Spring Security常用過濾器例項解析
Spring Security常見的15個攔截器
1 . org.springframework.security.web.context.SecurityContextPersistenceFilter
首當其衝的一個過濾器,作用之重要,自不必多言。
- SecurityContextPersistenceFilter主要是使用SecurityContextRepository在session中儲存或更新一個
- SecurityContext,並將SecurityContext給以後的過濾器使用,來為後續filter建立所需的上下文。
- SecurityContext中儲存了當前使用者的認證以及許可權資訊。
2 . org.springframework.security.web.context.request.async.WebAsyncManagerIntegrationFilter
此過濾器用於整合SecurityContext到Spring非同步執行機制中的WebAsyncManager
3 . org.springframework.security.web.header.HeaderWriterFilter
向請求的Header中新增相應的資訊,可在http標籤內部使用security:headers來控制
4 . org.springframework.security.web.csrf.CsrfFilter
csrf又稱跨域請求偽造,SpringSecurity會對所有post請求驗證是否包含系統生成的csrf的token資訊,
如果不包含,則報錯。起到防止csrf攻擊的效果。
5. org.springframework.security.web.authentication.logout.LogoutFilter
匹配 URL為/logout的請求,實現使用者退出,清除認證資訊。
6 . org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter
認證操作全靠這個過濾器,預設匹配URL為/login且必須為POST請求。
7 . org.springframework.security.web.authentication.ui.DefaultLoginPageGeneratingFilter
如果沒有在配置檔案中指定認證頁面,則由該過濾器生成一個預設認證頁面。
8 . org.springframework.security.web.authentication.ui.DefaultLogoutPageGeneratingFilter
由此過濾器可以生產一個預設的退出登入頁面
9 . org.springframework.security.web.authentication.www.BasicAuthenticationFilter
此過濾器會自動解析HTTP請求中頭部名字為Authentication,且以Basic開頭的頭資訊。
10 . org.springframework.security.web.savedrequest.RequestCacheAwareFilter
通過HttpSessionRequestCache內部維護了一個RequestCache,用於快取HttpServletRequest
11 . org.springframework.security.web.servletapi.SecurityContextHolderAwareRequestFilter
針對ServletRequest進行了一次包裝,使得request具有更加豐富的API
12 . org.springframework.security.web.authentication.AnonymousAuthenticationFilter
當SecurityContextHolder中認證資訊為空,則會建立一個匿名使用者存入到SecurityContextHolder中。
spring security為了相容未登入的訪問,也走了一套認證流程,只不過是一個匿名的身份。
13 . org.springframework.security.web.session.SessionManagementFilter
SecurityContextRepository限制同一使用者開啟多個會話的數量
14 . org.springframework.security.web.access.ExceptionTranslationFilter
異常轉換過濾器位於整個springSecurityFilterChain的後方,用來轉換整個鏈路中出現的異常
15 . org.springframework.security.web.access.intercept.FilterSecurityInterceptor
獲取所配置資源訪問的授權資訊,根據SecurityContextHolder中儲存的使用者資訊來決定其是否有許可權。
那麼,是不是spring security一共就這麼多過濾器呢?答案是否定的!隨著spring-security.xml配置的新增,還
會出現新的過濾器。
那麼,是不是spring security每次都會載入這些過濾器呢?答案也是否定的!隨著spring-security.xml配置的修
改,有些過濾器可能會被去掉。
spring security 過濾器鏈載入原理
public class DelegatingFilterProxy extends GenericFilterBean {
@Nullable
private String contextAttribute;
@Nullable
private WebApplicationContext webApplicationContext;
@Nullable
private String targetBeanName;
private boolean targetFilterLifecycle;
@Nullable
private volatile Filter delegate;//注:這個過濾器才是真正載入的過濾器
private final Object delegateMonitor;
//注:doFilter才是過濾器的入口,直接從這看!
public void doFilter(ServletRequest request,ServletResponse response,FilterChain
filterChain) throws ServletException,IOException {
Filter delegateToUse = this.delegate;
if (delegateToUse == null) {
synchronized(this.delegateMonitor) {
delegateToUse = this.delegate;
if (delegateToUse == null) {
WebApplicationContext wac = this.findWebApplicationContext();
if (wac == null) {
throw new IllegalStateException("No WebApplicationContext found: no
ContextLoaderListener or DispatcherServlet registered?");
}
//第一步:doFilter中最重要的一步,初始化上面私有過濾器屬性delegate
delegateToUse = this.initDelegate(wac);
}
this.delegate = delegateToUse;
}
}
//第三步:執行FilterChainProxy過濾器
this.invokeDelegate(delegateToUse,request,response,filterChain);
}
//第二步:直接看最終載入的過濾器到底是誰
protected Filter initDelegate(WebApplicationContext wac) throws ServletException {
//debug得知targetBeanName為:springSecurityFilterChain
String targetBeanName = this.getTargetBeanName();
Assert.state(targetBeanName != null,"No target bean name set");
//debug得知delegate物件為:FilterChainProxy
Filter delegate = (Filter)wac.getBean(targetBeanName,Filter.class);
if (this.isTargetFilterLifecycle()) {
delegate.init(this.getFilterConfig());
}
return delegate;
}
protected void invokeDelegate(Filter delegate,ServletRequest request,ServletResponse
response,FilterChain filterChain) throws ServletException,IOException {
delegate.doFilter(request,filterChain);
}
}
第二步debug結果如下:
由此可知, DelegatingFilterProxy通過springSecurityFilterChain這個名稱,得到了一個FilterChainProxy過濾器,
最終在第三步執行了這個過濾器。
FilterChainProxy
public class FilterChainProxy extends GenericFilterBean {
private static final Log logger = LogFactory.getLog(FilterChainProxy.class);
private static final String FILTER_APPLIED =
FilterChainProxy.class.getName().concat(".APPLIED");
private List<SecurityFilterChain> filterChains;
private FilterChainProxy.FilterChainValidator filterChainValidator;
private HttpFirewall firewall;
//咿!?可以通過一個叫SecurityFilterChain的物件例項化出一個FilterChainProxy物件
//這FilterChainProxy又是何方神聖?會不會是真正的過濾器鏈物件呢?先留著這個疑問!
public FilterChainProxy(SecurityFilterChain chain) {
this(Arrays.asList(chain));
}
//又是SecurityFilterChain這傢伙!嫌疑更大了!
public FilterChainProxy(List<SecurityFilterChain> filterChains) {
this.filterChainValidator = new FilterChainProxy.NullFilterChainValidator();
this.firewall = new StrictHttpFirewall();
this.filterChains = filterChains;
}
//注:直接從doFilter看
public void doFilter(ServletRequest request,FilterChain chain)
throws IOException,ServletException {
boolean clearContext = request.getAttribute(FILTER_APPLIED) == null;
if (clearContext) {
try {
request.setAttribute(FILTER_APPLIED,Boolean.TRUE);
this.doFilterInternal(request,chain);
} finally {
SecurityContextHolder.clearContext();
request.removeAttribute(FILTER_APPLIED);
}
} else {
//第一步:具體操作呼叫下面的doFilterInternal方法了
this.doFilterInternal(request,chain);
}
}
private void doFilterInternal(ServletRequest request,FilterChain
chain) throws IOException,ServletException {
FirewalledRequest fwRequest =
this.firewall.getFirewalledRequest((HttpServletRequest)request);
HttpServletResponse fwResponse =
this.firewall.getFirewalledResponse((HttpServletResponse)response);
//第二步:封裝要執行的過濾器鏈,那麼多過濾器就在這裡被封裝進去了!
List<Filter> filters = this.getFilters((HttpServletRequest)fwRequest);
if (filters != null && filters.size() != 0) {
FilterChainProxy.VirtualFilterChain vfc = new
FilterChainProxy.VirtualFilterChain(fwRequest,chain,filters);
//第四步:載入過濾器鏈
vfc.doFilter(fwRequest,fwResponse);
} else {
if (logger.isDebugEnabled()) {
logger.debug(UrlUtils.buildRequestUrl(fwRequest) + (filters == null ? " has no
matching filters" : " has an empty filter list"));
}
fwRequest.reset();
chain.doFilter(fwRequest,fwResponse);
}
}
private List<Filter> getFilters(HttpServletRequest request) {
Iterator var2 = this.filterChains.iterator();
//第三步:封裝過濾器鏈到SecurityFilterChain中!
SecurityFilterChain chain;
do {
if (!var2.hasNext()) {
return null;
}
chain = (SecurityFilterChain)var2.next();
} while(!chain.matches(request));
return chain.getFilters();
}
}
SecurityFilterChain
最後看SecurityFilterChain,這是個介面,實現類也只有一個,這才是web.xml中配置的過濾器鏈物件!
public interface SecurityFilterChain {
boolean matches(HttpServletRequest request);
List<Filter> getFilters();
}
public final class DefaultSecurityFilterChain implements SecurityFilterChain {
private static final Log logger = LogFactory.getLog(DefaultSecurityFilterChain.class);
private final RequestMatcher requestMatcher;
private final List<Filter> filters;
public DefaultSecurityFilterChain(RequestMatcher requestMatcher,Filter... filters) {
this(requestMatcher,Arrays.asList(filters));
}
public DefaultSecurityFilterChain(RequestMatcher requestMatcher,List<Filter> filters) {
logger.info("Creating filter chain: " + requestMatcher + "," + filters);
this.requestMatcher = requestMatcher;
this.filters = new ArrayList<>(filters);
}
public RequestMatcher getRequestMatcher() {
return requestMatcher;
}
public List<Filter> getFilters() {
return filters;
}
public boolean matches(HttpServletRequest request) {
return requestMatcher.matches(request);
}
@Override
public String toString() {
return "[ " + requestMatcher + "," + filters + "]";
}
}
以上就是本文的全部內容,希望對大家的學習有所幫助,也希望大家多多支援我們。