知行合一,止于至善
千里之行,始于足下;合抱之木,生于毫末;九层之台,起于累土spring security 的callstack分析
在web.xml中有如下的filter声明
本文由博主javacoder.cn整理,转载请注明出处
|
1 2 3 4 5 6 7 8 9 |
<filter> <filter-name>springSecurityFilterChain</filter-name> <filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class> </filter> <filter-mapping> <filter-name>springSecurityFilterChain</filter-name> <url-pattern>/*</url-pattern> </filter-mapping> |
在这里,DelegatingFilterProxy的filter-name是有严格要求的,不能乱定义,默认的为springSecurityFilterChain,其实就是在spring context中FilterChainProxy bean的别名。
在spring context中有如下定义
|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 |
<global-method-security pre-post-annotations="enabled" /> <http pattern="/static/**" security="none"/> <http pattern="/loggedout.jsp" security="none"/> <http > <intercept-url pattern="/secure/extreme/**" access="hasAuthority('supervisor')"/> <intercept-url pattern="/secure/**" access="authenticated" /> <intercept-url pattern="/**" access="permitAll" /> <form-login /> <logout logout-success-url="/loggedout.jsp" delete-cookies="JSESSIONID"/> <csrf disabled="true"/> <anonymous enabled="false"/> <session-management invalid-session-url="/timeout.jsp"> <concurrency-control max-sessions="1" error-if-maximum-exceeded="true" /> </session-management> </http> <authentication-manager> <!--对应ProviderManager实例--> <authentication-provider> <!--对应DaoAuthenticationProvider实例--> <user-service><!--对应InMemoryUserDetailsManager实例--> <user name="rod" password="koala" authorities="supervisor" /> <user name="dianne" password="emu" authorities="ROLE_user,ROLE_teller" /> <user name="scott" password="wombat" authorities="ROLE_user" /> <user name="peter" password="opal" authorities="ROLE_user" /> </user-service> </authentication-provider> </authentication-manager> |
前面提到的FilterChainProxy是对所有<http>元素封装,当请求到来时,比较请求的路径是否匹配<http>的pattern。如果匹配,就执行该<http>定义的filter链。具体的实现参考FilterChainProxy.doFilterInternal方法。
核心filter UsernamePasswordAuthenticationFilter的作用是完成用户的认证,用spring security的官方说法应该是"authenticate Credential"。主要的逻辑是调用ProviderManager.authenticate方法,在该方法中调用合适的AuthenticationProvider来完成真正的鉴权,本例为<authentication-provider>对应的DaoAuthenticationProvider。
核心filter FilterSecurityInterceptor的作用是判断当前用户是否拥有被请求资源的访问权限,在FilterSecurityInterceptor的父类 AbstractSecurityInterceptor.beforeInvocation方法中,先获取请求资源匹配的<intercept-url>元素对应的access定义,用Collection<ConfigAttribute>表示,然后调用AccessDecisionManager.decide进行是否有访问权限的决策,基于namespace配置时AccessDecisionManager的默认实现为AffirmativeBased。具体的逻辑参考AffirmativeBased.decide方法
调用栈如下:
Posted in: Spring Security
One Response
sorry, test CSDN~123qwe