Detailed review
- At the heart of the framework is a filter, the filter
The name
callspringSecurityFilterChain
.type
isFilterChainProxy
WebSecurity
andHttpSecurity
Are allThe builders
WebSecurity
The building goal isFilterChainProxy
objectHttpSecurity
The build goal of theFilterChainProxy
One of theSecurityFilterChain
.@EnableWebSecurity
Annotation, importedWebSecurityConfiguration
classWebSecurityConfiguration
The builder object is created inWebSecurity
, and core filtersFilterChainProxy
fromWebSecurityConfiguration
start
There are two methods to focus on in WebSecurityConfiguration:
setFilterChainProxySecurityConfigurer()
methods
Create a WebSecurity Builder object that will be used later to build FilterChainProxy filters
springSecurityFilterChain()
methods
Call webSecurity.build () to create a FilterChainProxy filter object
WebSecurity
The creation process of:setFilterChainProxySecurityConfigurer()
methods
This method collects the list of configuration class objects, webSecurityConfigurers, and creates WebSecurity:
@value (“#{}”) is an SpEl expression usually used to get a bean property or call a bean method.
Method execution, will first get webSecurityConfigurers and sorted (all realized WebSecurityConfigurerAdapter configuration class instance)
New out the WebSecurity object and initialize it using Spring’s container tools
Determines if the @order of the Element in webSecurityConfigurers is identical. The same Order throws an exception.
Default order is equal to the LOWEST_PRECEDENCE = 2147483647 (refer to Integer order = AnnotationAwareOrderComparator. LookupOrder (config))
Will WebSecurityConfigurerAdapter subclasses of the apply () into the websecurity List < SecurityConfigurer < O, B > > configurersAddedInInitializing.
Below is through AutowiredWebSecurityConfigurersIgnoreParents getWebSecurityConfigurers () method, obtain all realize WebSecurityConfigurer configuration class
FilterChainProxy
The creation process of:springSecurityFilterChain()
methods
In springSecurityFilterChain webSecurity () method calls. The build () to create a named FilterChainProxy.
PS: according to the following code, we can know if you are creating MySecurityConfig classes have not been to sping scan, new new framework will give a WebSecurityConfigureAdapter object, which can lead to we configure the user name and password of the failure.
Let’s continue with the FilterChainProxy creation process: WebSecurity is a builder, so let’s look at these methods build(); doBuild(); init(); configure(); performBuild();
The build() method is defined in the WebSecurity object’s AbstractSecurityBuilder parent:
Build () method will be called WebSecurity object of the superclass AbstractConfiguredSecurityBuilder# doBuild () :
DoBuild () calls init(); configure(); Methods such as Is all we have learned above configurersAddedInInitializing configuration class object, as shown here will be executed in sequence configuration class of the configure (); The init () method
DoBuild () finally calls perfomBuild() of the WebSecurity object, To create the object named FilterChainProxy performBuild () in the traversal securityFilterChainBuilders builders build list each SecurityBuilder builder object into SecurityFilterChain instance Finally, create and return FilterChainProxy
securityFilterChainBuilders
When is the builder list initialized
Noted WebSecurityConfigurerAdapter, at this time of this class to create a HttpSecurity and into the securityFilterChainBuilders
WebSecurityConfigurerAdapter is a security configuration, we know that the builders in performBuild () before the cycle call security configurator init (); configure(); Methods, and then create HttpSecurity and into their own securityFilterChainBuilders.
PS: as mentioned earlier, when the WebSecurity initialization, will in turn put WebSecurityConfigurerAdapter subclasses in WebSecurity.
public abstract class WebSecurityConfigurerAdapter implements
WebSecurityConfigurer<WebSecurity> {}public interface WebSecurityConfigurer<T extends SecurityBuilder<Filter>> extends
SecurityConfigurer<Filter.T> {}Copy the code
Series of articles: Spring Security in Plain English part 1: Explaining framework Principles in three Sentences
Spring Security (part 2) : Creating FilterChainProxy
Spring Security (part 3) : How FilterChainProxy Works
Spring Security: WebSecurity and HttpSecurity
Series of articles: Spring Security in Plain English, Part 5: The Authentication and Authorization Process