Spring Security常用過濾器例項解析
Spring Security常見的15個攔截器
1 . org.springframework.security.web.context.SecurityContextPersistenceFilter
首當其衝的一個過濾器,作用之重要,自不必多言。
- SecurityContextPersistenceFilter主要是使用SecurityContextRepository在session中儲存或更新一個
- SecurityContext,並將SecurityContext給以後的過濾器使用,來為後續filter建立所需的上下文。
- SecurityContext中儲存了當前使用者的認證以及許可權資訊。
2 . org.springframework.security.web.context.request.async.WebAsyncManagerIntegrationFilter
此過濾器用於整合SecurityContext到Spring非同步執行機制中的WebAsyncManager
3 . org.springframework.security.web.header.HeaderWriterFilter
向請求的Header中新增相應的資訊,可在http標籤內部使用security:headers來控制
4 . org.springframework.security.web.csrf.CsrfFilter
csrf又稱跨域請求偽造,SpringSecurity會對所有post請求驗證是否包含系統生成的csrf的token資訊,
如果不包含,則報錯。起到防止csrf攻擊的效果。
5. org.springframework.security.web.authentication.logout.LogoutFilter
匹配 URL為/logout的請求,實現使用者退出,清除認證資訊。
6 . org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter
認證操作全靠這個過濾器,預設匹配URL為/login且必須為POST請求。
7 . org.springframework.security.web.authentication.ui.DefaultLoginPageGeneratingFilter
如果沒有在配置檔案中指定認證頁面,則由該過濾器生成一個預設認證頁面。
8 . org.springframework.security.web.authentication.ui.DefaultLogoutPageGeneratingFilter
由此過濾器可以生產一個預設的退出登入頁面
9 . org.springframework.security.web.authentication.www.BasicAuthenticationFilter
此過濾器會自動解析HTTP請求中頭部名字為Authentication,且以Basic開頭的頭資訊。
10 . org.springframework.security.web.savedrequest.RequestCacheAwareFilter
通過HttpSessionRequestCache內部維護了一個RequestCache,用於快取HttpServletRequest
11 . org.springframework.security.web.servletapi.SecurityContextHolderAwareRequestFilter
針對ServletRequest進行了一次包裝,使得request具有更加豐富的API
12 . org.springframework.security.web.authentication.AnonymousAuthenticationFilter
當SecurityContextHolder中認證資訊為空,則會建立一個匿名使用者存入到SecurityContextHolder中。
spring security為了相容未登入的訪問,也走了一套認證流程,只不過是一個匿名的身份。
13 . org.springframework.security.web.session.SessionManagementFilter
SecurityContextRepository限制同一使用者開啟多個會話的數量
14 . org.springframework.security.web.access.ExceptionTranslationFilter
異常轉換過濾器位於整個springSecurityFilterChain的後方,用來轉換整個鏈路中出現的異常
15 . org.springframework.security.web.access.intercept.FilterSecurityInterceptor
獲取所配置資源訪問的授權資訊,根據SecurityContextHolder中儲存的使用者資訊來決定其是否有許可權。
那麼,是不是spring security一共就這麼多過濾器呢?答案是否定的!隨著spring-security.xml配置的新增,還
會出現新的過濾器。
那麼,是不是spring security每次都會載入這些過濾器呢?答案也是否定的!隨著spring-security.xml配置的修
改,有些過濾器可能會被去掉。
spring security 過濾器鏈載入原理
public class DelegatingFilterProxy extends GenericFilterBean { @Nullable private String contextAttribute; @Nullable private WebApplicationContext webApplicationContext; @Nullable private String targetBeanName; private boolean targetFilterLifecycle; @Nullable private volatile Filter delegate;//注:這個過濾器才是真正載入的過濾器 private final Object delegateMonitor; //注:doFilter才是過濾器的入口,直接從這看! public void doFilter(ServletRequest request,ServletResponse response,FilterChain filterChain) throws ServletException,IOException { Filter delegateToUse = this.delegate; if (delegateToUse == null) { synchronized(this.delegateMonitor) { delegateToUse = this.delegate; if (delegateToUse == null) { WebApplicationContext wac = this.findWebApplicationContext(); if (wac == null) { throw new IllegalStateException("No WebApplicationContext found: no ContextLoaderListener or DispatcherServlet registered?"); } //第一步:doFilter中最重要的一步,初始化上面私有過濾器屬性delegate delegateToUse = this.initDelegate(wac); } this.delegate = delegateToUse; } } //第三步:執行FilterChainProxy過濾器 this.invokeDelegate(delegateToUse,request,response,filterChain); } //第二步:直接看最終載入的過濾器到底是誰 protected Filter initDelegate(WebApplicationContext wac) throws ServletException { //debug得知targetBeanName為:springSecurityFilterChain String targetBeanName = this.getTargetBeanName(); Assert.state(targetBeanName != null,"No target bean name set"); //debug得知delegate物件為:FilterChainProxy Filter delegate = (Filter)wac.getBean(targetBeanName,Filter.class); if (this.isTargetFilterLifecycle()) { delegate.init(this.getFilterConfig()); } return delegate; } protected void invokeDelegate(Filter delegate,ServletRequest request,ServletResponse response,FilterChain filterChain) throws ServletException,IOException { delegate.doFilter(request,filterChain); } }
第二步debug結果如下:
由此可知, DelegatingFilterProxy通過springSecurityFilterChain這個名稱,得到了一個FilterChainProxy過濾器,
最終在第三步執行了這個過濾器。
FilterChainProxy
public class FilterChainProxy extends GenericFilterBean { private static final Log logger = LogFactory.getLog(FilterChainProxy.class); private static final String FILTER_APPLIED = FilterChainProxy.class.getName().concat(".APPLIED"); private List<SecurityFilterChain> filterChains; private FilterChainProxy.FilterChainValidator filterChainValidator; private HttpFirewall firewall; //咿!?可以通過一個叫SecurityFilterChain的物件例項化出一個FilterChainProxy物件 //這FilterChainProxy又是何方神聖?會不會是真正的過濾器鏈物件呢?先留著這個疑問! public FilterChainProxy(SecurityFilterChain chain) { this(Arrays.asList(chain)); } //又是SecurityFilterChain這傢伙!嫌疑更大了! public FilterChainProxy(List<SecurityFilterChain> filterChains) { this.filterChainValidator = new FilterChainProxy.NullFilterChainValidator(); this.firewall = new StrictHttpFirewall(); this.filterChains = filterChains; } //注:直接從doFilter看 public void doFilter(ServletRequest request,FilterChain chain) throws IOException,ServletException { boolean clearContext = request.getAttribute(FILTER_APPLIED) == null; if (clearContext) { try { request.setAttribute(FILTER_APPLIED,Boolean.TRUE); this.doFilterInternal(request,chain); } finally { SecurityContextHolder.clearContext(); request.removeAttribute(FILTER_APPLIED); } } else { //第一步:具體操作呼叫下面的doFilterInternal方法了 this.doFilterInternal(request,chain); } } private void doFilterInternal(ServletRequest request,FilterChain chain) throws IOException,ServletException { FirewalledRequest fwRequest = this.firewall.getFirewalledRequest((HttpServletRequest)request); HttpServletResponse fwResponse = this.firewall.getFirewalledResponse((HttpServletResponse)response); //第二步:封裝要執行的過濾器鏈,那麼多過濾器就在這裡被封裝進去了! List<Filter> filters = this.getFilters((HttpServletRequest)fwRequest); if (filters != null && filters.size() != 0) { FilterChainProxy.VirtualFilterChain vfc = new FilterChainProxy.VirtualFilterChain(fwRequest,chain,filters); //第四步:載入過濾器鏈 vfc.doFilter(fwRequest,fwResponse); } else { if (logger.isDebugEnabled()) { logger.debug(UrlUtils.buildRequestUrl(fwRequest) + (filters == null ? " has no matching filters" : " has an empty filter list")); } fwRequest.reset(); chain.doFilter(fwRequest,fwResponse); } } private List<Filter> getFilters(HttpServletRequest request) { Iterator var2 = this.filterChains.iterator(); //第三步:封裝過濾器鏈到SecurityFilterChain中! SecurityFilterChain chain; do { if (!var2.hasNext()) { return null; } chain = (SecurityFilterChain)var2.next(); } while(!chain.matches(request)); return chain.getFilters(); } }
SecurityFilterChain
最後看SecurityFilterChain,這是個介面,實現類也只有一個,這才是web.xml中配置的過濾器鏈物件!
public interface SecurityFilterChain { boolean matches(HttpServletRequest request); List<Filter> getFilters(); }
public final class DefaultSecurityFilterChain implements SecurityFilterChain { private static final Log logger = LogFactory.getLog(DefaultSecurityFilterChain.class); private final RequestMatcher requestMatcher; private final List<Filter> filters; public DefaultSecurityFilterChain(RequestMatcher requestMatcher,Filter... filters) { this(requestMatcher,Arrays.asList(filters)); } public DefaultSecurityFilterChain(RequestMatcher requestMatcher,List<Filter> filters) { logger.info("Creating filter chain: " + requestMatcher + "," + filters); this.requestMatcher = requestMatcher; this.filters = new ArrayList<>(filters); } public RequestMatcher getRequestMatcher() { return requestMatcher; } public List<Filter> getFilters() { return filters; } public boolean matches(HttpServletRequest request) { return requestMatcher.matches(request); } @Override public String toString() { return "[ " + requestMatcher + "," + filters + "]"; } }
以上就是本文的全部內容,希望對大家的學習有所幫助,也希望大家多多支援我們。