NoteDeep

spring security

Spring Security does three things:
  • Authentication
  • Authorization
  • Defence against common attacks

Top-level architecture: https://docs.spring.io/spring-security/site/docs/current/reference/html5/#servlet-architecture


DelegatingFilterProxy

Spring provides a Filter implementation named DelegatingFilterProxy that allows bridging between the Servlet container’s lifecycle and Spring’s ApplicationContext.

FilterChainProxy

Spring Security’s Servlet support is contained within FilterChainProxy. FilterChainProxy is a special Filter provided by Spring Security that allows delegating to many Filter instances through SecurityFilterChain. Since FilterChainProxy is a Bean, it is typically wrapped in a DelegatingFilterProxy.



spring-boot-starter-security:
Bundles the Spring Security related dependencies together

Authentication

That is, verifying who a person is
Architecture Components
See the official documentation: https://docs.spring.io/spring-security/site/docs/current/reference/html5/#servlet-authentication

The Authentication serves two main purposes within Spring Security:
  • An input to AuthenticationManager to provide the credentials a user has provided to authenticate. When used in this scenario, isAuthenticated() returns false.
  • Represents the currently authenticated user. The current Authentication can be obtained from the SecurityContext.
The Authentication contains:
  • principal - identifies the user. When authenticating with a username/password this is often an instance of UserDetails.
  • credentials - Often a password. In many cases this will be cleared after the user is authenticated to ensure it is not leaked.
  • authorities - the GrantedAuthority instances are high level permissions the user is granted. A few examples are roles or scopes.
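The two roles of an Authentication object described above, as an added example (not from the note or the Spring project): the same UsernamePasswordAuthenticationToken type first carries the submitted credentials with isAuthenticated() false, then, after a successful authentication, carries the principal and authorities with the credentials erased, and is published through the SecurityContext. It needs only spring-security-core on the classpath; the username and password are constructed sample values.

```java
import java.util.List;

import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.authority.AuthorityUtils;
import org.springframework.security.core.context.SecurityContext;
import org.springframework.security.core.context.SecurityContextHolder;

/**
 * Added example (not part of the note): the two roles of an Authentication.
 * Role 1: input to the AuthenticationManager (not yet authenticated).
 * Role 2: the currently authenticated user, stored in the SecurityContext.
 */
public class AuthenticationDemo {

    /** Role 1: the credentials as submitted, the way an AuthenticationManager receives them. */
    static Authentication asRequest(String username, String password) {
        // The two-argument constructor marks the token as NOT authenticated
        return new UsernamePasswordAuthenticationToken(username, password);
    }

    /** Role 2: what a successful AuthenticationManager.authenticate() hands back. */
    static Authentication asResult(Authentication request, List<GrantedAuthority> authorities) {
        // The three-argument constructor marks the token as authenticated. The password is
        // still inside it, so erase it before it can leak into logs or the SecurityContext.
        UsernamePasswordAuthenticationToken result = new UsernamePasswordAuthenticationToken(
                request.getPrincipal(), request.getCredentials(), authorities);
        result.eraseCredentials();
        return result;
    }

    public static void main(String[] args) {
        // Constructed sample credentials, not real ones
        Authentication request = asRequest("alice", "s3cret");
        System.out.println("request isAuthenticated = " + request.isAuthenticated());

        Authentication result = asResult(request, AuthorityUtils.createAuthorityList("ROLE_USER"));
        System.out.println("result isAuthenticated  = " + result.isAuthenticated());
        System.out.println("credentials after erase = " + result.getCredentials());
        System.out.println("authorities             = " + result.getAuthorities());

        // Publish it as the current user, then read it back the way application code does
        SecurityContext ctx = SecurityContextHolder.createEmptyContext();
        ctx.setAuthentication(result);
        SecurityContextHolder.setContext(ctx);
        Authentication current = SecurityContextHolder.getContext().getAuthentication();
        System.out.println("current principal       = " + current.getPrincipal());

        // Always clear the context on a thread that is reused (servlet threads are)
        SecurityContextHolder.clearContext();
    }
}
```

The erase step is the part worth noticing: the filter chain normally does it for you (the AuthenticationManager erases credentials after success by default), but any custom code that builds an authenticated token by hand has to do it itself.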

Authorization


Wiring

WebSecurity is a builder that builds the FilterChainProxy further upstream. It has to manage several SecurityFilterChains, so it has a securityFilterChainBuilders property.

HttpSecurity is also a builder, but it only builds a single SecurityFilterChain;
so an HttpSecurity is one item in WebSecurity.securityFilterChainBuilders.


In practice you can treat WebSecurity as Spring Security's single external entry point, while HttpSecurity is just the way the internal security policies are defined: WebSecurity corresponds to FilterChainProxy, HttpSecurity corresponds to SecurityFilterChain, and both share the parent class AbstractConfiguredSecurityBuilder. With that in mind, the difference between them is basically clear.


Spring Security's builder + Configurer mechanism
Core class: AbstractConfiguredSecurityBuilder
public abstract class AbstractConfiguredSecurityBuilder<O, B extends SecurityBuilder<O>> extends AbstractSecurityBuilder<O>
It is a builder; its job is to build an object O.
The configurers are what configure the builder.
Note that the configurers property is at work throughout the entire build.
Pseudocode:
    protected final O doBuild() throws Exception {
        Collection<SecurityConfigurer<O, B>> configurers = getConfigurers();
        // 1. every configurer initialises the builder
        for (SecurityConfigurer<O, B> configurer : configurers) {
            configurer.init((B) this);
        }
        // 2. every configurer configures the builder
        for (SecurityConfigurer<O, B> configurer : configurers) {
            configurer.configure((B) this);
        }
        // 3. the concrete builder produces the result
        O result = performBuild();
        return result;
    }
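To make the init → configure → performBuild sequence concrete, here is an added, stand-alone re-creation of the pattern (my own code, not Spring's, and it needs no Spring classpath). All class names carry a Mini prefix to make clear they are stand-ins for SecurityBuilder, SecurityConfigurer, AbstractConfiguredSecurityBuilder and HttpSecurity; the filter chain is just an ordered list of filter names.

```java
import java.util.ArrayList;
import java.util.LinkedHashMap;
import java.util.List;
import java.util.Map;

/**
 * Added example: a miniature of Spring Security's builder + Configurer mechanism.
 * Not Spring's code; the Mini* types only mirror the shape of the real ones.
 */
public class MiniBuilderDemo {

    /** Stand-in for SecurityBuilder<O>: builds an object of type O. */
    interface MiniSecurityBuilder<O> {
        O build() throws Exception;
    }

    /** Stand-in for SecurityConfigurer<O, B>: contributes to builder B, which builds O. */
    interface MiniSecurityConfigurer<O, B extends MiniSecurityBuilder<O>> {
        default void init(B builder) throws Exception {}
        default void configure(B builder) throws Exception {}
    }

    /** Stand-in for a SecurityFilterChain: an ordered list of filter names. */
    record MiniFilterChain(List<String> filters) {}

    /** Stand-in for AbstractConfiguredSecurityBuilder: runs every configurer's init, then configure, then performBuild. */
    static abstract class MiniConfiguredBuilder<O, B extends MiniSecurityBuilder<O>> implements MiniSecurityBuilder<O> {
        // One instance per configurer type, in application order (Spring keeps a similar map)
        private final Map<Class<?>, MiniSecurityConfigurer<O, B>> configurers = new LinkedHashMap<>();
        private boolean built;

        public <C extends MiniSecurityConfigurer<O, B>> C apply(C configurer) {
            configurers.put(configurer.getClass(), configurer);
            return configurer; // returned so callers can keep customising it, as in http.apply(...)
        }

        @Override
        @SuppressWarnings("unchecked")
        public final O build() throws Exception {
            if (built) throw new IllegalStateException("This builder has already been built");
            built = true;
            for (MiniSecurityConfigurer<O, B> c : configurers.values()) c.init((B) this);
            for (MiniSecurityConfigurer<O, B> c : configurers.values()) c.configure((B) this);
            return performBuild();
        }

        protected abstract O performBuild();
    }

    /** Stand-in for HttpSecurity: collects filters and builds exactly one chain. */
    static class MiniHttpSecurity extends MiniConfiguredBuilder<MiniFilterChain, MiniHttpSecurity> {
        private final List<String> filters = new ArrayList<>();
        public MiniHttpSecurity addFilter(String name) { filters.add(name); return this; }
        @Override protected MiniFilterChain performBuild() { return new MiniFilterChain(List.copyOf(filters)); }
    }

    /** Stand-in for an AbstractHttpConfigurer that registers its filter during configure(). */
    static class FormLoginConfigurer implements MiniSecurityConfigurer<MiniFilterChain, MiniHttpSecurity> {
        private String loginPage = "/login";
        FormLoginConfigurer loginPage(String page) { loginPage = page; return this; }
        @Override public void init(MiniHttpSecurity http) { /* real configurers register shared objects here */ }
        @Override public void configure(MiniHttpSecurity http) {
            http.addFilter("UsernamePasswordAuthenticationFilter(" + loginPage + ")");
        }
    }

    static class CsrfConfigurer implements MiniSecurityConfigurer<MiniFilterChain, MiniHttpSecurity> {
        @Override public void configure(MiniHttpSecurity http) { http.addFilter("CsrfFilter"); }
    }

    /** Wires two configurers onto one builder and builds the chain, the way configure(HttpSecurity) does. */
    public static MiniFilterChain buildChain() throws Exception {
        MiniHttpSecurity http = new MiniHttpSecurity();
        http.apply(new CsrfConfigurer());
        http.apply(new FormLoginConfigurer()).loginPage("/signin");
        return http.build();
    }

    public static void main(String[] args) throws Exception {
        System.out.println("built chain: " + buildChain().filters());
    }
}
```

Two details carry over to the real classes: the builder can only be built once (Spring tracks a buildState for the same reason), and nothing reaches the chain until build() runs, so a configurer applied after build() has no effect.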

Process overview
The goal of wiring is to have WebSecurity build a FilterChainProxy.
The entry point is @EnableWebSecurity, which imports WebSecurityConfiguration.

spring-boot-auto-configuration
When both of these beans are absent, WebSecurityConfigurerAdapter and SecurityFilterChain,
SpringBootWebSecurityConfiguration automatically uses HttpSecurity to build a default SecurityFilterChain.

When a WebSecurityConfigurerAdapter exists, it means I want to configure WebSecurity myself:
  • webSecurity.build() follows the flow of the pseudocode above.
    Before the build, the configurers first wire the builder (i.e. wire webSecurity):
    • WebSecurityConfigurerAdapter.init()
      • creates the HttpSecurity
      • through the methods it overrides, applies the Configurers (AbstractHttpConfigurer) it needs to the HttpSecurity
      • registers the HttpSecurity in WebSecurity's securityFilterChainBuilders
    • WebSecurityConfigurerAdapter.configure()
    • performBuild
      • iterates over securityFilterChainBuilders and calls securityFilterChainBuilder.build() on each, i.e. HttpSecurity.build()

HttpSecurity.build(), in the same way, first lets the AbstractHttpConfigurers wire the HttpSecurity.
While wiring, an AbstractHttpConfigurer almost always adds Filters to the HttpSecurity, and those end up in the SecurityFilterChain that is finally built.
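The flow above, as an added example written against the real Spring Security API (my code, not the note's or the Spring project's): a WebSecurityConfigurerAdapter whose overridden configure(HttpSecurity) applies a custom AbstractHttpConfigurer, which in its own configure() adds a filter to the HttpSecurity; that filter lands in the DefaultSecurityFilterChain that HttpSecurity.build() produces. It assumes Spring Security 5.x on a Spring Boot 2.x classpath (javax.servlet, WebSecurityConfigurerAdapter still present); RequestAuditFilter and AuditConfigurer are hypothetical names.

```java
import java.io.IOException;

import javax.servlet.FilterChain;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.Customizer;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.config.annotation.web.configurers.AbstractHttpConfigurer;
import org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter;
import org.springframework.web.filter.OncePerRequestFilter;

/**
 * Added example (not from the note or from Spring): wiring a custom AbstractHttpConfigurer
 * through a WebSecurityConfigurerAdapter. Assumes Spring Security 5.x.
 */
@Configuration
@EnableWebSecurity // imports WebSecurityConfiguration, which creates WebSecurity and builds the FilterChainProxy
public class DemoSecurityConfig extends WebSecurityConfigurerAdapter {

    /** Hypothetical filter: marks each response with the path that went through the chain. */
    static class RequestAuditFilter extends OncePerRequestFilter {
        @Override
        protected void doFilterInternal(HttpServletRequest request, HttpServletResponse response,
                                        FilterChain chain) throws ServletException, IOException {
            // A real audit filter would write to an audit log; a header keeps the effect visible here
            response.setHeader("X-Audit-Path", request.getRequestURI());
            chain.doFilter(request, response);
        }
    }

    /**
     * Hypothetical AbstractHttpConfigurer. HttpSecurity.build() calls init() on every applied
     * configurer, then configure(); a filter added here goes into the built DefaultSecurityFilterChain.
     */
    static class AuditConfigurer extends AbstractHttpConfigurer<AuditConfigurer, HttpSecurity> {
        @Override
        public void configure(HttpSecurity http) {
            http.addFilterBefore(new RequestAuditFilter(), UsernamePasswordAuthenticationFilter.class);
        }
    }

    // WebSecurityConfigurerAdapter.init() creates the HttpSecurity, calls this override so the
    // configurers get applied, then registers the HttpSecurity in WebSecurity's securityFilterChainBuilders.
    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            .authorizeRequests(authorize -> authorize
                .antMatchers("/public/**").permitAll()
                .anyRequest().authenticated())
            .httpBasic(Customizer.withDefaults())
            .apply(new AuditConfigurer());
    }
}
```

Every call in configure(HttpSecurity) is itself an apply() of some AbstractHttpConfigurer (authorizeRequests, httpBasic and so on each register one), so the custom AuditConfigurer is treated no differently from the built-in ones. Since Spring Security 5.7 the adapter is deprecated and the same configure body is written inside a SecurityFilterChain @Bean method that ends with return http.build(), which is the second of the two beans the auto-configuration checks for.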

Class reference
WebSecurity
Parent class: AbstractConfiguredSecurityBuilder
WebSecurity is created by WebSecurityConfiguration and is used to create the FilterChainProxy, i.e. a single Filter.
To manage the lifecycle of several SecurityFilterChains in a fine-grained way, a proxy that manages those SecurityFilterChains centrally is essential; that is the point of WebSecurity.

WebSecurityConfigurerAdapter
Makes it easier to create a WebSecurityConfigurer

WebSecurityConfigurer
Used to configure WebSecurity

WebSecurityConfiguration
Uses WebSecurity to create the FilterChainProxy

HttpSecurity
HttpSecurity is used to build the filter chain DefaultSecurityFilterChain (i.e. a SecurityFilterChain)
https://developer.51cto.com/art/202104/658021.htm
https://segmentfault.com/a/1190000019135169



SecurityBuilder<O>
A builder.
Purpose: build an object O

SecurityConfigurer<O, B extends SecurityBuilder<O>>
Configures a {@link SecurityBuilder}.
Purpose: configure a builder

SecurityConfigurerAdapter
public abstract class SecurityConfigurerAdapter<O, B extends SecurityBuilder<O>> implements SecurityConfigurer<O, B>
Purpose: configure a builder
  @param <O> The Object being built by B
  @param <B> The Builder that is building O and is configured by {@link SecurityConfigurerAdapter}

AbstractHttpConfigurer
public abstract class AbstractHttpConfigurer<T extends AbstractHttpConfigurer<T, B>, B extends HttpSecurityBuilder<B>> extends SecurityConfigurerAdapter<DefaultSecurityFilterChain, B>
Adds a convenient base class for {@link SecurityConfigurer} instances that operate on {@link HttpSecurity}.
A Configurer base class
Purpose: configure HttpSecurity


Official sample code: https://github.com/spring-projects/spring-security-samples





