首页 > 软件编程 > Java > Spring Security基本架构与初始化操作流程详解

Spring Security基本架构与初始化操作流程详解

福牛 3月 28, 2023 32 0

Spring Security 是基于web的安全组件,所以一些相关类会分散在 spring-security包和web包中。Spring Security通过自定义Servlet的Filter的方式实现,具体架构可参考官网Spring Security: Architecture

这里使用Spring Boot 2.7.4版本,对应Spring Security 5.7.3版本

基本架构

-1

首先左侧是Servlet中的Filter组成的FilterChain,Spring Security通过注册一个DelegatingFilterProxy的Filter,然后在该Proxy中内置多条Spring Security组织的Security Filter Chain(chain中套娃一个chain),一个Security Filter Chain又有多个Filter,通过不同的规则将Request匹配到第一个满足条件的Security Filter Chain。

Web源码

既然Spring Security涉及到Filter,而Filter是Servlet中的组件,这里就存在一个将Spring Security的顶级Filter注册到Servlet Context的过程。

首先关注Javax.servlet.ServletContainerInitializer,该类是tomcat-embed-core包中的类:

  1. // 通过SPI方式导入实现类:
  2. // META-INF/services/javax.servlet.ServletContainerInitializer
  3. public interface ServletContainerInitializer {
  4.      /**
  5.      * Receives notification during startup of a web application of the classes within the web application
  6.      * that matched the criteria defined via the annotation:
  7.      * javax.servlet.annotation.HandlesTypes
  8.      *
  9.      * 处理javax.servlet.annotation.HandlesTypes注解标注类型的实现类
  10.      **/
  11.      void onStartup(Set<Class<?>> c, ServletContext ctx) throws ServletException;
  12. }

该接口实现类由SPI方式导入,我们来到spring-web包中:

-2

可以看到spring对 该接口的实现类为:org.springframework.web.SpringServletContainerInitializer

  1. @HandlesTypes(WebApplicationInitializer.class)
  2. public class SpringServletContainerInitializer implements ServletContainerInitializer {
  3.      @Override
  4.      public void onStartup(@Nullable Set<Class<?>> webAppInitializerClasses, ServletContext servletContext)
  5.              throws ServletException {
  6.          List<WebApplicationInitializer> initializers = Collections.emptyList();
  7.          
  8.          // 添加
  9.          if (webAppInitializerClasses != null) {
  10.              initializers = new ArrayList<>(webAppInitializerClasses.size());
  11.              for (Class<?> waiClass : webAppInitializerClasses) {
  12.                      initializers.add((WebApplicationInitializer)
  13.                      ReflectionUtils.AccessibleConstructor(waiClass).newInstance());
  14.              }
  15.          }
  16.          
  17.          // 排序
  18.          AnnotationAwareOrderComparator.sort(initializers);
  19.          // 执行
  20.          for (WebApplicationInitializer initializer : initializers) {
  21.              initializer.onStartup(servletContext);
  22.          }
  23.      }
  24. }

SpringServletContainerInitializer中调用了一系列org.springframework.web.WebApplicationInitializer#onStartup

可以看到WebApplicationInitializer 有一系列实现类:

-3

其中就有Security相关的。到此,以上均为 Spring Web中的内容,Spring Security就是基于以上扩展而来。

接上文,来看看org.springframework.security.web.context.AbstractSecurityWebApplicationInitializer:

  1. public abstract class AbstractSecurityWebApplicationInitializer implements WebApplicationInitializer {
  2.      public static final String DEFAULT_FILTER_NAME = “springSecurityFilterChain”;
  3.      
  4.      @Override
  5.      public final void onStartup(ServletContext servletContext) {
  6.          beforeSpringSecurityFilterChain(servletContext);
  7.          
  8.          insertSpringSecurityFilterChain(servletContext);
  9.          afterSpringSecurityFilterChain(servletContext);
  10.      }
  11.      
  12. }

但是,经过调试发现,Spring Security的Filter注册过程并不是上面的步骤。

重要:

Spring Security 注册Filter 不是通过上文的 javax.servlet.ServletContainerInitializerorg.springframework.web.WebApplicationInitializer#onStartup 而是org.springframework.boot.web.servlet.ServletContextInitializer,来看看ServletContextInitializer的说明:

  1. /**
  2.      * 不同于WebApplicationInitializer,实现该接口的类(且没有实现WebApplicationInitializer)
  3.      * 不会被SpringServletContainerInitializer检测到,所以不会由servlet容器自动启动。
  4.      * 该类的目的和ServletContainerInitializer一样,但是 其中的Servlet的生命周期由Spring控制而不是Servlet容器。
  5.      */
  6. @FunctionalInterface
  7. public interface ServletContextInitializer {
  8.      void onStartup(ServletContext servletContext) throws ServletException;
  9. }

DelegatingFilterProxy

首先来看自动配置类:org.springframework.boot.autoconfigure.security.servlet.SecurityFilterAutoConfiguration

  1. @AutoConfiguration(after = SecurityAutoConfiguration.class)
  2. @ConditionalOnWebApplication(type = Type.SERVLET)
  3. @EnableConfigurationProperties(SecurityProperties.class)
  4. @ConditionalOnClass({ AbstractSecurityWebApplicationInitializer.class, SessionCreationPolicy.class })
  5. public class SecurityFilterAutoConfiguration {
  6.      // DEFAULT_FILETER_NAME = “springSecurityFilterChain”
  7.      private static final String DEFAULT_FILTER_NAME = AbstractSecurityWebApplicationInitializer.DEFAULT_FILTER_NAME;
  8.      // 必须存在名称为springSecurityFilterChain的bean
  9.      // 名称为springSecurityFilterChain的bean实际上类型即是 org.springframework.security.web.FilterChainProxy
  10.      @Bean
  11.      @ConditionalOnBean(name = DEFAULT_FILTER_NAME)
  12.      public DelegatingFilterProxyRegistrationBean securityFilterChainRegistration(
  13.              SecurityProperties securityProperties) {
  14.          DelegatingFilterProxyRegistrationBean registration = new DelegatingFilterProxyRegistrationBean(
  15.                  DEFAULT_FILTER_NAME);
  16.          registration.setOrder(securityProperties.getFilter().getOrder());
  17.          registration.setDispatcherTypes(getDispatcherTypes(securityProperties));
  18.          return registration;
  19.      }
  20.      
  21. }

可以看到DelegatingFilterProxyRegistrationBean被注入Bean容器,且名称为"springSecurityFilterChain"的Bean必须存在,而DelegatingFilterProxyRegistrationBean#getFilter用来获取真正的Security Filter代理类DelegatingFilterProxy,需要注意的是,DelegatingFilterProxy实现了Filter接口。

先来看看DelegatingFilterProxyRegistrationBean的类图结构:

-4

DelegatingFilterProxyRegistrationBean负责整合Servlet Filter注册(主要就是代理类注册)和Spring生命周期,而真正的代理类DelegatingFilterProxy通过

DelegatingFilterProxyRegistrationBean#getFilter获取。这体现了职责单一的设计原则。

  1. public class DelegatingFilterProxyRegistrationBean  {
  2.      
  3.      @Override
  4.      public DelegatingFilterProxy getFilter() {
  5.          // 创建真正的代理(匿名子类),并具有延迟加载的能力
  6.          return new DelegatingFilterProxy(this.targetBeanName, getWebApplicationContext()) {
  7.              @Override
  8.              protected void initFilterBean() throws ServletException {
  9.                  // Don’t initialize filter bean on init()
  10.              }
  11.          };
  12.      }
  13.      
  14. }

接下来,DelegatingFilterProxyRegistrationBean中的DelegatingFilterProxy需要完成对多个SecurityFilterChain的代理。而这个代理过程Security又通过一个代理类org.springframework.security.web.FilterChainProxy完成 。意思是,DelegatingFilterProxy是整个Security的代理,而FilterChainProxy是SecurityFilterChain的代理,且DelegatingFilterProxy是通过FilterChainProxy来完成代理的(代理一个代理)。

来看看DelegatingFilterProxy

  1. public class DelegatingFilterProxy extends GenericFilterBean {
  2.      // 就是 springSecurityFilterChain,代表FilterChainProxy的beanName
  3.      @Nullable
  4.      private String targetBeanName;
  5.      // 代理的FilterChainProxy
  6.      @Nullable
  7.      private volatile Filter delegate;
  8.      
  9.      @Override
  10.      public void doFilter(ServletRequest request, ServletResponse response, FilterChain filterChain)
  11.              throws ServletException, IOException {
  12.          // Lazily initialize the delegate if necessary.
  13.          Filter delegateToUse = this.delegate;
  14.          if (delegateToUse == null) {
  15.              synchronized (this.delegateMonitor) {
  16.                  delegateToUse = this.delegate;
  17.                  if (delegateToUse == null) {
  18.                      
  19.                      // 初始化代理类
  20.                      delegateToUse = initDelegate(wac);
  21.                  }
  22.                  this.delegate = delegateToUse;
  23.              }
  24.          }
  25.          // Let the delegate perform the actual doFilter operation.
  26.          invokeDelegate(delegateToUse, request, response, filterChain);
  27.      }
  28.      
  29.      protected Filter initDelegate(WebApplicationContext wac) throws ServletException {
  30.          String targetBeanName = getTargetBeanName();
  31.          // 容器中获取名称为springSecurityFilterChain 类型为Filter的bean
  32.          // 即 FilterChainProxy
  33.          // 所以 注册 DelegatingFilterProxyRegistrationBean 时必须有 @ConditionalOnBean(name=”springSecurityFilterChain”)
  34.          Filter delegate = wac.getBean(targetBeanName, Filter.class);
  35.          
  36.          return delegate;
  37.      }
  38. }

上文说到,在注册DelegatingFilterProxyRegistrationBean的自动配置类中 必须要有springSecurityFilterChain名称的bean存在,而这个名称为springSecurityFilterChain的bean实际上类型即是 org.springframework.security.web.FilterChainProxy

整个流程如下:

-1

有点像 道生一,一生二,二生三,三生万物 的思想,我将它命名为 道德经设计模式,嘿嘿 。

那么FilterChainProxy又是在哪儿注入的呢?

FilterChainProxy

在配置类org.springframework.security.config.annotation.web.configuration.WebSecurityConfiguration中我们可以发现,这里注入了FilterChainProxy

  1. @Configuration(proxyBeanMethods = false)
  2. public class WebSecurityConfiguration implements ImportAware, BeanClassLoaderAware {
  3.      
  4.      private WebSecurity webSecurity;
  5.      // 多个SecurityFilterChain
  6.      private List<SecurityFilterChain> securityFilterChains = Collections.emptyList();
  7.      // 多个WebSecurityCustomizer
  8.      private List<WebSecurityCustomizer> webSecurityCustomizers = Collections.emptyList();
  9.      
  10.      // 注入一个Filter,指定名称为springSecurityFilterChain
  11.      @Bean(name = AbstractSecurityWebApplicationInitializer.DEFAULT_FILTER_NAME)
  12.      public Filter springSecurityFilterChain() throws Exception {
  13.          
  14.          for (SecurityFilterChain securityFilterChain : this.securityFilterChains) {
  15.              this.webSecurity.addSecurityFilterChainBuilder(() -> securityFilterChain);
  16.              // 为每个SecurityFilterChain中的每个Filter添加拦截方法
  17.              for (Filter filter : securityFilterChain.getFilters()) {
  18.                  if (filter instanceof FilterSecurityInterceptor) {
  19.                      this.webSecurity.securityInterceptor((FilterSecurityInterceptor) filter);
  20.                      break;
  21.                  }
  22.              }
  23.          }
  24.          // 自定义器对每个SecurityFilterChain均生效
  25.          for (WebSecurityCustomizer customizer : this.webSecurityCustomizers) {
  26.              customizer.customize(this.webSecurity);
  27.          }
  28.          // 这里build()方法返回 org.springframework.security.web.FilterChainProxy
  29.          return this.webSecurity.build();
  30.      }
  31.      
  32.      // 自动注入, 通常我们需要自定义的就是这个SecurityFilterChain类型
  33.      // 只需要在业务配置类中注册一个SecurityFilterChain类型的bean就能被注入到这里
  34.      @Autowired(required = false)
  35.      void setFilterChains(List<SecurityFilterChain> securityFilterChains) {
  36.          this.securityFilterChains = securityFilterChains;
  37.      }
  38.      // 自动注入
  39.      @Autowired(required = false)
  40.      void setWebSecurityCustomizers(List<WebSecurityCustomizer> webSecurityCustomizers) {
  41.          this.webSecurityCustomizers = webSecurityCustomizers;
  42.      }
  43. }

在业务配置类中,我们可以自定义SecurityFilterChainWebSecurityCustomizer的bean,配置如下:

  1. @Configuration
  2. public class SecurityConfig {
  3.      @Bean
  4.      public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
  5.          http.csrf().disable();
  6.          // 必须显式注明,配合CorsConfigurationSource的Bean,不然即使在web里面配置了跨域,security这里依然会cors error
  7.          http.cors();
  8.          http.authorizeRequests()
  9.                  .antMatchers(AUTH_WHITELIST).permitAll()
  10.                  .anyRequest().authenticated();
  11.          http.formLogin().successHandler(loginSuccessHandler);
  12.          http.oauth2Login().successHandler(giteeSuccessHandler);
  13.          http.exceptionHandling().accessDeniedHandler(restAccessDeniedHandler);
  14.          http.addFilterBefore(bearAuthenticationFilter, UsernamePasswordAuthenticationFilter.class);
  15.          return http.build();
  16.      }
  17.      @Bean
  18.      public WebSecurityCustomizer webSecurityCustomizer() {
  19.          return (web) -> web.ignoring().antMatchers(“/ignore1”, “/ignore2”);
  20.      }
  21. }

OK,我们再来看看 org.springframework.security.web.FilterChainProxy:

  1. public class FilterChainProxy extends GenericFilterBean {
  2.      private List<SecurityFilterChain> filterChains;
  3.      private HttpFirewall firewall = new StrictHttpFirewall();
  4.      @Override
  5.      public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
  6.              throws IOException, ServletException {
  7.          
  8.          doFilterInternal(request, response, chain);
  9.          
  10.      }
  11.      private void doFilterInternal(ServletRequest request, ServletResponse response, FilterChain chain)
  12.              throws IOException, ServletException {
  13.          // 转化为org.springframework.security.web.firewall.FirewalledRequest
  14.          // reject potentially dangerous requests and/or wrap them to control their behaviour.
  15.          FirewalledRequest firewallRequest = this.firewall.getFirewalledRequest((HttpServletRequest) request);
  16.          HttpServletResponse firewallResponse = this.firewall.getFirewalledResponse((HttpServletResponse) response);
  17.          // #getFilters会在所有SecurityFilterChain中进行匹配
  18.          List<Filter> filters = getFilters(firewallRequest);
  19.          
  20.          // 转化为 VirtualFilterChain
  21.          // VirtualFilterChain是FilterChainProxy内部静态类
  22.          VirtualFilterChain virtualFilterChain = new VirtualFilterChain(firewallRequest, chain, filters);
  23.          // 开启 SecurityFilterChain中所有filter过程
  24.          virtualFilterChain.doFilter(firewallRequest, firewallResponse);
  25.      }
  26.      private List<Filter> getFilters(HttpServletRequest request) {
  27.          for (SecurityFilterChain chain : this.filterChains) {
  28.              // 返回第一个符合规则的SecurityFilterChain
  29.              if (chain.matches(request)) {
  30.                  return chain.getFilters();
  31.              }
  32.          }
  33.          return null;
  34.      }
  35.      /**
  36.      * 执行额外的 filters,控制filters执行过程
  37.      * Internal {@code FilterChain} implementation that is used to pass a request through
  38.      * the additional internal list of filters which match the request.
  39.      */
  40.      private static final class VirtualFilterChain implements FilterChain {
  41.          
  42.          private final FilterChain originalChain;
  43.          private final List<Filter> additionalFilters;
  44.          private final FirewalledRequest firewalledRequest;
  45.          // 该SecurityFilterChain中所有filter的数量
  46.          private final int size;
  47.          // 当前filter的位置
  48.          private int currentPosition = 0;
  49.          
  50.          @Override
  51.          public void doFilter(ServletRequest request, ServletResponse response) throws IOException, ServletException {
  52.              if (this.currentPosition == this.size) {
  53.                  // 执行完毕
  54.                  // Deactivate path stripping as we exit the security filter chain
  55.                  this.firewalledRequest.reset();
  56.                  this.originalChain.doFilter(request, response);
  57.                  return;
  58.              }
  59.              // 继续执行filterChain中下一个filter
  60.              this.currentPosition++;
  61.              Filter nextFilter = this.additionalFilters.get(this.currentPosition  1);
  62.              nextFilter.doFilter(request, response, this);
  63.          }
  64.          
  65.      }
  66.      
  67. }

Filters

按顺序排序,Spring Security内置了以下Filter:

  • ForceEagerSessionCreationFilter
  • ChannelProcessingFilter
  • WebAsyncManagerIntegrationFilter
  • SecurityContextPersistenceFilter
  • HeaderWriterFilter
  • CorsFilter
  • CsrfFilter
  • LogoutFilter
  • OAuth2AuthorizationRequestRedirectFilter
  • Saml2WebSsoAuthenticationRequestFilter
  • X509AuthenticationFilter
  • AbstractPreAuthenticatedProcessingFilter
  • CasAuthenticationFilter
  • OAuth2LoginAuthenticationFilter
  • Saml2WebSsoAuthenticationFilter
  • UsernamePasswordAuthenticationFilter
  • DefaultLoginPageGeneratingFilter
  • DefaultLogoutPageGeneratingFilter
  • ConcurrentSessionFilter
  • DigestAuthenticationFilter
  • BearerTokenAuthenticationFilter
  • BasicAuthenticationFilter
  • RequestCacheAwareFilter
  • SecurityContextHolderAwareRequestFilter
  • JaasApiIntegrationFilter
  • RememberMeAuthenticationFilter
  • AnonymousAuthenticationFilter
  • OAuth2AuthorizationCodeGrantFilter
  • SessionManagementFilter
  • ExceptionTranslationFilter : allows translation of AccessDeniedException and
  • AuthenticationException into HTTP responses
  • FilterSecurityInterceptor (新版本由 AuthorizationFilter 取代,该Interceptor即是做鉴权的)
  • SwitchUserFilter

到此这篇关于Spring Security基本架构与初始化操作流程详解的文章就介绍到这了,更多相关Spring Security基本架构内容请搜索我们以前的文章或继续浏览下面的相关文章希望大家以后多多支持我们!

标签

相关推荐

发表评论