source-code-hunter/docs/SpringSecurity/SpringSecurity流程补充.md


Note:

  1. Based on spring-boot-dependencies:2.7.7
  2. First, read the Spring Boot 2.7 upgrade note "Changes to Auto-configuration"; from that version on, auto-configuration classes are registered through the autoconfigure imports file

Startup

Every time we add `<artifactId>spring-boot-starter-security</artifactId>`, the startup log contains a line similar to:

```text
Using generated security password: 1db8eb87-e2ee-4c72-88e7-9b85268c4430

This generated password is for development use only. Your security configuration must be updated before running your application in production.
```

Look at the class UserDetailsServiceAutoConfiguration#InMemoryUserDetailsManager; it is auto-configured by Spring Boot.

The following are all Spring Boot auto-configuration classes; they are listed in spring-boot-autoconfigure-2.7.7.jar > META-INF > spring > org.springframework.boot.autoconfigure.AutoConfiguration.imports. These classes are the whole of Spring Security's auto-configuration.

```text
org.springframework.boot.autoconfigure.security.servlet.SecurityAutoConfiguration
org.springframework.boot.autoconfigure.security.servlet.UserDetailsServiceAutoConfiguration
org.springframework.boot.autoconfigure.security.servlet.SecurityFilterAutoConfiguration
org.springframework.boot.autoconfigure.security.reactive.ReactiveSecurityAutoConfiguration
org.springframework.boot.autoconfigure.security.reactive.ReactiveUserDetailsServiceAutoConfiguration
org.springframework.boot.autoconfigure.security.rsocket.RSocketSecurityAutoConfiguration
org.springframework.boot.autoconfigure.security.saml2.Saml2RelyingPartyAutoConfiguration
..........
org.springframework.boot.autoconfigure.security.oauth2.client.servlet.OAuth2ClientAutoConfiguration
org.springframework.boot.autoconfigure.security.oauth2.client.reactive.ReactiveOAuth2ClientAutoConfiguration
org.springframework.boot.autoconfigure.security.oauth2.resource.servlet.OAuth2ResourceServerAutoConfiguration
org.springframework.boot.autoconfigure.security.oauth2.resource.reactive.ReactiveOAuth2ResourceServerAutoConfiguration
```

SecurityAutoConfiguration


```java
/**
 * {@code EnableAutoConfiguration} for Spring Security.
 *
 * @author Dave Syer
 * @author Andy Wilkinson
 * @author Madhura Bhave
 * @since 1.0.0
 */
@AutoConfiguration
@ConditionalOnClass(DefaultAuthenticationEventPublisher.class)
@EnableConfigurationProperties(SecurityProperties.class)
@Import({SpringBootWebSecurityConfiguration.class, SecurityDataConfiguration.class})
public class SecurityAutoConfiguration {

    @Bean
    @ConditionalOnMissingBean(AuthenticationEventPublisher.class)
    public DefaultAuthenticationEventPublisher authenticationEventPublisher(ApplicationEventPublisher publisher) {
        return new DefaultAuthenticationEventPublisher(publisher);
    }

}
```

`@EnableConfigurationProperties(SecurityProperties.class)`

This registers SecurityProperties, Security's core configuration properties class, in which you can configure `filter` (filter settings) and `user` (user information).

This raises a question: a Filter belongs to Tomcat (the servlet container), so what mechanism does Security use to give its filters an order?

`@Import({ SpringBootWebSecurityConfiguration.class, SecurityDataConfiguration.class })`

This imports two classes, SpringBootWebSecurityConfiguration and SecurityDataConfiguration. SecurityDataConfiguration is the integration of Spring Security with Spring Data and is not covered for now; the focus is SpringBootWebSecurityConfiguration.

SpringBootWebSecurityConfiguration

SecurityFilterChainConfiguration

The first nested class, SecurityFilterChainConfiguration, is annotated with @ConditionalOnDefaultWebSecurity. That annotation carries @Conditional(DefaultWebSecurityCondition.class), and DefaultWebSecurityCondition extends AllNestedConditions.

So the code below decides whether this class takes effect: if no SecurityFilterChain bean and no WebSecurityConfigurerAdapter bean exists, it takes effect and creates the default SecurityFilterChain.

```java
/**
 * {@link Condition} for
 * {@link ConditionalOnDefaultWebSecurity @ConditionalOnDefaultWebSecurity}.
 *
 * @author Phillip Webb
 */
class DefaultWebSecurityCondition extends AllNestedConditions {

    DefaultWebSecurityCondition() {
        super(ConfigurationPhase.REGISTER_BEAN);
    }

    @ConditionalOnClass({SecurityFilterChain.class, HttpSecurity.class})
    static class Classes {

    }

    @ConditionalOnMissingBean({
            org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter.class,
            SecurityFilterChain.class})
    @SuppressWarnings("deprecation")
    static class Beans {

    }

}
```

ErrorPageSecurityFilterConfiguration

This is the second nested class. It mainly registers an ErrorPageSecurityFilter through a FilterRegistrationBean; the filter intercepts error dispatches to ensure that access to error pages is authorized.

WebSecurityEnablerConfiguration

This class mainly adds the @EnableWebSecurity annotation. That annotation is also important and will be explained later, together with SecurityFilterChain.

DefaultAuthenticationEventPublisher

SecurityAutoConfiguration also declares a DefaultAuthenticationEventPublisher bean. This is Spring's publish/subscribe mechanism adapted for Security: it publishes Security's authentication success and failure events, so you can subscribe to them and handle failures, for example by logging.

```java
/**
 * @author Luke Taylor
 * @since 3.0
 */
public interface AuthenticationEventPublisher {

	void publishAuthenticationSuccess(Authentication authentication);

	void publishAuthenticationFailure(AuthenticationException exception, Authentication authentication);

}
```
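As an added example (it is neither code from this repository nor Spring's own), a listener that subscribes to the success and failure events DefaultAuthenticationEventPublisher publishes and writes them to the application log; the class name AuthenticationAuditListener is hypothetical:

```java
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.context.event.EventListener;
import org.springframework.security.authentication.event.AbstractAuthenticationFailureEvent;
import org.springframework.security.authentication.event.AuthenticationSuccessEvent;
import org.springframework.stereotype.Component;

/**
 * Hypothetical component: subscribes to the events that the auto-configured
 * DefaultAuthenticationEventPublisher publishes through Spring's
 * ApplicationEventPublisher and writes them to the application log.
 */
@Component
public class AuthenticationAuditListener {

    private static final Logger log = LoggerFactory.getLogger(AuthenticationAuditListener.class);

    // Published by publishAuthenticationSuccess(Authentication).
    @EventListener
    public void onSuccess(AuthenticationSuccessEvent event) {
        log.info("authentication success: user={}", event.getAuthentication().getName());
    }

    // Published by publishAuthenticationFailure(AuthenticationException, Authentication).
    // DefaultAuthenticationEventPublisher maps each AuthenticationException subclass to a
    // concrete failure event (e.g. BadCredentialsException ->
    // AuthenticationFailureBadCredentialsEvent); listening on the abstract parent
    // catches all of them in one place. On failure the Authentication is the
    // unauthenticated request token, so getName() is the attempted username;
    // the credentials are deliberately not logged.
    @EventListener
    public void onFailure(AbstractAuthenticationFailureEvent event) {
        log.warn("authentication failure: type={} user={} reason={}",
                event.getClass().getSimpleName(),
                event.getAuthentication().getName(),
                event.getException().getMessage());
    }
}
```

Because the publisher bean in SecurityAutoConfiguration is declared with @ConditionalOnMissingBean(AuthenticationEventPublisher.class), defining your own AuthenticationEventPublisher bean replaces the auto-configured one.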

UserDetailsServiceAutoConfiguration

SecurityFilterAutoConfiguration