从SpringBoot的自动装配原理入手
- 找到META-INFO下的spring.factories文件
SpringSecurity作为Spring的亲儿子,自然在spring-boot-autoconfigure下的spring.factories文件中配置了
org.springframework.boot.autoconfigure.security.servlet.SecurityAutoConfiguration,\
org.springframework.boot.autoconfigure.security.servlet.UserDetailsServiceAutoConfiguration,\
org.springframework.boot.autoconfigure.security.servlet.SecurityFilterAutoConfiguration,\
UserDetailsServiceAutoConfiguration
@Configuration(proxyBeanMethods = false
)
//条件注解
@ConditionalOnClass({AuthenticationManager.class})
@ConditionalOnBean({ObjectPostProcessor.class})
//提供拓展,没有提供以下三个实现类才使用默认的
@ConditionalOnMissingBean(value = {AuthenticationManager.class, AuthenticationProvider.class, UserDetailsService.class},type = {"org.springframework.security.oauth2.jwt.JwtDecoder", "org.springframework.security.oauth2.server.resource.introspection.OpaqueTokenIntrospector"}
)
public class UserDetailsServiceAutoConfiguration {//密码不加密表示private static final String NOOP_PASSWORD_PREFIX = "{noop}";private static final Pattern PASSWORD_ALGORITHM_PATTERN = Pattern.compile("^\\{.+}.*$");private static final Log logger = LogFactory.getLog(UserDetailsServiceAutoConfiguration.class);public UserDetailsServiceAutoConfiguration() {}@Bean@ConditionalOnMissingBean(type = {"org.springframework.security.oauth2.client.registration.ClientRegistrationRepository"})@Lazypublic InMemoryUserDetailsManager inMemoryUserDetailsManager(SecurityProperties properties, ObjectProvider<PasswordEncoder> passwordEncoder) {//读取以spring.security开头的配置文件SecurityProperties.User user = properties.getUser();List<String> roles = user.getRoles();return new InMemoryUserDetailsManager(new UserDetails[]{User.withUsername(user.getName()).password(this.getOrDeducePassword(user, (PasswordEncoder)passwordEncoder.getIfAvailable())).roles(StringUtils.toStringArray(roles)).build()});}private String getOrDeducePassword(SecurityProperties.User user, PasswordEncoder encoder) {String password = user.getPassword();if (user.isPasswordGenerated()) {logger.info(String.format("%n%nUsing generated security password: %s%n", user.getPassword()));}return encoder == null && !PASSWORD_ALGORITHM_PATTERN.matcher(password).matches() ? "{noop}" + password : password;}
}//标记读取配置文件夹信息
@ConfigurationProperties(prefix = "spring.security"
)
public class SecurityProperties {public static final int BASIC_AUTH_ORDER = 2147483642;public static final int IGNORED_ORDER = Integer.MIN_VALUE;public static final int DEFAULT_FILTER_ORDER = -100;private final Filter filter = new Filter();private User user = new User();public SecurityProperties() {}public User getUser() {return this.user;}public Filter getFilter() {return this.filter;}public static class User {//如果没有配置,用户名默认user,密码uuidprivate String name = "user";private String password = UUID.randomUUID().toString();private List<String> roles = new ArrayList();private boolean passwordGenerated = true;public User() {}public String getName() {return this.name;}public void setName(String name) {this.name = name;}public String getPassword() {return this.password;}public void setPassword(String password) {if (StringUtils.hasLength(password)) {this.passwordGenerated = false;this.password = password;}}public List<String> getRoles() {return this.roles;}public void setRoles(List<String> roles) {this.roles = new ArrayList(roles);}public boolean isPasswordGenerated() {return this.passwordGenerated;}}public static class Filter {private int order = -100;private Set<DispatcherType> dispatcherTypes;public Filter() {this.dispatcherTypes = new HashSet(Arrays.asList(DispatcherType.ASYNC, DispatcherType.ERROR, DispatcherType.REQUEST));}public int getOrder() {return this.order;}public void setOrder(int order) {this.order = order;}public Set<DispatcherType> getDispatcherTypes() {return this.dispatcherTypes;}public void setDispatcherTypes(Set<DispatcherType> dispatcherTypes) {this.dispatcherTypes = dispatcherTypes;}}
}
SecurityFilterAutoConfiguration
约定大于配置,这里的内容就相当于在web.xml配置文件中配置springSecurityFilterChain的过程由spring自动实现.spring自动注入DelegatingFilterProxy对象,这样就可以将security中的过滤器切到spring中,在请求的时候会被DelegatingFilterProxyRegistrationBean拦截,然后去执行security中的过滤器链。
@Configuration(proxyBeanMethods = false
)
//web项目才加载
@ConditionalOnWebApplication(type = Type.SERVLET
)
@EnableConfigurationProperties({SecurityProperties.class})
@ConditionalOnClass({AbstractSecurityWebApplicationInitializer.class, SessionCreationPolicy.class})
//SecurityAutoConfiguration之后执行
@AutoConfigureAfter({SecurityAutoConfiguration.class})
public class SecurityFilterAutoConfiguration {//名字private static final String DEFAULT_FILTER_NAME = "springSecurityFilterChain";public SecurityFilterAutoConfiguration() {}/*** 创建DelegatingFilterProxyRegistrationBean对象注入到spring容器中* @param securityProperties* @return*/@Bean@ConditionalOnBean(name = {"springSecurityFilterChain"})public DelegatingFilterProxyRegistrationBean securityFilterChainRegistration(SecurityProperties securityProperties) {//创建DelegatingFilterProxy对象DelegatingFilterProxyRegistrationBean registration = new DelegatingFilterProxyRegistrationBean("springSecurityFilterChain", new ServletRegistrationBean[0]);registration.setOrder(securityProperties.getFilter().getOrder());registration.setDispatcherTypes(this.getDispatcherTypes(securityProperties));return registration;}private EnumSet<DispatcherType> getDispatcherTypes(SecurityProperties securityProperties) {return securityProperties.getFilter().getDispatcherTypes() == null ? null : (EnumSet)securityProperties.getFilter().getDispatcherTypes().stream().map((type) -> {return DispatcherType.valueOf(type.name());}).collect(Collectors.toCollection(() -> {return EnumSet.noneOf(DispatcherType.class);}));}
}
创建DelegatingFilterProxy的过程实际是通过ServletContextInitializer接口实现的,有一个方法onStartup,有一个实现类RegistrationBean
public abstract class RegistrationBean implements ServletContextInitializer, Ordered {private static final Log logger = LogFactory.getLog(RegistrationBean.class);private int order = Integer.MAX_VALUE;private boolean enabled = true;public RegistrationBean() {}public final void onStartup(ServletContext servletContext) throws ServletException {String description = this.getDescription();if (!this.isEnabled()) {logger.info(StringUtils.capitalize(description) + " was not registered (disabled)");} else {//注册this.register(description, servletContext);}}protected abstract String getDescription();protected abstract void register(String description, ServletContext servletContext);public void setEnabled(boolean enabled) {this.enabled = enabled;}public boolean isEnabled() {return this.enabled;}public void setOrder(int order) {this.order = order;}public int getOrder() {return this.order;}
}注册逻辑在父类DynamicRegistrationBean中
public abstract class DynamicRegistrationBean<D extends Registration.Dynamic> extends RegistrationBean {private static final Log logger = LogFactory.getLog(RegistrationBean.class);private String name;private boolean asyncSupported = true;private Map<String, String> initParameters = new LinkedHashMap();public DynamicRegistrationBean() {}public void setName(String name) {Assert.hasLength(name, "Name must not be empty");this.name = name;}public void setAsyncSupported(boolean asyncSupported) {this.asyncSupported = asyncSupported;}public boolean isAsyncSupported() {return this.asyncSupported;}public void setInitParameters(Map<String, String> initParameters) {Assert.notNull(initParameters, "InitParameters must not be null");this.initParameters = new LinkedHashMap(initParameters);}public Map<String, String> getInitParameters() {return this.initParameters;}public void addInitParameter(String name, String value) {Assert.notNull(name, "Name must not be null");this.initParameters.put(name, value);}protected final void register(String description, ServletContext servletContext) {//生成DelegatingFilterProxy对象D registration = this.addRegistration(description, servletContext);if (registration == null) {logger.info(StringUtils.capitalize(description) + " was not registered (possibly already registered?)");} else {//在其父类AbstractFilterRegistrationBean中配置拦截/*请求this.configure(registration);}}protected abstract D addRegistration(String description, ServletContext servletContext);protected void configure(D registration) {registration.setAsyncSupported(this.asyncSupported);if (!this.initParameters.isEmpty()) {registration.setInitParameters(this.initParameters);}}protected final String getOrDeduceName(Object value) {return this.name != null ? this.name : Conventions.getVariableName(value);}
}
跟踪代码发现实际调用的了DelegatingFilterProxyRegistrationBean的getFilter方法
public class DelegatingFilterProxyRegistrationBean extends AbstractFilterRegistrationBean<DelegatingFilterProxy> implements ApplicationContextAware {private ApplicationContext applicationContext;private final String targetBeanName;public DelegatingFilterProxyRegistrationBean(String targetBeanName, ServletRegistrationBean<?>... servletRegistrationBeans) {super(servletRegistrationBeans);Assert.hasLength(targetBeanName, "TargetBeanName must not be null or empty");this.targetBeanName = targetBeanName;this.setName(targetBeanName);}public void setApplicationContext(ApplicationContext applicationContext) throws BeansException {this.applicationContext = applicationContext;}protected String getTargetBeanName() {return this.targetBeanName;}//创建DelegatingFilterProxy实例对象public DelegatingFilterProxy getFilter() {return new DelegatingFilterProxy(this.targetBeanName, this.getWebApplicationContext()) {protected void initFilterBean() throws ServletException {}};}private WebApplicationContext getWebApplicationContext() {Assert.notNull(this.applicationContext, "ApplicationContext be injected");Assert.isInstanceOf(WebApplicationContext.class, this.applicationContext);return (WebApplicationContext)this.applicationContext;}
}
