SpringBoot Security安全认证框架初始化流程&认证流程之源码分析

SpringBoot Security安全认证框架初始化流程&认证流程之源码分析

以RuoYi-Vue前后端分离版本为例分析SpringBoot Security安全认证框架初始化流程&认证流程的源码分析

目录

一、SpringBoot Security安全认证框架初始化流程


《SpringBoot Security安全认证框架初始化流程梳理图》

1、引入springboot-security依赖

xml 复制代码
<!-- spring security 安全认证 -->
<dependency>
   <groupId>org.springframework.boot</groupId>
   <artifactId>spring-boot-starter-security</artifactId>
</dependency>

2、EnableWebSecurity注解

org.springframework.security.config.annotation.web.configureation.EnableWebSecurity

  • 添加该注解到@Configuration的类上,应用程序便可以使用自定义的WebSecurityConfigurer或拓展自WebSecurityConfigurerAdapter的配置类来装配Spring Security框架。

EnableWebSecurity.java 源码

java 复制代码
package org.springframework.security.config.annotation.web.configuration;

import java.lang.annotation.Documented;
import java.lang.annotation.ElementType;
import java.lang.annotation.Retention;
import java.lang.annotation.RetentionPolicy;
import java.lang.annotation.Target;

import org.springframework.context.annotation.Configuration;
import org.springframework.context.annotation.Import;
import org.springframework.security.config.annotation.authentication.configuration.EnableGlobalAuthentication;
import org.springframework.security.config.annotation.web.WebSecurityConfigurer;

@Retention(RetentionPolicy.RUNTIME)
@Target(ElementType.TYPE)
@Documented
@Import({ WebSecurityConfiguration.class, SpringWebMvcImportSelector.class, OAuth2ImportSelector.class,
		HttpSecurityConfiguration.class })
@EnableGlobalAuthentication
@Configuration
public @interface EnableWebSecurity {

	/**
	 * Controls debugging support for Spring Security. Default is false.
	 * @return if true, enables debug support with Spring Security
	 */
	boolean debug() default false;

}

说明:


在此注解接口定义中引入了 WebSecurityConfiguration

3、WebSecurityConfiguration

3.1、setFilterChainProxySecurityConfigurer方法

shell 复制代码
重点:
1、将自定义的安全配置类对象注入到Spring容器中;
2、构建WebSecurity对象

说明:

1、获取安全配置,通过@value的方式实现了AutowiredWebSecurityConfigurersIgnoreParents.getWebSecurityConfigurers();

2、获取类型为WebSecurityConfigurer类及其子类匹配的bean,包括WebSecurityConfigurerAdapter、继承WebSecurityConfigurerAdapter的自定义安全配置类


1)、通过@value("#{@autowiredWebSecurityConfigurersIgnoreParents.getWebSecurityConfigurers()}")获取安全配置

2)、调用org.springframework.security.config.annotation.web.configuration.AutowiredWebSecurityConfigurersIgnoreParents.getWebSecurityConfigurers()

java 复制代码
@Autowired(required = false)
	public void setFilterChainProxySecurityConfigurer(ObjectPostProcessor<Object> objectPostProcessor,
			@Value("#{@autowiredWebSecurityConfigurersIgnoreParents.getWebSecurityConfigurers()}") List<SecurityConfigurer<Filter, WebSecurity>> webSecurityConfigurers)
			throws Exception {
		this.webSecurity = objectPostProcessor.postProcess(new WebSecurity(objectPostProcessor));
		if (this.debugEnabled != null) {
			this.webSecurity.debug(this.debugEnabled);
		}
		webSecurityConfigurers.sort(AnnotationAwareOrderComparator.INSTANCE);
		Integer previousOrder = null;
		Object previousConfig = null;
		for (SecurityConfigurer<Filter, WebSecurity> config : webSecurityConfigurers) {
			Integer order = AnnotationAwareOrderComparator.lookupOrder(config);
			if (previousOrder != null && previousOrder.equals(order)) {
				throw new IllegalStateException("@Order on WebSecurityConfigurers must be unique. Order of " + order
						+ " was already used on " + previousConfig + ", so it cannot be used on " + config + " too.");
			}
			previousOrder = order;
			previousConfig = config;
		}
		for (SecurityConfigurer<Filter, WebSecurity> webSecurityConfigurer : webSecurityConfigurers) {
			this.webSecurity.apply(webSecurityConfigurer);
		}
		this.webSecurityConfigurers = webSecurityConfigurers;
	}

3.2、springSecurityFilterChain方法

说明:


1、通过@Bean将springSecurityFilterChain()方法构建的Filter实例对象按名称为springSecurityFilterChain的Bean注入到Spring容器中

2、WebSecurity.build方法会启动对象的配置,重点是: 【可以调用到自定义安全配置类的配置方法】实现自定义配置认证退出处理类、不用认证url等SpringBoot Security安全配置

java 复制代码
@Bean(name = AbstractSecurityWebApplicationInitializer.DEFAULT_FILTER_NAME)
public Filter springSecurityFilterChain() throws Exception {
	boolean hasConfigurers = this.webSecurityConfigurers != null && !this.webSecurityConfigurers.isEmpty();
	boolean hasFilterChain = !this.securityFilterChains.isEmpty();
	Assert.state(!(hasConfigurers && hasFilterChain),
				"Found WebSecurityConfigurerAdapter as well as SecurityFilterChain. Please select just one.");
	if (!hasConfigurers && !hasFilterChain) {
		WebSecurityConfigurerAdapter adapter = this.objectObjectPostProcessor
					.postProcess(new WebSecurityConfigurerAdapter() {
		});
		this.webSecurity.apply(adapter);
	}
	for (SecurityFilterChain securityFilterChain : this.securityFilterChains) {
		this.webSecurity.addSecurityFilterChainBuilder(() -> securityFilterChain);
		for (Filter filter : securityFilterChain.getFilters()) {
			if (filter instanceof FilterSecurityInterceptor) {
				this.webSecurity.securityInterceptor((FilterSecurityInterceptor) filter);
				break;
			}
		}
	}
	for (WebSecurityCustomizer customizer : this.webSecurityCustomizers) {
		customizer.customize(this.webSecurity);
	}
	return this.webSecurity.build();
}

4、自定义安全配置类

自定义安全配置类继承WebSecurityConfigurerAdapter,以对象名为authenticationManager的bean将AuthenticationManager对象注入到Spring容器中


《authenticationManager的bean对象注入流程源码分析图》 说明:


1、以@Bean的方式将AuthenticationManager的Bean以Id="authenticationManager"注入到Spring容器中;

2、调用父类WebSecurityConfigurerAdapter的authenticationManagerBean()方法


重点: 通过authenticationManagerBean()方法实现了将ProviderManager对象做为AuthenticationManager的实例对象,参照 第二章节->2、调用Spring Security安全认证方法中的《将ProviderManager对象做为authenticationManager的bean对象流程源码分析图》

自定义安全配置类源码

java 复制代码
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.context.annotation.Bean;
import org.springframework.http.HttpMethod;
import org.springframework.security.authentication.AuthenticationManager;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.method.configuration.EnableGlobalMethodSecurity;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.config.annotation.web.configurers.ExpressionUrlAuthorizationConfigurer;
import org.springframework.security.config.http.SessionCreationPolicy;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
import org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter;
import org.springframework.security.web.authentication.logout.LogoutFilter;
import org.springframework.web.filter.CorsFilter;
import cn.edu.tit.ipaddress.ms.framework.config.properties.PermitAllUrlProperties;
import cn.edu.tit.ipaddress.ms.framework.security.filter.JwtAuthenticationTokenFilter;
import cn.edu.tit.ipaddress.ms.framework.security.handle.AuthenticationEntryPointImpl;
import cn.edu.tit.ipaddress.ms.framework.security.handle.LogoutSuccessHandlerImpl;

/**
 * spring security配置
 * 
 * @author ruoyi
 */
@EnableGlobalMethodSecurity(prePostEnabled = true, securedEnabled = true)
public class SecurityConfig extends WebSecurityConfigurerAdapter
{
    /**
     * 自定义用户认证逻辑
     */
    @Autowired
    private UserDetailsService userDetailsService;
    
    /**
     * 认证失败处理类
     */
    @Autowired
    private AuthenticationEntryPointImpl unauthorizedHandler;

    /**
     * 退出处理类
     */
    @Autowired
    private LogoutSuccessHandlerImpl logoutSuccessHandler;

    /**
     * token认证过滤器
     */
    @Autowired
    private JwtAuthenticationTokenFilter authenticationTokenFilter;
    
    /**
     * 跨域过滤器
     */
    @Autowired
    private CorsFilter corsFilter;

    /**
     * 允许匿名访问的地址
     */
    @Autowired
    private PermitAllUrlProperties permitAllUrl;

    /**
     * 解决 无法直接注入 AuthenticationManager
     *
     * @return
     * @throws Exception
     */
    @Bean
    @Override
    public AuthenticationManager authenticationManagerBean() throws Exception
    {
        return super.authenticationManagerBean();
    }

    /**
     * anyRequest          |   匹配所有请求路径
     * access              |   SpringEl表达式结果为true时可以访问
     * anonymous           |   匿名可以访问
     * denyAll             |   用户不能访问
     * fullyAuthenticated  |   用户完全认证可以访问(非remember-me下自动登录)
     * hasAnyAuthority     |   如果有参数,参数表示权限,则其中任何一个权限可以访问
     * hasAnyRole          |   如果有参数,参数表示角色,则其中任何一个角色可以访问
     * hasAuthority        |   如果有参数,参数表示权限,则其权限可以访问
     * hasIpAddress        |   如果有参数,参数表示IP地址,如果用户IP和参数匹配,则可以访问
     * hasRole             |   如果有参数,参数表示角色,则其角色可以访问
     * permitAll           |   用户可以任意访问
     * rememberMe          |   允许通过remember-me登录的用户访问
     * authenticated       |   用户登录后可访问
     */
    @Override
    protected void configure(HttpSecurity httpSecurity) throws Exception
    {
        // 注解标记允许匿名访问的url
        ExpressionUrlAuthorizationConfigurer<HttpSecurity>.ExpressionInterceptUrlRegistry registry = httpSecurity.authorizeRequests();
        permitAllUrl.getUrls().forEach(url -> registry.antMatchers(url).permitAll());

        httpSecurity
                // CSRF禁用,因为不使用session
                .csrf().disable()
                // 禁用HTTP响应标头
                .headers().cacheControl().disable().and()
                // 认证失败处理类
                .exceptionHandling().authenticationEntryPoint(unauthorizedHandler).and()
                // 基于token,所以不需要session
                .sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS).and()
                // 过滤请求
                .authorizeRequests()
                // 对于登录login 注册register 验证码captchaImage 允许匿名访问
                .antMatchers("/login","/loginWeixin","/register", "/captchaImage").permitAll()
                // 静态资源,可匿名访问
                .antMatchers(HttpMethod.GET, "/", "/*.html", "/**/*.html", "/**/*.css", "/**/*.js", "/profile/**").permitAll()
                .antMatchers("/swagger-ui.html", "/swagger-resources/**", "/webjars/**", "/*/api-docs", "/druid/**").permitAll()
                // 除上面外的所有请求全部需要鉴权认证
                .anyRequest().authenticated()
                .and()
                .headers().frameOptions().disable();
        // 添加Logout filter
        httpSecurity.logout().logoutUrl("/logout").logoutSuccessHandler(logoutSuccessHandler);
        // 添加JWT filter
        httpSecurity.addFilterBefore(authenticationTokenFilter, UsernamePasswordAuthenticationFilter.class);
        // 添加CORS filter
        httpSecurity.addFilterBefore(corsFilter, JwtAuthenticationTokenFilter.class);
        httpSecurity.addFilterBefore(corsFilter, LogoutFilter.class);
    }

    /**
     * 强散列哈希加密实现
     */
    @Bean
    public BCryptPasswordEncoder bCryptPasswordEncoder()
    {
        return new BCryptPasswordEncoder();
    }

    /**
     * 身份认证接口
     */
    @Override
    protected void configure(AuthenticationManagerBuilder auth) throws Exception
    {
        auth.userDetailsService(userDetailsService).passwordEncoder(bCryptPasswordEncoder());
    }
}

二、SpringBoot Security认证流程

1、在用户登录认证类中自动注入AuthenticationManager对象

自动注入AuthenticationManager对象

java 复制代码
@Resource
private AuthenticationManager authenticationManager;

@Resource注解-说明:


一、@Resource和@Autowired异同

@Resoutce注解的功能和@Autowired相似的,可以互相替换,一般情况是可以正常运行的,由> @Resource标注的属性也会进行自动装配

二、二者区别:

1.提供者不同:

@AutoWired是Spring提供的

@Resource是由Java提供的

2.注入规则不同:

原则上@Autowired注入规则为"byType"(通过类型注入)

原则上@Resource注入规则为"byName"(通过名称注入)这里的名称就是对象的id

3.匹配规则不同

@Auotowired是先检查类型,如果有类型匹配直接匹配,只通过类型不能匹配,在通过id;

@Resource是先匹配id,如果有id匹配,直接成功;如果没有id匹配,在进行类型匹配;

2、调用Spring Security安全认证方法

关键代码

java 复制代码
// 用户名、密码构建UsernamePasswordAuthenticationToken对象
UsernamePasswordAuthenticationToken authenticationToken = new UsernamePasswordAuthenticationToken(username, password);

AuthenticationContextHolder.setContext(authenticationToken);
// 调用认证方法,验证用户名和密码
Authentication authentication = authenticationManager.authenticate(authenticationToken);


《将ProviderManager对象做为authenticationManager的bean对象流程源码分析图》 说明


验证用户名和密码,通过调用认证方法后,通过上图所示最终是调用了ProviderManager.authenticate()方法


《SpringBoot Security - 登录认证流程源码分析图》 说明


1、ProviderManager.authenticate()方法中通过getProviders()获取认证Provider实现类;

2、Provider实现类 - DaoAuthenticationProvider实现类,并继承AbstractUserDetailsAuthenticationProvider;

三、SpringBoot启动源码分析

下图为SpringBoot启动源码分析图,与SpringBoot Security没有关系,如果对SpringBoot启动熟悉的话可以跳过此章节内容。


《SpringBoot启动源码分析图》

相关推荐
斌斌_____12 分钟前
Spring Boot 配置文件的加载顺序
java·spring boot·后端
路在脚下@21 分钟前
Spring如何处理循环依赖
java·后端·spring
一个不秃头的 程序员43 分钟前
代码加入SFTP JAVA ---(小白篇3)
java·python·github
丁总学Java1 小时前
--spring.profiles.active=prod
java·spring
苹果醋31 小时前
React系列(八)——React进阶知识点拓展
运维·vue.js·spring boot·nginx·课程设计
上等猿1 小时前
集合stream
java
java1234_小锋1 小时前
MyBatis如何处理延迟加载?
java·开发语言
菠萝咕噜肉i1 小时前
MyBatis是什么?为什么有全自动ORM框架还是MyBatis比较受欢迎?
java·mybatis·框架·半自动
林的快手1 小时前
209.长度最小的子数组
java·数据结构·数据库·python·算法·leetcode
Hacker_Nightrain1 小时前
网络安全与加密
安全·web安全