1 SecurityContextPersistenceFilter
通過觀察Filter的名字,就能大概猜出來這個過濾器的作用,持久化SecurityContext實例
org.springframework.security.web.context.SecurityContextPersistenceFilter
該 Filter 位於過濾器的頂端,所有過濾器的入口
public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain) throws IOException, ServletException { HttpServletRequest request = (HttpServletRequest) req; HttpServletResponse response = (HttpServletResponse) res; if (request.getAttribute(FILTER_APPLIED) != null) { // 確保對於每個請求只應用一次過濾器 chain.doFilter(request, response); return; } final boolean debug = logger.isDebugEnabled(); request.setAttribute(FILTER_APPLIED, Boolean.TRUE); if (forceEagerSessionCreation) { HttpSession session = request.getSession(); if (debug && session.isNew()) { logger.debug("Eagerly created session: " + session.getId()); } } // 將 request/response 對象交給該對象維護 HttpRequestResponseHolder holder = new HttpRequestResponseHolder(request,response); //通過SecurityContextRepository接口的實現類裝載SecurityContext實例 //HttpSessionSecurityContextRepository將產生SecurityContext實例的任務交給SecurityContextHolder.createEmptyContext() //SecurityContextHolder再根據策略模式的不同, //把任務再交給相應策略類完成SecurityContext的創建 //如果沒有配置策略名稱,則默認爲 //ThreadLocalSecurityContextHolderStrategy, //該類直接通過new SecurityContextImpl()創建實例 SecurityContext contextBeforeChainExecution = repo.loadContext(holder); try { //將產生的SecurityContext再通過SecurityContextHolder-> //ThreadLocalSecurityContextHolderStrategy設置到ThreadLocal SecurityContextHolder.setContext(contextBeforeChainExecution); //繼續把請求流向下一個過濾器執行 chain.doFilter(holder.getRequest(), holder.getResponse()); } finally { // 所有過濾器執行完後 //先從SecurityContextHolder獲取SecurityContext實例 SecurityContext contextAfterChainExecution = SecurityContextHolder .getContext(); //關鍵性地除去SecurityContextHolder內容 - 在任何事情之前執行此操作 //再把SecurityContext實例從SecurityContextHolder中清空 //若沒有清空,會受到服務器的線程池機制的影響 SecurityContextHolder.clearContext(); //將SecurityContext實例持久化到session中 repo.saveContext(contextAfterChainExecution, holder.getRequest(), holder.getResponse()); request.removeAttribute(FILTER_APPLIED); if (debug) { logger.debug("SecurityContextHolder now cleared, as request processing completed"); } } }
該Filter的作用主要是創建一個空的SecurityContext(如果session中沒有SecurityContext實例),然後持久化到session中