前言
总结创建WebSecuirty的创建过程,及其构建过程。有和前面重复的地方,不管了…
1. 用户自定义的配置类
@EnableWebSecurity
@ComponentScan(
"fn.wd.security")
public class SpringSecurityConfiger extends WebSecurityConfigurerAdapter {
...
}
2. @EnableWebSecurity
@Import({ WebSecurityConfiguration.class, ObjectPostProcessorConfiguration.class,
SpringWebMvcImportSelector.class })
@EnableGlobalAuthentication
@Configuration
public @interface EnableWebSecurity {
...
}
3. WebSecurityConfiguration中创建WebSecurity
@Autowired(required =
false)
public void setFilterChainProxySecurityConfigurer(
ObjectPostProcessor<Object> objectPostProcessor,
List<SecurityConfigurer<Filter, WebSecurity>> webSecurityConfigurers) {
webSecurity = objectPostProcessor
.postProcess(
new WebSecurity(objectPostProcessor));
if (debugEnabled !=
null) {
webSecurity.debug(debugEnabled);
}
Collections.sort(webSecurityConfigurers, AnnotationAwareOrderComparator.INSTANCE);
Integer previousOrder =
null;
Object previousConfig =
null;
for (SecurityConfigurer<Filter, WebSecurity> config : webSecurityConfigurers) {
Integer
order = AnnotationAwareOrderComparator.lookupOrder(config);
if (previousOrder !=
null && previousOrder.equals(
order)) {
throw new IllegalStateException(
"@Order on WebSecurityConfigurers must be unique. Order of "
+
order +
" was already used on " + previousConfig +
", so it cannot be used on "
+ config +
" too.");
}
previousOrder =
order;
previousConfig = config;
}
for (SecurityConfigurer<Filter, WebSecurity> webSecurityConfigurer : webSecurityConfigurers) {
webSecurity.apply(webSecurityConfigurer);
}
this.webSecurityConfigurers = webSecurityConfigurers;
}
可以看到,webSecurityConfigurers中就是我们自定义的那一个:
4. WebSecurityConfiguration中触发WebSecurity的构建过程
@Bean(name = AbstractSecurityWebApplicationInitializer.DEFAULT_FILTER_NAME)
public Filter
springSecurityFilterChain()
throws Exception {
boolean hasConfigurers = webSecurityConfigurers !=
null
&& !webSecurityConfigurers.isEmpty();
if (!hasConfigurers) {
WebSecurityConfigurerAdapter adapter = objectObjectPostProcessor
.postProcess(
new WebSecurityConfigurerAdapter() {
});
webSecurity.apply(adapter);
}
return webSecurity.build();
}
AbstractConfiguredSecurityBuilder是WebSecurity的父类,定义了doBuild()方法的执行模版。
protected final O
doBuild()
throws Exception {
synchronized (configurers) {
buildState = BuildState.INITIALIZING;
beforeInit();
init();
buildState = BuildState.CONFIGURING;
beforeConfigure();
configure();
buildState = BuildState.BUILDING;
O result = performBuild();
buildState = BuildState.BUILT;
return result;
}
}
这里触发了HttpSecurity的创建(后面详细讨论),并将其设置到WebSecurity中。
public void init(
final WebSecurity web)
throws Exception {
final HttpSecurity http = getHttp();
web.addSecurityFilterChainBuilder(http).postBuildAction(
new Runnable() {
public void run() {
FilterSecurityInterceptor securityInterceptor = http
.getSharedObject(FilterSecurityInterceptor.class);
web.securityInterceptor(securityInterceptor);
}
});
}
注意:这个类并不是框架的,是需要用户自定义实现的。WebSecurityConfigurerAdapter中configurer()是空实现的,由子类(用户自定义的)去完成实现。一个例子:
@EnableWebSecurity
@ComponentScan(
"fn.wd.security")
public class SpringSecurityConfiger extends WebSecurityConfigurerAdapter {
@Override
public void configure(WebSecurity web)
throws Exception {
web.ignoring().antMatchers(
"/static/**");
web.ignoring().antMatchers(
"/favicon.ico");
web.ignoring().antMatchers(
"/resources/**");
}
}
它的功能还记得吗?前文有提到哦~~
有关异常和校验等的代码被我删掉了,只保留了核心的,请自行查看源码。
@Override
protected Filter
performBuild()
throws Exception {
int chainSize = ignoredRequests.size() + securityFilterChainBuilders.size();
List<SecurityFilterChain> securityFilterChains
=
new ArrayList<SecurityFilterChain>(chainSize);
for (RequestMatcher ignoredRequest : ignoredRequests) {
securityFilterChains.add(
new DefaultSecurityFilterChain(ignoredRequest));
}
for (SecurityBuilder<? extends SecurityFilterChain> securityFilterChainBuilder : securityFilterChainBuilders) {
securityFilterChains.add(securityFilterChainBuilder.build());
}
FilterChainProxy filterChainProxy =
new FilterChainProxy(securityFilterChains);
if (httpFirewall !=
null) {
filterChainProxy.setFirewall(httpFirewall);
}
filterChainProxy.afterPropertiesSet();
Filter result = filterChainProxy;
postBuildAction.run();
return result;
}
转载请注明原文地址: https://ju.6miu.com/read-18328.html