Abstract: Spring Security's initialization involves several key components and configuration steps; at its core it converts the user's configuration into a chain of security filters. A step-by-step walk-through follows:
1. Enabling security configuration - @EnableWebSecurity
Role: this annotation imports the WebSecurityConfiguration class, which is responsible for configuring Spring Security's core components. The source that triggers it:
```java
@Import({ WebSecurityConfiguration.class,
        SpringWebMvcImportSelector.class,
        OAuth2ImportSelector.class })
public @interface EnableWebSecurity { ... }
```
2. Loading the configuration class - WebSecurityConfiguration
Core method: setFilterChainProxySecurityConfigurer collects every WebSecurityConfigurer instance (including the user's own configuration classes) and initializes WebSecurity with them:
```java
@Autowired(required = false)
public void setFilterChainProxySecurityConfigurer(
        ObjectPostProcessor<Object> objectPostProcessor,
        @Value("#{@autowiredWebSecurityConfigurersIgnoreParents.getWebSecurityConfigurers()}")
        List<SecurityConfigurer<Filter, WebSecurity>> webSecurityConfigurers) throws Exception {
    // WebSecurity is created and post-processed so that it takes part in the Spring lifecycle
    WebSecurity web = objectPostProcessor.postProcess(new WebSecurity(objectPostProcessor));
    // every collected configurer (e.g. each WebSecurityConfigurerAdapter subclass) is applied to it
    for (SecurityConfigurer<Filter, WebSecurity> webSecurityConfigurer : webSecurityConfigurers) {
        web.apply(webSecurityConfigurer);
    }
    this.webSecurity = web;
}
```
3. Building the filter chain - WebSecurity.build
Execution flow. Initialization phase: the init method of every SecurityConfigurer is called. Configuration phase: each configurer's configure method runs. Build phase: a FilterChainProxy is produced that aggregates all SecurityFilterChains. Key source:
```java
@Override
protected Filter performBuild() throws Exception {
    List<SecurityFilterChain> filterChains = new ArrayList<>();
    // each builder (typically an HttpSecurity) yields one SecurityFilterChain
    for (SecurityBuilder<? extends SecurityFilterChain> securityFilterChainBuilder : securityFilterChainBuilders) {
        filterChains.add(securityFilterChainBuilder.build());
    }
    // the proxy is the single servlet Filter that fronts all chains
    return new FilterChainProxy(filterChains);
}
```
4. HTTP security configuration - HttpSecurity
Configuration entry point: users customize rules by overriding WebSecurityConfigurerAdapter.configure(HttpSecurity http). Chained configuration: each configuration method (such as authorizeRequests) adds its corresponding configurer (simplified sketch):
```java
public HttpSecurity authorizeRequests() throws Exception {
    // registers the configurer once; a second call returns the already-applied instance
    return getOrApply(new AuthorizeRequestsConfigurer<>());
}
```
Final build: HttpSecurity produces a DefaultSecurityFilterChain containing filters such as UsernamePasswordAuthenticationFilter and FilterSecurityInterceptor.
5. The filter chain proxy - FilterChainProxy
Request handling: the SecurityFilterChain matching the request URL is selected and its filters are executed. Structural sketch:
```java
public class FilterChainProxy extends GenericFilterBean {
    private List<SecurityFilterChain> filterChains;

    // match the request against the chains and run the first matching one
    @Override
    public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
            throws IOException, ServletException { ... }
}
```
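To make the selection behaviour concrete, here is an added stand-alone example (not code from the original article) that assembles a FilterChainProxy by hand, exactly as WebSecurity.performBuild() would, and asks it which filters apply to a given URL via its public getFilters(String) method. It assumes Spring Security 5.x with the javax.servlet API; the two chains, their matchers and the "demo-key" anonymous key are constructed for illustration.

```java
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;
import javax.servlet.Filter;
import org.springframework.security.web.DefaultSecurityFilterChain;
import org.springframework.security.web.FilterChainProxy;
import org.springframework.security.web.SecurityFilterChain;
import org.springframework.security.web.authentication.AnonymousAuthenticationFilter;
import org.springframework.security.web.context.SecurityContextPersistenceFilter;
import org.springframework.security.web.csrf.CsrfFilter;
import org.springframework.security.web.csrf.HttpSessionCsrfTokenRepository;
import org.springframework.security.web.util.matcher.AntPathRequestMatcher;
import org.springframework.security.web.util.matcher.AnyRequestMatcher;

public class ChainSelectionDemo {

    // Same structure WebSecurity.performBuild() produces: an ordered list of
    // SecurityFilterChain, each carrying its own RequestMatcher and filter list.
    public static FilterChainProxy buildProxy() {
        // constructed chain 1: stateless API paths, deliberately without CsrfFilter
        SecurityFilterChain apiChain = new DefaultSecurityFilterChain(
                new AntPathRequestMatcher("/api/**"),
                new SecurityContextPersistenceFilter(),
                new AnonymousAuthenticationFilter("demo-key"));
        // constructed chain 2: everything else, with CSRF protection
        SecurityFilterChain webChain = new DefaultSecurityFilterChain(
                AnyRequestMatcher.INSTANCE,
                new SecurityContextPersistenceFilter(),
                new CsrfFilter(new HttpSessionCsrfTokenRepository()),
                new AnonymousAuthenticationFilter("demo-key"));
        // Order matters: FilterChainProxy stops at the FIRST chain whose matcher
        // accepts the request. Putting webChain first would shadow apiChain entirely.
        return new FilterChainProxy(Arrays.asList(apiChain, webChain));
    }

    // Resolve the chain for a URL and return the simple class names of its filters.
    public static List<String> filterNames(FilterChainProxy proxy, String url) {
        List<Filter> filters = proxy.getFilters(url); // null when no chain matched
        List<String> names = new ArrayList<>();
        if (filters != null) {
            for (Filter f : filters) {
                names.add(f.getClass().getSimpleName());
            }
        }
        return names;
    }

    public static void main(String[] args) {
        FilterChainProxy proxy = buildProxy();
        // /api/orders hits apiChain: no CsrfFilter in the list
        System.out.println("/api/orders -> " + filterNames(proxy, "/api/orders"));
        // /login falls through to webChain: CsrfFilter is present
        System.out.println("/login      -> " + filterNames(proxy, "/login"));
    }
}
```

Swapping the two chains in the Arrays.asList call is the quickest way to see the first-match rule in action: the API path then receives the browser chain's CsrfFilter, which is the usual cause of unexpected 403 responses on API calls when a catch-all chain is ordered too early.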
6. Merging user configurations and their precedence
Handling multiple configuration classes: all WebSecurityConfigurerAdapter subclasses are collected and sorted by @Order; their configurations are applied in that order, so a later configuration may override an earlier one. Default configuration: when no custom configuration exists, Spring Boot provides a DefaultSecurityFilterChain with basic authentication enabled by default.
7. Mapping from key configurers to filters
Example configurers:
- CsrfConfigurer → CsrfFilter
- ExceptionHandlingConfigurer → ExceptionTranslationFilter
- AuthorizeRequestsConfigurer → FilterSecurityInterceptor
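The following added example (not code from the original article) ties sections 4, 6 and 7 together: two WebSecurityConfigurerAdapter subclasses, each producing its own SecurityFilterChain, ordered with @Order so that FilterChainProxy consults the narrower /api/** chain first, with comments marking which configurer call contributes which filter. It assumes Spring Security 5.x (the WebSecurityConfigurerAdapter API the article describes) under Spring Boot, and the class names, paths, user names and passwords are constructed for illustration only.

```java
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.core.annotation.Order;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.core.userdetails.User;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
import org.springframework.security.crypto.password.PasswordEncoder;
import org.springframework.security.provisioning.InMemoryUserDetailsManager;

/**
 * Two adapters = two SecurityFilterChains. WebSecurityConfiguration sorts the
 * adapters by @Order, WebSecurity.performBuild() builds one chain per adapter,
 * and FilterChainProxy uses the FIRST chain whose matcher accepts the request.
 */
@Configuration
@EnableWebSecurity
public class MultiChainSecurityConfig {

    // Chain for /api/** only. Lower @Order value = consulted earlier. @Order values
    // must be unique across adapters; duplicates make WebSecurityConfiguration
    // throw an IllegalStateException at startup.
    @Configuration
    @Order(1)
    public static class ApiSecurity extends WebSecurityConfigurerAdapter {
        @Override
        protected void configure(HttpSecurity http) throws Exception {
            http
                .antMatcher("/api/**")            // RequestMatcher of this chain
                .csrf().disable()                 // CsrfConfigurer removed -> no CsrfFilter here
                .authorizeRequests()              // AuthorizeRequestsConfigurer -> FilterSecurityInterceptor
                    .anyRequest().hasRole("API")
                    .and()
                .httpBasic();                     // HttpBasicConfigurer -> BasicAuthenticationFilter
        }
    }

    // Catch-all chain for every other request. It must sort AFTER the API chain:
    // with the orders swapped, this chain would match /api/** first and ApiSecurity
    // would never run for those requests.
    @Configuration
    @Order(2)
    public static class BrowserSecurity extends WebSecurityConfigurerAdapter {
        @Override
        protected void configure(HttpSecurity http) throws Exception {
            http
                .authorizeRequests()              // -> FilterSecurityInterceptor
                    .antMatchers("/", "/public/**").permitAll()
                    .anyRequest().authenticated()
                    .and()
                .formLogin()                      // FormLoginConfigurer -> UsernamePasswordAuthenticationFilter
                    .and()
                .exceptionHandling()              // ExceptionHandlingConfigurer -> ExceptionTranslationFilter
                    .accessDeniedPage("/denied");
            // CSRF is left at its default, so CsrfConfigurer adds CsrfFilter to this chain.
        }
    }

    // Picked up by the auto-configured DaoAuthenticationProvider for password checks.
    @Bean
    public PasswordEncoder passwordEncoder() {
        return new BCryptPasswordEncoder();
    }

    // The UserDetailsService bean that DaoAuthenticationProvider uses to load users.
    // In-memory users with placeholder passwords, constructed for illustration only.
    @Bean
    public UserDetailsService userDetailsService(PasswordEncoder encoder) {
        return new InMemoryUserDetailsManager(
                User.withUsername("api-client").password(encoder.encode("change-me")).roles("API").build(),
                User.withUsername("alice").password(encoder.encode("change-me")).roles("USER").build());
    }
}
```

A quick way to confirm what the build produced is to enable debug logging for org.springframework.security (or call debug(true) on WebSecurity via the adapter's configure(WebSecurity) override); Spring Security then logs each SecurityFilterChain with its matcher and filter list at startup, which makes ordering mistakes between chains visible without sending a single request.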
Authentication flow: the UserDetailsService bean is injected into DaoAuthenticationProvider, which uses it to verify identities.
Summary flow diagram
@EnableWebSecurity → WebSecurityConfiguration → initialize WebSecurity → collect WebSecurityConfigurers → build FilterChainProxy → register it as a Spring bean → at request time FilterChainProxy selects the matching SecurityFilterChain and executes it
Through these steps Spring Security turns the user's configuration into a runtime security policy, ensuring every request passes through the appropriate security controls. Understanding this process helps when customizing security logic in depth and when troubleshooting configuration problems.
Source: 老客数据一点号