Detailed review

We have already analyzed how FilterChainProxy, the core filter of Spring Security, is created and run, in order to understand the roles of the builder and the configurators.

We now know that WebSecurity, as a builder, is used to create the instance of the core filter FilterChainProxy.

During initialization, WebSecurity scans for subclasses of the WebSecurityConfigurerAdapter configurator adapter (i.e., the ones that generate the HttpSecurity configuration).

init() and configure() are called on every configurator to initialize the configuration, and each generated HttpSecurity represents one filter chain.

This article describes how HttpSecurity, as a builder, builds instances of the SecurityFilterChain filter chain!

PS: if there are multiple subclasses of the WebSecurityConfigurerAdapter configurator adapter, multiple SecurityFilterChain instances are produced. The Spring Security OAuth2 extension does just that, and I'll talk about it later.

How does Spring Security create filters

We already know that springSecurityFilterChain (of type FilterChainProxy) is the actual filter chain, and that DelegatingFilterProxy is the proxy in front of it.

We create MySecurityConfig, which extends WebSecurityConfigurerAdapter. WebSecurityConfigurerAdapter is used to create the filter chain, and the overridden configure(HttpSecurity http) method is used to configure HttpSecurity.

import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;

@Configuration
public class MySecurityConfig extends WebSecurityConfigurerAdapter {

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            .requestMatchers() // Specify which requests are matched by the current SecurityFilterChain instance
                .anyRequest().and()
            .authorizeRequests() // Intercept requests, creates FilterSecurityInterceptor
                .anyRequest().authenticated() // Custom configuration for the filter being created
                .and() // and() ends the configuration of this filter so that the next one can be created and configured
            .formLogin().and() // Form login, creates UsernamePasswordAuthenticationFilter
            .httpBasic(); // Basic authentication, creates BasicAuthenticationFilter
    }
}

The configuration in the configure(HttpSecurity http) method above ends up creating Filters.

http.authorizeRequests(), http.formLogin() and http.httpBasic() create ExpressionUrlAuthorizationConfigurer, FormLoginConfigurer and HttpBasicConfigurer respectively. If you follow their parent classes all the way up, all three are subtypes of SecurityConfigurer. SecurityConfigurer also has a configure() method. Subclasses use this method to create filters and add them to a List of filters maintained in HttpSecurity; the configure method in HttpBasicConfigurer is one example.

HttpSecurity, as the builder, adds these configurators to itself as its API methods are called.

Most of these configurators create and configure the corresponding filters, which are eventually placed in the filter chain when HttpSecurity builds the SecurityFilterChain instance.


Series of articles:

Spring Security in Plain English part 1: Explaining framework Principles in three Sentences

Spring Security (Part 2) : Creating FilterChainProxy

Spring Security (part 3) : How FilterChainProxy Works

Spring Security (4) : WebSecurity and HttpSecurity

Spring Security in Plain English, Part 5: The Authentication and Authorization Process