Don’t let life down, don’t let yourself down.
wedge
In the first two installments, I talked about the SpringSecurity authentication process and the SpringSecurity authentication process. Today is the third installment, which is the final work of SpringSecurity and covers the startup process of SpringSecurity.
Just as many movies become popular and their sequels are often the early story of their predecessors, this third installment of my SpringSecurity startup process is also an “early story” that helps you to really see the whole picture of SpringSecurity.
In previous articles, the filter chain in SpringSecurity was often understood as a concept, that is, we only know that there is such a thing, and we know what it is used for, but we do not know what class the filter chain is created by when and how.
Today’s episode is to see what SpringSecurity’s autoconfiguration does for us, how it creates the filter chain, and how it adds our custom configuration to the default configuration.
Have a good harvest (while watching, the magic is infinite).
1. ð EnableWebSecurity
Let’s start by looking at how we use SpringSecurity in general.
When we use SpringSecurity will create a new SpringSecurity related configuration class, inheritance WebSecurityConfigurerAdapter with it, then hit the comments @ EnableWebSecurity, And then we can through the inside of the rewrite WebSecurityConfigurerAdapter method to finish our own custom configurations.
Something like this:
@EnableWebSecurity
public class SpringSecurityConfig extends WebSecurityConfigurerAdapter {
@Override
protected void configure(HttpSecurity http) throws Exception {
} } Copy the code
We already know that inheritance WebSecurityConfigurerAdapter is to rewrite the configuration, this annotation is done?
As we can probably guess from its name @enableWebSecurity, it is the good Samaritan who helped us automatically configure SpringSecurity.
@Retention(value = java.lang.annotation.RetentionPolicy.RUNTIME)
@Target(value = { java.lang.annotation.ElementType.TYPE })
@Documented
@Import({ WebSecurityConfiguration.class,
SpringWebMvcImportSelector.class,
OAuth2ImportSelector.class }) @EnableGlobalAuthentication @Configuration public @interface EnableWebSecurity { / * * * Controls debugging support for Spring Security. Default is false. * @return if true, enables debug support with Spring Security * / boolean debug(a) default false; } Copy the code
Emmm, I assume you have some knowledge of annotations, ok, since you all have some knowledge of annotations, I’m going to jump right into it.
There are two important parts of @enableWebSecurity:
-
One is that the @import annotation imports three classes, the last two of which are things that SpringSecurity did for compatibility, compatibility with SpringMVC, compatibility with SpringSecurityOAuth2, and we’re really looking at the first class, Importing the class means loading the contents of the class.
-
2 it is @ EnableGlobalAuthentication this annotation, @ EnableWebSecurity you haven’t understood yet, you this to another, the annotation, its role is to load a configuration class – AuthenticationConfiguration, It is the configuration class related to AuthenticationManager, which we can talk about later.
In summary, @enableWebSecurity automatically loads two configuration classes: WebSecurityConfiguration and AuthenticationConfiguration (@ EnableGlobalAuthentication annotations to load the configuration class).
WebSecurityConfiguration of them helped us to build the filter chain configuration class, whereas AuthenticationConfiguration is injected into the AuthenticationManager related configuration class for us, Our focus today is on WebSecurityConfiguration.
2. ð Source code overview
Since we are talking about the WebSecurityConfiguration, we will give you the source code as usual, to simplify the irrelevant:
@Configuration(proxyBeanMethods = false)
public class WebSecurityConfiguration implements ImportAware.BeanClassLoaderAware {
private WebSecurity webSecurity;
private Boolean debugEnabled;
private List<SecurityConfigurer<Filter, WebSecurity>> webSecurityConfigurers; private ClassLoader beanClassLoader; @Autowired(required = false) private ObjectPostProcessor<Object> objectObjectPostProcessor; @Bean(name = AbstractSecurityWebApplicationInitializer.DEFAULT_FILTER_NAME) public Filter springSecurityFilterChain(a) throws Exception { booleanhasConfigurers = webSecurityConfigurers ! =null && !webSecurityConfigurers.isEmpty(); if(! hasConfigurers) { WebSecurityConfigurerAdapter adapter = objectObjectPostProcessor .postProcess(new WebSecurityConfigurerAdapter() { }); webSecurity.apply(adapter); } return webSecurity.build(); } @Autowired(required = false) public void setFilterChainProxySecurityConfigurer( ObjectPostProcessor<Object> objectPostProcessor, @Value("#{@autowiredWebSecurityConfigurersIgnoreParents.getWebSecurityConfigurers()}") List<SecurityConfigurer<Filter, WebSecurity>> webSecurityConfigurers) throws Exception { webSecurity = objectPostProcessor .postProcess(new WebSecurity(objectPostProcessor)); if(debugEnabled ! =null) { webSecurity.debug(debugEnabled); } webSecurityConfigurers.sort(AnnotationAwareOrderComparator.INSTANCE); Integer previousOrder = null; Object previousConfig = null; for (SecurityConfigurer<Filter, WebSecurity> config : webSecurityConfigurers) { Integer order = AnnotationAwareOrderComparator.lookupOrder(config); if(previousOrder ! =null && previousOrder.equals(order)) { throw new IllegalStateException( "@Order on WebSecurityConfigurers must be unique. Order of " + order + " was already used on " + previousConfig + ", so it cannot be used on " + config + " too."); } previousOrder = order; previousConfig = config; } for (SecurityConfigurer<Filter, WebSecurity> webSecurityConfigurer : webSecurityConfigurers) { webSecurity.apply(webSecurityConfigurer); } this.webSecurityConfigurers = webSecurityConfigurers; } } Copy the code
WebSecurityConfiguration is a Configuration class annotated with the @Configuration annotation, which instantiates all the @bean annotated beans in this class.
In the class of the more important the two methods: springSecurityFilterChain and setFilterChainProxySecurityConfigurer.
SpringSecurityFilterChain punched @ Bean annotation methods, term who also can see this is the method created springSecurityFilterChain, but don’t try so hard, we can’t see this method first, although it above.
3. ð SetFilterChainProxySecurityConfigurer
We need to look at the following methods: setFilterChainProxySecurityConfigurer, why?
Why?
Because it is the @autowired annotation, so it is better than priority springSecurityFilterChain method, from the point of the order of the system load, we need to see it first.
The @autowired function here is to automatically inject two parameters for this method. Let’s look at these parameters first:
-
The objectPostProcessor parameter is injected to create an instance of WebSecurity.
-
Parameter webSecurityConfigurers is a List, it is actually all WebSecurityConfigurerAdapter subclass, that if we define custom configuration classes, is actually has been read our configuration.
Here is a bit hard to understand why parameter SecurityConfigurer < Filter, WebSecurity > this type can get WebSecurityConfigurerAdapter subclass?
Because WebSecurityConfigurerAdapter implements WebSecurityConfigurer < WebSecurity > interface, WebSecurityConfigurer
inherits SecurityConfigurer
,>
from WebSecurityConfigurer< Filter, T> WebSecurityConfigurerAdapter finally became SecurityConfigurer subclasses.
And parameters in SecurityConfigurer < Filter, WebSecurity > the two generic parameter is actually have played an important role in a filtering, take a closer look at our WebSecurityConfigurerAdapter implementation and inheritance, You can find our WebSecurityConfigurerAdapter exactly this type.
Ok, having said parameters, I think we can look at the code:
@Autowired(required = false)
public void setFilterChainProxySecurityConfigurer(
ObjectPostProcessor<Object> objectPostProcessor,
@Value("#{@autowiredWebSecurityConfigurersIgnoreParents.getWebSecurityConfigurers()}") List<SecurityConfigurer<Filter, WebSecurity>> webSecurityConfigurers)
throws Exception {
// Create a webSecurity instance webSecurity = objectPostProcessor .postProcess(new WebSecurity(objectPostProcessor)); if(debugEnabled ! =null) { webSecurity.debug(debugEnabled); } // Sort by order webSecurityConfigurers.sort(AnnotationAwareOrderComparator.INSTANCE); Integer previousOrder = null; Object previousConfig = null; for (SecurityConfigurer<Filter, WebSecurity> config : webSecurityConfigurers) { Integer order = AnnotationAwareOrderComparator.lookupOrder(config); if(previousOrder ! =null && previousOrder.equals(order)) { throw new IllegalStateException( "@Order on WebSecurityConfigurers must be unique. Order of " + order + " was already used on " + previousConfig + ", so it cannot be used on " + config + " too."); } previousOrder = order; previousConfig = config; } // Save the configuration for (SecurityConfigurer<Filter, WebSecurity> webSecurityConfigurer : webSecurityConfigurers) { webSecurity.apply(webSecurityConfigurer); } // Initialize the member variable this.webSecurityConfigurers = webSecurityConfigurers; } Copy the code
According to our comments, this code can be broken down into several steps:
-
A webSecurity instance is created and assigned to a member variable.
-
The webSecurityConfigurers are then sorted by order, which is the load order.
-
Determine whether there is a configuration class with the same order. If so, an error will be reported directly.
-
Save the configuration and put it into a member variable of webSecurity.
You can think of this directly as the initialization of the member variable and the loading of our configuration class configuration, because the rest of the action is around the webSecurity instance that it initializes and the configuration class information that we loaded.
These things can be removed step by step, but this is really an article to write, I do not have so much energy to write out all details, I only choose the trace of the main context, if you can understand it after reading a load order is actually very good.
Just as Spring’s interview questions ask springBeans about the loading order, SpringMVC will ask SpringMVC about the running of a request.
All get clearly, must study the source code, in the early stage, as long as we know it’s a main vein, in the use of later, which problem you can directly go to the location may be which problem, so it has been very good, learning is a cycle of gradual process.
4. ð SpringSecurityFilterChain
Initialize the variable, loading the configuration, we will begin to create the filter chain, so go first setFilterChainProxySecurityConfigurer for a reason, if we don’t get our custom configuration load to come in, How do you know which filters are needed and which are not when creating a filter chain?
@Bean(name = AbstractSecurityWebApplicationInitializer.DEFAULT_FILTER_NAME)
public Filter springSecurityFilterChain(a) throws Exception {
booleanhasConfigurers = webSecurityConfigurers ! =null
&& !webSecurityConfigurers.isEmpty();
if(! hasConfigurers) { WebSecurityConfigurerAdapter adapter = objectObjectPostProcessor .postProcess(new WebSecurityConfigurerAdapter() { }); webSecurity.apply(adapter); } return webSecurity.build(); } Copy the code
SpringSecurityFilterChain method logic is very simple, if we didn’t load custom configuration classes, it is for us to load a default configuration, and then call this method to build.
Given the familiar name of this method, you should know that this is builder mode, whatever mode it is, since it is called, let’s click on it.
public final O build(a) throws Exception {
if (this.building.compareAndSet(false.true)) {
this.object = doBuild();
return this.object;
}
throw new AlreadyBuiltException("This object has already been built"); } Copy the code
The build() method, in webSecurity’s AbstractSecurityBuilder parent, in turn calls the doBuild() method.
@Override
protected final O doBuild(a) throws Exception {
synchronized (configurers) {
buildState = AbstractConfiguredSecurityBuilder.BuildState.INITIALIZING;
/ / short method beforeInit(); // Call init init(); buildState = AbstractConfiguredSecurityBuilder.BuildState.CONFIGURING; / / short method beforeConfigure(); // Call the configure method configure(); buildState = AbstractConfiguredSecurityBuilder.BuildState.BUILDING; / / call performBuild O result = performBuild(); buildState = AbstractConfiguredSecurityBuilder.BuildState.BUILT; return result; } } Copy the code
As you can see from my comments, beforeInit() and beforeConfigure() are both empty methods, and the only methods that are actually useful are init(), configure(), and performBuild().
Let’s start with the init(), configure() methods.
private void init(a) throws Exception {
Collection<SecurityConfigurer<O, B>> configurers = getConfigurers();
for (SecurityConfigurer<O, B> configurer : configurers) {
configurer.init((B) this);
} for (SecurityConfigurer<O, B> configurer : configurersAddedInInitializing) { configurer.init((B) this); } } private void configure(a) throws Exception { Collection<SecurityConfigurer<O, B>> configurers = getConfigurers(); for (SecurityConfigurer<O, B> configurer : configurers) { configurer.configure((B) this); } } Copy the code
As you can see in the source code, we get our configuration class information first, and then loop through the init() and configure() methods of the configuration class.
Said earlier, our configuration class is a subclass of inherited WebSecurityConfigurerAdapter, and WebSecurityConfigurerAdapter SecurityConfigurer subclass, All subclasses of SecurityConfigurer need to implement the init(), configure() methods.
So here’s the init (), the configure () method is called WebSecurityConfigurerAdapter yourself rewriting the init (), the configure () method.
Including WebSecurityConfigurerAdapter the configure () method is an empty, so we just need to see the WebSecurityConfigurerAdapter init () method.
public void init(final WebSecurity web) throws Exception {
final HttpSecurity http = getHttp();
web.addSecurityFilterChainBuilder(http).postBuildAction(() -> {
FilterSecurityInterceptor securityInterceptor = http
.getSharedObject(FilterSecurityInterceptor.class);
web.securityInterceptor(securityInterceptor); }); } Copy the code
This can also be divided into two steps:
-
The getHttp() method is executed, which initializes many filters.
-
HttpSecurity into the WebSecurity, FilterSecurityInterceptor into the WebSecurity, is our authentication that chapter talked about FilterSecurityInterceptor.
GetHttp () :
protected final HttpSecurity getHttp(a) throws Exception {
http = new HttpSecurity(objectPostProcessor, authenticationBuilder,
sharedObjects);
if(! disableDefaults) { // @formatter:off
http .csrf().and() .addFilter(new WebAsyncManagerIntegrationFilter()) .exceptionHandling().and() .headers().and() .sessionManagement().and() .securityContext().and() .requestCache().and() .anonymous().and() .servletApi().and() .apply(new DefaultLoginPageConfigurer<>()).and() .logout(); // @formatter:on ClassLoader classLoader = this.context.getClassLoader(); List<AbstractHttpConfigurer> defaultHttpConfigurers = SpringFactoriesLoader.loadFactories(AbstractHttpConfigurer.class, classLoader); for (AbstractHttpConfigurer configurer : defaultHttpConfigurers) { http.apply(configurer); } } // We usually override this method configure(http); return http; } Copy the code
The getHttp() method is a collection of HTTP calls that are filters. The first CSRF () is an obvious filter to protect against CSRF attacks. There are many more filters that SpringSecurity adds to the filter chain by default.
Second, there’s an important point about the penultimate line of code, which I’ve also commented on, that’s what we usually override in our custom configuration class, so that’s where our custom configuration takes effect.
So during initialization, this method will load its default configuration first and then load our overwritten configuration, so that the combination of the two becomes the default configuration that we see. (If we don’t override the configure(HTTP) method, it’s a bit of a default, too, as you can see from the source code.)
After init(), configure()(empty method) is done, the performBuild() method is called.
protected Filter performBuild(a) throws Exception {
int chainSize = ignoredRequests.size() + securityFilterChainBuilders.size();
List<SecurityFilterChain> securityFilterChains = new ArrayList<>(
chainSize); for (RequestMatcher ignoredRequest : ignoredRequests) { securityFilterChains.add(new DefaultSecurityFilterChain(ignoredRequest)); } / / call securityFilterChainBuilder the build () method for (SecurityBuilder<? extends SecurityFilterChain> securityFilterChainBuilder : securityFilterChainBuilders) { securityFilterChains.add(securityFilterChainBuilder.build()); } FilterChainProxy filterChainProxy = new FilterChainProxy(securityFilterChains); if(httpFirewall ! =null) { filterChainProxy.setFirewall(httpFirewall); } filterChainProxy.afterPropertiesSet(); Filter result = filterChainProxy; postBuildAction.run(); return result; } Copy the code
Major need to see this method is called securityFilterChainBuilder the build () method, the securityFilterChainBuilder is we in the init () method of the add that, So securityFilterChainBuilder is HttpSecurity here, so here is actually called the HttpSecurity bulid () method.
HttpSecurity bulid(); HttpSecurity bulid(); HttpSecurity bulid();
Bulid () init(), configure() and performBuild(). Filters in the filter chain are sorted:
@Override
protected DefaultSecurityFilterChain performBuild(a) {
filters.sort(comparator);
return new DefaultSecurityFilterChain(requestMatcher, filters);
}
Copy the code
HttpSecurity bulid () method after the execution will return to give WebSecurity DefaultSecurityFilterChain performBuil () method, The performBuil() method converts it to FilterChainProxy, and finally the performBuil() method of WebSecurity completes execution, Returns a Filter injection become name = “springSecurityFilterChain” Bean.
After the above steps, springSecurityFilterChain method is done, we can create the filter chain completed, SpringSecurity can also run up.
Afterword.
When you see this, you are already very patient, but you may still feel confused, because SpringSecurity is such a highly engineered project where all kinds of design patterns and coding ideas are flying around. When you don’t understand it, you can only say what it is, and when you understand it, you should worship it as art.
These are things that are not easy to read but are decoupled and easy to expand, like a line of code that comes down is easy to read but not easy to expand, good luck, bad luck.
And so many name, the name of the class of similar kinds of inherited abstract, to understand the down is not so easy, it actually want to give this SpringSecurity a ending, forced himself to write, I like to finish this Duan Dongxi also complicated indeed, in the next few article intends to write a few interesting and easy to relax.
If you are interested in SpringSecurity source code, you can follow my article, click on your own source code point, have a look, come on.
Since the last article sent, the feeling of a lot of front-end attention, nuggets as expected or front-end ah, nothing, although I don’t write front-end, maybe one day change it haha.
I also do not hide the “yes”, in fact, I now is to write the back end, I can only say to the front end is slightly understand slightly understand, but boring also can look at my article, little praise brush reading dry dry ð, maybe one day suddenly understand a certain article also front end to persuade back into the line, refuelling everyone.
Don’t let life down, don’t let yourself down.
Each of your likes, favorites and comments is a great affirmation of my knowledge output. If there are any mistakes or doubts in the article or my comments, please leave a message below the comment section and discuss with me.
I’m Ear, a pseudo-literary programmer who’s always wanted to export knowledge. See you next time.