Spring Security的配置

Spring Security文档Java Configuration一节虽然给出了配置的指导,但还不够深入,下面具体说明配置的生效过程。

@EnableWebSecurity注解

@EnableWebSecurity注解显式启用了Spring Security,其代码如下:

@Retention(value = java.lang.annotation.RetentionPolicy.RUNTIME)
@Target(value = { java.lang.annotation.ElementType.TYPE })
@Documented
@Import({ WebSecurityConfiguration.class,
        SpringWebMvcImportSelector.class })
@EnableGlobalAuthentication
@Configuration
public @interface EnableWebSecurity {

    /**
     * Controls debugging support for Spring Security. Default is false.
     * @return if true, enables debug support with Spring Security
     */
    boolean debug() default false;
}
  • 看源码@EnableWebSecurity不需要和@Configuration一起使用,因为@EnableWebSecurity已经包括了@Configuration;
  • 导入了WebSecurityConfiguration配置类和SpringWebMvcImportSelector。

WebSecurityConfiguration配置类

WebSecurityConfiguration配置类利用WebSecurity创建FilterChainProxy,其成员变量如下:

@Configuration
public class WebSecurityConfiguration implements ImportAware, BeanClassLoaderAware {
    private WebSecurity webSecurity;
    private Boolean debugEnabled;
    private List<SecurityConfigurer<Filter, WebSecurity>> webSecurityConfigurers;
    private ClassLoader beanClassLoader;
}
  • webSecurity保存要配置的WebSecurity对象;
  • webSecurityConfigurers保存当前上下文中所有的WebSecurityConfigurer。

获取当前上下文中的所有WebSecurityConfigurer是通过autowiredWebSecurityConfigurersIgnoreParents方法实现的:

@Bean
public AutowiredWebSecurityConfigurersIgnoreParents autowiredWebSecurityConfigurersIgnoreParents(
        ConfigurableListableBeanFactory beanFactory) {
    return new AutowiredWebSecurityConfigurersIgnoreParents(beanFactory);
}
  • 该方法实例化一个AutowiredWebSecurityConfigurersIgnoreParents类型的bean,该类的getWebSecurityConfigurers返回当前上下文中的所有WebSecurityConfigurer。

setFilterChainProxySecurityConfigurer方法用到了上一个方法,从第二个参数的@Value可以看到当前上下文中的所有WebSecurityConfigurer会被注入到参数中:

@Autowired(required = false)
public void setFilterChainProxySecurityConfigurer(
        ObjectPostProcessor<Object> objectPostProcessor,
        @Value("#{@autowiredWebSecurityConfigurersIgnoreParents.getWebSecurityConfigurers()}") List<SecurityConfigurer<Filter, WebSecurity>> webSecurityConfigurers)
        throws Exception {
    webSecurity = objectPostProcessor
            .postProcess(new WebSecurity(objectPostProcessor));
    if (debugEnabled != null) {
        webSecurity.debug(debugEnabled);
    }

    Collections.sort(webSecurityConfigurers, AnnotationAwareOrderComparator.INSTANCE);

    Integer previousOrder = null;
    Object previousConfig = null;
    for (SecurityConfigurer<Filter, WebSecurity> config : webSecurityConfigurers) {
        Integer order = AnnotationAwareOrderComparator.lookupOrder(config);
        if (previousOrder != null && previousOrder.equals(order)) {
            throw new IllegalStateException(
                    "@Order on WebSecurityConfigurers must be unique. Order of "
                            + order + " was already used on " + previousConfig + ", so it cannot be used on "
                            + config + " too.");
        }
        previousOrder = order;
        previousConfig = config;
    }
    for (SecurityConfigurer<Filter, WebSecurity> webSecurityConfigurer : webSecurityConfigurers) {
        webSecurity.apply(webSecurityConfigurer);
    }
    this.webSecurityConfigurers = webSecurityConfigurers;
}
  • webSecurity成员变量保存新实例化的WebSecurity;
  • 对当前上下文中所有的WebSecurityConfigurer进行升序排序;
  • 将排序后的所有WebSecurityConfigurer依次添加到WebSecurity中;
  • webSecurityConfigurers成员变量保存排序后的所有WebSecurityConfigurer。

springSecurityFilterChain方法创建了Spring Security的过滤器链:

/**
    * Creates the Spring Security Filter Chain
    * @return
    * @throws Exception
    */
@Bean(name = AbstractSecurityWebApplicationInitializer.DEFAULT_FILTER_NAME)
public Filter springSecurityFilterChain() throws Exception {
    boolean hasConfigurers = webSecurityConfigurers != null
            && !webSecurityConfigurers.isEmpty();
    if (!hasConfigurers) {
        WebSecurityConfigurerAdapter adapter = objectObjectPostProcessor
                .postProcess(new WebSecurityConfigurerAdapter() {
                });
        webSecurity.apply(adapter);
    }
    return webSecurity.build();
}
  • @Bean注解指定新实例化的bean的名称是springSecurityFilterChain;
  • hasConfigurers判断是为了处理这样一种情况,如果用户没有实现WebSecurityConfigurer接口的类,那么当前上下文就不会有WebSecurityConfigurer,这时就使用WebSecurityConfigurerAdapter类中的默认值;
  • WebSecurity的构建产出是过滤器。
  • 这里我有个疑问:setFilterChainProxySecurityConfigurer方法的setter注入一定先于springSecurityFilterChain执行吗?其实根据日常编程的经验,配置类中@Autowired注入一定先于@Bean注解方法执行,因为有些@Bean方法会用到@Autowired注入的单例,真正的证据还应该去看相关源码。

WebSecurityConfigurer接口

上文提到WebSecurityConfiguration配置类会查找当前上下文中所有的WebSecurityConfigurer,本节分析WebSecurityConfigurer。
WebSecurityConfigurer是一个接口,继承了SecurityConfigurer接口,它们都使用了泛型。

public interface SecurityConfigurer<O, B extends SecurityBuilder<O>> {

    void init(B builder) throws Exception;
    void configure(B builder) throws Exception;
}

public interface SecurityBuilder<O> {

    O build() throws Exception;
}

public interface WebSecurityConfigurer<T extends SecurityBuilder<Filter>> extends
        SecurityConfigurer<Filter, T> {
}
  • SecurityConfigurer接口中,泛型参数B表示一种SecurityBuilder,泛型参数O表示B的构建输出;
  • SecurityBuilder的种类很多,常见的有WebSecurity和HttpSecurity,该接口只有一个build方法用来输出构建结果;
  • WebSecurityConfigurer接口表示SecurityBuilder的构建输出是Filter。
  • 实际自定义配置时很少会直接编写WebSecurityConfigurer接口的实现类,都是继承WebSecurityConfigurerAdapter类并覆盖某几个方法,如configure(WebSecurity)方法配置全局安全,configure(HttpSecurity)方法配置各具体的过滤器。

HttpSecurity类

HttpSecurity类的部分代码如下,它的构建输出是DefaultSecurityFilterChain,可以用HttpSecurity配置Spring Security的各过滤器。

public final class HttpSecurity extends
        AbstractConfiguredSecurityBuilder<DefaultSecurityFilterChain, HttpSecurity>
        implements SecurityBuilder<DefaultSecurityFilterChain>,
        HttpSecurityBuilder<HttpSecurity> {

    @Override
    protected DefaultSecurityFilterChain performBuild() throws Exception {
        Collections.sort(filters, comparator);
        return new DefaultSecurityFilterChain(requestMatcher, filters);
    }
    // 省略一些代码
}
  • performBuild方法执行具体的构建过程,requestMatcher和filters都是HttpSecurity的成员变量;
  • requestMatcher成员变量可以通过调用antMatcher、mvcMatcher、regexMatcher和requestMatcher方法修改,表示哪些请求需要使用过滤器保护;
  • filters成员变量保存所配置的Spring Security过滤器,如SecurityContextPersistenceFilter和LogoutFilter等;
  • 各过滤器的配置可以通过HttpSecurity类的对应方法实现,如formLogin方法启用表单认证,对应UsernamePasswordAuthenticationFilter,如果没有指定登录页的话还会配置DefaultLoginPageGeneratingFilter,httpBasic方法启用Basic认证,对应BasicAuthenticationFilter,logout方法配置注销功能,对应LogoutFilter。

WebSecurity类

WebSecurity类的部分代码如下,它的构建输出是Filter,更具体的说是FilterChainProxy。

public final class WebSecurity extends
        AbstractConfiguredSecurityBuilder<Filter, WebSecurity> implements
        SecurityBuilder<Filter>, ApplicationContextAware {

    @Override
    protected Filter performBuild() throws Exception {
        Assert.state(
                !securityFilterChainBuilders.isEmpty(),
                "At least one SecurityBuilder<? extends SecurityFilterChain> needs to be specified. Typically this done by adding a @Configuration that extends WebSecurityConfigurerAdapter. More advanced users can invoke "
                        + WebSecurity.class.getSimpleName()
                        + ".addSecurityFilterChainBuilder directly");
        int chainSize = ignoredRequests.size() + securityFilterChainBuilders.size();
        List<SecurityFilterChain> securityFilterChains = new ArrayList<SecurityFilterChain>(
                chainSize);
        for (RequestMatcher ignoredRequest : ignoredRequests) {
            securityFilterChains.add(new DefaultSecurityFilterChain(ignoredRequest));
        }
        for (SecurityBuilder<? extends SecurityFilterChain> securityFilterChainBuilder : securityFilterChainBuilders) {
            securityFilterChains.add(securityFilterChainBuilder.build());
        }
        FilterChainProxy filterChainProxy = new FilterChainProxy(securityFilterChains);
        if (httpFirewall != null) {
            filterChainProxy.setFirewall(httpFirewall);
        }
        filterChainProxy.afterPropertiesSet();

        Filter result = filterChainProxy;
        if (debugEnabled) {
            logger.warn("\n\n"
                    + "********************************************************************\n"
                    + "**********        Security debugging is enabled.       *************\n"
                    + "**********    This may include sensitive information.  *************\n"
                    + "**********      Do not use in a production system!     *************\n"
                    + "********************************************************************\n\n");
            result = new DebugFilter(filterChainProxy);
        }
        postBuildAction.run();
        return result;
    }
    // 省略一些代码
}
  • 与HttpSecurity相似,同样是performBuild方法执行具体的构建过程;
  • ignoredRequests成员变量保存需要被忽略的请求,可以通过调用ignoring方法修改。performBuild方法会为每个被忽略的请求都生成一个SecurityFilterChain;
  • HttpSecurity接着在该方法里输出一个SecurityFilterChain;
  • 这些SecurityFilterChain被用来实例化FilterChainProxy。

Spring Security的过滤器一文提到“FilterChainProxy的getFilters方法根据请求查找第一个匹配的SecurityFilterChain”,所以WebSecurity配置的忽略请求根本不会进到Spring Security的过滤器。

Spring Boot自动配置

Spring Boot中与Spring Security相关的自动配置有两个主要的类:

  • SecurityAutoConfiguration:若不使用@EnableWebSecurity注解显式启用Spring Security,那么就会导入SpringBootWebSecurityConfiguration,会使用WebSecurityConfigurerAdapter的默认配置。
  • SecurityFilterAutoConfiguration:不管使不使用@EnableWebSecurity注解,该类都会向容器注册一个DelegatingFilterProxy实例,它会代理名为springSecurityFilterChain的bean,即WebSecurityConfiguration配置类生成的FilterChainProxy。DelegatingFilterProxy处于spring-web.jar中,而FilterChainProxy处于spring-security-web.jar,通过以上分析可以感受到DelegatingFilterProxy强大的代理功能。
最后编辑于
©著作权归作者所有,转载或内容合作请联系作者
平台声明:文章内容(如有图片或视频亦包括在内)由作者上传并发布,文章内容仅代表作者本人观点,简书系信息发布平台,仅提供信息存储服务。

推荐阅读更多精彩内容