spring security加载原理（基于springboot）

一、基本架构

二、自动配置原理

依据 Spring Boot 自动配置原理，其会自动加载spring-boot-autoconfigure.jar中/META-INF/spring.factories内键值org.springframework.boot.autoconfigure.EnableAutoConfiguration指定的自动配置类。查看该文件，可以看到，与 Spring Security 相关的自动配置类有如下几个：

org.springframework.boot.autoconfigure.security.servlet.SecurityAutoConfiguration,                                      \
org.springframework.boot.autoconfigure.security.servlet.UserDetailsServiceAutoConfiguration,                            \
org.springframework.boot.autoconfigure.security.servlet.SecurityFilterAutoConfiguration,                                \
org.springframework.boot.autoconfigure.security.reactive.ReactiveSecurityAutoConfiguration,                             \
org.springframework.boot.autoconfigure.security.reactive.ReactiveUserDetailsServiceAutoConfiguration,                   \
org.springframework.boot.autoconfigure.security.rsocket.RSocketSecurityAutoConfiguration,                               \
org.springframework.boot.autoconfigure.security.saml2.Saml2RelyingPartyAutoConfiguration,                               \
org.springframework.boot.autoconfigure.security.oauth2.client.servlet.OAuth2ClientAutoConfiguration,                    \
org.springframework.boot.autoconfigure.security.oauth2.client.reactive.ReactiveOAuth2ClientAutoConfiguration,           \
org.springframework.boot.autoconfigure.security.oauth2.resource.servlet.OAuth2ResourceServerAutoConfiguration,          \
org.springframework.boot.autoconfigure.security.oauth2.resource.reactive.ReactiveOAuth2ResourceServerAutoConfiguration, \

每个配置类都为 Spring Security 注入不同的 Bean 到 Spring容器中。这里我们着重介绍一下SecurityFilterAutoConfiguration和SecurityAutoConfiguration配置类，因为这两个配置类会自动装配DelegatingFilterProxy和FilterChainProxy到 Spring容器中。

三、自动装配FilterChainProxy

下面介绍下配置类SecurityAutoConfiguration，具体如下：

@Configuration(proxyBeanMethods = false)
@ConditionalOnClass(DefaultAuthenticationEventPublisher.class)
@EnableConfigurationProperties(SecurityProperties.class)
@Import({ SpringBootWebSecurityConfiguration.class, WebSecurityEnablerConfiguration.class,SecurityDataConfiguration.class })
public class SecurityAutoConfiguration {@Bean@ConditionalOnMissingBean(AuthenticationEventPublisher.class)public DefaultAuthenticationEventPublisher authenticationEventPublisher(ApplicationEventPublisher publisher) {return new DefaultAuthenticationEventPublisher(publisher);}
}

可以看到：
SecurityAutoConfiguration导入了3个配置类

WebSecurityEnablerConfiguration。

查看WebSecurityEnablerConfiguration配置类，其源码如下：

@Configuration(proxyBeanMethods = false)
@ConditionalOnMissingBean(name = "springSecurityFilterChain")
@ConditionalOnClass(EnableWebSecurity.class)
@ConditionalOnWebApplication(type = ConditionalOnWebApplication.Type.SERVLET)
@EnableWebSecurity
class WebSecurityEnablerConfiguration {}

当 Spring容器中没有名称为springSecurityFilterChain的 Bean 等条件时，就会加载该配置类，此时@EnableWebSecurity注解生效：

@Retention(RetentionPolicy.RUNTIME)
@Target(ElementType.TYPE)
@Documented
@Import({ WebSecurityConfiguration.class, SpringWebMvcImportSelector.class, OAuth2ImportSelector.class,HttpSecurityConfiguration.class })
@EnableGlobalAuthentication
@Configuration
public @interface EnableWebSecurity {boolean debug() default false;
}

SpringWebMvcImportSelector的作用是判断当前的环境是否包含springmvc，因为springsecurity可以在非spring环境下使用，为了避免DispatcherServlet的重复配置，所以使用了这个注解来区分。

WebSecurityConfiguration顾名思义，是用来配置web安全的，下面的小节会详细介绍。

OAuth2ImportSelector:该类是为了对 OAuth2.0 开放授权协议进行支持。ClientRegistration 如果被引用，具体点也就是 spring-security-oauth2 模块被启用（引入依赖jar）时。会启用 OAuth2 客户端配置 OAuth2ClientConfiguration

HttpSecurityConfiguration会通过@Autowired去获取容器中的一个AuthenticationManager实例，如果没能获取到则使用依赖注入的AuthenticationConfiguration实例创建一个AuthenticationManager实例，这个实例其实就是ProviderManager。

注解@EnableWebSecurity又导入了4个配置类，这里着重看下

WebSecurityConfiguration：

@Configuration(proxyBeanMethods = false)
public class WebSecurityConfiguration implements ImportAware, BeanClassLoaderAware {.../*** Creates the Spring Security Filter Chain* @return the {@link Filter} that represents the security filter chain* @throws Exception*/@Bean(name = "springSecurityFilterChain")public Filter springSecurityFilterChain() throws Exception {...return this.webSecurity.build();}...
}

可以看到：

WebSecurityConfiguration#springSecurityFilterChain()最终生成了一个名称为springSecurityFilterChain的Bean 实体，该 Bean 的实际类型其实为FilterChainProxy，是由WebSecurity#build()方法创建的。

综上，SecurityAutoConfiguration配置类生成了很多 Bean 实体，其中最重要的一个是名称为springSecurityFilterChain的FilterChainProxy对象。

注意：WebSecurityEnablerConfiguration 目的仅仅就是在某些条件下激活 @EnableWebSecurity 注解

SpringBootWebSecurityConfiguration

@Configuration(proxyBeanMethods = false)
@ConditionalOnDefaultWebSecurity
@ConditionalOnWebApplication(type = Type.SERVLET)
class SpringBootWebSecurityConfiguration {@Bean@Order(SecurityProperties.BASIC_AUTH_ORDER)SecurityFilterChain defaultSecurityFilterChain(HttpSecurity http) throws Exception {//开启所有请求的权限认证（要求表单认证或者httpbasic认证）http.authorizeRequests().anyRequest().authenticated().and().formLogin().and().httpBasic();return http.build();}
}

再看一下@ConditionalOnDefaultWebSecurity

@Target({ElementType.TYPE, ElementType.METHOD})
@Retention(RetentionPolicy.RUNTIME)
@Documented
@Conditional({DefaultWebSecurityCondition.class})
public @interface ConditionalOnDefaultWebSecurity {}

class DefaultWebSecurityCondition extends AllNestedConditions {DefaultWebSecurityCondition() {super(ConfigurationPhase.REGISTER_BEAN);}@ConditionalOnMissingBean({WebSecurityConfigurerAdapter.class, SecurityFilterChain.class})static class Beans {Beans() {}}@ConditionalOnClass({SecurityFilterChain.class, HttpSecurity.class})static class Classes {Classes() {}}
}

可以看到，当：

条件一 classpath中存在 SecurityFilterChain.class, HttpSecurity.class

条件二 没有自定义 WebSecurityConfigurerAdapter.class, SecurityFilterChain.class

就会引入默认的DefaultWebSecurityCondition。

四、自动装配DelegatingFilterProxy

下面介绍下配置类SecurityFilterAutoConfiguration，其源码如下所示：

@Configuration(proxyBeanMethods = false)
@ConditionalOnWebApplication(type = Type.SERVLET)
@EnableConfigurationProperties({SecurityProperties.class})
@ConditionalOnClass({AbstractSecurityWebApplicationInitializer.class, SessionCreationPolicy.class})
@AutoConfigureAfter({SecurityAutoConfiguration.class})
public class SecurityFilterAutoConfiguration {private static final String DEFAULT_FILTER_NAME = "springSecurityFilterChain";public SecurityFilterAutoConfiguration() {}@Bean@ConditionalOnBean(name = {"springSecurityFilterChain"})public DelegatingFilterProxyRegistrationBean securityFilterChainRegistration(SecurityProperties securityProperties) {DelegatingFilterProxyRegistrationBean registration = new DelegatingFilterProxyRegistrationBean("springSecurityFilterChain", new ServletRegistrationBean[0]);registration.setOrder(securityProperties.getFilter().getOrder());registration.setDispatcherTypes(this.getDispatcherTypes(securityProperties));return registration;}private EnumSet<DispatcherType> getDispatcherTypes(SecurityProperties securityProperties) {return securityProperties.getFilter().getDispatcherTypes() == null ? null : (EnumSet)securityProperties.getFilter().getDispatcherTypes().stream().map((type) -> {return DispatcherType.valueOf(type.name());}).collect(Collectors.toCollection(() -> {return EnumSet.noneOf(DispatcherType.class);}));}
}

可以看到，要加载SecurityFilterAutoConfiguration前，必须先加载配置类SecurityAutoConfiguration，该配置类前面已经详细介绍了，主要功能就是注入了一个名称为springSecurityFilterChain的 Bean，因此，此时SecurityFilterAutoConfiguration#securityFilterChainRegistration就会生效，最终生成一个DelegatingFilterProxyRegistrationBean实体。DelegatingFilterProxyRegistrationBean实现了ServletContextInitializer接口，当系统执行ServletWebServerApplicationContext.selfInitialize()进行初始化时，会依次调用到：

RegistrationBean.onStartup() --> DynamicRegistrationBean.register()
–> AbstractFilterRegistrationBean.addRegistration()

其中，AbstractFilterRegistrationBean#addRegistration()源码如下：

protected Dynamic addRegistration(String description, ServletContext servletContext) {Filter filter = this.getFilter();return servletContext.addFilter(this.getOrDeduceName(filter), filter);
}

this.getFilter()实际调用的是DelegatingFilterProxyRegistrationBean#getFilter()方法，其内部会创建一个DelegatingFilterProxy实例并返回，源码如下：

public DelegatingFilterProxy getFilter() {return new DelegatingFilterProxy(this.targetBeanName, this.getWebApplicationContext()) {protected void initFilterBean() throws ServletException {}};
}

因此，AbstractFilterRegistrationBean#addRegistration()最终就是通过ServletContext#addFilter将一个DelegatingFilterProxy实例注入到 Servlet 的FilterChain中。

DelegatingFilterProxy和SecurityFilterChain的关系

请求进来经由 DelegatingFilterProxy 可以分发到不同的SecurityFilterChain进行授权验证

示意图，当DelegatingFilterProxy注入到FileterChain后，就可以拦截每一个请求，对其做出认证和授权了

五、默认加载的Filter

1. WebAsyncManagerIntegrationFilter 支持集成Spring的异步调用
2. SecurityContextPersistenceFilter 从Session中获取SecurityContext,没有则新建，最终放入SecurityContextHolder中。
3. HeaderWriterFilter 往响应对象response中写入Header属性(Like X-Frame-Options, X-XSS-Protection and X- Content-Type-Options)
4. CsrfFilter csrf校验
5. LogoutFilter 默认拦截[POST]/logout 处理登出逻辑
6. UsernamePasswordAuthenticationFilter 默认拦截[POST]/login 处理登录认证逻辑6.1 第一步 封装Authentication（从request中获取认证信息封装为UsernamePasswordAuthenticationToken）6.2 第二步 获取AuthenticationManager实例[ProviderManager]6.3 第三步 ProviderManager基于委托者模式通过AuthenticationProvider列表完成认证6.4 第四步 认证通过后，将Authentication放入SecurityContextHolder的SecurityContext中。
7. DefaultLoginPageGeneratingFilter 默认拦截[GET]/login 生成登录页面
8. DefaultLogoutPageGeneratingFilter 默认拦截[POST]/login 生成登出页面
9. BasicAuthenticationFilter 认证Basic [Authorization: Basic QWxhZGRpbjpvcGVuIHNlc2FtZQ==]
10. RequestCacheAwareFilter 用于用户登录成功后，重新恢复因为登录被打断的请求
11. SecurityContextHolderAwareRequestFilter 包装request实现servlet api的一些接口方法isUserInRole、getRemoteUser
12. AnonymousAuthenticationFilter 匿名用户认证、信息填充
13. SessionManagementFilter Session管理
14. ExceptionTranslationFilter 异常处理
15. FilterSecurityInterceptor 权限校验、未登录拦截、无权限拦截