看到DelegatingFilterProxyRegistrationBean
被注入Bean容器,且名称为"springSecurityFilterChain"
的Bean必须存在,而DelegatingFilterProxyRegistrationBean
中#getFilter
用来获取真正的Security Filter代理类DelegatingFilterProxy
,需要注意的是,DelegatingFilterProxy
实现了Filter接口。
先来看看DelegatingFilterProxyRegistrationBean
的类图结构:
DelegatingFilterProxyRegistrationBean
负责整合Servlet Filter注册(主要就是代理类注册)和Spring生命周期,而真正的代理类DelegatingFilterProxy
通过
DelegatingFilterProxyRegistrationBean#getFilter
获取。这体现了职责单一的设计原则。
public class DelegatingFilterProxyRegistrationBean ... { ... @Override public DelegatingFilterProxy getFilter() { // 创建真正的代理(匿名子类),并具有延迟加载的能力 return new DelegatingFilterProxy(this.targetBeanName, getWebApplicationContext()) { @Override protected void initFilterBean() throws ServletException { // Don't initialize filter bean on init() } }; } ... }
接下来,DelegatingFilterProxyRegistrationBean
中的DelegatingFilterProxy
需要完成对多个SecurityFilterChain
的代理。而这个代理过程Security又通过一个代理类org.springframework.security.web.FilterChainProxy
完成 。意思是,DelegatingFilterProxy
是整个Security的代理,而FilterChainProxy
是SecurityFilterChain的代理,且DelegatingFilterProxy
是通过FilterChainProxy
来完成代理的(代理一个代理)。
来看看DelegatingFilterProxy
:
public class DelegatingFilterProxy extends GenericFilterBean { // 就是 springSecurityFilterChain,代表FilterChainProxy的beanName @Nullable private String targetBeanName; // 代理的FilterChainProxy @Nullable private volatile Filter delegate; ... @Override public void doFilter(ServletRequest request, ServletResponse response, FilterChain filterChain) throws ServletException, IOException { // Lazily initialize the delegate if necessary. Filter delegateToUse = this.delegate; if (delegateToUse == null) { synchronized (this.delegateMonitor) { delegateToUse = this.delegate; if (delegateToUse == null) { ... // 初始化代理类 delegateToUse = initDelegate(wac); } this.delegate = delegateToUse; } } // Let the delegate perform the actual doFilter operation. invokeDelegate(delegateToUse, request, response, filterChain); } ... protected Filter initDelegate(WebApplicationContext wac) throws ServletException { String targetBeanName = getTargetBeanName(); // 容器中获取名称为springSecurityFilterChain 类型为Filter的bean // 即 FilterChainProxy // 所以 注册 DelegatingFilterProxyRegistrationBean 时必须有 @ConditionalOnBean(name="springSecurityFilterChain") Filter delegate = wac.getBean(targetBeanName, Filter.class); ... return delegate; } }
上文说到,在注册DelegatingFilterProxyRegistrationBean
的自动配置类中 必须要有springSecurityFilterChain
名称的bean存在,而这个名称为springSecurityFilterChain
的bean实际上类型即是 org.springframework.security.web.FilterChainProxy
。
整个流程如下:
有点像 道生一,一生二,二生三,三生万物 的思想,我将它命名为 道德经设计模式,嘿嘿 。
那么FilterChainProxy
又是在哪儿注入的呢?
在配置类org.springframework.security.config.annotation.web.configuration.WebSecurityConfiguration
中我们可以发现,这里注入了FilterChainProxy
:
@Configuration(proxyBeanMethods = false) public class WebSecurityConfiguration implements ImportAware, BeanClassLoaderAware { ... private WebSecurity webSecurity; // 多个SecurityFilterChain private List<SecurityFilterChain> securityFilterChains = Collections.emptyList(); // 多个WebSecurityCustomizer private List<WebSecurityCustomizer> webSecurityCustomizers = Collections.emptyList(); ... // 注入一个Filter,指定名称为springSecurityFilterChain @Bean(name = AbstractSecurityWebApplicationInitializer.DEFAULT_FILTER_NAME) public Filter springSecurityFilterChain() throws Exception { ... for (SecurityFilterChain securityFilterChain : this.securityFilterChains) { this.webSecurity.addSecurityFilterChainBuilder(() -> securityFilterChain); // 为每个SecurityFilterChain中的每个Filter添加拦截方法 for (Filter filter : securityFilterChain.getFilters()) { if (filter instanceof FilterSecurityInterceptor) { this.webSecurity.securityInterceptor((FilterSecurityInterceptor) filter); break; } } } // 自定义器对每个SecurityFilterChain均生效 for (WebSecurityCustomizer customizer : this.webSecurityCustomizers) { customizer.customize(this.webSecurity); } // 这里build()方法返回 org.springframework.security.web.FilterChainProxy return this.webSecurity.build(); } ... // 自动注入, 通常我们需要自定义的就是这个SecurityFilterChain类型 // 只需要在业务配置类中注册一个SecurityFilterChain类型的bean就能被注入到这里 @Autowired(required = false) void setFilterChains(List<SecurityFilterChain> securityFilterChains) { this.securityFilterChains = securityFilterChains; } // 自动注入 @Autowired(required = false) void setWebSecurityCustomizers(List<WebSecurityCustomizer> webSecurityCustomizers) { this.webSecurityCustomizers = webSecurityCustomizers; } }
在业务配置类中,我们可以自定义SecurityFilterChain
和WebSecurityCustomizer
的bean,配置如下:
@Configuration public class SecurityConfig { @Bean public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception { http.csrf().disable(); // 必须显式注明,配合CorsConfigurationSource的Bean,不然即使在web里面配置了跨域,security这里依然会cors error http.cors(); http.authorizeRequests() .antMatchers(AUTH_WHITELIST).permitAll() .anyRequest().authenticated(); http.formLogin().successHandler(loginSuccessHandler); http.oauth3Login().successHandler(giteeSuccessHandler); http.exceptionHandling().accessDeniedHandler(restAccessDeniedHandler); http.addFilterBefore(bearAuthenticationFilter, UsernamePasswordAuthenticationFilter.class); return http.build(); } @Bean public WebSecurityCustomizer webSecurityCustomizer() { return (web) -> web.ignoring().antMatchers("/ignore1", "/ignore2"); } }
OK,我们再来看看 org.springframework.security.web.FilterChainProxy
:
public class FilterChainProxy extends GenericFilterBean { private List<SecurityFilterChain> filterChains; private HttpFirewall firewall = new StrictHttpFirewall(); @Override public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain) throws IOException, ServletException { ... doFilterInternal(request, response, chain); ... } private void doFilterInternal(ServletRequest request, ServletResponse response, FilterChain chain) throws IOException, ServletException { // 转化为org.springframework.security.web.firewall.FirewalledRequest // reject potentially dangerous requests and/or wrap them to control their behaviour. FirewalledRequest firewallRequest = this.firewall.getFirewalledRequest((HttpServletRequest) request); HttpServletResponse firewallResponse = this.firewall.getFirewalledResponse((HttpServletResponse) response); // #getFilters会在所有SecurityFilterChain中进行匹配 List<Filter> filters = getFilters(firewallRequest); ... // 转化为 VirtualFilterChain // VirtualFilterChain是FilterChainProxy内部静态类 VirtualFilterChain virtualFilterChain = new VirtualFilterChain(firewallRequest, chain, filters); // 开启 SecurityFilterChain中所有filter过程 virtualFilterChain.doFilter(firewallRequest, firewallResponse); } private List<Filter> getFilters(HttpServletRequest request) { for (SecurityFilterChain chain : this.filterChains) { // 返回第一个符合规则的SecurityFilterChain if (chain.matches(request)) { return chain.getFilters(); } } return null; } /** * 执行额外的 filters,控制filters执行过程 * Internal {@code FilterChain} implementation that is used to pass a request through * the additional internal list of filters which match the request. */ private static final class VirtualFilterChain implements FilterChain { ... private final FilterChain originalChain; private final List<Filter> additionalFilters; private final FirewalledRequest firewalledRequest; // 该SecurityFilterChain中所有filter的数量 private final int size; // 当前filter的位置 private int currentPosition = 0; ... @Override public void doFilter(ServletRequest request, ServletResponse response) throws IOException, ServletException { if (this.currentPosition == this.size) { // 执行完毕 // Deactivate path stripping as we exit the security filter chain this.firewalledRequest.reset(); this.originalChain.doFilter(request, response); return; } // 继续执行filterChain中下一个filter this.currentPosition++; Filter nextFilter = this.additionalFilters.get(this.currentPosition - 1); nextFilter.doFilter(request, response, this); } ... } ... }
按顺序排序,Spring Security内置了以下Filter:
ForceEagerSessionCreationFilter
ChannelProcessingFilter
WebAsyncManagerIntegrationFilter
SecurityContextPersistenceFilter
HeaderWriterFilter
CorsFilter
CsrfFilter
LogoutFilter
OAuth3AuthorizationRequestRedirectFilter
Saml2WebSsoAuthenticationRequestFilter
X509AuthenticationFilter
AbstractPreAuthenticatedProcessingFilter
CasAuthenticationFilter
OAuth3LoginAuthenticationFilter
Saml2WebSsoAuthenticationFilter
UsernamePasswordAuthenticationFilter
DefaultLoginPageGeneratingFilter
DefaultLogoutPageGeneratingFilter
ConcurrentSessionFilter
DigestAuthenticationFilter
BearerTokenAuthenticationFilter
BasicAuthenticationFilter
RequestCacheAwareFilter
SecurityContextHolderAwareRequestFilter
JaasApiIntegrationFilter
RememberMeAuthenticationFilter
AnonymousAuthenticationFilter
OAuth3AuthorizationCodeGrantFilter
SessionManagementFilter
ExceptionTranslationFilter : allows translation of AccessDeniedException and
AuthenticationException into HTTP responses
FilterSecurityInterceptor (新版本由 AuthorizationFilter 取代,该Interceptor即是做鉴权的)
SwitchUserFilter
关于“Spring Security基本架构与初始化操作流程是什么”的内容就介绍到这里了,感谢大家的阅读。如果想了解更多行业相关的知识,可以关注亿速云行业资讯频道,小编每天都会为大家更新不同的知识点。
免责声明:本站发布的内容(图片、视频和文字)以原创、转载和分享为主,文章观点不代表本网站立场,如果涉及侵权请联系站长邮箱:is@yisu.com进行举报,并提供相关证据,一经查实,将立刻删除涉嫌侵权内容。