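Registering your own class in the Spring container:

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
import org.springframework.security.crypto.password.PasswordEncoder;

@Configuration
public class AddBean {
    // Exposes a BCrypt-based PasswordEncoder as a Spring bean
    @Bean
    PasswordEncoder passwordEncoder() {
        return new BCryptPasswordEncoder();
    }
}

Where you need to use it:

@Autowired
PasswordEncoder passwordEncoder;

======= Video walkthrough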
public class FilterChainProxy extends GenericFilterBean {
    @Override
    public void doFilter(ServletRequest request, ServletResponse response,
            FilterChain chain) throws IOException, ServletException {
        try {
            request.setAttribute(FILTER_APPLIED, Boolean.TRUE);
            doFilterInternal(request, response, chain);
        } catch (RequestRejectedException e) {
            this.requestRejectedHandler.handle((HttpServletRequest) request, (HttpServletResponse) response, e);
        }
    }

    private void doFilterInternal(ServletRequest request, ServletResponse response,
            FilterChain chain) throws IOException, ServletException {
        // Wrap the request and response with the configured HttpFirewall
        FirewalledRequest fwRequest = firewall.getFirewalledRequest((HttpServletRequest) request);
        HttpServletResponse fwResponse = firewall.getFirewalledResponse((HttpServletResponse) response);
        List<Filter> filters = getFilters(fwRequest);
        // No SecurityFilterChain matched: continue with the container's own chain only
        if (filters == null || filters.size() == 0) {
            chain.doFilter(fwRequest, fwResponse);
            return;
        }
        VirtualFilterChain vfc = new VirtualFilterChain(fwRequest, chain, filters);
        vfc.doFilter(fwRequest, fwResponse);
    }
    private static class VirtualFilterChain implements FilterChain {
        private final FilterChain originalChain;
        private final List<Filter> additionalFilters;
        private final FirewalledRequest firewalledRequest;
        private final int size;
        private int currentPosition = 0;

        private VirtualFilterChain(FirewalledRequest firewalledRequest,
                FilterChain chain, List<Filter> additionalFilters) {
            this.originalChain = chain;
            this.additionalFilters = additionalFilters;
            this.size = additionalFilters.size();
            this.firewalledRequest = firewalledRequest;
        }

        @Override
        public void doFilter(ServletRequest request, ServletResponse response)
                throws IOException, ServletException {
            if (currentPosition == size) {
                if (logger.isDebugEnabled()) {
                    logger.debug(UrlUtils.buildRequestUrl(firewalledRequest)
                            + " reached end of additional filter chain; proceeding with original chain");
                }
                // Deactivate path stripping as we exit the security filter chain
                this.firewalledRequest.reset();
                originalChain.doFilter(request, response);
            }
            else {
                currentPosition++;
                Filter nextFilter = additionalFilters.get(currentPosition - 1);
                if (logger.isDebugEnabled()) {
                    logger.debug(UrlUtils.buildRequestUrl(firewalledRequest)
                            + " at position " + currentPosition + " of " + size
                            + " in additional filter chain; firing Filter: '"
                            + nextFilter.getClass().getSimpleName() + "'");
                }
                nextFilter.doFilter(request, response, this);
            }
        }
    }
}
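First, declare the class to be injected, the entry-point class, in the web.xml configuration file (this is what gets added to the container [which may be Spring, or may be Tomcat]):

<filter>
    <filter-name>springSecurityFilterChain</filter-name>
    <filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
</filter>

If you don't know what it does, just set a breakpoint and debug it.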
public class FilterChainProxy extends GenericFilterBean {
    // Set a breakpoint in doFilterInternal(); the filters are wrapped inside it:
    //     List<Filter> filters = this.getFilters((HttpServletRequest) fwRequest);

    // Returns the filters of the first SecurityFilterChain that matches the request, or null if none matches
    private List<Filter> getFilters(HttpServletRequest request) {
        Iterator var2 = this.filterChains.iterator();
        SecurityFilterChain chain;
        do {
            if (!var2.hasNext()) {
                return null;
            }
            chain = (SecurityFilterChain) var2.next();
        } while (!chain.matches(request));
        return chain.getFilters();
    }
}

public interface SecurityFilterChain {
    boolean matches(HttpServletRequest var1);
    List<Filter> getFilters();
}

public final class DefaultSecurityFilterChain implements SecurityFilterChain {
}
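The dispatch logic above (first-match selection in getFilters() and the position-based traversal in VirtualFilterChain), reduced to a stand-alone model; this is an added example, not Spring Security source. The types Chain, Filter, SecurityChain and the filter names "headers" and "authz" are hypothetical stand-ins, and requests are modelled as plain path strings.

```java
import java.util.*;
import java.util.function.Predicate;

public class FilterChainDemo {
    interface Chain { void doFilter(String path, List<String> trace); }
    interface Filter { void doFilter(String path, List<String> trace, Chain next); }

    // Stand-in for SecurityFilterChain: a request matcher plus an ordered filter list.
    static final class SecurityChain {
        final Predicate<String> matcher;
        final List<Filter> filters;
        SecurityChain(Predicate<String> m, Filter... f) { matcher = m; filters = Arrays.asList(f); }
    }

    // First-match rule of getFilters(): later chains are never consulted; null means none matched.
    static List<Filter> getFilters(List<SecurityChain> chains, String path) {
        for (SecurityChain c : chains) {
            if (c.matcher.test(path)) return c.filters;
        }
        return null;
    }

    // Traversal of VirtualFilterChain: run each filter in order, then hand over to the original chain.
    static List<String> dispatch(List<SecurityChain> chains, String path) {
        List<String> trace = new ArrayList<>();
        Chain original = (p, t) -> t.add("servlet");
        List<Filter> filters = getFilters(chains, path);
        if (filters == null || filters.isEmpty()) { original.doFilter(path, trace); return trace; }
        new Chain() {
            private int currentPosition = 0;
            public void doFilter(String p, List<String> t) {
                if (currentPosition == filters.size()) original.doFilter(p, t);
                else filters.get(currentPosition++).doFilter(p, t, this);
            }
        }.doFilter(path, trace);
        return trace;
    }

    static Filter pass(String name) { return (p, t, next) -> { t.add(name); next.doFilter(p, t); }; }
    static Filter deny(String name) { return (p, t, next) -> t.add(name + ":403"); } // never calls next

    public static void main(String[] args) {
        SecurityChain any = new SecurityChain(p -> true, pass("headers"));
        SecurityChain admin = new SecurityChain(p -> p.startsWith("/admin"), pass("headers"), deny("authz"));
        // Specific chain registered first: the authz filter is consulted for /admin/users.
        System.out.println(dispatch(Arrays.asList(admin, any), "/admin/users"));
        // Catch-all registered first: it shadows the admin chain, so authz never runs.
        System.out.println(dispatch(Arrays.asList(any, admin), "/admin/users"));
    }
}
```

The second call shows why chain order is worth reviewing: a broad matcher placed ahead of a specific one silently removes the specific chain's filters from the request path.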
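Backend API security is a must.
How to build a framework of your own on top of Spring: [integrate Spring's environment classes, then inject manually]

public abstract class GenericFilterBean implements Filter, BeanNameAware, EnvironmentAware, EnvironmentCapable, ServletContextAware, InitializingBean, DisposableBean {
    // WebApplicationContextUtils.getWebApplicationContext() is a Spring-provided utility for obtaining the Spring context; beans can then be injected into the container manually.
    // While the entry-point class initializes, it adds your own core logic classes one after another
}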
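One way to apply the manual-lookup approach described above, as an added example that is not code from Spring or from the original notes: a filter declared directly in web.xml fetches the PasswordEncoder bean from the Spring context itself. The class name ApiTokenFilter, the header X-Api-Token and the init-param tokenHash are hypothetical.

```java
import java.io.IOException;
import javax.servlet.FilterChain;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.springframework.security.crypto.password.PasswordEncoder;
import org.springframework.web.context.WebApplicationContext;
import org.springframework.web.context.support.WebApplicationContextUtils;
import org.springframework.web.filter.GenericFilterBean;

// Hypothetical filter registered in web.xml, so Spring does not autowire its fields.
public class ApiTokenFilter extends GenericFilterBean {
    private static final String HEADER = "X-Api-Token"; // hypothetical header name
    private PasswordEncoder encoder;
    private String tokenHash; // BCrypt hash of the expected token

    // GenericFilterBean maps the <init-param> named "tokenHash" onto this setter.
    public void setTokenHash(String tokenHash) {
        this.tokenHash = tokenHash;
    }

    @Override
    protected void initFilterBean() throws ServletException {
        // Throws IllegalStateException if no root WebApplicationContext was loaded.
        WebApplicationContext wac =
                WebApplicationContextUtils.getRequiredWebApplicationContext(getServletContext());
        this.encoder = wac.getBean(PasswordEncoder.class);
        if (tokenHash == null) {
            throw new ServletException("init-param tokenHash is required");
        }
    }

    @Override
    public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
            throws IOException, ServletException {
        String presented = ((HttpServletRequest) request).getHeader(HEADER);
        // Fail closed: a missing or non-matching token ends the request here.
        if (presented == null || !encoder.matches(presented, tokenHash)) {
            ((HttpServletResponse) response).sendError(HttpServletResponse.SC_UNAUTHORIZED);
            return;
        }
        chain.doFilter(request, response);
    }
}
```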
// In essence it implements the javax.servlet Filter interface, so it automatically becomes part of the servlet lifecycle and runs there; Tomcat invokes this method
public class FilterChainProxy extends GenericFilterBean {
    public void doFilter(ServletRequest request, ServletResponse response,
            FilterChain chain) {
        // ... FilterChain chain: these filters
    }
}

Spring Security is simply a chain of filters built on GenericFilterBean (every node/filter extends GenericFilterBean).

public abstract class GenericFilterBean implements Filter, BeanNameAware, EnvironmentAware,
        EnvironmentCapable, ServletContextAware, InitializingBean, DisposableBean {}
public class DelegatingFilterProxy extends GenericFilterBean {
    public void doFilter(ServletRequest request, ServletResponse response, FilterChain filterChain) throws ServletException, IOException {
        Filter delegateToUse = this.delegate;
        WebApplicationContext wac = this.findWebApplicationContext();
        delegateToUse = this.initDelegate(wac); // add the filter
        // Execute the filter so that the filter chain takes effect
        this.invokeDelegate(delegateToUse, request, response, filterChain);
    }
}

public DefaultSecurityFilterChain(RequestMatcher requestMatcher, Filter... filters) {
    this(requestMatcher, Arrays.asList(filters));
}

Variable-length argument list: Object... obj
You can pass a single Object[] array, or pass several objects.
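SecurityContextPersistenceFilter: the entry point [stores the current user's authentication and authorization information]
WebAsyncManagerIntegrationFilter: asynchronous execution
HeaderWriterFilter: adds the corresponding information to the request's Header
CsrfFilter: protects against CSRF attacks
LogoutFilter: logout
UsernamePasswordAuthenticationFilter: authentication [the path is hard-coded as /login]
DefaultLoginPageGeneratingFilter: [the default login page]
DefaultLogoutPageGeneratingFilter: [the default logout page]
BasicAuthenticationFilter: automatically parses the HTTP request header named Authentication
RequestCacheAwareFilter: used to cache the HttpServletRequest
SecurityContextHolderAwareRequestFilter: wraps the ServletRequest
AnonymousAuthenticationFilter: used for anonymous login
SessionManagementFilter: limits how many sessions the same user can have open
ExceptionTranslationFilter: translates exceptions raised anywhere along the chain
FilterSecurityInterceptor: authorization

A filter is simply this: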
package javax.servlet;

import java.io.IOException;

public interface Filter {
    public void doFilter(ServletRequest request, ServletResponse response,
            FilterChain chain) throws IOException, ServletException;
}

public interface FilterChain {
    public void doFilter(ServletRequest request, ServletResponse response)
            throws IOException, ServletException;
}
Where the dream begins