使用過springSecurity的朋友都知道,首先需要在web.xml進行以下配置,
<filter>
<filter-name>springSecurityFilterChain</filter-name>
<filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
</filter>
<filter-mapping>
<filter-name>springSecurityFilterChain</filter-name>
<url-pattern>/*</url-pattern>
</filter-mapping>
從這個配置中,可能會給我們造成一個錯覺,以爲DelegatingFilterProxy類就是springSecurity的入口,但其實這個類位於spring-web-3.0.5.RELEASE.jar這個jar下面,說明這個類本身是和springSecurity無關。DelegatingFilterProxy類繼承於抽象類GenericFilterBean,間接地implement 了javax.servlet.Filter接口,Servlet容器在啓動時,首先會調用Filter的init方法,GenericFilterBean的作用主要是可以把Filter的初始化參數自動地set到繼承於GenericFilterBean類的Filter中去。在其init方法的如下代碼就是做了這個事:
|
1
2
3
4
5
6
|
PropertyValues
pvs = new FilterConfigPropertyValues(filterConfig,
this.requiredProperties);BeanWrapper
bw = PropertyAccessorFactory.forBeanPropertyAccess(this);ResourceLoader
resourceLoader = new ServletContextResourceLoader(filterConfig.getServletContext());bw.registerCustomEditor(Resource.class,
new ResourceEditor(resourceLoader));initBeanWrapper(bw);bw.setPropertyValues(pvs,
true); |
另外在init方法中調用了initFilterBean()方法,該方法是GenericFilterBean類是特地留給子類擴展用的,
|
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
|
protected void initFilterBean()
throws ServletException
{ //
If no target bean name specified, use filter name. if (this.targetBeanName
== null)
{ this.targetBeanName
= getFilterName(); } //
Fetch Spring root application context and initialize the delegate early, //
if possible. If the root application context will be started after this //
filter proxy, we'll have to resort to lazy initialization. synchronized (this.delegateMonitor)
{ WebApplicationContext
wac = findWebApplicationContext(); if (wac
!= null)
{ this.delegate
= initDelegate(wac); } } } |
可以看出上述代碼首先看Filter是否提供了targetBeanName初始化參數,如果沒有提供則直接使用filter的name做爲beanName,產生了beanName後,由於我們在web.xml的filter的name是springSecurityFilterChain,從spring的IOC容器中取出bean的代碼是initDelegate方法,下面是該方法代碼:
|
1
2
3
4
5
6
7
|
protected Filter
initDelegate(WebApplicationContext wac) throws ServletException
{ Filter
delegate = wac.getBean(getTargetBeanName(), Filter.class); if (isTargetFilterLifecycle())
{ delegate.init(getFilterConfig()); } return delegate;} |
通過跟蹤代碼,發現取出的bean是org.springframework.security.FilterChainProxy,該類也是繼承於GenericFilterBean,取出bean後,判斷targetFilterLifecycle屬性是false還是true,決定是否調用該類的init方法。這個FilterChainProxy bean實例最終被保存在DelegatingFilterProxy類的delegate屬性裏,
下面看一下DelegatingFilterProxy類的doFilter方法
|
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
|
public void doFilter(ServletRequest
request, ServletResponse response, FilterChain filterChain) throws ServletException,
IOException { //
Lazily initialize the delegate if necessary. Filter
delegateToUse = null; synchronized (this.delegateMonitor)
{ if (this.delegate
== null)
{ WebApplicationContext
wac = findWebApplicationContext(); if (wac
== null)
{ throw new IllegalStateException("No
WebApplicationContext found: no ContextLoaderListener registered?"); } this.delegate
= initDelegate(wac); } delegateToUse
= this.delegate; } //
Let the delegate perform the actual doFilter operation. invokeDelegate(delegateToUse,
request, response, filterChain); } |
真正要關注invokeDelegate(delegateToUse, request, response, filterChain);這句代碼,在下面可以看出DelegatingFilterProxy類實際是用其delegate屬性即org.springframework.security.FilterChainProxy實例的doFilter方法來響應請求。
|
1
2
3
4
5
6
|
protected void invokeDelegate( Filter
delegate, ServletRequest request, ServletResponse response, FilterChain filterChain) throws ServletException,
IOException { delegate.doFilter(request,
response, filterChain); } |
以上就是DelegatingFilterProxy類的一些內部運行機制,其實主要作用就是一個代理模式的應用,可以把servlet 容器中的filter同spring容器中的bean關聯起來。