About Spring Security

Saving and removing the request

//save request
org.springframework.security.web.access.ExceptionTranslationFilter#doFilter{
handleSpringSecurityException(request, response, chain, ase);
}
org.springframework.security.web.access.ExceptionTranslationFilter#handleSpringSecurityException{
sendStartAuthentication(request,response,chain,new InsufficientAuthenticationException("Full authentication is required to access this resource"));
}
org.springframework.security.web.access.ExceptionTranslationFilter#sendStartAuthentication{
requestCache.saveRequest(request, response);
}
org.springframework.security.web.savedrequest.HttpSessionRequestCache#saveRequest{
request.getSession().setAttribute(SAVED_REQUEST, savedRequest);
}

//remove request
//case 1
org.springframework.security.web.authentication.AbstractAuthenticationProcessingFilter#doFilter{
successfulAuthentication(request, response, chain, authResult);
}
org.springframework.security.web.authentication.AbstractAuthenticationProcessingFilter#successfulAuthentication{
successHandler.onAuthenticationSuccess(request, response, authResult);
}
org.springframework.security.web.authentication.SavedRequestAwareAuthenticationSuccessHandler#onAuthenticationSuccess{
requestCache.removeRequest(request, response);
}
org.springframework.security.web.savedrequest.HttpSessionRequestCache#removeRequest{
session.removeAttribute(SAVED_REQUEST);
}

//case 2
org.springframework.security.web.savedrequest.RequestCacheAwareFilter#doFilter{
HttpServletRequest wrappedSavedRequest = requestCache.getMatchingRequest((HttpServletRequest) request, (HttpServletResponse) response);
}
org.springframework.security.web.savedrequest.HttpSessionRequestCache#getMatchingRequest{
removeRequest(request, response);
}
org.springframework.security.web.savedrequest.HttpSessionRequestCache#removeRequest{
session.removeAttribute(SAVED_REQUEST);
}

Saving the session (if you want to persist it to Redis, look at

org.springframework.security.web.context.SecurityContextPersistenceFilter#doFilter{
repo.saveContext(contextAfterChainExecution, holder.getRequest(),holder.getResponse());
}

org.springframework.security.web.context.HttpSessionSecurityContextRepository#saveContext{
responseWrapper.saveContext(context);
}
org.springframework.security.web.context.HttpSessionSecurityContextRepository.SaveToSessionResponseWrapper#saveContext{
HttpSession httpSession = request.getSession(false);
httpSession.setAttribute(springSecurityContextKey, context);
}

This repo has two implementations in Spring Security: org.springframework.security.web.context.HttpSessionSecurityContextRepository and org.springframework.security.web.context.NullSecurityContextRepository (the latter exists so that no session is saved, for example when the server side is kept stateless). To inject your own implementation, for example one that saves to a database, override org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter#configure(org.springframework.security.config.annotation.web.builders.HttpSecurity) as follows:

http.securityContext().securityContextRepository(securityContextRepository)
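As an added example (not code from the original post or from Spring Security itself), a custom SecurityContextRepository that keeps the SecurityContext in an external store keyed by the servlet session id; the class name and the ConcurrentHashMap standing in for a database are assumptions:

```java
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;

import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

import org.springframework.security.core.context.SecurityContext;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.security.web.context.HttpRequestResponseHolder;
import org.springframework.security.web.context.SecurityContextRepository;

// Hypothetical repository: SecurityContextPersistenceFilter calls loadContext()
// before the filter chain and saveContext() after it (see the trace above).
// A ConcurrentHashMap keyed by session id stands in for a database or Redis.
public class ExternalStoreSecurityContextRepository implements SecurityContextRepository {

    private final Map<String, SecurityContext> store = new ConcurrentHashMap<>();

    @Override
    public SecurityContext loadContext(HttpRequestResponseHolder holder) {
        HttpSession session = holder.getRequest().getSession(false);
        SecurityContext ctx = (session == null) ? null : store.get(session.getId());
        // Never return null: the filter expects an empty context when nothing is stored.
        return ctx != null ? ctx : SecurityContextHolder.createEmptyContext();
    }

    @Override
    public void saveContext(SecurityContext context, HttpServletRequest request,
                            HttpServletResponse response) {
        HttpSession session = request.getSession(false);
        if (session == null) {
            return; // no session was ever created, so there is nothing to key on
        }
        if (context.getAuthentication() == null) {
            store.remove(session.getId()); // logout: drop the stale entry
        } else {
            store.put(session.getId(), context);
        }
    }

    @Override
    public boolean containsContext(HttpServletRequest request) {
        HttpSession session = request.getSession(false);
        return session != null && store.containsKey(session.getId());
    }
}

// Registration in WebSecurityConfigurerAdapter#configure(HttpSecurity):
// http.securityContext().securityContextRepository(new ExternalStoreSecurityContextRepository());
```

Unlike the HttpSession-backed repository traced above, the session here only supplies the key; the context itself lives in the external store, so a session that is invalidated without a logout pass through saveContext leaves a stale entry that must be evicted separately (for example via a session listener or a store TTL).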

Authorization interception handling:

Rules of the kind .authorizeRequests().antMatchers("/me").access("#oauth2.hasScope('read')"):

org.springframework.security.web.access.intercept.FilterSecurityInterceptor#invoke{
InterceptorStatusToken token = super.beforeInvocation(fi);
}
org.springframework.security.access.intercept.AbstractSecurityInterceptor#beforeInvocation{
this.accessDecisionManager.decide(authenticated, object, attributes);
}

Rules of the global-method-security kind (for details see <Ten: analysis of Spring Security's use of AOP for global method security>): a proxy is generated for the intercepted class, and the before-advice is invoked before the method call

org.springframework.security.access.intercept.aopalliance.MethodSecurityInterceptor#invoke{
InterceptorStatusToken token = super.beforeInvocation(mi);
}
org.springframework.security.access.intercept.AbstractSecurityInterceptor#beforeInvocation{
this.accessDecisionManager.decide(authenticated, object, attributes);
}

Both kinds ultimately let the decide method determine whether access is granted.
