Explain the framework principle in three sentences

  1. At the heart of the framework is a filter named springSecurityFilterChain, whose type is FilterChainProxy.
  2. Inside the core filter is a list of filter chains (a List); each element of the list maps a set of URLs to a set of filters.
  3. WebSecurity is used to create the FilterChainProxy filter;

    HttpSecurity is used to create each element of the filter chain list.
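The second sentence can be made concrete with a small plain-JDK model. This is an added illustration, not Spring Security source or code from the article's repository; the class names FilterChainModel, Chain and Proxy and the sample paths are invented here, and the filter names are only labels borrowed from real Spring Security filters.

```java
import java.util.List;
import java.util.function.Predicate;

// Added illustration: a plain-JDK model of the core filter, not Spring Security source.
public class FilterChainModel {

    // One element of the list: a URL matcher plus the filters that apply to it.
    record Chain(Predicate<String> matcher, List<String> filters) {}

    // Stand-in for FilterChainProxy: the first chain whose matcher accepts the path wins.
    record Proxy(List<Chain> chains) {
        List<String> filtersFor(String path) {
            for (Chain c : chains) {
                if (c.matcher().test(path)) {
                    return c.filters();
                }
            }
            return List.of(); // no chain matched: no security filter runs for this request
        }
    }

    // Stand-in for HttpSecurity: builds one element of the list.
    static Chain chain(String prefix, String... filters) {
        return new Chain(p -> p.startsWith(prefix), List.of(filters));
    }

    public static void main(String[] args) {
        // Stand-in for WebSecurity: collects the chains and builds the proxy.
        Proxy proxy = new Proxy(List.of(
            chain("/static/"), // matched, but with an empty filter list
            chain("/api/", "BasicAuthenticationFilter", "FilterSecurityInterceptor"),
            chain("/", "CsrfFilter", "UsernamePasswordAuthenticationFilter",
                  "FilterSecurityInterceptor")));

        // Constructed sample request paths.
        for (String path : List.of("/static/app.js", "/api/users", "/login")) {
            System.out.println(path + " -> " + proxy.filtersFor(path));
        }
        // Ordering matters: listing the "/" chain first would shadow the "/api/" chain.
    }
}
```

Because only the first matching chain is consulted, a broad matcher placed early in the list silently decides which filters protect every path behind it, so chain order is worth reviewing whenever a new chain is added.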

An example of dynamically managing URL permissions

The source is on GitHub: github.com/ygsama/ipa

Framework Interface Design

Focus on two things: the builder and the configurer

Using the framework means configuring the builder through a configurer

To use the framework, write a custom configuration class that extends WebSecurityConfigurerAdapter and overrides a few of its configure() methods. WebSecurityConfigurerAdapter is the adapter for the web security configurer.
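A minimal configuration class of the kind described above, as an added example rather than code from the article's repository. It assumes Spring Security 5.x, where WebSecurityConfigurerAdapter is still available (it was deprecated in 5.7 and removed in 6.0); the class name MySecurityConfig is the one the article uses, and the paths /static/** and /login are illustrative.

```java
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.builders.WebSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;

// Added example: the custom configurer that gets applied to the builders.
@Configuration
@EnableWebSecurity
public class MySecurityConfig extends WebSecurityConfigurerAdapter {

    // Configures the WebSecurity builder, which builds the FilterChainProxy.
    @Override
    public void configure(WebSecurity web) {
        // Ignored paths get a chain with NO filters at all: no authentication,
        // no CSRF protection, no security headers, no SecurityContext.
        // Use this only for truly static resources (illustrative path).
        web.ignoring().antMatchers("/static/**");
    }

    // Configures the HttpSecurity builder, which builds one SecurityFilterChain.
    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            .authorizeRequests()
                // permitAll() keeps the request inside the filter chain, so the
                // other filters still run; only the authorization check is relaxed.
                .antMatchers("/login").permitAll()
                .anyRequest().authenticated()
                .and()
            .formLogin();
    }
}
```

The difference between the two methods follows from the three sentences: web.ignoring() changes which chain a URL maps to, while authorizeRequests() changes a rule inside a chain that still applies its filters.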

// Security builder
// A builder that creates and returns an object of type O
public interface SecurityBuilder<O> {
    O build() throws Exception;
}

// Abstract security builder
public abstract class AbstractSecurityBuilder<O> implements SecurityBuilder<O> {
    private AtomicBoolean building = new AtomicBoolean();
    private O object;

    public final O build() throws Exception {
        // Restrict build() to only once!
        if (this.building.compareAndSet(false, true)) {
            this.object = doBuild();
            return this.object;
        }
        throw new AlreadyBuiltException("This object has already been built");
    }

    // Subclasses need to override doBuild()
    protected abstract O doBuild() throws Exception;
}

// Abstract configured security builder
// (fields such as configurers and buildState are omitted in this excerpt)
public abstract class AbstractConfiguredSecurityBuilder<O, B extends SecurityBuilder<O>>
        extends AbstractSecurityBuilder<O> {

    // Implements doBuild(): runs init() and then configure() over the configurers.
    @Override
    protected final O doBuild() throws Exception {
        synchronized (configurers) {
            buildState = BuildState.INITIALIZING;

            beforeInit();
            init();

            buildState = BuildState.CONFIGURING;

            beforeConfigure();
            configure();

            buildState = BuildState.BUILDING;

            O result = performBuild();

            buildState = BuildState.BUILT;

            return result;
        }
    }

    // Its subclasses HttpSecurity and WebSecurity implement performBuild()!!
    protected abstract O performBuild() throws Exception;

    // Iterates over the registered SecurityConfigurer instances (configurers)
    // and lets each one configure this builder
    @SuppressWarnings("unchecked")
    private void configure() throws Exception {
        Collection<SecurityConfigurer<O, B>> configurers = getConfigurers();

        for (SecurityConfigurer<O, B> configurer : configurers) {
            configurer.configure((B) this);
        }
    }
}


// Security configurer: configures a builder B, where B can build O
// Initializes the SecurityBuilder, then configures the SecurityBuilder
public interface SecurityConfigurer<O, B extends SecurityBuilder<O>> {
    void init(B builder) throws Exception;
    void configure(B builder) throws Exception;
}

// Web security configurer: configures a builder T, where T can build web filters
public interface WebSecurityConfigurer<T extends SecurityBuilder<Filter>>
        extends SecurityConfigurer<Filter, T> {
}

// Adapter for the web security configurer
// Configures the WebSecurity builder, which can build the core filter
public abstract class WebSecurityConfigurerAdapter
        implements WebSecurityConfigurer<WebSecurity> {
}

// The builder used to build the FilterChainProxy
public final class WebSecurity
        extends AbstractConfiguredSecurityBuilder<Filter, WebSecurity>
        implements SecurityBuilder<Filter>, ApplicationContextAware {
}

// The builder used to build a SecurityFilterChain
public final class HttpSecurity
        extends AbstractConfiguredSecurityBuilder<DefaultSecurityFilterChain, HttpSecurity>
        implements SecurityBuilder<DefaultSecurityFilterChain>,
                HttpSecurityBuilder<HttpSecurity> {
}


Conclusion:

  1. For a builder, look at its methods: build(); doBuild(); init(); configure(); performBuild();
  2. For a configurer, look at its methods: init(); configure();

Starting from the @EnableWebSecurity annotation used when writing MySecurityConfig, look at the source:

The @EnableWebSecurity annotation imports three classes; the one to focus on is WebSecurityConfiguration.

Let's analyze it in turn:

WebSecurityConfiguration has two methods to focus on:

  1. The setFilterChainProxySecurityConfigurer() method

    Creates a WebSecurity builder object that is later used to build the FilterChainProxy filter

  2. The springSecurityFilterChain() method

    Calls webSecurity.build() to create the FilterChainProxy filter object


This article: Spring Security in Plain English (Part 1): Explaining Framework Principles in Three Sentences

Spring Security (Part 2): Creating FilterChainProxy

Spring Security (Part 3): How FilterChainProxy Works

Spring Security (Part 4): WebSecurity and HttpSecurity

Series of articles: Spring Security in Plain English, Part 5: The Authentication and Authorization Process