準備環境
本文以oauth2+github登錄爲例,首先創建一個Spring Boot工程,版本爲2.1.0.RELEASE,工程目錄結構如下圖:
pom.xml如下:
<dependency>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-security</artifactId>
</dependency>
<dependency>
<groupId>org.springframework.security</groupId>
<artifactId>spring-security-oauth2-client</artifactId>
<version>5.1.2.RELEASE</version>
</dependency>
<dependency>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-web</artifactId>
</dependency>
<dependency>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-test</artifactId>
<scope>test</scope>
</dependency>
啓動類SecurityApplication.java:
/**
* @author iHelin
*/
@RestController
@SpringBootApplication
public class SecurityApplication {
public static void main(String[] args) {
SpringApplication.run(SecurityApplication.class, args);
}
@GetMapping({"/", "/user"})
public Object get() {
OAuth2AuthenticationToken authentication = (OAuth2AuthenticationToken) SecurityContextHolder.getContext().getAuthentication();
OAuth2User principal = authentication.getPrincipal();
return principal.getAttributes();
}
}
SercurityConfig.java:
/**
* @author iHelin
* @date 2018-11-30 15:47
*/
@EnableWebSecurity(debug = true)
public class SercurityConfig extends WebSecurityConfigurerAdapter {
@Override
protected void configure(HttpSecurity http) throws Exception {
http.csrf().disable()
.authorizeRequests().anyRequest().authenticated().and()
.oauth2Login();
}
}
配置文件application.properties
server.port=8080
logging.level.org.springframework.security=debug
logging.level.org.springframework.boot.autoconfigure.security=debug
spring.security.oauth2.client.registration.github.client-id=xxxxxx
spring.security.oauth2.client.registration.github.client-secret=xxxxxx
從@EnableWebSecurity開始說起
SercurityConfig是一個配置類,它繼承了WebSecurityConfigurerAdapter,並標明瞭@EnableWebSecurity(debug = true)註解,查看這個註解發現,裏面又導入(import)了WebSecurityConfiguration.class這個配置類,如下圖:
WebSecurityConfiguration是一個自動配置類,它的主要作用創建過濾器鏈(securityFilterChains)並完成安全配置工作,而這一系列過程主要是通過webSecurity完成的。系統啓動時Spring上下文會首先調用它
setFilterChainProxySecurityConfigurer方法進行webSecurity的初始化,這一步通過反射完成(當然,這不是我們的重點)。然後再調用springSecurityFilterChain進行webSecurity的配置,具體步驟如下:首先進入
springSecurityFilterChain方法
接着調用
org.springframework.security.config.annotation.AbstractSecurityBuilder#build方法
public final O build() throws Exception {
if (this.building.compareAndSet(false, true)) {
this.object = doBuild();
return this.object;
}
throw new AlreadyBuiltException("This object has already been built");
}
cas操作進入if語句,進入關鍵的org.springframework.security.config.annotation.AbstractConfiguredSecurityBuilder#doBuild方法
@Override
protected final O doBuild() throws Exception {
synchronized(configurers) {
buildState = BuildState.INITIALIZING;
beforeInit();
init();
buildState = BuildState.CONFIGURING;
beforeConfigure();
configure();
buildState = BuildState.BUILDING;
O result = performBuild();
buildState = BuildState.BUILT;
return result;
}
}
裏面是一個同步的代碼塊,不過這也不是重點,核心在init和performBuild方法,注意,到現在我們的主語還是webSecurity。首先來看看init方法:
private void init() throws Exception {
Collection < SecurityConfigurer < O, B >> configurers = getConfigurers();
for (SecurityConfigurer < O, B > configurer: configurers) {
configurer.init((B) this);
}
for (SecurityConfigurer < O, B > configurer: configurersAddedInInitializing) {
configurer.init((B) this);
}
}
這裏主要看第一個for循環,裏面會進行一些配置的初始化,其中會有一個我們繼承的WebSecurityConfigurerAdapter的代理,其實也就是我們自己定義的安全配置類SercurityConfig,調用其init方法:
public void init(final WebSecurity web) throws Exception {
final HttpSecurity http = getHttp();
web.addSecurityFilterChainBuilder(http).postBuildAction(new Runnable() {
public void run() {
FilterSecurityInterceptor securityInterceptor = http.getSharedObject(FilterSecurityInterceptor.class);
web.securityInterceptor(securityInterceptor);
}
});
}
看下getHttp:
protected final HttpSecurity getHttp() throws Exception {
...
if (!disableDefaults) {
// @formatter:off
http.csrf().and().addFilter(new WebAsyncManagerIntegrationFilter()).exceptionHandling().and().headers().and().sessionManagement().and().securityContext().and().requestCache().and().anonymous().and().servletApi().and().apply(new DefaultLoginPageConfigurer < > ()).and().logout();
// @formatter:on
...
}
configure(http);
return http;
}
裏面首先進行默認的配置,這裏添加了一個Filter:WebAsyncManagerIntegrationFilter,繼續向下執行,會執行configure方法,它是一個模板方法,也就是這裏會執行我們配置類裏面覆蓋的configure方法,這裏就完成了httpSecurity的初始化。
以上步驟都只是webSecurity的init操作,也就是創建了許多的配置器,接下來進入webSecurity的performBuild方法使配置生效,具體過程是調用httpSecurity的config方法,裏面會調用上面創建的衆多配置器的configure方法,其目的是向過濾器鏈添加各種Filter,最後還會調用performBuild方法對過濾器進行排序,創建DefaultSecurityFilterChain過濾器鏈,這裏以ExceptionHandlingConfigurer爲例。
public void configure(H http) throws Exception {
AuthenticationEntryPoint entryPoint = getAuthenticationEntryPoint(http);
ExceptionTranslationFilter exceptionTranslationFilter = new ExceptionTranslationFilter(entryPoint, getRequestCache(http));
AccessDeniedHandler deniedHandler = getAccessDeniedHandler(http);
exceptionTranslationFilter.setAccessDeniedHandler(deniedHandler);
exceptionTranslationFilter = postProcess(exceptionTranslationFilter);
http.addFilter(exceptionTranslationFilter);
}
關鍵看最後的addFilter方法
public HttpSecurity addFilter(Filter filter) {
Class <? extends Filter > filterClass = filter.getClass();
if (!comparator.isRegistered(filterClass)) {
throw new IllegalArgumentException("The Filter class " + filterClass.getName() + " does not have a registered order and cannot be added without a specified order. Consider using addFilterBefore or addFilterAfter instead.");
}
this.filters.add(filter);
return this;
}
最終向httpSecurity對象的filters中添加filter。
然後再調用httpSecurity的performBuild方法對filters進行排序:
protected DefaultSecurityFilterChain performBuild() throws Exception {
Collections.sort(filters, comparator);
return new DefaultSecurityFilterChain(requestMatcher, filters);
}
最後返回了一個DefaultSecurityFilterChain對象,至此http的配置宣告完成。再回到webSecurity的performBuild方法,它根據httpSecurity返回的securityFilterChain創建了一個securityFilterChains。
protected Filter performBuild() throws Exception {
...
for (RequestMatcher ignoredRequest: ignoredRequests) {
securityFilterChains.add(new DefaultSecurityFilterChain(ignoredRequest));
}
for (SecurityBuilder <? extends SecurityFilterChain > securityFilterChainBuilder: securityFilterChainBuilders) {
securityFilterChains.add(securityFilterChainBuilder.build());
}
FilterChainProxy filterChainProxy = new FilterChainProxy(securityFilterChains);
...
Filter result = filterChainProxy;
...
return result;
}
可以看到filterChainProxy本質上也是一個filter,它最終返回給容器。這樣webSecurity的配置也基本完成。
以上。