最近在使用Springsecurity,然後debug代碼時,經常看到FilterChainProxy,所以就在這裏記錄下吧。
Springsecurity版本是4.3.x.RELEASE.
List-1
public class FilterChainProxy extends GenericFilterBean {
private final static String FILTER_APPLIED = FilterChainProxy.class.getName().concat(".APPLIED");
private List<SecurityFilterChain> filterChains;
private FilterChainValidator filterChainValidator = new NullFilterChainValidator();
private HttpFirewall firewall = new StrictHttpFirewall();
...
如List-1所示,後面我們會重點看下filterChains。
FilterChainProxy繼承了GenericFilterBean,這個類來自於Springframework框架而非Springsecurity。
FilterChainProxy重寫了GenericFilterBean的doFilter方法,如下List-2所示。
List-2
public void doFilter(ServletRequest request, ServletResponse response,
FilterChain chain) throws IOException, ServletException {
boolean clearContext = request.getAttribute(FILTER_APPLIED) == null;
if (clearContext) {
try {
request.setAttribute(FILTER_APPLIED, Boolean.TRUE);
doFilterInternal(request, response, chain);
}
finally {
SecurityContextHolder.clearContext();
request.removeAttribute(FILTER_APPLIED);
}
}
else {
doFilterInternal(request, response, chain);
}
}
在List-2中的doFilterInternal,通過getFilters(HttpServletRequest)方法,根據request的url來獲取對應的Filter,如下List-3所示,SecurityFilterChain是個接口,如List-4所示。
List-3
private List<Filter> getFilters(HttpServletRequest request) {
for (SecurityFilterChain chain : filterChains) {
if (chain.matches(request)) {
return chain.getFilters();
}
}
return null;
}
List-4 SecurityFilterChain是個接口
public interface SecurityFilterChain {
boolean matches(HttpServletRequest request);
List<Filter> getFilters();
}
如果List-3返回的getFilters不爲空,那麼會構造一個VirtualFilterChain,並調用它的doFilter,下面來看下VirtualFilterChain,如List-5,additionalFilters是根據request的url得到的Filter集合,originalChain是FilterChainProxy的doFilter中傳入的FilterChain。
List-5 VirtualFilterChain的屬性及構造方法
private static class VirtualFilterChain implements FilterChain {
private final FilterChain originalChain;
private final List<Filter> additionalFilters;
private final FirewalledRequest firewalledRequest;
private final int size;
private int currentPosition = 0;
private VirtualFilterChain(FirewalledRequest firewalledRequest,
FilterChain chain, List<Filter> additionalFilters) {
this.originalChain = chain;
this.additionalFilters = additionalFilters;
this.size = additionalFilters.size();
this.firewalledRequest = firewalledRequest;
}
...
下面來看下VirtualFilterChain的doFilter,如List-6所示。
List-6 VirtualFilterChain的doFilter
public void doFilter(ServletRequest request, ServletResponse response)
throws IOException, ServletException {
if (currentPosition == size) {
// Deactivate path stripping as we exit the security filter chain
this.firewalledRequest.reset();
originalChain.doFilter(request, response);
}
else {
currentPosition++;
Filter nextFilter = additionalFilters.get(currentPosition - 1);
nextFilter.doFilter(request, response, this);
}
}
圖1
如List-6所示,會先調用additionalFilters中的Filer,之後纔會調用originalChain這個Filter,如圖1所示,這個過程有點遞歸的感覺。而重點是這個additionalFilters中的Filter,正是Springsecurity根據配置加上request的url得到的Filter集合,所以Springsecurity通過這樣的方式將需要處理的邏輯添加到originalChain之前。
看FilterChainProxy的時候,看到一個內部類,如下List-7,然後有個實現類NullFilterChainValidator,但是這個裏面沒有做什麼,得到的一個啓示就是,在命名上,如果以後要定義一個默認什麼都沒有做的實現類,那麼命名上也可以參考這個,在類名稱前加上Null。最後這點純屬個人意見。
List-7 FilterChainValidator
public interface FilterChainValidator {
void validate(FilterChainProxy filterChainProxy);
}
private static class NullFilterChainValidator implements FilterChainValidator {
public void validate(FilterChainProxy filterChainProxy) {
}
}
思考:
- 這個FilterChainProxy是在哪被初始化的?這個問題的答案,目前還沒有找到。
- SecurityFilterChain的實現還沒有分析