spring security:DelegatingFilterProxy和FilterChainProxy之間的關係
阿新 • • 發佈:2019-02-01
本文主要解答的是為什麼在web.xml中配置了
<filter>
<filter-name>springSecurityFilterChain</filter-name>
<filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
</fiter>
DelegatingFilterProxy代理的Filter就會是定義在spring容器中的FilterChainProxy類的bean
DelegatingFilterProxy類是一個spring類,位於org.springframework.web.jar包下,這個類本身是和spring security無關。該類繼承於抽象類GenericFilterBean,間接地實現了javax.servlet.Filter介面,Servlet容器在啟動時,首先會呼叫Filter的init方法,GenericFilterBean的作用主要是可以把Filter的初始化引數自動地set到繼承與GenericFilterBean類的Filter中區。其原始碼如下:
在該方法中呼叫了initFilterBean()方法,該方法是GenericFilterBean類特地留給子類擴充套件使用的。其實現在DelegatingFilterProxy中public final void init(FilterConfig filterConfig) throws ServletException { Assert.notNull(filterConfig, "FilterConfig must not be null"); if (logger.isDebugEnabled()) { logger.debug("Initializing filter '" + filterConfig.getFilterName() + "'"); } this.filterConfig = filterConfig; // Set bean properties from init parameters. try { PropertyValues pvs = new FilterConfigPropertyValues(filterConfig, this.requiredProperties); BeanWrapper bw = PropertyAccessorFactory.forBeanPropertyAccess(this); ResourceLoader resourceLoader = new ServletContextResourceLoader(filterConfig.getServletContext()); bw.registerCustomEditor(Resource.class, new ResourceEditor(resourceLoader, this.environment)); initBeanWrapper(bw); bw.setPropertyValues(pvs, true); } catch (BeansException ex) { String msg = "Failed to set bean properties on filter '" + filterConfig.getFilterName() + "': " + ex.getMessage(); logger.error(msg, ex); throw new NestedServletException(msg, ex); } // Let subclasses do whatever initialization they like. initFilterBean(); if (logger.isDebugEnabled()) { logger.debug("Filter '" + filterConfig.getFilterName() + "' configured successfully"); } }
可以看出上述程式碼首先看Filter是否提供了targetBeanName初始化引數,如果沒有提供則直接使用filter的name作為beanName,產生beanName後,由於我們在web.xml中的filter的name是springSecurityFilterChain。protected void initFilterBean() throws ServletException { synchronized (this.delegateMonitor) { if (this.delegate == null) { // If no target bean name specified, use filter name. if (this.targetBeanName == null) { this.targetBeanName = getFilterName(); } // Fetch Spring root application context and initialize the delegate early, // if possible. If the root application context will be started after this // filter proxy, we'll have to resort to lazy initialization. WebApplicationContext wac = findWebApplicationContext(); if (wac != null) { this.delegate = initDelegate(wac); } } } }
<filter>
<filter-name>springSecurityFilterChain</filter-name>
<filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
</filter>
<filter-mapping>
<filter-name>springSecurityFilterChain</filter-name>
<url-pattern>/*</url-pattern>
</filter-mapping>
FilterChainProxy從Spring IOC容器中取出bean的程式碼是initDelegate方法。
protected Filter initDelegate(WebApplicationContext wac) throws ServletException {
Filter delegate = wac.getBean(getTargetBeanName(), Filter.class);
if (isTargetFilterLifecycle()) {
delegate.init(getFilterConfig());
}
return delegate;
}
在這個方法中,getTargetBeanName()返回的是值為springSecurityFilterChain,下面的內容是關鍵
wac.getBean(getTargetBeanName(), Filter.class)
wac.getBean(getTargetBeanName(),Filter.class)->AbstractApplicationContext.getBean(name,requiredType)->AbstractBeanFactory中的transformedBeanName(name)->canonicalName(BeanFactoryUtils.transformedBeanName(name))
在canonicalName方法中將springSecurityFilterChain給轉換成了org.springframework.security.filterChainProxy。這是因為SecuritynamespaceHandler在解析security名稱空間的時候在HttpSecurityBeanDefinitionParser中的registerFilterChainProxyIfNecessary方法中呼叫了ParserContext.getRegistry().registerAlias("org.springframework.security.filterChainProxy","springSecurityFilterChain")將他們的對應關係寫入到了SimpleAliasRegistry中的aliasMap中去了,而canonicalName方法使用springSecurityFilterChain為key去aliasMap中取,所以得到是org.springframework.security.filterChainProxy
這裡根據springSecurityFilterChain的bean name直接獲取FilterChainProxy的例項。可是springSecurityFilterChain這個bean在哪裡定義的呢?此時似乎忽略了spring security的bean配置檔案了。<?xml version="1.0" encoding="UTF-8"?>
<beans:beans xmlns="http://www.springframework.org/schema/security"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xmlns:beans="http://www.springframework.org/schema/beans"
xsi:schemaLocation="
http://www.springframework.org/schema/beans
http://www.springframework.org/schema/beans/spring-beans.xsd
http://www.springframework.org/schema/security
http://www.springframework.org/schema/security/
spring-security-3.0.xsd">
<http auto-config="true">
<intercept-url pattern="/*" access="ROLE_USER"/>
</http>
<authentication-manager alias="authenticationManager">
<authentication-provider>
<user-service>
<user authorities="ROLE_USER" name="guest" password="guest"/>
</user-service>
</authentication-provider>
</authentication-manager>
</beans:beans>
這是最簡單的配置,同時也解開了springSecurityFilterChain這個bean沒有定義的疑問。這裡主要利用了spring的自定義標籤。首先spring security的標籤解析部分的原始碼包為:spring-security-config.jar中
spring security的標籤解析由org.springframework.security.config.SecurityNamespaceHandler來處理。該類實現介面:NamespaceHandler,spring中自定義標籤都要實現該介面,該介面有三個方法init、parse、decorate,其中init用於自定義標籤的初始化,parse用於解析標籤,decorate用於裝飾。
SecurityNamespaceHandler類的init方法完成了標籤解析類的註冊工作
public void init() {
loadParsers();
}
@SuppressWarnings("deprecation")
private void loadParsers() {
// Parsers
parsers.put(Elements.LDAP_PROVIDER, new LdapProviderBeanDefinitionParser());
parsers.put(Elements.LDAP_SERVER, new LdapServerBeanDefinitionParser());
parsers.put(Elements.LDAP_USER_SERVICE, new LdapUserServiceBeanDefinitionParser());
parsers.put(Elements.USER_SERVICE, new UserServiceBeanDefinitionParser());
parsers.put(Elements.JDBC_USER_SERVICE, new JdbcUserServiceBeanDefinitionParser());
parsers.put(Elements.AUTHENTICATION_PROVIDER, new AuthenticationProviderBeanDefinitionParser());
parsers.put(Elements.GLOBAL_METHOD_SECURITY, new GlobalMethodSecurityBeanDefinitionParser());
parsers.put(Elements.AUTHENTICATION_MANAGER, new AuthenticationManagerBeanDefinitionParser());//authentication-manager的標籤解析類註冊
parsers.put(Elements.METHOD_SECURITY_METADATA_SOURCE, new MethodSecurityMetadataSourceBeanDefinitionParser());
// Only load the web-namespace parsers if the web classes are available
if(ClassUtils.isPresent(FILTER_CHAIN_PROXY_CLASSNAME, getClass().getClassLoader())) {
parsers.put(Elements.DEBUG, new DebugBeanDefinitionParser());
parsers.put(Elements.HTTP, new HttpSecurityBeanDefinitionParser());//http的標籤解析類註冊
parsers.put(Elements.HTTP_FIREWALL, new HttpFirewallBeanDefinitionParser());
parsers.put(Elements.FILTER_INVOCATION_DEFINITION_SOURCE, new FilterInvocationSecurityMetadataSourceParser());
parsers.put(Elements.FILTER_SECURITY_METADATA_SOURCE, new FilterInvocationSecurityMetadataSourceParser());
parsers.put(Elements.FILTER_CHAIN, new FilterChainBeanDefinitionParser());
filterChainMapBDD = new FilterChainMapBeanDefinitionDecorator();
}
}
HttpSecurityBeanDefinitionParser的parse方法原始碼為:public BeanDefinition parse(Element element, ParserContext pc) {
CompositeComponentDefinition compositeDef =
new CompositeComponentDefinition(element.getTagName(), pc.extractSource(element));
......
registerFilterChainProxyIfNecessary(pc,pc.extractSource(element));
......
}
static void registerFilterChainProxyIfNecessary(ParserContext pc, Object source) {
logger.debug("\n registerFilterChainProxyIfNecessary----"+pc.getRegistry()+"\n source=="+source);
if (pc.getRegistry().containsBeanDefinition(BeanIds.FILTER_CHAIN_PROXY)) {
return;
}
// Not already registered, so register the list of filter chains and the FilterChainProxy
BeanDefinition listFactoryBean = new RootBeanDefinition(ListFactoryBean.class);
listFactoryBean.getPropertyValues().add("sourceList", new ManagedList());
pc.registerBeanComponent(new BeanComponentDefinition(listFactoryBean, BeanIds.FILTER_CHAINS));
BeanDefinitionBuilder fcpBldr = BeanDefinitionBuilder.rootBeanDefinition(FilterChainProxy.class);
fcpBldr.getRawBeanDefinition().setSource(source);
fcpBldr.addConstructorArgReference(BeanIds.FILTER_CHAINS);
fcpBldr.addPropertyValue("filterChainValidator", new RootBeanDefinition(DefaultFilterChainValidator.class));
BeanDefinition fcpBean = fcpBldr.getBeanDefinition();
pc.registerBeanComponent(new BeanComponentDefinition(fcpBean, BeanIds.FILTER_CHAIN_PROXY));
pc.getRegistry().registerAlias(BeanIds.FILTER_CHAIN_PROXY, BeanIds.SPRING_SECURITY_FILTER_CHAIN);
//BeanIds.FILTER_CHAIN_PROXY->org.springframework.security.filterChainProxy
//BeanIds.SPRING_SECURITY_FILTER_CHAIN->springSecurityFilterChain
}
這裡需要說明的是BeanDefinitionBuilder類,該類能夠動態建立spring的bean,並通過ParserContext完成bean的註冊,而不需要在xml中進行配置。此時FilterChainProxy例項化過程已經完成。
下面再看一下DelegatingFilterProxy類的doFilter方法
public void doFilter(ServletRequest request, ServletResponse response, FilterChain filterChain)
throws ServletException, IOException {
// Lazily initialize the delegate if necessary.
Filter delegateToUse = null;
synchronized (this.delegateMonitor) {
if (this.delegate == null) {
WebApplicationContext wac = findWebApplicationContext();
if (wac == null) {
throw new IllegalStateException("No WebApplicationContext found: no ContextLoaderListener registered?");
}
this.delegate = initDelegate(wac);
}
delegateToUse = this.delegate;
}
// Let the delegate perform the actual doFilter operation.
invokeDelegate(delegateToUse, request, response, filterChain);
}
真正要關注invokeDelegate(delegateToUse, request, response, filterChain);這句程式碼,在下面可以看出DelegatingFilterProxy類實際是用其delegate屬性即org.springframework.security.FilterChainProxy例項的doFilter方法來響應請求。protected void invokeDelegate(
Filter delegate, ServletRequest request, ServletResponse response, FilterChain filterChain)
throws ServletException, IOException {
delegate.doFilter(request, response, filterChain);
}
以上就是DelegatingFilterProxy類的一些內部執行機制,其實主要作用就是一個代理模式的應用,可以把servlet 容器中的filter同spring容器中的bean關聯起來。
參考:http://www.aichengxu.com/java/1143729.htm
另外關於