过滤器链加载源码
-
spring boot启动中会加载spring.factories文件,在文件中有对应Spring Security的过滤器链的配置信息。
安全过滤器自动配置
org.springframework.boot.autoconfigure.security.servlet.SecurityFilterAutoCo
nfiguration -
SecurityFilterAutoConfiguration类
@EnableConfigurationProperties({SecurityProperties.class})
@ConditionalOnClass({AbstractSecurityWebApplicationInitializer.class, SessionCreationPolicy.class})
@AutoConfigureAfter({SecurityAutoConfiguration.class})
public class SecurityFilterAutoConfiguration {}
-
SecurityAutoConfiguration类
@ConditionalOnClass({DefaultAuthenticationEventPublisher.class})
@EnableConfigurationProperties({SecurityProperties.class})
@Import({SpringBootWebSecurityConfiguration.class, WebSecurityEnablerConfiguration.class, SecurityDataConfiguration.class})
public class SecurityAutoConfiguration {}
-
WebScurityEnableConfiguration类
@Configuration(
proxyBeanMethods = false
)
@ConditionalOnBean({WebSecurityConfigurerAdapter.class})
@ConditionalOnMissingBean(
name = {"springSecurityFilterChain"}
)
@ConditionalOnWebApplication(
type = Type.SERVLET
)
@EnableWebSecurity
public class WebSecurityEnablerConfiguration {
public WebSecurityEnablerConfiguration() {
}
} -
WebSecurityConfiguration类
/**
* 声明 Spring Security 核心过滤器链(默认名称:springSecurityFilterChain)
* 对应 AbstractSecurityWebApplicationInitializer.DEFAULT_FILTER_NAME
*/
@Bean(name = AbstractSecurityWebApplicationInitializer.DEFAULT_FILTER_NAME)
public Filter springSecurityFilterChain() throws Exception {
// 检查是否有自定义的 WebSecurityConfigurer 配置
boolean hasConfigurers = webSecurityConfigurers != null && !webSecurityConfigurers.isEmpty();// 如果没有自定义配置,创建默认空适配器(避免构建失败) if (!hasConfigurers) { WebSecurityConfigurerAdapter adapter = objectObjectPostProcessor.postProcess( new WebSecurityConfigurerAdapter() { // 空适配器:仅保证过滤器链能构建,无实际安全规则 @Override protected void configure(org.springframework.security.config.annotation.web.builders.HttpSecurity http) throws Exception { // 6.x 需替换为 http.csrf(AbstractHttpConfigurer::disable) http.csrf().disable(); // 示例:禁用 CSRF(根据业务调整) } } ); webSecurity.apply(adapter); // 将默认适配器应用到 WebSecurity } else { // 如果有自定义配置,遍历应用所有 WebSecurityConfigurer for (WebSecurityConfigurerAdapter configurer : webSecurityConfigurers) { webSecurity.apply(configurer); } } // 构建过滤器链(返回 FilterChainProxy,实现 Filter 接口) Filter filterChain = webSecurity.build(); return filterChain; }
认真流程源码
UsernamePasswordAuthenticationFilter:
UsernamePasswordAuthenticationToken
AuthenticationManager-->ProviderManager-->AbstractUserDetailsAuthenticationProvider
retrieveUser方法
additionalAuthenticationChecks方法
AbstractAuthenticationProcessingFilter--doFilter方法
successfulAuthentication方法
记住我流程源码
AbstractAuthenticationProcessingFilter--successfulAuthentication方法
loginSuccess方法-->onLoginSuccess
RememberMeAuthenticationFilter
autoLogin方法
processAutoLoginCookie方法
CSRF流程源码
授权流程源码
**AffirmativeBased(基于肯定)的逻辑是:**一票通过权
ConsensusBased (基于共识)的逻辑是 **:**赞成票多于反对票则表示通过,反对票多于赞成票则将抛出
AccessDeniedException
**UnanimousBased(基于一致)的逻辑:**一票否决权
FilterSecurityInterceptor
ExceptionTranslationFilter
