SpringSecurity源码剖析

过滤器链加载源码

1. spring boot启动中会加载spring.factories文件，在文件中有对应Spring Security的过滤器链的配置信息。

   安全过滤器自动配置

   org.springframework.boot.autoconfigure.security.servlet.SecurityFilterAutoCo
   nfiguration

2. SecurityFilterAutoConfiguration类

   @EnableConfigurationProperties({SecurityProperties.class})
   @ConditionalOnClass({AbstractSecurityWebApplicationInitializer.class, SessionCreationPolicy.class})
   @AutoConfigureAfter({SecurityAutoConfiguration.class})
   public class SecurityFilterAutoConfiguration {

   }

3. SecurityAutoConfiguration类

   @ConditionalOnClass({DefaultAuthenticationEventPublisher.class})
   @EnableConfigurationProperties({SecurityProperties.class})
   @Import({SpringBootWebSecurityConfiguration.class, WebSecurityEnablerConfiguration.class, SecurityDataConfiguration.class})
   public class SecurityAutoConfiguration {

   }

4. WebScurityEnableConfiguration类

   @Configuration(
   proxyBeanMethods = false
   )
   @ConditionalOnBean({WebSecurityConfigurerAdapter.class})
   @ConditionalOnMissingBean(
   name = {"springSecurityFilterChain"}
   )
   @ConditionalOnWebApplication(
   type = Type.SERVLET
   )
   @EnableWebSecurity
   public class WebSecurityEnablerConfiguration {
   public WebSecurityEnablerConfiguration() {
   }
   }

5. WebSecurityConfiguration类

   /**
   * 声明 Spring Security 核心过滤器链（默认名称：springSecurityFilterChain）
   * 对应 AbstractSecurityWebApplicationInitializer.DEFAULT_FILTER_NAME
   */
   @Bean(name = AbstractSecurityWebApplicationInitializer.DEFAULT_FILTER_NAME)
   public Filter springSecurityFilterChain() throws Exception {
   // 检查是否有自定义的 WebSecurityConfigurer 配置
   boolean hasConfigurers = webSecurityConfigurers != null && !webSecurityConfigurers.isEmpty();

        // 如果没有自定义配置，创建默认空适配器（避免构建失败）
        if (!hasConfigurers) {
            WebSecurityConfigurerAdapter adapter = objectObjectPostProcessor.postProcess(
                new WebSecurityConfigurerAdapter() {
                    // 空适配器：仅保证过滤器链能构建，无实际安全规则
                    @Override
                    protected void configure(org.springframework.security.config.annotation.web.builders.HttpSecurity http) throws Exception {
                        // 6.x 需替换为 http.csrf(AbstractHttpConfigurer::disable)
                        http.csrf().disable(); // 示例：禁用 CSRF（根据业务调整）
                    }
                }
            );
            webSecurity.apply(adapter); // 将默认适配器应用到 WebSecurity
        } else {
            // 如果有自定义配置，遍历应用所有 WebSecurityConfigurer
            for (WebSecurityConfigurerAdapter configurer : webSecurityConfigurers) {
                webSecurity.apply(configurer);
            }
        }
        
        // 构建过滤器链（返回 FilterChainProxy，实现 Filter 接口）
        Filter filterChain = webSecurity.build();
        return filterChain;
    }

认真流程源码

UsernamePasswordAuthenticationFilter：

UsernamePasswordAuthenticationToken

AuthenticationManager-->ProviderManager-->AbstractUserDetailsAuthenticationProvider

retrieveUser方法

additionalAuthenticationChecks方法

AbstractAuthenticationProcessingFilter--doFilter方法

successfulAuthentication方法

记住我流程源码

AbstractAuthenticationProcessingFilter--successfulAuthentication方法

loginSuccess方法-->onLoginSuccess

RememberMeAuthenticationFilter

autoLogin方法

processAutoLoginCookie方法

CSRF流程源码

授权流程源码

**AffirmativeBased（基于肯定）的逻辑是:**一票通过权

ConsensusBased （基于共识）的逻辑是 **:**赞成票多于反对票则表示通过,反对票多于赞成票则将抛出

AccessDeniedException

**UnanimousBased（基于一致）的逻辑:**一票否决权

FilterSecurityInterceptor

ExceptionTranslationFilter