Spring Security 啟動過程分析

準(zhǔn)備環(huán)境

本文以oauth2+github登錄為例,首先創(chuàng)建一個Spring Boot工程,版本為2.1.0.RELEASE,工程目錄結(jié)構(gòu)如下圖:

image.png

pom.xml如下:

<dependency>
    <groupId>org.springframework.boot</groupId>
    <artifactId>spring-boot-starter-security</artifactId>
</dependency>
<dependency>
    <groupId>org.springframework.security</groupId>
    <artifactId>spring-security-oauth2-client</artifactId>
    <version>5.1.2.RELEASE</version>
</dependency>
<dependency>
    <groupId>org.springframework.boot</groupId>
    <artifactId>spring-boot-starter-web</artifactId>
</dependency>
<dependency>
    <groupId>org.springframework.boot</groupId>
    <artifactId>spring-boot-starter-test</artifactId>
    <scope>test</scope>
</dependency>

啟動類SecurityApplication.java

/**
 * @author iHelin
 */
@RestController
@SpringBootApplication
public class SecurityApplication {

    public static void main(String[] args) {
        SpringApplication.run(SecurityApplication.class, args);
    }

    @GetMapping({"/", "/user"})
    public Object get() {
        OAuth2AuthenticationToken authentication = (OAuth2AuthenticationToken) SecurityContextHolder.getContext().getAuthentication();
        OAuth2User principal = authentication.getPrincipal();
        return principal.getAttributes();
    }

}

SercurityConfig.java

/**
 * @author iHelin
 * @date 2018-11-30 15:47
 */
@EnableWebSecurity(debug = true)
public class SercurityConfig extends WebSecurityConfigurerAdapter {

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http.csrf().disable()
                .authorizeRequests().anyRequest().authenticated().and()
                .oauth2Login();
    }

}

配置文件application.properties

server.port=8080
logging.level.org.springframework.security=debug
logging.level.org.springframework.boot.autoconfigure.security=debug
spring.security.oauth2.client.registration.github.client-id=xxxxxx
spring.security.oauth2.client.registration.github.client-secret=xxxxxx

@EnableWebSecurity開始說起

SercurityConfig是一個配置類,它繼承了WebSecurityConfigurerAdapter,并標(biāo)明了@EnableWebSecurity(debug = true)注解,查看這個注解發(fā)現(xiàn),里面又導(dǎo)入(import)了WebSecurityConfiguration.class這個配置類,如下圖:

image.png

WebSecurityConfiguration是一個自動配置類,它的主要作用創(chuàng)建過濾器鏈(securityFilterChains)并完成安全配置工作,而這一系列過程主要是通過webSecurity完成的。
系統(tǒng)啟動時Spring上下文會首先調(diào)用它setFilterChainProxySecurityConfigurer方法進行webSecurity的初始化,這一步通過反射完成(當(dāng)然,這不是我們的重點)。然后再調(diào)用springSecurityFilterChain進行webSecurity的配置,具體步驟如下:
首先進入springSecurityFilterChain方法
image.png

接著調(diào)用org.springframework.security.config.annotation.AbstractSecurityBuilder#build方法

public final O build() throws Exception {
    if (this.building.compareAndSet(false, true)) {
        this.object = doBuild();
        return this.object;
    }
    throw new AlreadyBuiltException("This object has already been built");
}

cas操作進入if語句,進入關(guān)鍵的org.springframework.security.config.annotation.AbstractConfiguredSecurityBuilder#doBuild方法

@Override
protected final O doBuild() throws Exception {
    synchronized(configurers) {
        buildState = BuildState.INITIALIZING;
        beforeInit();
        init();
        buildState = BuildState.CONFIGURING;
        beforeConfigure();
        configure();
        buildState = BuildState.BUILDING;
        O result = performBuild();
        buildState = BuildState.BUILT;
        return result;
    }
}

里面是一個同步的代碼塊,不過這也不是重點,核心在initperformBuild方法,注意,到現(xiàn)在我們的主語還是webSecurity。首先來看看init方法:

private void init() throws Exception {
    Collection < SecurityConfigurer < O, B >> configurers = getConfigurers();
    for (SecurityConfigurer < O, B > configurer: configurers) {
        configurer.init((B) this);
    }
    for (SecurityConfigurer < O, B > configurer: configurersAddedInInitializing) {
        configurer.init((B) this);
    }
}

這里主要看第一個for循環(huán),里面會進行一些配置的初始化,其中會有一個我們繼承的WebSecurityConfigurerAdapter的代理,其實也就是我們自己定義的安全配置類SercurityConfig,調(diào)用其init方法:

public void init(final WebSecurity web) throws Exception {
    final HttpSecurity http = getHttp();
    web.addSecurityFilterChainBuilder(http).postBuildAction(new Runnable() {
        public void run() {
            FilterSecurityInterceptor securityInterceptor = http.getSharedObject(FilterSecurityInterceptor.class);
            web.securityInterceptor(securityInterceptor);
        }
    });
}

看下getHttp

protected final HttpSecurity getHttp() throws Exception {
    ...
    if (!disableDefaults) {
        // @formatter:off
        http.csrf().and().addFilter(new WebAsyncManagerIntegrationFilter()).exceptionHandling().and().headers().and().sessionManagement().and().securityContext().and().requestCache().and().anonymous().and().servletApi().and().apply(new DefaultLoginPageConfigurer < > ()).and().logout();
        // @formatter:on
        ...
    }
    configure(http);
    return http;
}

里面首先進行默認(rèn)的配置,這里添加了一個Filter:WebAsyncManagerIntegrationFilter,繼續(xù)向下執(zhí)行,會執(zhí)行configure方法,它是一個模板方法,也就是這里會執(zhí)行我們配置類里面覆蓋的configure方法,這里就完成了httpSecurity的初始化。
以上步驟都只是webSecurityinit操作,也就是創(chuàng)建了許多的配置器,接下來進入webSecurityperformBuild方法使配置生效,具體過程是調(diào)用httpSecurityconfig方法,里面會調(diào)用上面創(chuàng)建的眾多配置器的configure方法,其目的是向過濾器鏈添加各種Filter,最后還會調(diào)用performBuild方法對過濾器進行排序,創(chuàng)建DefaultSecurityFilterChain過濾器鏈,這里以ExceptionHandlingConfigurer為例。

public void configure(H http) throws Exception {
    AuthenticationEntryPoint entryPoint = getAuthenticationEntryPoint(http);
    ExceptionTranslationFilter exceptionTranslationFilter = new ExceptionTranslationFilter(entryPoint, getRequestCache(http));
    AccessDeniedHandler deniedHandler = getAccessDeniedHandler(http);
    exceptionTranslationFilter.setAccessDeniedHandler(deniedHandler);
    exceptionTranslationFilter = postProcess(exceptionTranslationFilter);
    http.addFilter(exceptionTranslationFilter);
}

關(guān)鍵看最后的addFilter方法

public HttpSecurity addFilter(Filter filter) {
    Class <? extends Filter > filterClass = filter.getClass();
    if (!comparator.isRegistered(filterClass)) {
        throw new IllegalArgumentException("The Filter class " + filterClass.getName() + " does not have a registered order and cannot be added without a specified order. Consider using addFilterBefore or addFilterAfter instead.");
    }
    this.filters.add(filter);
    return this;
}

最終向httpSecurity對象的filters中添加filter。
然后再調(diào)用httpSecurityperformBuild方法對filters進行排序:

protected DefaultSecurityFilterChain performBuild() throws Exception {
    Collections.sort(filters, comparator);
    return new DefaultSecurityFilterChain(requestMatcher, filters);
}

最后返回了一個DefaultSecurityFilterChain對象,至此http的配置宣告完成。再回到webSecurityperformBuild方法,它根據(jù)httpSecurity返回的securityFilterChain創(chuàng)建了一個securityFilterChains。

protected Filter performBuild() throws Exception {
    ...
    for (RequestMatcher ignoredRequest: ignoredRequests) {
        securityFilterChains.add(new DefaultSecurityFilterChain(ignoredRequest));
    }
    for (SecurityBuilder <? extends SecurityFilterChain > securityFilterChainBuilder: securityFilterChainBuilders) {
        securityFilterChains.add(securityFilterChainBuilder.build());
    }
    FilterChainProxy filterChainProxy = new FilterChainProxy(securityFilterChains);
    ...
    Filter result = filterChainProxy;
    ...
    return result;
}

可以看到filterChainProxy本質(zhì)上也是一個filter,它最終返回給容器。這樣webSecurity的配置也基本完成。

以上。

最后編輯于
?著作權(quán)歸作者所有,轉(zhuǎn)載或內(nèi)容合作請聯(lián)系作者
【社區(qū)內(nèi)容提示】社區(qū)部分內(nèi)容疑似由AI輔助生成,瀏覽時請結(jié)合常識與多方信息審慎甄別。
平臺聲明:文章內(nèi)容(如有圖片或視頻亦包括在內(nèi))由作者上傳并發(fā)布,文章內(nèi)容僅代表作者本人觀點,簡書系信息發(fā)布平臺,僅提供信息存儲服務(wù)。

相關(guān)閱讀更多精彩內(nèi)容

友情鏈接更多精彩內(nèi)容