Spring Security Source Code Analysis (3): HttpSecurity
Contents
SecurityConfigurerAdapter
AbstractHttpConfigurer
AnonymousConfigurer
AbstractAuthenticationFilterConfigurer
FormLoginConfigurer
HttpBasicConfigurer
AbstractInterceptUrlConfigurer
HttpSecurity's performBuild() method constructs a DefaultSecurityFilterChain, which must be given the list of filters.

    private List<Filter> filters = new ArrayList<>();

    @Override
    protected DefaultSecurityFilterChain performBuild() {
        // Sort the collected filters by their registered order, then build the chain
        filters.sort(comparator);
        return new DefaultSecurityFilterChain(requestMatcher, filters);
    }

Filters are added to the filters list through the addFilter() method.

    public HttpSecurity addFilter(Filter filter) {
        Class<? extends Filter> filterClass = filter.getClass();
        // Only filter classes with a registered order may be added directly
        if (!comparator.isRegistered(filterClass)) {
            throw new IllegalArgumentException(
                    "The Filter class "
                            + filterClass.getName()
                            + " does not have a registered order and cannot be added without a specified order. Consider using addFilterBefore or addFilterAfter instead.");
        }
        this.filters.add(filter);
        return this;
    }

The order of a filter can also be controlled.

    H addFilterAfter(Filter filter, Class<? extends Filter> afterFilter);

    H addFilterBefore(Filter filter, Class<? extends Filter> beforeFilter);
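The following is an added example, not code from Spring Security or from the original article. It registers a custom filter class that has no registered order, so it must go through addFilterBefore(), and then checks the built chain so that a misplaced filter fails at startup. It assumes Spring Security 6.x (jakarta.servlet); RequestIdFilter, the X-Request-Id header and requireOrder() are hypothetical names.

```java
import java.io.IOException;
import java.util.List;
import java.util.UUID;
import jakarta.servlet.*;
import jakarta.servlet.http.*;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.Customizer;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.web.SecurityFilterChain;
import org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter;
import org.springframework.web.filter.OncePerRequestFilter;

// Added example (not Spring Security source); assumes Spring Security 6.x.
@Configuration
public class FilterOrderConfig {
    /** Hypothetical filter: its class has no registered order in HttpSecurity. */
    static class RequestIdFilter extends OncePerRequestFilter {
        @Override
        protected void doFilterInternal(HttpServletRequest req, HttpServletResponse res,
                FilterChain chain) throws ServletException, IOException {
            res.setHeader("X-Request-Id", UUID.randomUUID().toString());
            chain.doFilter(req, res);
        }
    }

    @Bean
    SecurityFilterChain appChain(HttpSecurity http) throws Exception {
        // http.addFilter(new RequestIdFilter()) would throw IllegalArgumentException here.
        http.addFilterBefore(new RequestIdFilter(), UsernamePasswordAuthenticationFilter.class)
            .authorizeHttpRequests(auth -> auth.anyRequest().authenticated())
            .formLogin(Customizer.withDefaults());
        SecurityFilterChain chain = http.build(); // performBuild() sorts the filters
        requireOrder(chain.getFilters(), RequestIdFilter.class,
                UsernamePasswordAuthenticationFilter.class);
        return chain;
    }

    /** Fails startup if 'first' is missing or does not precede 'second' in the chain. */
    static void requireOrder(List<Filter> filters, Class<?> first, Class<?> second) {
        int i = -1, j = -1;
        for (int k = 0; k < filters.size(); k++) {
            if (first.isInstance(filters.get(k))) i = k;
            if (second.isInstance(filters.get(k))) j = k;
        }
        if (i < 0 || j < 0 || i >= j) throw new IllegalStateException("Unexpected filter order: " + filters);
    }
}
```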
HttpSecurity exposes a number of methods that add different filters, for example formLogin():

    public FormLoginConfigurer<HttpSecurity> formLogin() throws Exception {
        return getOrApply(new FormLoginConfigurer<>());
    }

    private <C extends SecurityConfigurerAdapter<DefaultSecurityFilterChain, HttpSecurity>> C getOrApply(C configurer)
            throws Exception {
        // Reuse the configurer of this type if one is already registered
        C existingConfig = (C) getConfigurer(configurer.getClass());
        if (existingConfig != null) {
            return existingConfig;
        }
        return apply(configurer);
    }

    public <C extends SecurityConfigurerAdapter<O, B>> C apply(C configurer) throws Exception {
        configurer.addObjectPostProcessor(objectPostProcessor);
        configurer.setBuilder((B) this);
        add(configurer);
        return configurer;
    }

Another example: logout

    public HttpSecurity logout(Customizer<LogoutConfigurer<HttpSecurity>> logoutCustomizer) throws Exception {
        logoutCustomizer.customize(getOrApply(new LogoutConfigurer<>()));
        return HttpSecurity.this;
    }

    @FunctionalInterface
    public interface Customizer<T> {
        void customize(T t);

        // A Customizer that leaves the configurer's defaults unchanged
        static <T> Customizer<T> withDefaults() {
            return t -> {};
        }
    }
SecurityConfigurerAdapter
HttpSecurity adds configuration through the apply(SecurityConfigurerAdapter) method. The inheritance structure of SecurityConfigurerAdapter is as follows:

    public abstract class SecurityConfigurerAdapter<O, B extends SecurityBuilder<O>>
            implements SecurityConfigurer<O, B> {
        private B securityBuilder;
        private CompositeObjectPostProcessor objectPostProcessor = new CompositeObjectPostProcessor();

        // Initialization
        public void init(B builder) throws Exception {}

        // Configuration
        public void configure(B builder) throws Exception {}

        // Configuration finished; return to the builder
        public B and() {
            return getBuilder();
        }

        protected final B getBuilder() {
            if (securityBuilder == null) {
                throw new IllegalStateException("securityBuilder cannot be null");
            }
            return securityBuilder;
        }
    }
AbstractHttpConfigurer
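Provides the disable capability.

    public B disable() {
        // Remove this configurer from the builder so it contributes nothing to the chain
        getBuilder().removeConfigurer(getClass());
        return getBuilder();
    }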
AnonymousConfigurer
Anonymous access control.
Filter: AnonymousAuthenticationFilter
AuthenticationProvider: AnonymousAuthenticationProvider.

    private AuthenticationProvider authenticationProvider;
    private AnonymousAuthenticationFilter authenticationFilter;
    private Object principal = "anonymousUser";
    private List<GrantedAuthority> authorities = AuthorityUtils.createAuthorityList("ROLE_ANONYMOUS");
AbstractAuthenticationFilterConfigurer
Authentication filter. Default loginPage: login.
Requires an AuthenticationDetailsSource.

    private F authFilter;
    private AuthenticationDetailsSource<HttpServletRequest, ?> authenticationDetailsSource;
    private SavedRequestAwareAuthenticationSuccessHandler defaultSuccessHandler = new SavedRequestAwareAuthenticationSuccessHandler();
    private AuthenticationSuccessHandler successHandler = this.defaultSuccessHandler;
    private LoginUrlAuthenticationEntryPoint authenticationEntryPoint;
    private boolean customLoginPage;
    private String loginPage;
    private String loginProcessingUrl;
    private AuthenticationFailureHandler failureHandler;
    private boolean permitAll;
    private String failureUrl;

    protected AbstractAuthenticationFilterConfigurer() {
        setLoginPage("/login");
    }

Building the filter.
It sets: AuthenticationManager, AuthenticationSuccessHandler, AuthenticationFailureHandler, AuthenticationDetailsSource, SessionAuthenticationStrategy, RememberMeServices.

    public void configure(B http) throws Exception {
        PortMapper portMapper = http.getSharedObject(PortMapper.class);
        if (portMapper != null) {
            authenticationEntryPoint.setPortMapper(portMapper);
        }
        RequestCache requestCache = http.getSharedObject(RequestCache.class);
        if (requestCache != null) {
            this.defaultSuccessHandler.setRequestCache(requestCache);
        }
        authFilter.setAuthenticationManager(http.getSharedObject(AuthenticationManager.class));
        authFilter.setAuthenticationSuccessHandler(successHandler);
        authFilter.setAuthenticationFailureHandler(failureHandler);
        if (authenticationDetailsSource != null) {
            authFilter.setAuthenticationDetailsSource(authenticationDetailsSource);
        }
        SessionAuthenticationStrategy sessionAuthenticationStrategy = http.getSharedObject(SessionAuthenticationStrategy.class);
        if (sessionAuthenticationStrategy != null) {
            authFilter.setSessionAuthenticationStrategy(sessionAuthenticationStrategy);
        }
        RememberMeServices rememberMeServices = http.getSharedObject(RememberMeServices.class);
        if (rememberMeServices != null) {
            authFilter.setRememberMeServices(rememberMeServices);
        }
        // Post-process the configured filter and register it with the builder
        F filter = postProcess(authFilter);
        http.addFilter(filter);
    }
FormLoginConfigurer
Form login.
Filter: UsernamePasswordAuthenticationFilter
AuthenticationProvider: AnonymousAuthenticationProvider.

    public final class FormLoginConfigurer<H extends HttpSecurityBuilder<H>> extends
            AbstractAuthenticationFilterConfigurer<H, FormLoginConfigurer<H>, UsernamePasswordAuthenticationFilter> {

        /**
         * Creates a new instance
         * @see HttpSecurity#formLogin()
         */
        public FormLoginConfigurer() {
            super(new UsernamePasswordAuthenticationFilter(), null);
            usernameParameter("username");
            passwordParameter("password");
        }
    }
HttpBasicConfigurer
HTTP Basic authentication.
Filter: BasicAuthenticationFilter
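The configurers described in the sections above, used together in one chain definition. This is an added example, not code from Spring Security or from the original article; it shows getOrApply() reusing a configurer, the Customizer style used by logout(), overriding the AnonymousConfigurer defaults, and disable(). It assumes Spring Security 6.x; the /signin and /signout URLs, the "email" parameter and the guest names are hypothetical.

```java
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configurers.AbstractHttpConfigurer;
import org.springframework.security.web.SecurityFilterChain;

// Added example (not Spring Security source); assumes Spring Security 6.x.
// The URLs and parameter names below are hypothetical.
@Configuration
public class ConfigurerDslExample {

    @Bean
    SecurityFilterChain appChain(HttpSecurity http) throws Exception {
        http
            .authorizeHttpRequests(auth -> auth.anyRequest().authenticated())
            // First call: getOrApply() registers a new FormLoginConfigurer, whose
            // constructor defaults are "/login", "username" and "password".
            .formLogin(form -> form
                .loginPage("/signin")
                .loginProcessingUrl("/signin")
                .failureUrl("/signin?error")
                .permitAll())
            // Second call: getOrApply() finds the configurer registered above and
            // returns it, so this adjusts the same instance instead of adding a filter.
            .formLogin(form -> form.usernameParameter("email"))
            // The Customizer receives the LogoutConfigurer obtained through getOrApply().
            .logout(logout -> logout
                .logoutUrl("/signout")
                .invalidateHttpSession(true)
                .deleteCookies("JSESSIONID"))
            // Override the AnonymousConfigurer defaults ("anonymousUser", ROLE_ANONYMOUS).
            .anonymous(anon -> anon.principal("guest").authorities("ROLE_GUEST"))
            // disable() removes the configurer, so no BasicAuthenticationFilter is built.
            .httpBasic(AbstractHttpConfigurer::disable);
        return http.build();
    }
}
```

A custom loginPage means the application must serve GET /signin itself, since the default login page is only generated when no custom page is set.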
AbstractInterceptUrlConfigurer
Filter: AccessDecisionManager