当前位置：首页 > news >正文

从源码开始精通spring-security1

news 2026/2/9 11:02:57

参考b站up主：传送门

前沿: 本章：spring-security 重要的成员 WebSecurity、HttpSecurity、SecurityBuilder、SecurityFilterChain、FilterChainProxy

重点：WebSecurity、HttpSecurity 他们都实现了 SecurityBuilder 接口用来构建对象

WebSecurity的作用：

首先看下他的结构：

public final class WebSecurity extendsAbstractConfiguredSecurityBuilder<Filter, WebSecurity> implementsSecurityBuilder<Filter>, ApplicationContextAware{}

小插曲：其实WebSecurity继承的AbstractConfiguredSecurityBuilder就已经实现了SecurityBuilder也就是说WebSecurity继承AbstractConfiguredSecurityBuilder就已经能完成工作了，再实现一遍SecurityBuilder什么意思？理解：从看代码的人角度能够更加清晰的知道WebSecurity它实现了SecurityBuilder，是我们最重要的接口而泛型Filter就已经知道要构建的对象是Filter。

总之：我们一下子在这就能看到WebSecurity最终构建的对象Object是什么？就是Filter。

写不写implements SecurityBuilder 对能完成工作

HttpSecurity的作用

用刚才WebSecurity的方法来理解

public final class HttpSecurity extendsAbstractConfiguredSecurityBuilder<DefaultSecurityFilterChain, HttpSecurity>implements SecurityBuilder<DefaultSecurityFilterChain>,HttpSecurityBuilder<HttpSecurity> {}

HttpSecurity是为了构建DefaultSecurityFilterChain对象的。是默认的SecurityFilterChain

SecurityFilterChain

SecurityFilterChain：是一个接口，默认的实现是DefaultSecurityFilterChain

/**
Defines a filter chain which is capable of being matched against an HttpServletRequest. in order to decide whether it applies to that request.
定义这样的一个过滤器链去匹配一个特定的request，然后决定这个request能不能应用这个List<Filter>
*/
public interface SecurityFilterChain {boolean matches(HttpServletRequest request);List<Filter> getFilters();
}

SecurityFilterChain也是spring-security当中重要的一个成员。两个方法：

1、matches 是否能匹配 request

2、匹配成功那么就getFilters()方法所有的Filter都应用一遍

SecurityFilterChain的默认实现

DefaultSecurityFilterChain

public final class DefaultSecurityFilterChain implements SecurityFilterChain {// 在matches中判断能不能匹配requestprivate final RequestMatcher requestMatcher;private final List<Filter> filters;public DefaultSecurityFilterChain(RequestMatcher requestMatcher, Filter... filters) {this(requestMatcher, Arrays.asList(filters));}public DefaultSecurityFilterChain(RequestMatcher requestMatcher, List<Filter> filters) {logger.info("Creating filter chain: " + requestMatcher + ", " + filters);this.requestMatcher = requestMatcher;this.filters = new ArrayList<>(filters);}public RequestMatcher getRequestMatcher() {return requestMatcher;}// 匹配成功就把Filter应用一遍public List<Filter> getFilters() {return filters;}// 在matches中判断能不能匹配requestpublic boolean matches(HttpServletRequest request) {return requestMatcher.matches(request);}
}

WebSecurity到底构建了怎样的Filter？

public interface SecurityBuilder<O> {/*** Builds the object and returns it or null.** @return the Object to be built or null if the implementation allows it.* @throws Exception if an error occurred when building the Object*/O build() throws Exception;
}

通过build方法看它的实现：AbstractSecurityBuilder实现了SecurityBuilder接口中的build方法

AbstractSecurityBuilder抽象类中 doBuild方法的构建工作委派给子类实现。

public abstract class AbstractSecurityBuilder<O> implements SecurityBuilder<O>{private AtomicBoolean building = new AtomicBoolean();private O object;//AbstractSecurityBuilder实现了SecurityBuilder接口中的build方法public final O build() throws Exception {if (this.building.compareAndSet(false, true)) {this.object = doBuild();return this.object;}// 解决了重复构建问题 如果再构建一次就抛出异常了throw new AlreadyBuiltException("This object has already been built");}// 构建工作 doBuild 方法protected abstract O doBuild() throws Exception;
}

继续往下走

AbstractConfiguredSecurityBuilder还是一个抽象类。它实现了父类的doBuild方法

public abstract class AbstractConfiguredSecurityBuilder<O, B extends SecurityBuilder<O>>extends AbstractSecurityBuilder<O> {@Overrideprotected final O doBuild() throws Exception {// 加锁 此阶段只能一个线程执行synchronized (configurers) {buildState = BuildState.INITIALIZING;// 留给子类实现的模版方法  不强制子类实现 即不重要的方法beforeInit();init();buildState = BuildState.CONFIGURING;// 留给子类实现的模版方法 不强制子类实现 即不重要的方法beforeConfigure();configure();buildState = BuildState.BUILDING;// 重要方法  有三个类实现它 AuthenticationManagerBuilder HttpSecurity WebSecurityO result = performBuild();buildState = BuildState.BUILT;return result;}} //不强制子类实现protected void beforeInit() throws Exception {}//不强制子类实现protected void beforeConfigure() throws Exception {}// 重要方法protected abstract O performBuild() throws Exception;}

这里通过performBuild();方法构建了我们最终所需要的Object，核心逻辑就在performBuild方法。

有三个类实现它 AuthenticationManagerBuilder、HttpSecurity、 WebSecurity

HttpSecurity的performBuild方法

@Overrideprotected DefaultSecurityFilterChain performBuild() {filters.sort(comparator);return new DefaultSecurityFilterChain(requestMatcher, filters);}

最终返回的就是DefaultSecurityFilterChain 前面说到HttpSecurity所要构建的就是DefaultSecurityFilterChain 那么HttpSecurity的工作完成了。

WebSecurity的performBuild方法

WebSecurity作用：构建一个Filter 显然构建工作在这

	@Overrideprotected Filter performBuild() throws Exception {Assert.state(!securityFilterChainBuilders.isEmpty(),() -> "At least one SecurityBuilder<? extends SecurityFilterChain> needs to be specified. "+ "Typically this done by adding a @Configuration that extends WebSecurityConfigurerAdapter. "+ "More advanced users can invoke "+ WebSecurity.class.getSimpleName()+ ".addSecurityFilterChainBuilder directly");int chainSize = ignoredRequests.size() + securityFilterChainBuilders.size();List<SecurityFilterChain> securityFilterChains = new ArrayList<>(chainSize);for (RequestMatcher ignoredRequest : ignoredRequests) {securityFilterChains.add(new DefaultSecurityFilterChain(ignoredRequest));}for (SecurityBuilder<? extends SecurityFilterChain> securityFilterChainBuilder : securityFilterChainBuilders) {securityFilterChains.add(securityFilterChainBuilder.build());}// FilterChainProxy 就是Filter的一个变种 最终还是一个FilterFilterChainProxy filterChainProxy = new FilterChainProxy(securityFilterChains);if (httpFirewall != null) {filterChainProxy.setFirewall(httpFirewall);}filterChainProxy.afterPropertiesSet();Filter result = filterChainProxy;//debugEnabled：这个是通过 @EnableWebSecurity(dubug=true)开启的if (debugEnabled) {logger.warn("\n\n"+ "********************************************************************\n"+ "**********        Security debugging is enabled.       *************\n"+ "**********    This may include sensitive information.  *************\n"+ "**********      Do not use in a production system!     *************\n"+ "********************************************************************\n\n");result = new DebugFilter(filterChainProxy);}postBuildAction.run();return result;}

FilterChainProxy

前置知识：

SecurityFilterChain：就是一个过滤器链前面介绍过了这个过滤器链能否应用就跟请求能不能匹配。

public class FilterChainProxy extends GenericFilterBean {//传了一堆 SecurityFilterChainpublic FilterChainProxy(List<SecurityFilterChain> filterChains) {this.filterChains = filterChains;}// 　是Filter的一个主要方法  doFilter做过滤的 控制过滤器只能执行一次@Overridepublic void doFilter(ServletRequest request, ServletResponse response,FilterChain chain) throws IOException, ServletException {boolean clearContext = request.getAttribute(FILTER_APPLIED) == null;if (clearContext) {try {request.setAttribute(FILTER_APPLIED, Boolean.TRUE);//核心方法 doFilterInternal(request, response, chain);}finally {SecurityContextHolder.clearContext();request.removeAttribute(FILTER_APPLIED);}}else {doFilterInternal(request, response, chain);}}//FilterChain tomcat下的一个接口 他的最主要实现是 ApplicationFilterChainprivate void doFilterInternal(ServletRequest request, ServletResponse response,FilterChain chain) throws IOException, ServletException {FirewalledRequest fwRequest = firewall.getFirewalledRequest((HttpServletRequest) request);HttpServletResponse fwResponse = firewall.getFirewalledResponse((HttpServletResponse) response);// 拿到一堆Filters  这里是重点List<Filter> filters = getFilters(fwRequest);if (filters == null || filters.size() == 0) {if (logger.isDebugEnabled()) {logger.debug(UrlUtils.buildRequestUrl(fwRequest)+ (filters == null ? " has no matching filters": " has an empty filter list"));}fwRequest.reset();chain.doFilter(fwRequest, fwResponse);return;}// VirtualFilterChain 虚拟的过滤器链  chain 最顶层的过滤器链// VirtualFilterChain最终就是 把 这个参数中的 filters 挨个应用一遍VirtualFilterChain vfc = new VirtualFilterChain(fwRequest, chain, filters);// 虚拟的过滤器链 调用了他的 doFilter方法vfc.doFilter(fwRequest, fwResponse);}// 如果应用中定义了多个SecurityFilterChain 如果想要第一个匹配的去执行 此时需要控制一下顺序 实现Order接口 或者Order注解控制？private List<Filter> getFilters(HttpServletRequest request) {for (SecurityFilterChain chain : filterChains) {// 匹配到第一个即成功if (chain.matches(request)) {return chain.getFilters();}}return null;}@Overridepublic void doFilter(ServletRequest request, ServletResponse response)throws IOException, ServletException {if (currentPosition == size) {if (logger.isDebugEnabled()) {logger.debug(UrlUtils.buildRequestUrl(firewalledRequest)+ " reached end of additional filter chain; proceeding with original chain");}// Deactivate path stripping as we exit the security filter chainthis.firewalledRequest.reset();originalChain.doFilter(request, response);}else {currentPosition++;Filter nextFilter = additionalFilters.get(currentPosition - 1);if (logger.isDebugEnabled()) {logger.debug(UrlUtils.buildRequestUrl(firewalledRequest)+ " at position " + currentPosition + " of " + size+ " in additional filter chain; firing Filter: '"+ nextFilter.getClass().getSimpleName() + "'");}nextFilter.doFilter(request, response, this);}}}
}

最后

至此spring-security流程分析完毕它最顶层就是一个Filter 这个Filter就是FilterChainProxy。

FilterChainProxy里面有一堆的SecurityFilterChain private List<SecurityFilterChain> filterChains;(这个是FilterChainProxy类中的属性)，这些SecurityFilterChain都有一个匹配器叫做RequestMatcher，这个RequestMatcher是 SecurityFilterChain的默认实现类DefaultSecurityFilterChain中的属性。

RequestMatcher 是一个接口有若干个实现它就是用来匹配请求的。

流程总结：

由FilterChainProxy进来通过调用doFilter方法-进去再调用doFilterInternal方法-通过getFilters 根据HttpServletRequest这个对象去匹配第一个能够匹配的SecurityFilterChain 把其中Filters拿出来。

构建成了一个VirtualFilterChain对象挨个调用他们的doFilter。