springboot整合springsecurity从Hello World到源码解析(二):springsecurity配置加载解析
springboot整合springsecurity从Hello World到源码解析(二):springsecurity配置加载解析
上一篇博客我们介绍了hellowrold入门,并且成功的看到了springsecurity的拦截效果,接下来我们就来看看springsecurity是如何做到的。
系列其它文章
[springboot整合springsecurity从Hello World到源码解析(一):hello world程序入门](https://blog.csdn.net/Iperishing/article/details/86504847)
[springboot整合springsecurity从Hello World到源码解析(二):springsecurity配置加载解析](https://blog.csdn.net/Iperishing/article/details/86505017)
[springboot整合springsecurity从Hello World到源码解析(三):基础配置详解](https://blog.csdn.net/Iperishing/article/details/86505120)
[springboot整合springsecurity从Hello World到源码解析(四):springsecurity基础架构解析](https://blog.csdn.net/Iperishing/article/details/86521621)
[springboot整合springsecurity从Hello World到源码解析(五):springsecurity+jwt整合restful服务](https://blog.csdn.net/Iperishing/article/details/86575416)
启动配置详解
我们知道(不知道的就当知道吧,哈哈),springboot启动时会帮我自动配置好很多的默认配置项,并且加载配置类都会写在spring.factories文件中,所以我们这里开始,看看springsecurity做了
那些配置,打开idea,ctrl+shift+n * 2,查找spring.factories文件:如下:
spring.factories
随后在该配置文件中,查找security,如下:
security
我们可以看到,一共初始化了9个security相关的类,这里我们不关注oauth2(以后再说)和reactive(springboot2以后新特性),还有
SecurityAutoConfiguration, SecurityRequestMatcherProviderAutoConfiguration, SecurityFilterAutoConfiguration, UserDetailsServiceAutoConfiguration这四个类,首先我们看下
SecurityAutoConfiguration:
1@Configuration
2@ConditionalOnClass(DefaultAuthenticationEventPublisher.class)
3@EnableConfigurationProperties(SecurityProperties.class)
4@Import({ SpringBootWebSecurityConfiguration.class, WebSecurityEnablerConfiguration.class,
5 SecurityDataConfiguration.class })
6public class SecurityAutoConfiguration {
7
8 @Bean
9 @ConditionalOnMissingBean(AuthenticationEventPublisher.class)
10 public DefaultAuthenticationEventPublisher authenticationEventPublisher(
11 ApplicationEventPublisher publisher) {
12 return new DefaultAuthenticationEventPublisher(publisher);
13 }
14
15}
-
1.可以看出,这个类初始化了DefaultAuthenticationEventPublisher,看名字就知道,一个事件发布器,其内部实现就是spring的ApplicationEventPublisher,
用于springsecurity各种权限时间的交互,如登陆失败,会发布一个事件,然后通知其它组件做出相应的响应。 -
2.导入了一个配置类,SecurityProperties,如下:
1private String name = "user";
2
3private String password = UUID.randomUUID().toString();
4
5private List roles = new ArrayList<>();
6
7private boolean passwordGenerated = true;
现在我们知道,我们上一篇博客中yml文件中配置的用户名密码就是这这里的配置,如果不进行配置,默认生成一个uuid的密码,从控制台可以看到该密码。
- 3.另外导入了三个配置项
SpringBootWebSecurityConfiguration.class, WebSecurityEnablerConfiguration.class, SecurityDataConfiguration.class
其中data相关的因为此处我们没有导入spring-data相关的引用,不生效。
然后我们继续观察 WebSecurityEnablerConfiguration.class,看名字我们知道这是web环境下的初始化的配置,如下:
1@Configuration
2@ConditionalOnBean(WebSecurityConfigurerAdapter.class)
3@ConditionalOnMissingBean(name = BeanIds.SPRING_SECURITY_FILTER_CHAIN)
4@ConditionalOnWebApplication(type = ConditionalOnWebApplication.Type.SERVLET)
5@EnableWebSecurity
6public class WebSecurityEnablerConfiguration {
7
8}
主要作用帮我们加入了 @EnableWebSecurity注解,该注解的作用为开启springsecurity httpsecurity的自定义配置,即我们可以自己定义web环境的url配置(后面的主要关注点)。
接下来就是@SpringBootWebSecurityConfiguration,如下:
1@Configuration
2@ConditionalOnClass(WebSecurityConfigurerAdapter.class)
3@ConditionalOnMissingBean(WebSecurityConfigurerAdapter.class)
4@ConditionalOnWebApplication(type = Type.SERVLET)
5public class SpringBootWebSecurityConfiguration {
6
7 @Configuration
8 @Order(SecurityProperties.BASIC_AUTH_ORDER)
9 static class DefaultConfigurerAdapter extends WebSecurityConfigurerAdapter {
10
11 }
12
13}
关键点来了,这个配置项检查了servlet环境下spring容器中是否有WebSecurityConfiguraerAdapter这个bean,如果没有,就帮我们默认初始化了一个。所以我们对于springsecurity
的配置就要继承WebSecurityConfigurerAdapter,然后实现自定义的配置。
以上就是SecurityAutoConfiguration该配置项的作用,接下来我们看下SecurityRequestMatcherProviderAutoConfiguration
SecurityRequestMatcherProviderAutoConfiguration
1@Configuration
2@ConditionalOnClass({ RequestMatcher.class })
3@ConditionalOnWebApplication(type = ConditionalOnWebApplication.Type.SERVLET)
4public class SecurityRequestMatcherProviderAutoConfiguration {
5
6 @Configuration
7 @ConditionalOnClass(DispatcherServlet.class)
8 @ConditionalOnBean(HandlerMappingIntrospector.class)
9 public static class MvcRequestMatcherConfiguration {
10
11 @Bean
12 @ConditionalOnClass(DispatcherServlet.class)
13 public RequestMatcherProvider requestMatcherProvider(
14 HandlerMappingIntrospector introspector) {
15 return new MvcRequestMatcherProvider(introspector);
16 }
17
18 }
19
20 @Configuration
21 @ConditionalOnClass(ResourceConfig.class)
22 @ConditionalOnMissingClass("org.springframework.web.servlet.DispatcherServlet")
23 @ConditionalOnBean(JerseyApplicationPath.class)
24 public static class JerseyRequestMatcherConfiguration {
25
26 @Bean
27 public RequestMatcherProvider requestMatcherProvider(
28 JerseyApplicationPath applicationPath) {
29 return new JerseyRequestMatcherProvider(applicationPath);
30 }
31
32 }
33
34}
可以看出,主要初始化了一个MvcRequestMatcherProvider,了解过springmvc的同学应该知道,springmvc处理请求映射的主要类就是HandlerMapping,而HandlerMappingIntrospector
类是HandlerMapping的集合工具类,springsecurity此处就是从spring容器中获取了该工具类,然后供自己内部使用(处理我们的自定义映射,后面具体讲解)。
1public class MvcRequestMatcherProvider implements RequestMatcherProvider {
2
3 private final HandlerMappingIntrospector introspector;
4
5 public MvcRequestMatcherProvider(HandlerMappingIntrospector introspector) {
6 this.introspector = introspector;
7 }
8
9 @Override
10 public RequestMatcher getRequestMatcher(String pattern) {
11 return new MvcRequestMatcher(this.introspector, pattern);
12 }
13
14}
接下来就是SecurityFilterAutoConfiguration了:
SecurityFilterAutoConfiguration
1@Configuration
2@ConditionalOnWebApplication(type = Type.SERVLET)
3@EnableConfigurationProperties(SecurityProperties.class)
4@ConditionalOnClass({ AbstractSecurityWebApplicationInitializer.class,
5 SessionCreationPolicy.class })
6@AutoConfigureAfter(SecurityAutoConfiguration.class)
7public class SecurityFilterAutoConfiguration {
8
9 private static final String DEFAULT_FILTER_NAME = AbstractSecurityWebApplicationInitializer.DEFAULT_FILTER_NAME;
10
11 @Bean
12 @ConditionalOnBean(name = DEFAULT_FILTER_NAME)
13 public DelegatingFilterProxyRegistrationBean securityFilterChainRegistration(
14 SecurityProperties securityProperties) {
15 DelegatingFilterProxyRegistrationBean registration = new DelegatingFilterProxyRegistrationBean(
16 DEFAULT_FILTER_NAME);
17 registration.setOrder(securityProperties.getFilter().getOrder());
18 registration.setDispatcherTypes(getDispatcherTypes(securityProperties));
19 return registration;
20 }
21
22 private EnumSet getDispatcherTypes(
23 SecurityProperties securityProperties) {
24 if (securityProperties.getFilter().getDispatcherTypes() == null) {
25 return null;
26 }
27 return securityProperties.getFilter().getDispatcherTypes().stream()
28 .map((type) -> DispatcherType.valueOf(type.name())).collect(Collectors
29 .collectingAndThen(Collectors.toSet(), EnumSet::copyOf));
30 }
31
32}
首先,我们发现这个类有一个@AutoConfigureAfter(SecurityAutoConfiguration.class),也就是说这个类要在我们讲的第一个SecurityAutoConfiguration才行(why? 别急),
然后它拿到我们一开始说的SecurityProperties,帮我们做了一个Filter:但是!这个filter具体是啥,它沒有直接告訴我們,只把它在spring中的bean的名字给出来了,springSecurityFilterChain,
也就是説存在一个这样名字的springsecurity的filter,然后被spring代理了,管理它的生命周期。但是从名字我们大概可以猜出,不只是一个filter,是一个filter列表,既然这样,那我们直接在项目中搜索,看那个地方有这个名字的bean
最终在该地方找到:
springSecurityFilterChain
,
发现该类是在WebSecurityConfiguration中初始化的,那WebSecurityConfiguration又是在哪来的呢,上面我们说到@EnableWebSecurity的时候,开启WebSecurityAdapter的配置,其实那个时候已经导入了(哈哈,上面我也没注意到),
springSecurityFilterChain
1 private WebSecurity webSecurity;
2
3 private Boolean debugEnabled;
4
5 private List> webSecurityConfigurers;
6
7 private ClassLoader beanClassLoader;
8
9 @Bean(name = "springSecurityFilterChain")
10 public Filter springSecurityFilterChain() throws Exception {
11 boolean hasConfigurers = webSecurityConfigurers != null
12 && !webSecurityConfigurers.isEmpty();
13 if (!hasConfigurers) {
14 WebSecurityConfigurerAdapter adapter = objectObjectPostProcessor
15 .postProcess(new WebSecurityConfigurerAdapter() {
16 });
17 webSecurity.apply(adapter);
18 }
19 return webSecurity.build();
20 }
我们注意到这个初始化类有两个主要成员变量,WebSecurity和webSecurityConfigurers,而从这个springSecurityFilterChain方法我们可以看到该filter是通过构造器WebSecurity构造而来,
纳尼? 既然Websecurity构造了springSecurityFilterChain,那为什么下面还有一个 webSecurityConfigurers,并且是一个WebSecurity的list呢?
别急,我们来看下他们之间的关系。我们注意到还有这样一个方法:
1@Autowired(required = false)
2public void setFilterChainProxySecurityConfigurer(
3 ObjectPostProcessor从这里我们就知道他们的关系了, 这个webSecurityConfigurers是通过spring注入进去的(尼玛,我都快整蒙圈了),他就代表那个过滤器链,也就是权限控制的关键,而我们一开始看到的Websecurity就是这个过滤器链的入口,由它来一个个的将
过过滤器链引用作为自己的成员变量,好了,他们之间的关系我们搞清楚了,接下来就又多了一个新问题,那个过滤器链又是在哪里给初始化了呢。
@Value("#{@autowiredWebSecurityConfigurersIgnoreParents.getWebSecurityConfigurers()}")
这个el表达式的bean同样在这个配置类中:
1@Bean
2public static AutowiredWebSecurityConfigurersIgnoreParents autowiredWebSecurityConfigurersIgnoreParents(
3 ConfigurableListableBeanFactory beanFactory) {
4 return new AutowiredWebSecurityConfigurersIgnoreParents(beanFactory);
5}
那我们继续看这个AutowiredWebSecurityConfigurersIgnoreParents,它拿到了spring的容器beanFactory,然后得到了那个过滤器链,然后我还是太天真:
1@SuppressWarnings({ "rawtypes", "unchecked" })
2 public List> getWebSecurityConfigurers() {
3 List> webSecurityConfigurers = new ArrayList>();
4 Map beansOfType = beanFactory
5 .getBeansOfType(WebSecurityConfigurer.class);
6 for (Entry entry : beansOfType.entrySet()) {
7 webSecurityConfigurers.add(entry.getValue());
8 }
9 return webSecurityConfigurers;
10 }
它居然不是直接初始化的,而是从beanFactory中取出来了所有WebSecurityConfigurer类型的bean,尼玛!那我们接着看实现了WebSecurityConfigurer并且作为bean在spring中已经初始化了类是哪一个,
不着不知道,依照吓一跳,查看类关系,居然又回到了最初的起点:
springSecurityFilterChain
又是它!,我们继续查看他,终于!我们找到了那个过滤器链!
1protected final HttpSecurity getHttp() throws Exception {
2 if (http != null) {
3 return http;
4 }
5
6 DefaultAuthenticationEventPublisher eventPublisher = objectPostProcessor
7 .postProcess(new DefaultAuthenticationEventPublisher());
8 localConfigureAuthenticationBldr.authenticationEventPublisher(eventPublisher);
9
10 AuthenticationManager authenticationManager = authenticationManager();
11 authenticationBuilder.parentAuthenticationManager(authenticationManager);
12 authenticationBuilder.authenticationEventPublisher(eventPublisher);
13 Map, Object> sharedObjects = createSharedObjects();
14
15 http = new HttpSecurity(objectPostProcessor, authenticationBuilder,
16 sharedObjects);
17 if (!disableDefaults) {
18 // @formatter:off
19 http
20 .csrf().and()
21 .addFilter(new WebAsyncManagerIntegrationFilter())
22 .exceptionHandling().and()
23 .headers().and()
24 .sessionManagement().and()
25 .securityContext().and()
26 .requestCache().and()
27 .anonymous().and()
28 .servletApi().and()
29 .apply(new DefaultLoginPageConfigurer<>()).and()
30 .logout();
31 // @formatter:on
32 ClassLoader classLoader = this.context.getClassLoader();
33 List defaultHttpConfigurers =
34 SpringFactoriesLoader.loadFactories(AbstractHttpConfigurer.class, classLoader);
35
36 for (AbstractHttpConfigurer configurer : defaultHttpConfigurers) {
37 http.apply(configurer);
38 }
39 }
40 configure(http);
41 return http;
42 }
由此方法我们得知,最终的过滤器链是保存在HttpSecuriry中,并且通过spring把所有AbstractHttpConfigurer子类都加入到容器中并且加入到了过滤器链中 http:apply(…) :
那我们看下AbstractHttpConfigurer有哪些子类
springSecurityFilterChain
,
:sob: 终于找到了,顺便看下HttpSecurity构成:
1public final class HttpSecurity extends
2 AbstractConfiguredSecurityBuilder
3 implements SecurityBuilder,
4 HttpSecurityBuilder {
5 private final RequestMatcherConfigurer requestMatcherConfigurer;
6 private List filters = new ArrayList<>();
7 private RequestMatcher requestMatcher = AnyRequestMatcher.INSTANCE;
8 private FilterComparator comparator = new FilterComparator();
另外从上面那个方法中,我们还看到了一个很熟悉的过滤器:DefaultLoginPageConfigurer,我们查看它。
1private DefaultLoginPageGeneratingFilter loginPageGeneratingFilter = new DefaultLoginPageGeneratingFilter();
2private DefaultLogoutPageGeneratingFilter logoutPageGeneratingFilter = new DefaultLogoutPageGeneratingFilter();
它有两个过滤器,登陆页面和注销页面,我们继续查看登陆页面,这个时候发现一点意外的收获:
1public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
2 throws IOException, ServletException {
3 HttpServletRequest request = (HttpServletRequest) req;
4 HttpServletResponse response = (HttpServletResponse) res;
5
6 boolean loginError = isErrorPage(request);
7 boolean logoutSuccess = isLogoutSuccess(request);
8 if (isLoginUrlRequest(request) || loginError || logoutSuccess) {
9 String loginPageHtml = generateLoginPageHtml(request, loginError,
10 logoutSuccess);
11 response.setContentType("text/html;charset=UTF-8");
12 response.setContentLength(loginPageHtml.getBytes(StandardCharsets.UTF_8).length);
13 response.getWriter().write(loginPageHtml);
14
15 return;
16 }
17
18 chain.doFilter(request, response);
19 }
20
21 private String generateLoginPageHtml(HttpServletRequest request, boolean loginError,
22 boolean logoutSuccess) {
23 String errorMsg = "Invalid credentials";
24
25 if (loginError) {
26 HttpSession session = request.getSession(false);
27
28 if (session != null) {
29 AuthenticationException ex = (AuthenticationException) session
30 .getAttribute(WebAttributes.AUTHENTICATION_EXCEPTION);
31 errorMsg = ex != null ? ex.getMessage() : "Invalid credentials";
32 }
33 }
34
35 StringBuilder sb = new StringBuilder();
36
37 sb.append("\n"
38 + "\n"
39 + " \n"
40 + " \n"
41 + " \n"
42 + " \n"
43 + " \n"
44 + " Please sign in \n"
45 + " \n"
46 + " \n"
47 + " \n"
48 + " \n"
49 + " \n");
50
51 String contextPath = request.getContextPath();
52 if (this.formLoginEnabled) {
53 sb.append(" \n"
54 + " Please sign in\n"
55 + createError(loginError, errorMsg)
56 + createLogoutSuccess(logoutSuccess)
57 + " \n"
58 + " Username\n"
59 + " \n"
60 + "
\n"
61 + " \n"
62 + " Password\n"
63 + " \n"
64 + "
\n"
65 + createRememberMe(this.rememberMeParameter)
66 + renderHiddenInputs(request)
67 + " Sign in\n"
68 + " \n");
69 }
70
71 if (openIdEnabled) {
72 sb.append(" \n"
73 + " Login with OpenID Identity\n"
74 + createError(loginError, errorMsg)
75 + createLogoutSuccess(logoutSuccess)
76 + " \n"
77 + " Identity\n"
78 + " \n"
79 + "
\n"
80 + createRememberMe(this.openIDrememberMeParameter)
81 + renderHiddenInputs(request)
82 + " Sign in\n"
83 + " \n");
84 }
85
86 if (oauth2LoginEnabled) {
87 sb.append("Login with OAuth 2.0");
88 sb.append(createError(loginError, errorMsg));
89 sb.append(createLogoutSuccess(logoutSuccess));
90 sb.append("\n");
91 for (Map.Entry clientAuthenticationUrlToClientName : oauth2AuthenticationUrlToClientName.entrySet()) {
92 sb.append(" ");
93 String url = clientAuthenticationUrlToClientName.getKey();
94 sb.append("");
95 String clientName = HtmlUtils.htmlEscape(clientAuthenticationUrlToClientName.getValue());
96 sb.append(clientName);
97 sb.append("");
98 sb.append("