本文主要是介绍【个人版】SpringBoot下Spring-Security核心概念解读【一】,希望对大家解决编程问题提供一定的参考价值,需要的开发者们随着小编来一起学习吧!
SpringBoot + Spring-Security + FilterChainProxy
Spring-Security全局导读:
1、Security核心类设计
2、HttpSecurity结构和执行流程解读
3、Spring-Security个人落地篇
背景: 凡项目内存在与外部系统交互,基本安全校验少不了。因项目规模与框架发展原因,历史项目中很多时候直接在Filter中完成安全校验(HandlerInterceptor同理),基本需求完全够用。现在因微服务、中心化等原因,自己写权限管理逻辑代码量较多,后期修改工作量可能较大,所以spring全家桶中的安全框架spring-security随SpringBoot发展而热门起来。最近走读源码,发现spring-security其实还是以Filter为基础,只是把周边功能及场景通过逻辑封装,进而成为开箱即用的安全框架。
Spring-Securiy的核心类是FilterChainProxy,FilterChainProxy的顶层接口是Filter
所以只要理解了FilterChainProxy类的架构设计、构建流程、执行细节,那么这个框架基本就了解了。关于Filter的深入理解,可以看之前解读:
Filter系列解读:
1、SpringBoot下Filter自动适配
2、SpringBoot下Filter注册流程
3、Filter链式执行设计解读
下面直接上FilterChainProxy二改版源码:
public class org.springframework.security.web.FilterChainProxy extends GenericFilterBean implements Filter, BeanNameAware, EnvironmentAware, EnvironmentCapable, ServletContextAware, InitializingBean, DisposableBean{// 鉴权过滤器链,根据请求匹配,一般一个(匹配/*)就足够,除非网关类项目且鉴权逻辑差异较大private List<SecurityFilterChain> filterChains;// 请求包装类,授权框架处理定制版private HttpFirewall firewall;// SecurityFilterChain就是spring-security封装的权限处理类,其内部核心就是鉴权Filter// SecurityFilterChain的定义、生成流程及逻辑后续篇说明public FilterChainProxy(List<SecurityFilterChain> filterChains) {this.firewall = new StrictHttpFirewall();this.filterChains = filterChains;}// FilterChainProxy本身就是Filter,且url pattern为/*,所有请求都会在此进入执行public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain) throws IOException, ServletException {try {this.doFilterInternal(request, response, chain);} catch (Exception var11) {// 异常处理,此处忽略} finally {SecurityContextHolder.clearContext();request.removeAttribute(FILTER_APPLIED);}}private void doFilterInternal(ServletRequest request, ServletResponse response, FilterChain chain) throws IOException, ServletException {// 请求响应预包装,可不关注FirewalledRequest firewallRequest = this.firewall.getFirewalledRequest((HttpServletRequest)request);HttpServletResponse firewallResponse = this.firewall.getFirewalledResponse((HttpServletResponse)response);// 这里根据请求URI匹配对应SecurityFilterChain,进而获取其包装的【鉴权相关】Filter集合List<Filter> filters = this.getFilters((HttpServletRequest)firewallRequest);if (filters != null && filters.size() != 0) {// 将参数chain和filters用内部类封装成新的FilterChain,使执行流程完全等同于普通过滤器VirtualFilterChain virtualFilterChain = new VirtualFilterChain(firewallRequest, chain, filters);// 内部定义FilterChain执行入口virtualFilterChain.doFilter(firewallRequest, firewallResponse);} else {firewallRequest.reset();// 无权限处理相关类,执行外部过滤器链的下一个,直接忽略FilterChainProxy过滤器chain.doFilter(firewallRequest, firewallResponse);}}// 通过请求获取鉴权过滤器列表,逻辑较为简单private List<Filter> getFilters(HttpServletRequest request) {int count = 0;Iterator var3 = this.filterChains.iterator();SecurityFilterChain chain;do {if (!var3.hasNext()) {return null;}chain = (SecurityFilterChain)var3.next();} while(!chain.matches(request));// 根据匹配到的SecurityFilterChain,返回其包含的所有Filterreturn chain.getFilters();}//VirtualFilterChain可类比ApplicationFilterChain,此设计极高解耦代码执行流程private static final class VirtualFilterChain implements FilterChain {// 保存原始chain对象,执行完所有授权Filter后,继续执行原始链的下一个过滤器private final FilterChain originalChain;// 授权过滤器集合private final List<Filter> additionalFilters;private final FirewalledRequest firewalledRequest;// 鉴权过滤器总数private final int size;// 当前过滤器执行位置索引private int currentPosition;private VirtualFilterChain(FirewalledRequest firewalledRequest, FilterChain chain, List<Filter> additionalFilters) {this.currentPosition = 0;this.originalChain = chain;this.additionalFilters = additionalFilters;this.size = additionalFilters.size();this.firewalledRequest = firewalledRequest;}// 此块逻辑完美体现数组 + Filter类设计的美感public void doFilter(ServletRequest request, ServletResponse response) throws IOException, ServletException {if (this.currentPosition == this.size) {// 授权过滤器执行完成this.firewalledRequest.reset();this.originalChain.doFilter(request, response);} else {// 循环做权限上下文中的所有检查及鉴权操作,注意索引自增Filter nextFilter = (Filter)this.additionalFilters.get(this.currentPosition++);nextFilter.doFilter(request, response, this);}}}
}
FilterChainProxy的核心代码及相关介绍已在上面具体标注了,框架帮我们把业务无关的代码全部封装起来,我们只需要关注核心的鉴权管理,剩下的全交给框架了。
除了FilterChainProxy源码解读,还有几个问题需要弄明白:
1、FilterChainProxy作为过滤器,是怎么注册到Spring容器的?和普通过滤器注册是否不同?
2、FilterChainProxy作为过滤器,有没有优先级要求?
3、我们自定义的鉴权类过滤器,是否会影响ApplicationFilterChain原始链的执行?
4、security框架,为我们封装了哪些内部过滤器?
5、我们定义的普通过滤器,会自动添加到授权过滤器列表吗?
FilterChainProxy注册:
@Configuration(proxyBeanMethods = false
)
public class org.springframework.security.config.annotation.web.configuration.WebSecurityConfiguration implements ImportAware, BeanClassLoaderAware {@Bean(name = {"springSecurityFilterChain"})public Filter springSecurityFilterChain() throws Exception {boolean hasConfigurers = this.webSecurityConfigurers != null && !this.webSecurityConfigurers.isEmpty();boolean hasFilterChain = !this.securityFilterChains.isEmpty();Iterator var7 = this.securityFilterChains.iterator();while(true) {while(var7.hasNext()) {SecurityFilterChain securityFilterChain = (SecurityFilterChain)var7.next();this.webSecurity.addSecurityFilterChainBuilder(() -> {return securityFilterChain;});Iterator var5 = securityFilterChain.getFilters().iterator();while(var5.hasNext()) {Filter filter = (Filter)var5.next();if (filter instanceof FilterSecurityInterceptor) {this.webSecurity.securityInterceptor((FilterSecurityInterceptor)filter);break;}}}var7 = this.webSecurityCustomizers.iterator();while(var7.hasNext()) {WebSecurityCustomizer customizer = (WebSecurityCustomizer)var7.next();customizer.customize(this.webSecurity);}return (Filter)this.webSecurity.build();}}
}@Autowired(required = false)void setFilterChains(List<SecurityFilterChain> securityFilterChains) {this.securityFilterChains = securityFilterChains;}
protected Filter performBuild() throws Exception {int chainSize = this.ignoredRequests.size() + this.securityFilterChainBuilders.size();List<SecurityFilterChain> securityFilterChains = new ArrayList(chainSize);List<RequestMatcherEntry<List<WebInvocationPrivilegeEvaluator>>> requestMatcherPrivilegeEvaluatorsEntries = new ArrayList();var4 = this.securityFilterChainBuilders.iterator();while(var4.hasNext()) {SecurityBuilder<? extends SecurityFilterChain> securityFilterChainBuilder = (SecurityBuilder)var4.next();SecurityFilterChain securityFilterChain = (SecurityFilterChain)securityFilterChainBuilder.build();securityFilterChains.add(securityFilterChain);requestMatcherPrivilegeEvaluatorsEntries.add(this.getRequestMatcherPrivilegeEvaluatorsEntry(securityFilterChain));}FilterChainProxy filterChainProxy = new FilterChainProxy(securityFilterChains);Filter result = filterChainProxy;this.postBuildAction.run();return (Filter)result;
}
重点:
1、securityFilterChains由外部实例化后,注入到该配置类中【列表注入】
2、SecurityFilterChain由HttpSecurity类构建而来,WebSecurity构建结果为FilterChainProxy
3、FilterSecurityInterceptor负责安全检查,未授权请求在此拒绝
4、FilterSecurityInterceptor在SecurityFilterChain的Filter列表中最后一个
我们知道过滤器真正执行是否两块逻辑组成:Filter实例 + 匹配|执行元数据,所以在过去spring时代我们通常需要FilterRegistrationBean完成注册。元数据关系到过滤器执行的时机及顺序,这块在哪里配置的呢?
@ConfigurationProperties(prefix = "spring.security"
)
public class SecurityProperties {public static final int BASIC_AUTH_ORDER = 2147483642;public static final int IGNORED_ORDER = Integer.MIN_VALUE;public static final int DEFAULT_FILTER_ORDER = -100;private final Filter filter = new Filter();private final User user = new User();public static class Filter {private int order = -100;private Set<DispatcherType> dispatcherTypes;public Filter() {this.dispatcherTypes = new HashSet(Arrays.asList(DispatcherType.ASYNC, DispatcherType.ERROR, DispatcherType.REQUEST));}}
}
@EnableConfigurationProperties({SecurityProperties.class})
public class org.springframework.boot.autoconfigure.security.servlet.SecurityFilterAutoConfiguration {@Bean@ConditionalOnBean(name = {"springSecurityFilterChain"})public DelegatingFilterProxyRegistrationBean securityFilterChainRegistration(SecurityProperties securityProperties) {DelegatingFilterProxyRegistrationBean registration = new DelegatingFilterProxyRegistrationBean("springSecurityFilterChain", new ServletRegistrationBean[0]);registration.setOrder(securityProperties.getFilter().getOrder());registration.setDispatcherTypes(this.getDispatcherTypes(securityProperties));return registration;}
}
说明:
1、配置文件中,以spring.security前缀可配置security过滤器顺序
2、过滤器默认优先级为-100,我们自定义过滤器不要设置负数,负数留给其他框架提前预处理
3、Filter封装类不是FilterRegistrationBean,DelegatingFilterProxyRegistrationBean延迟了FilterChainProxy的实例化,为自定义配置执行留下较大的配置事件
4、通过RegistrationBean,我们在处理请求时,就可以在原始ApplicationFilterChain链的靠前位置执行鉴权逻辑了
5、一般我们在Filter获取Request对象的实际类型时,基本都是RequestFacade类型,但当使用security框架后,我们接收到的可能是其他请求Wrapper类型,这时候如果自定义Filter存在Request类型的反射处理,就会报错了。
以下为security框架自带的部分Filter清单:
DisableEncodeUrlFilterWebAsyncManagerlntegrationFilterSecurityContextPersistenceFilter // 上下文管理HeaderWriterFilterCsrfFilter // 防止Csrf攻击,网关/多端类根据需要关闭LogoutFilter //退出管理UsernamePasswordAuthenticationFilter //核心,用户名及密码验证DefaultLoginPageGeneratingFilterDefaultLogoutPageGeneratingFilterBasicAuthenticationFilter // Basic授权管理RequestCacheAwareFilterSecurityContextHolderAwareRequestFilterAnonymousAuthenticationFilterSessionManagementFilter // Session会话管理ExceptionTranslationFilterFilterSecurityInterceptor // 授权状态检查,最后兜底关口
解答最后两个问题:
3、我们自定义的鉴权类过滤器,是否会影响ApplicationFilterChain原始链的执行?
---- 自定义Security框架Filter不会影响原始链执行,但是也会在ApplicationFilterChain保存一份,只不过doFilter方法检测无需处理。我们自定义权限过滤器肯定是处理某一登录场景,URL是固定值。
5、我们定义的普通过滤器,会自动添加到授权过滤器列表吗?
---- 不会,授权过滤器链内容由HttpSecurity构建,除非我们手工将Filter添加到配置上下文中,否则只会在原始ApplicationFilterChain出现。
这篇关于【个人版】SpringBoot下Spring-Security核心概念解读【一】的文章就介绍到这儿,希望我们推荐的文章对编程师们有所帮助!
