《 Spring Security 源码解析 （一）》

1 简介

  最近一个项目，使用了试下流行的Spring Cloud 微服务架构，使用Spring Cloud oauth2.0 协议搭建访问授权器。由于项目体量较小，不对外提供授权服务，故采用oauth协议的密码模式来做令牌授权。项目中深深体会到了spring Security的强大，写下此篇博客来记录所学到的知识，希望对大家建立spring Security的体系能产生帮助。鉴于本人水平所限，有错误不足之处，望各位指正。

 spring security 核心组件

2.1 SecurityContextPersistenceFilter

spring 使用过滤链对url进行拦截，在过滤链的顶端是SecurityContextPersistenceFilter，这个过滤器的作用：用户在登录过后，后续的访问通过sessionid来识别，当如今微服务流行时，前后端传送是不传输seesion的，但过滤器还是可以帮我们清除上下文的一些信息。具体的代码：

//执行过滤链

public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain) throws IOException, ServletException {

//获取请求和响应

        HttpServletRequest request = (HttpServletRequest)req;

        HttpServletResponse response = (HttpServletResponse)res;

        if (request.getAttribute("__spring_security_scpf_applied") != null) {

            chain.doFilter(request, response);

        } else {

            boolean debug = this.logger.isDebugEnabled();

            request.setAttribute("__spring_security_scpf_applied", Boolean.TRUE);

            if (this.forceEagerSessionCreation) {

                HttpSession session = request.getSession();

                if (debug && session.isNew()) {

                    this.logger.debug("Eagerly created session: " + session.getId());

                }

            }

//包装request 和response

            HttpRequestResponseHolder holder = new HttpRequestResponseHolder(request, response);

            //从安全上下文长裤中获取SecurityContext容器

            SecurityContext contextBeforeChainExecution = this.repo.loadContext(holder);

            boolean var13 = false;

            try {

                var13 = true;

                // 获取安全响应上下文

                SecurityContextHolder.setContext(contextBeforeChainExecution);

                chain.doFilter(holder.getRequest(), holder.getResponse());

                var13 = false;

            } finally {

                if (var13) {

                //最终清除安全上下文信息

                    SecurityContext contextAfterChainExecution = SecurityContextHolder.getContext();

                    SecurityContextHolder.clearContext();

                    this.repo.saveContext(contextAfterChainExecution, holder.getRequest(), holder.getResponse());

                    request.removeAttribute("__spring_security_scpf_applied");

                    if (debug) {

                        this.logger.debug("SecurityContextHolder now cleared, as request processing completed");

                    }

                }

            }

            SecurityContext contextAfterChainExecution = SecurityContextHolder.getContext();

            SecurityContextHolder.clearContext();

            this.repo.saveContext(contextAfterChainExecution, holder.getRequest(), holder.getResponse());

            request.removeAttribute("__spring_security_scpf_applied");

            if (debug) {

                this.logger.debug("SecurityContextHolder now cleared, as request processing completed");

            }

        }

    }

从源码中可以看出安全上下文的信息是存在SecurityContextHolder这个容器当中的，当服务请求结束的时候，SecurityContextHolder清除了session信息。过滤器一般负责核心处理，具体业务，交给其他类实现，在spring的设计中我们可以看到很多诸如此类的设计除了SecurityContextPersistenceFilter，在spring Security的一堆过滤器链中，在学习中我们应该举一反三，这样有利于我们对源码的学习，也能提高自己的代码能力。还有一些很重要的filter，比如AbstractAuthenticationProcessingFilter,以及它的子类SecurityContextPersistenceFilter等等都是很总要的过滤器，我们将重点对AbstractAuthenticationProcessingFilter进行讲解

2.2 SecurityContextHolder

SecurityContextHolder用于存储安全上下文（SecurityContext)信息。当前用户信息都被保存到SecurityContextHolder中，其实是保存到TContextHolderStrategy的实现类中，顾名思义，SecurityContextHolder绑定了本地线程，在用户退出后， SecurityContextPersistenceFilter会qing清除Context信息。我们来看源码：

public class SecurityContextHolder {

//存储策略

    public static final String MODE_THREADLOCAL = "MODE_THREADLOCAL";

    public static final String MODE_INHERITABLETHREADLOCAL = "MODE_INHERITABLETHREADLOCAL";

    public static final String MODE_GLOBAL = "MODE_GLOBAL";

    public static final String SYSTEM_PROPERTY = "spring.security.strategy";

    private static String strategyName = System.getProperty("spring.security.strategy");

    private static SecurityContextHolderStrategy strategy;

    private static int initializeCount = 0;

    public SecurityContextHolder() {

    }

//清除上下文

    public static void clearContext() {

        strategy.clearContext();

    }

    private static void initialize() {

        if (!StringUtils.hasText(strategyName)) {

            strategyName = "MODE_THREADLOCAL";

        }

        if (strategyName.equals("MODE_THREADLOCAL")) {

        //创建真正的安全上下文容器

            strategy = new ThreadLocalSecurityContextHolderStrategy();

        } else if (strategyName.equals("MODE_INHERITABLETHREADLOCAL")) {

            strategy = new InheritableThreadLocalSecurityContextHolderStrategy();

        } else if (strategyName.equals("MODE_GLOBAL")) {

            strategy = new GlobalSecurityContextHolderStrategy();

        } else {

            try {

                Class<?> clazz = Class.forName(strategyName);

                Constructor<?> customStrategy = clazz.getConstructor();

                strategy = (SecurityContextHolderStrategy)customStrategy.newInstance();

            } catch (Exception var2) {

                ReflectionUtils.handleReflectionException(var2);

            }

        }

        ++initializeCount;

    }

//....代码省略

//  初始化

    static {

        initialize();

    }

}

从代码中我们也可以看出，SecurityContextHolder就是这么和线程关联的，并提供了clear的方法，方便进程结束后对安全上线文的清除。写在这里我们也可以仿照SecurityContextHolder的策略来实现我们的业务逻辑：

@Slf4j

@Service

@Lazy(false)

public class TenantContextHolder implements ApplicationContextAware, DisposableBean {

private static ThreadLocal<String> tenantThreadLocal= new ThreadLocal<>();

private static ApplicationContext applicationContext =null;

@Override

public void setApplicationContext(ApplicationContext applicationContext) throws BeansException {

TenantContextHolder.applicationContext =applicationContext;

}

public static final void setTenant(String schema){

tenantThreadLocal.set(schema);

}

public static final String getTenant(){

String schema = tenantThreadLocal.get();

if(schema == null){

schema = "";

}

return schema;

}

@Override

public void destroy() throws Exception {

TenantContextHolder.clearHolder();

}

public static void clearHolder() {

if (log.isDebugEnabled()) {

log.debug("清除TenantContextHolder中的ApplicationContext:" + applicationContext);

}

applicationContext = null;

}

}

2.3 AbstractAuthenticationProcessingFilter

从名字也可以看出这是一个抽象类，这是一个很重要的类，用户权限校验都与此类有关，请求进入filter会执行doFilter（）方法，首先判断是否能够处理当前请求，如果是则调用子类的attemptAuthentication（）方法进行验证，在这个抽象类中，引入了统一认证管理AuthenticationManager ,登录成功AuthenticationSuccessHandler等等，登录成功后，又定义了登录成功后的方法，将封装的Authentication信息封装到SecurityContextHolder中，这个类中业务逻辑很多，我这里代码没有贴全，希望朋友们自己能够阅读源码，了解这个类的核心。

public abstract class AbstractAuthenticationProcessingFilter extends GenericFilterBean implements ApplicationEventPublisherAware, MessageSourceAware {

//事件发布器

    protected ApplicationEventPublisher eventPublisher;

//核心几口 所有的权限校验都由它进行统一管理

    private AuthenticationManager authenticationManager;

//记住我

    private RememberMeServices rememberMeServices = new NullRememberMeServices();

    private RequestMatcher requiresAuthenticationRequestMatcher;

    private boolean continueChainBeforeSuccessfulAuthentication = false;

    private SessionAuthenticationStrategy sessionStrategy = new NullAuthenticatedSessionStrategy();

    //登录成功处理

    private AuthenticationSuccessHandler successHandler = new SavedRequestAwareAuthenticationSuccessHandler();

    //失败处理

    private AuthenticationFailureHandler failureHandler = new SimpleUrlAuthenticationFailureHandler();

  //  代码省略.........

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain) throws IOException, ServletException {

        HttpServletRequest request = (HttpServletRequest)req;

        HttpServletResponse response = (HttpServletResponse)res;

        //判断当前的filter是否可以处理当前请求，不可以的话则交给下一个filter处理

        if (!this.requiresAuthentication(request, response)) {

            chain.doFilter(request, response);

        } else {

            if (this.logger.isDebugEnabled()) {

                this.logger.debug("Request is to process authentication");

            }

            Authentication authResult;

            try {

            //对权限进行校验

                authResult = this.attemptAuthentication(request, response);

                if (authResult == null) {

                    return;

                }

//认证成功

            this.sessionStrategy.onAuthentication(authResult, request, response);

            if (this.continueChainBeforeSuccessfulAuthentication) {

                chain.doFilter(request, response);

            }

            this.successfulAuthentication(request, response, chain, authResult);

        }

    }

//权限校验的方法

    public abstract Authentication attemptAuthentication(HttpServletRequest var1, HttpServletResponse var2) throws AuthenticationException, IOException, ServletException;

    public void setAuthenticationManager(AuthenticationManager authenticationManager) {

        this.authenticationManager = authenticationManager;

    }

}

AbstractAuthenticaitonProcessingFilter有很4个子类，比如：UsernamepasswordProcessingFiter,OAuth2ClientAuthenticationFilter，他们都实现了**attemptAuthentication**方法，我们来看：

public class UsernamePasswordAuthenticationFilter extends AbstractAuthenticationProcessingFilter {

    public static final String SPRING_SECURITY_FORM_USERNAME_KEY = "username";

    public static final String SPRING_SECURITY_FORM_PASSWORD_KEY = "password";

    private String usernameParameter = "username";

    private String passwordParameter = "password";

    private boolean postOnly = true;

//在webconfig里，配置http.login 并且路径为/login、方法为post 就会被这个拦截器拦截

    public UsernamePasswordAuthenticationFilter() {

        super(new AntPathRequestMatcher("/login", "POST"));

    }

    public Authentication attemptAuthentication(HttpServletRequest request, HttpServletResponse response) throws AuthenticationException {

        if (this.postOnly && !request.getMethod().equals("POST")) {

            throw new AuthenticationServiceException("Authentication method not supported: " + request.getMethod());

        } else {

            String username = this.obtainUsername(request);

            String password = this.obtainPassword(request);

            if (username == null) {

                username = "";

            }

            if (password == null) {

                password = "";

            }

            // 注意 划重点

//获取用户名和密码 并将用户名和密码封装成一个UsernamePasswordAuthenticationToken这么个token

            username = username.trim();

            UsernamePasswordAuthenticationToken authRequest = new UsernamePasswordAuthenticationToken(username, password);

            this.setDetails(request, authRequest);

            //将校验交由AuthenticationManger的authenticate方法去执行

            return this.getAuthenticationManager().authenticate(authRequest);

        }

    }

2.4 AuthenticationManager

上文我们提到，所有的权限校验都是由AuthenticationManager去完成的 那么我们去看看它的源码

public interface AuthenticationManager {

    Authentication authenticate(Authentication var1) throws AuthenticationException;

}

我们看到AuthenticationManager是一个接口，所有的校验都是由他的实现类去完成的，AuthenticationManager制作统一的管理，这里我们就要开动脑筋想想，这么设计的用意是什么，这里我留着空间让大家思考，废话不多说我们来看看他的两个核心实现类OAuth2AuthenticationManager、ProviderManager ，每个都为我们提供了校验接入点，接下来我们就说说ProviderManager，OAuth2AuthenticationManager则放到Oauth相关章节去讲

2.5 ProviderManager

我们知道，用户校验的话有很多种，比如说用户名+密码、手机号+验证码、邮箱+密码、social登录等等，那么ProviderManager是怎么知道我们是哪一种请求呢？我们继续来看看源码：

public class ProviderManager implements AuthenticationManager, MessageSourceAware, InitializingBean {

// 代码省略 ....

    public ProviderManager(List<AuthenticationProvider> providers) {

        this(providers, (AuthenticationManager)null);

    }

    public ProviderManager(List<AuthenticationProvider> providers, AuthenticationManager parent) {

        this.eventPublisher = new ProviderManager.NullEventPublisher();

        this.providers = Collections.emptyList();

        this.messages = SpringSecurityMessageSource.getAccessor();

        this.eraseCredentialsAfterAuthentication = true;

        Assert.notNull(providers, "providers list cannot be null");

        this.providers = providers;

        this.parent = parent;

        this.checkState();

    }

//权限校验

    public Authentication authenticate(Authentication authentication) throws AuthenticationException {

    //获取当前认证的类型

        Class<? extends Authentication> toTest = authentication.getClass();

        AuthenticationException lastException = null;

        Authentication result = null;

        boolean debug = logger.isDebugEnabled();

        //获取迭代器

        Iterator var6 = this.getProviders().iterator();

//循环获取 这里和4.x版本有所不同个 有兴趣的可以看看4.x的版本

        while(var6.hasNext()) {

            AuthenticationProvider provider = (AuthenticationProvider)var6.next();

            if (provider.supports(toTest)) {

                if (debug) {

                    logger.debug("Authentication attempt using " + provider.getClass().getName());

                }

                try {

                    result = provider.authenticate(authentication);

                    //通过当前类型获取到认证信息且不为null 则停止循环

                    if (result != null) {

                    将result装换成Authentication信息

                        this.copyDetails(authentication, result);

                        break;

                    }

                } catch (AccountStatusException var11) {

                    this.prepareException(var11, authentication);

                    throw var11;

                } catch (InternalAuthenticationServiceException var12) {

                    this.prepareException(var12, authentication);

                    throw var12;

                } catch (AuthenticationException var13) {

                    lastException = var13;

                }

            }

        }

//如果结果为空 则调用父类的authenticate方法 这里可以理解成递归

        if (result == null && this.parent != null) {

            try {

                result = this.parent.authenticate(authentication);

            } catch (ProviderNotFoundException var9) {

                ;

            } catch (AuthenticationException var10) {

                lastException = var10;

            }

        }

//获取到结果

        if (result != null) {

            if (this.eraseCredentialsAfterAuthentication && result instanceof CredentialsContainer) {

              //移除密码

              ((CredentialsContainer)result).eraseCredentials();

            }

//发布验证成功事件 并返回结果

            this.eventPublisher.publishAuthenticationSuccess(result);

            return result;

        } else {

        //执行到此，说明没有认证成功，包装异常信息

            if (lastException == null) {

                lastException = new ProviderNotFoundException(this.messages.getMessage("ProviderManager.providerNotFound", new Object[]{toTest.getName()}, "No AuthenticationProvider found for {0}"));

            }

            this.prepareException((AuthenticationException)lastException, authentication);

            throw lastException;

        }

    }

    public List<AuthenticationProvider> getProviders() {

        return this.providers;

    }

// .................

}

看到这里的话，我想刚才留的思考就可以解答了，当获取的认证信息和Providers不相符的时候，就调用父类AuthenticationManger的authenticate方法 ，与下个provider进行匹配，通俗来说，当前台是已邮箱加密码登录的，首先 Iterator 获取的可能是usernamepassword模式的，那么查出结果是空，就调用父类的方法，又走了一遍子类实现，又继续认证，直到认证成功，将返回的 result 既 Authentication 对象进一步封装为 Authentication Token，比如usernamepasswordtoken 、remembermetoken等等。

2.6 Authentication

上文我们一直有提到过Authentication ，那么我们来看一下Authentication具体是什么

public interface Authentication extends Principal, Serializable {

//权限信息集合

    Collection<? extends GrantedAuthority> getAuthorities();

//获取凭证

    Object getCredentials();

//获取详情

    Object getDetails();

//获取当前用户

    Object getPrincipal();

//是否认证

    boolean isAuthenticated();

    void setAuthenticated(boolean var1) throws IllegalArgumentException;

}

认证授权信息都会封装到这里，比如我们用户登录后 将用户名和密码封装成UsernamePasswordToken 就是实现了这个接口，它封装了用户权限信息，以及对象信息，是整个框架的核心类

2.7 UserDetailsService和 UserDetails

这也是Spring Security 最重要的接口，通过该接口的loadUserByUsername()方法返回一个UserDetails对象，那么这个对象是什么呢？

public interface UserDetailsService {

    UserDetails loadUserByUsername(String var1) throws UsernameNotFoundException;

}

我们看到UserDetailsService就定义了一个接口，那么想必它也有很多适用不同业务功能的实现类，我们稍后再看，先瞧瞧UserDetails这个类

public interface UserDetails extends Serializable {

//权限集合

    Collection<? extends GrantedAuthority> getAuthorities();

    String getPassword();

    String getUsername();

//是否过期

    boolean isAccountNonExpired();

//是被锁

    boolean isAccountNonLocked();

//凭证（密码）是否失效

    boolean isCredentialsNonExpired();

//用户是否可用（是否删除）

    boolean isEnabled();

}

是不是和Authentication很像呢！那为什么要定义两个呢？这里依旧留一个疑问。我们再来看UserDetails，还是个接口，那么我们来看他的子类实现

public class User implements UserDetails, CredentialsContainer {

    private static final long serialVersionUID = 500L;

    private static final Log logger = LogFactory.getLog(User.class);

    private String password;

    private final String username;

    private final Set<GrantedAuthority> authorities;

    private final boolean accountNonExpired;

    private final boolean accountNonLocked;

    private final boolean credentialsNonExpired;

    private final boolean enabled;

    public User(String username, String password, Collection<? extends GrantedAuthority> authorities) {

        this(username, password, true, true, true, true, authorities);

    }

    public User(String username, String password, boolean enabled, boolean accountNonExpired, boolean credentialsNonExpired, boolean accountNonLocked, Collection<? extends GrantedAuthority> authorities) {

        if (username != null && !"".equals(username) && password != null) {

            this.username = username;

            this.password = password;

            this.enabled = enabled;

            this.accountNonExpired = accountNonExpired;

            this.credentialsNonExpired = credentialsNonExpired;

            this.accountNonLocked = accountNonLocked;

            this.authorities = Collections.unmodifiableSet(sortAuthorities(authorities));

        } else {

            throw new IllegalArgumentException("Cannot pass null or empty values to constructor");

        }

    }

// 代码省略.............

}

当我们使用用户名密码登录的时候，从数据库中查到的用户名和密码都会封装到这里

2.8DaoAuthenticationProvider

用户登录后将用户登录提交信息封装成了Authentication对象，那么我们如何从数据库中获取用户名和密码来进行校验，如何进行密码加解密。这里我们就要说说DaoAuthenticationProvider了:

public class DaoAuthenticationProvider extends AbstractUserDetailsAuthenticationProvider {

    private static final String USER_NOT_FOUND_PASSWORD = "userNotFoundPassword";

    //问价加解密处理

    private PasswordEncoder passwordEncoder;

    private volatile String userNotFoundEncodedPassword;

    //注入UserDetailsService 调用子类的loadUserByUsername方法 获得UserDetails对象

    private UserDetailsService userDetailsService;

    public DaoAuthenticationProvider() {

    //密码处理

        this.setPasswordEncoder(PasswordEncoderFactories.createDelegatingPasswordEncoder());

    }

//仔细看好这里  从数据库中获取到的UserDetails对象和前台表单提交封装的UsernamePasswordAuthenticationToken对象 进行比较

    protected void additionalAuthenticationChecks(UserDetails userDetails, UsernamePasswordAuthenticationToken authentication) throws AuthenticationException {

        if (authentication.getCredentials() == null) {

            this.logger.debug("Authentication failed: no credentials provided");

            throw new BadCredentialsException(this.messages.getMessage("AbstractUserDetailsAuthenticationProvider.badCredentials", "Bad credentials"));

        } else {

            String presentedPassword = authentication.getCredentials().toString();

            if (!this.passwordEncoder.matches(presentedPassword, userDetails.getPassword())) {

                this.logger.debug("Authentication failed: password does not match stored value");

                throw new BadCredentialsException(this.messages.getMessage("AbstractUserDetailsAuthenticationProvider.badCredentials", "Bad credentials"));

            }

        }

    }

    protected void doAfterPropertiesSet() throws Exception {

        Assert.notNull(this.userDetailsService, "A UserDetailsService must be set");

    }

    protected final UserDetails retrieveUser(String username, UsernamePasswordAuthenticationToken authentication) throws AuthenticationException {

        this.prepareTimingAttackProtection();

        try {

        //在这里通过用户名从数据库中拿到UserDetails 然后交给additionalAuthenticationChecks去验证

            UserDetails loadedUser = this.getUserDetailsService().loadUserByUsername(username);

            if (loadedUser == null) {

                throw new InternalAuthenticationServiceException("UserDetailsService returned null, which is an interface contract violation");

            } else {

                return loadedUser;

            }

    // ..........................

}

我们以表单登录的来看一下用户登录的执行流程

图片来源于网络，侵权请留言！！

让我们再梳理一下Spring security的核心类