摘要:构建完实例后,将它设置为的父认证管理器并将该传入构造器构建实例。,目前为止已经被初始化,接下去需要设置对象添加至的列表中打开类结构,和一样,它也实现了接口,同样继承自。最后返回的是的默认实现。
最近在整合微服务OAuth 2认证过程中,它是基于Spring Security之上,而本人对Spring Security架构原理并不太熟悉,导致很多配置搞不太清楚,遂咬牙啃完了Spring Security核心源码,花了差不多一星期,总体上来说,其代码确实比较晦涩,之前在学习Apache Shiro框架之前也曾经在相关论坛里了解过,相比Spring Security,Apache Shiro真的是相当轻量,代码研读起来容易很多,而Spring Security类继承结构复杂,大量使用了其所谓Builder和Configuer模式,其代码跟踪过程很痛苦,遂记录下,分享给有需要的人,由于本人能力有限,在文章中有不对之处,还请各位执教,在此谢谢各位了。
本人研读的Spring Security版本为:5.1.4.RELEASE
Spring Security在3.2版本之后支持Java Configuration,即:通过Java编码形式配置Spring Security,可不再依赖XML文件配置,本文采用Java Configuration方式。
在Spring Security官方文档中有一个最简配置例子:
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.context.annotation.*;
import org.springframework.security.config.annotation.authentication.builders.*;
import org.springframework.security.config.annotation.web.configuration.*;
@Configuration
@EnableWebSecurity
public class SecurityConfig extends WebSecurityConfigurerAdapter {
@Autowired
public void configureGlobal(AuthenticationManagerBuilder auth) throws Exception {
auth
.inMemoryAuthentication()
.withUser("user").password("password").roles("USER");
}
}
我们先不要看其它内容,先关注注解@EnableWebSecurity ,它是初始化Spring Security的入口,打开其源码如下:
@Retention(value = java.lang.annotation.RetentionPolicy.RUNTIME)
@Target(value = { java.lang.annotation.ElementType.TYPE })
@Documented
@Import({ WebSecurityConfiguration.class,
SpringWebMvcImportSelector.class,
OAuth2ImportSelector.class })
@EnableGlobalAuthentication
@Configuration
public @interface EnableWebSecurity {
/**
* Controls debugging support for Spring Security. Default is false.
* @return if true, enables debug support with Spring Security
*/
boolean debug() default false;
}
该注解类通过@Configuration 和@Import 配合使用引入了一个配置类(WebSecurityConfiguration )和两个ImportSelector(SpringWebMvcImportSelector ,OAuth2ImportSelector ),我们重点关注下WebSecurityConfiguration ,它是Spring Security的核心,正是它构建初始化了所有的Bean实例和相关配置,下面我们详细分析下。
打开WebSecurityConfiguration 源码,发现它被@Configuration 标记,说明它是配置类,
@Configuration
public class WebSecurityConfiguration implements ImportAware, BeanClassLoaderAware
该类中最重要的工作就是实例并注册FilterChainProxy ,也就是我们在以前XML文件中配置的过滤器:
springSecurityFilterChain
org.springframework.web.filter.DelegatingFilterProxy
springSecurityFilterChain
/*
该过滤器负责拦截请求,并把请求通过一定的匹配规则(通过RequestMatcher匹配实现)路由(或者Delegate)到具体的SecurityFilterChain ,源码如下:
/**
* Creates the Spring Security Filter Chain
* @return the {@link Filter} that represents the security filter chain
* @throws Exception
*/
@Bean(name = AbstractSecurityWebApplicationInitializer.DEFAULT_FILTER_NAME)
public Filter springSecurityFilterChain() throws Exception {
boolean hasConfigurers = webSecurityConfigurers != null
&& !webSecurityConfigurers.isEmpty();
if (!hasConfigurers) {
WebSecurityConfigurerAdapter adapter = objectObjectPostProcessor
.postProcess(new WebSecurityConfigurerAdapter() {
});
webSecurity.apply(adapter);
}
return webSecurity.build();
}
@Bean 注解name 属性值AbstractSecurityWebApplicationInitializer.DEFAULT_FILTER_NAME 就是XML中定义的springSecurityFilterChain 。
从源码中知道过滤器通过最后的webSecurity.build() 创建,webSecurity 的类型为:WebSecurity ,它在setFilterChainProxySecurityConfigurer 方法中优先被创建了:
/**
* Sets the {@code }
* instances used to create the web configuration.
*
* @param objectPostProcessor the {@link ObjectPostProcessor} used to create a
* {@link WebSecurity} instance
* @param webSecurityConfigurers the
* {@code } instances used to
* create the web configuration
* @throws Exception
*/
@Autowired(required = false)
public void setFilterChainProxySecurityConfigurer(
ObjectPostProcessor objectPostProcessor,
@Value("#{@autowiredWebSecurityConfigurersIgnoreParents.getWebSecurityConfigurers()}") List> webSecurityConfigurers)
throws Exception {
webSecurity = objectPostProcessor
.postProcess(new WebSecurity(objectPostProcessor));
if (debugEnabled != null) {
webSecurity.debug(debugEnabled);
}
Collections.sort(webSecurityConfigurers, AnnotationAwareOrderComparator.INSTANCE);
Integer previousOrder = null;
Object previousConfig = null;
for (SecurityConfigurer config : webSecurityConfigurers) {
Integer order = AnnotationAwareOrderComparator.lookupOrder(config);
if (previousOrder != null && previousOrder.equals(order)) {
throw new IllegalStateException(
"@Order on WebSecurityConfigurers must be unique. Order of "
+ order + " was already used on " + previousConfig + ", so it cannot be used on "
+ config + " too.");
}
previousOrder = order;
previousConfig = config;
}
for (SecurityConfigurer webSecurityConfigurer : webSecurityConfigurers) {
webSecurity.apply(webSecurityConfigurer);
}
this.webSecurityConfigurers = webSecurityConfigurers;
}
从代码中可以看到,它是直接被new出来的:
webSecurity = objectPostProcessor
.postProcess(new WebSecurity(objectPostProcessor));
setFilterChainProxySecurityConfigurer方法参数中需要被注入两个对象:objectPostProcessor 和webSecurityConfigurers ,objectPostProcessor 是在ObjectPostProcessorConfiguration 配置类中注册的,而webSecurityConfigurers 则是使用了@Value 注解方式,注解内容为:#{@autowiredWebSecurityConfigurersIgnoreParents.getWebSecurityConfigurers()} ,通过源码了解,autowiredWebSecurityConfigurersIgnoreParents 是在本类中被注册:
@Bean
public static AutowiredWebSecurityConfigurersIgnoreParents autowiredWebSecurityConfigurersIgnoreParents(
ConfigurableListableBeanFactory beanFactory) {
return new AutowiredWebSecurityConfigurersIgnoreParents(beanFactory);
}
在AutowiredWebSecurityConfigurersIgnoreParents中定义了方法:getWebSecurityConfigurers :
@SuppressWarnings({ "rawtypes", "unchecked" })
public List> getWebSecurityConfigurers() {
List> webSecurityConfigurers = new ArrayList>();
Map beansOfType = beanFactory
.getBeansOfType(WebSecurityConfigurer.class);
for (Entry entry : beansOfType.entrySet()) {
webSecurityConfigurers.add(entry.getValue());
}
return webSecurityConfigurers;
}
它通过BeanFactory获取了类型为WebSecurityConfigurer 的Bean实例列表。回到WebSecurityConfiguration 类中的setFilterChainProxySecurityConfigurer 方法,它把WebSecurityConfigurer 列表设置到了WebSecurity 中,源码如下:
for (SecurityConfigurer webSecurityConfigurer : webSecurityConfigurers) {
webSecurity.apply(webSecurityConfigurer);
}
通过apply 方法,apply方法其实就是webSecurityConfigurer 放入webSecurity 维护的configurers 属性中,configurers 是个LinkedHashMap ,源码如下:
/**
* Applies a {@link SecurityConfigurer} to this {@link SecurityBuilder} overriding any
* {@link SecurityConfigurer} of the exact same class. Note that object hierarchies
* are not considered.
*
* @param configurer
* @return the {@link SecurityConfigurerAdapter} for further customizations
* @throws Exception
*/
public > C apply(C configurer) throws Exception {
add(configurer);
return configurer;
}
其中代码add(configurer) 就是将这些webSecurityConfigurer 添加到webSecurity 的configurers 属性中。
现在webSecurity 的初始化工作已经完成,现在回到springSecurityFilterChain 方法中,它首先检查当前是否配置了webSecurityConfigurer ,如果没有的会默认设置一个,并且调用上面提到的apply 方法,源码如下:
boolean hasConfigurers = webSecurityConfigurers != null
&& !webSecurityConfigurers.isEmpty();
if (!hasConfigurers) {
WebSecurityConfigurerAdapter adapter = objectObjectPostProcessor
.postProcess(new WebSecurityConfigurerAdapter() {
});
webSecurity.apply(adapter);
}
如果已经存在配置了webSecurityConfigurer ,则调用webSecurity.build() 进行构建。
在进入build 方法之前,首先简单介绍下WebSecurity的继承结构,
它实现了SecurityBuilder 接口,继承自AbstractConfiguredSecurityBuilder ,AbstractConfiguredSecurityBuilder 继承自AbstractSecurityBuilder ,AbstractSecurityBuilder 实现了SecurityBuilder ,其中AbstractConfiguredSecurityBuilder 实现了通过自定义SecurityConfigurer 类来配置SecurityBuilder ,上面提到的apply(SecurityConfigurer configurer) 就是在该类中实现的,它把configurer保存在它维护的LinkedHashMap>, List>> configurers = new LinkedHashMap>, List>>() 中。
调用webSecurity.build() 后,首先调用的父类AbstractSecurityBuilder 中的build 方法:
public final O build() throws Exception {
if (this.building.compareAndSet(false, true)) {
this.object = doBuild();
return this.object;
}
throw new AlreadyBuiltException("This object has already been built");
}
然后调用doBuild() ,doBuild() 在子类中实现,AbstractConfiguredSecurityBuilder 实现了该方法:
@Override
protected final O doBuild() throws Exception {
synchronized (configurers) {
buildState = BuildState.INITIALIZING;
beforeInit();
init();
buildState = BuildState.CONFIGURING;
beforeConfigure();
configure();
buildState = BuildState.BUILDING;
O result = performBuild();
buildState = BuildState.BUILT;
return result;
}
}
在这里重点关注init() 、configure() 和performBuild() ,下面逐个分析它们的作用。
init() 方法在AbstractConfiguredSecurityBuilder 实现:
private void init() throws Exception {
Collection> configurers = getConfigurers();
for (SecurityConfigurer configurer : configurers) {
configurer.init((B) this);
}
for (SecurityConfigurer configurer : configurersAddedInInitializing) {
configurer.init((B) this);
}
}
它的工作是迭代调用所有配置的SecurityConfigrer 的init 方法,在这里其实是它的子类WebSecurityConfigurer ,因为之前获取时指定的类型就是WebSecurityConfigurer ,在上文中提到AutowiredWebSecurityConfigurersIgnoreParents.getWebSecurityConfigurers() 中:
Map beansOfType = beanFactory.getBeansOfType(WebSecurityConfigurer.class);
而实现了WebSecurityConfigurer 接口的就是WebSecurityConfigurerAdapter ,WebSecurityConfigurerAdapter.init() 源码如下:
public void init(final WebSecurity web) throws Exception {
final HttpSecurity http = getHttp();
web.addSecurityFilterChainBuilder(http).postBuildAction(new Runnable() {
public void run() {
FilterSecurityInterceptor securityInterceptor = http
.getSharedObject(FilterSecurityInterceptor.class);
web.securityInterceptor(securityInterceptor);
}
});
}
它只要完成两件重要的事情:
初始化HttpSecurity 对象;
设置HttpSecurity 对象添加至WebSecurity 的securityFilterChainBuilders 列表中;
初始化HttpSecurity 对象在getHttp() 方法中实现:
protected final HttpSecurity getHttp() throws Exception {
if (http != null) {
return http;
}
DefaultAuthenticationEventPublisher eventPublisher = objectPostProcessor
.postProcess(new DefaultAuthenticationEventPublisher());
localConfigureAuthenticationBldr.authenticationEventPublisher(eventPublisher);
AuthenticationManager authenticationManager = authenticationManager();
authenticationBuilder.parentAuthenticationManager(authenticationManager);
authenticationBuilder.authenticationEventPublisher(eventPublisher);
Map, Object> sharedObjects = createSharedObjects();
http = new HttpSecurity(objectPostProcessor, authenticationBuilder,
sharedObjects);
if (!disableDefaults) {
// @formatter:off
http
.csrf().and()
.addFilter(new WebAsyncManagerIntegrationFilter())
.exceptionHandling().and()
.headers().and()
.sessionManagement().and()
.securityContext().and()
.requestCache().and()
.anonymous().and()
.servletApi().and()
.apply(new DefaultLoginPageConfigurer<>()).and()
.logout();
// @formatter:on
ClassLoader classLoader = this.context.getClassLoader();
List defaultHttpConfigurers =
SpringFactoriesLoader.loadFactories(AbstractHttpConfigurer.class, classLoader);
for (AbstractHttpConfigurer configurer : defaultHttpConfigurers) {
http.apply(configurer);
}
}
configure(http);
return http;
}
从代码中可以了解,HttpSecurity 是直接被new出来的,在创建HttpSecurity 之前,首先初始化了AuthenticationManagerBuilder 对象,这里有段代码很重要就是: AuthenticationManager authenticationManager = authenticationManager(); ,它创建AuthenticationManager 实例,打开authenticationManager() 方法:
protected AuthenticationManager authenticationManager() throws Exception {
if (!authenticationManagerInitialized) {
configure(localConfigureAuthenticationBldr);
if (disableLocalConfigureAuthenticationBldr) {
authenticationManager = authenticationConfiguration
.getAuthenticationManager();
}
else {
authenticationManager = localConfigureAuthenticationBldr.build();
}
authenticationManagerInitialized = true;
}
return authenticationManager;
}
在初始化时,它会调用configure(localConfigureAuthenticationBldr); ,默认的实现是:
protected void configure(AuthenticationManagerBuilder auth) throws Exception {
this.disableLocalConfigureAuthenticationBldr = true;
}
【1、个性化配置入口之configure(AuthenticationManagerBuilder auth) 】 WebSecurityConfigurerAdapter 并重写该方法来个性化配置AuthenticationManager 。
构建完authenticationManager 实例后,将它设置为authenticationBuilder 的父认证管理器:
authenticationBuilder.parentAuthenticationManager(authenticationManager);
并将该authenticationBuilder 传入HttpSecurity 构造器构建HttpSecurity 实例。
构建完HttpSecurity 实例后,默认情况下会添加默认的拦截其配置:
http
.csrf().and()
.addFilter(new WebAsyncManagerIntegrationFilter())
.exceptionHandling().and()
.headers().and()
.sessionManagement().and()
.securityContext().and()
.requestCache().and()
.anonymous().and()
.servletApi().and()
.apply(new DefaultLoginPageConfigurer<>()).and()
.logout();
最后调用configure(http); ,这又是一个可个性化的配置入口,它的默认实现是:
protected void configure(HttpSecurity http) throws Exception {
logger.debug("Using default configure(HttpSecurity). If subclassed this will potentially override subclass configure(HttpSecurity).");
http
.authorizeRequests()
.anyRequest().authenticated()
.and()
.formLogin().and()
.httpBasic();
}
默认的配置是拦截所有的请求需要认证之后才能访问,如果没有认证,会自动生成一个认证表单要求输入用户名和密码。【2、个性化配置入口之configure(HttpSecurity http) 】 WebSecurityConfigurerAdapter 并重写该方法来个性化配置HttpSecurity 。
OK,目前为止HttpSecurity 已经被初始化,接下去需要设置HttpSecurity 对象添加至WebSecurity 的securityFilterChainBuilders 列表中:
web.addSecurityFilterChainBuilder(http).postBuildAction(new Runnable() {
public void run() {
FilterSecurityInterceptor securityInterceptor = http
.getSharedObject(FilterSecurityInterceptor.class);
web.securityInterceptor(securityInterceptor);
}
});
打开HttpSecurity 类结构,和WebSecurity一样,它也实现了SecurityBuilder 接口,同样继承自AbstractConfiguredSecurityBuilder 。
当所有的WebSecurityConfigurer 的init 方法被调用之后,webSecurity.init() 工作就结束了。webSecurity.configure() ,该方法同样是在AbstractConfiguredSecurityBuilder 中实现的:
private void configure() throws Exception {
Collection> configurers = getConfigurers();
for (SecurityConfigurer configurer : configurers) {
configurer.configure((B) this);
}
}
它的主要工作是迭代调用所有WebSecurityConfigurer 的configurer 方法,参数是WebSeucrity 本身,这又是另外一个重要的个性化入口:【3、个性化配置入口之configure(WebSecurity web) 】 WebSecurityConfigurerAdapter 并重写该方法来个性化配置WebSecurity 。
自此,三个重要的个性化入口都已经被调用,即在实现WebSecurityConfigurerAdapter 经常需要重写的:
1、configure(AuthenticationManagerBuilder auth);
2、configure(WebSecurity web);
3、configure(HttpSecurity http);
回到webSecurity构建过程,接下去重要的的调用:
O result = performBuild();
该方法在WebSecurityConfigurerAdapter 中实现,返回的就是过滤器FilterChainProxy,源码如下:
@Override
protected Filter performBuild() throws Exception {
Assert.state(
!securityFilterChainBuilders.isEmpty(),
() -> "At least one SecurityBuilder needs to be specified. "
+ "Typically this done by adding a @Configuration that extends WebSecurityConfigurerAdapter. "
+ "More advanced users can invoke "
+ WebSecurity.class.getSimpleName()
+ ".addSecurityFilterChainBuilder directly");
int chainSize = ignoredRequests.size() + securityFilterChainBuilders.size();
List securityFilterChains = new ArrayList<>(
chainSize);
for (RequestMatcher ignoredRequest : ignoredRequests) {
securityFilterChains.add(new DefaultSecurityFilterChain(ignoredRequest));
}
for (SecurityBuilder securityFilterChainBuilder : securityFilterChainBuilders) {
securityFilterChains.add(securityFilterChainBuilder.build());
}
FilterChainProxy filterChainProxy = new FilterChainProxy(securityFilterChains);
if (httpFirewall != null) {
filterChainProxy.setFirewall(httpFirewall);
}
filterChainProxy.afterPropertiesSet();
Filter result = filterChainProxy;
if (debugEnabled) {
logger.warn("
"
+ "********************************************************************
"
+ "********** Security debugging is enabled. *************
"
+ "********** This may include sensitive information. *************
"
+ "********** Do not use in a production system! *************
"
+ "********************************************************************
");
result = new DebugFilter(filterChainProxy);
}
postBuildAction.run();
return result;
}
首先计算出chainSize ,也就是ignoredRequests.size() + securityFilterChainBuilders.size(); ,如果你不配置ignoredRequests ,那就是securityFilterChainBuilders.size() ,也就是HttpSecurity 的个数,其本质上就是你一共配置几个WebSecurityConfigurerAdapter ,因为每个WebSecurityConfigurerAdapter 对应一个HttpSecurity ,而所谓的ignoredRequests 就是FilterChainProxy 的请求,默认是没有的,如果你需要条跳过某些请求不需要认证或授权,可以如下配置:
@Override
public void configure(WebSecurity web) throws Exception {
web.ignoring().antMatchers("/statics/**");
}
在上面配置中,所有以/statics 开头请求都将被FilterChainProxy 忽略。
计算完chainSize 后,就会创建List securityFilterChains = new ArrayList<>(chainSize); ,遍历所有的HttpSecurity ,调用HtppSecurity 的build() 构建其对应的过滤器链SecurityFilterChain 实例,并将SecurityFilterChain 添加到securityFilterChains 列表中:
for (SecurityBuilder securityFilterChainBuilder : securityFilterChainBuilders) {
securityFilterChains.add(securityFilterChainBuilder.build());
}
调用HtppSecurity 的build() 构建其实和调用WebSecurity 的build() 构建类类似,父类中方法一次被执行,最后执行本身的performBuild() 方法,其源码如下:
@Override
protected DefaultSecurityFilterChain performBuild() throws Exception {
Collections.sort(filters, comparator);
return new DefaultSecurityFilterChain(requestMatcher, filters);
}
构建SecurityFilterChain 主要是完成RequestMatcher 和对应的过滤器列表,我们都知道在Spring Security中,过滤器执行按顺序顺序的,这个排序就是在performBuild() 中完成的,也就是:
Collections.sort(filters, comparator);
它通过一个比较器实现了过滤器的排序,这个比较器就是FilterComparator ,有兴趣的朋友可以自己去了解详情。SecurityFilterChain 的默认实现DefaultSecurityFilterChain 。
构建完所有SecurityFilterChain 后,创建最为重要的FilterChainProxy 实例,
FilterChainProxy filterChainProxy = new FilterChainProxy(securityFilterChains);
构造器中传入SecurityFilterChain 列表,如果开启了Debug模式,还会被包装成DebugFilter 类型,共开发调试使用,默认是关闭的,可以通过过下面方式开启Debug模式:
@Override
public void configure(WebSecurity web) throws Exception {
web.debug(true);
}
至此Spring Security 初始化完成,我们通过继承WebSecurityConfigurerAdapter 来代达到个性化配置目的,文中提到了三个重要的个性化入口,并且WebSecurityConfigurerAdapter 是可以配置多个的,其对应的接口就是会存在多个SecurityFilterChain 实例,但是它们人仍然在同一个FilterChainProxy中,通过RequestMatcher 来匹配并传入到对应的SecurityFilterChain 中执行请求。
(全文完)
