Springsecurity从helloworld到源码解析(二):springsecurity配置加载解析

时间:2024-03-27 21:23:52

Springsecurity从helloworld到源码解析(二):springsecurity配置加载解析

Springsecurity从helloworld到源码解析(二):springsecurity配置加载解析

上一篇博客我们介绍了hellowrold入门,并且成功的看到了springsecurity的拦截效果,接下来我们就来看看springsecurity是如何做到的。

启动配置详解

我们知道(不知道的就当知道吧,哈哈),springboot启动时会帮我自动配置好很多的默认配置项,并且加载配置类都会写在spring.factories文件中,所以我们这里开始,看看springsecurity做了
那些配置,打开idea,ctrl+shift+n * 2,查找spring.factories文件:如下:

Springsecurity从helloworld到源码解析(二):springsecurity配置加载解析

spring.factories


随后在该配置文件中,查找security,如下:
Springsecurity从helloworld到源码解析(二):springsecurity配置加载解析

security


我们可以看到,一共初始化了9个security相关的类,这里我们不关注oauth2(以后再说)和reactive(springboot2以后新特性),还有
SecurityAutoConfiguration, SecurityRequestMatcherProviderAutoConfiguration, SecurityFilterAutoConfiguration, UserDetailsServiceAutoConfiguration这四个类,首先我们看下

 

SecurityAutoConfiguration:

 [email protected]
 [email protected](DefaultAuthenticationEventPublisher.class)
 [email protected](SecurityProperties.class)
 [email protected]({ SpringBootWebSecurityConfiguration.class, WebSecurityEnablerConfiguration.class,
 5        SecurityDataConfiguration.class })
 6public class SecurityAutoConfiguration {
 7
 8    @Bean
 9    @ConditionalOnMissingBean(AuthenticationEventPublisher.class)
10    public DefaultAuthenticationEventPublisher authenticationEventPublisher(
11            ApplicationEventPublisher publisher) {
12        return new DefaultAuthenticationEventPublisher(publisher);
13    }
14
15}
  • 1.可以看出,这个类初始化了DefaultAuthenticationEventPublisher,看名字就知道,一个事件发布器,其内部实现就是spring的ApplicationEventPublisher,
    用于springsecurity各种权限时间的交互,如登陆失败,会发布一个事件,然后通知其它组件做出相应的响应。

  • 2.导入了一个配置类,SecurityProperties,如下:

1private String name = "user";
2
3private String password = UUID.randomUUID().toString();
4
5private List<String> roles = new ArrayList<>();
6
7private boolean passwordGenerated = true;

现在我们知道,我们上一篇博客中yml文件中配置的用户名密码就是这这里的配置,如果不进行配置,默认生成一个uuid的密码,从控制台可以看到该密码。

  • 3.另外导入了三个配置项
    SpringBootWebSecurityConfiguration.class, WebSecurityEnablerConfiguration.class, SecurityDataConfiguration.class
    其中data相关的因为此处我们没有导入spring-data相关的引用,不生效。
    然后我们继续观察 WebSecurityEnablerConfiguration.class,看名字我们知道这是web环境下的初始化的配置,如下:
[email protected]
[email protected](WebSecurityConfigurerAdapter.class)
[email protected](name = BeanIds.SPRING_SECURITY_FILTER_CHAIN)
[email protected](type = ConditionalOnWebApplication.Type.SERVLET)
[email protected]
6public class WebSecurityEnablerConfiguration {
7
8}

主要作用帮我们加入了 @EnableWebSecurity注解,该注解的作用为开启springsecurity httpsecurity的自定义配置,即我们可以自己定义web环境的url配置(后面的主要关注点)。
接下来就是@SpringBootWebSecurityConfiguration,如下:

 [email protected]
 [email protected](WebSecurityConfigurerAdapter.class)
 [email protected](WebSecurityConfigurerAdapter.class)
 [email protected](type = Type.SERVLET)
 5public class SpringBootWebSecurityConfiguration {
 6
 7    @Configuration
 8    @Order(SecurityProperties.BASIC_AUTH_ORDER)
 9    static class DefaultConfigurerAdapter extends WebSecurityConfigurerAdapter {
10
11    }
12
13}

关键点来了,这个配置项检查了servlet环境下spring容器中是否有WebSecurityConfiguraerAdapter这个bean,如果没有,就帮我们默认初始化了一个。所以我们对于springsecurity
的配置就要继承WebSecurityConfigurerAdapter,然后实现自定义的配置。
以上就是SecurityAutoConfiguration该配置项的作用,接下来我们看下SecurityRequestMatcherProviderAutoConfiguration

SecurityRequestMatcherProviderAutoConfiguration

 [email protected]
 [email protected]({ RequestMatcher.class })
 [email protected](type = ConditionalOnWebApplication.Type.SERVLET)
 4public class SecurityRequestMatcherProviderAutoConfiguration {
 5
 6    @Configuration
 7    @ConditionalOnClass(DispatcherServlet.class)
 8    @ConditionalOnBean(HandlerMappingIntrospector.class)
 9    public static class MvcRequestMatcherConfiguration {
10
11        @Bean
12        @ConditionalOnClass(DispatcherServlet.class)
13        public RequestMatcherProvider requestMatcherProvider(
14                HandlerMappingIntrospector introspector) {
15            return new MvcRequestMatcherProvider(introspector);
16        }
17
18    }
19
20    @Configuration
21    @ConditionalOnClass(ResourceConfig.class)
22    @ConditionalOnMissingClass("org.springframework.web.servlet.DispatcherServlet")
23    @ConditionalOnBean(JerseyApplicationPath.class)
24    public static class JerseyRequestMatcherConfiguration {
25
26        @Bean
27        public RequestMatcherProvider requestMatcherProvider(
28                JerseyApplicationPath applicationPath) {
29            return new JerseyRequestMatcherProvider(applicationPath);
30        }
31
32    }
33
34}

可以看出,主要初始化了一个MvcRequestMatcherProvider,了解过springmvc的同学应该知道,springmvc处理请求映射的主要类就是HandlerMapping,而HandlerMappingIntrospector
类是HandlerMapping的集合工具类,springsecurity此处就是从spring容器中获取了该工具类,然后供自己内部使用(处理我们的自定义映射,后面具体讲解)。

 1public class MvcRequestMatcherProvider implements RequestMatcherProvider {
 2
 3    private final HandlerMappingIntrospector introspector;
 4
 5    public MvcRequestMatcherProvider(HandlerMappingIntrospector introspector) {
 6        this.introspector = introspector;
 7    }
 8
 9    @Override
10    public RequestMatcher getRequestMatcher(String pattern) {
11        return new MvcRequestMatcher(this.introspector, pattern);
12    }
13
14}

接下来就是SecurityFilterAutoConfiguration了:

SecurityFilterAutoConfiguration

 [email protected]
 [email protected](type = Type.SERVLET)
 [email protected](SecurityProperties.class)
 [email protected]({ AbstractSecurityWebApplicationInitializer.class,
 5        SessionCreationPolicy.class })
 [email protected](SecurityAutoConfiguration.class)
 7public class SecurityFilterAutoConfiguration {
 8
 9    private static final String DEFAULT_FILTER_NAME = AbstractSecurityWebApplicationInitializer.DEFAULT_FILTER_NAME;
10
11    @Bean
12    @ConditionalOnBean(name = DEFAULT_FILTER_NAME)
13    public DelegatingFilterProxyRegistrationBean securityFilterChainRegistration(
14            SecurityProperties securityProperties) {
15        DelegatingFilterProxyRegistrationBean registration = new DelegatingFilterProxyRegistrationBean(
16                DEFAULT_FILTER_NAME);
17        registration.setOrder(securityProperties.getFilter().getOrder());
18        registration.setDispatcherTypes(getDispatcherTypes(securityProperties));
19        return registration;
20    }
21
22    private EnumSet<DispatcherType> getDispatcherTypes(
23            SecurityProperties securityProperties) {
24        if (securityProperties.getFilter().getDispatcherTypes() == null) {
25            return null;
26        }
27        return securityProperties.getFilter().getDispatcherTypes().stream()
28                .map((type) -> DispatcherType.valueOf(type.name())).collect(Collectors
29                        .collectingAndThen(Collectors.toSet(), EnumSet::copyOf));
30    }
31
32}

首先,我们发现这个类有一个@AutoConfigureAfter(SecurityAutoConfiguration.class),也就是说这个类要在我们讲的第一个SecurityAutoConfiguration才行(why? 别急),
然后它拿到我们一开始说的SecurityProperties,帮我们做了一个Filter:但是!这个filter具体是啥,它沒有直接告訴我們,只把它在spring中的bean的名字给出来了,springSecurityFilterChain
也就是説存在一个这样名字的springsecurity的filter,然后被spring代理了,管理它的生命周期。但是从名字我们大概可以猜出,不只是一个filter,是一个filter列表,既然这样,那我们直接在项目中搜索,看那个地方有这个名字的bean
最终在该地方找到:

Springsecurity从helloworld到源码解析(二):springsecurity配置加载解析

springSecurityFilterChain

 

发现该类是在WebSecurityConfiguration中初始化的,那WebSecurityConfiguration又是在哪来的呢,上面我们说到@EnableWebSecurity的时候,开启WebSecurityAdapter的配置,其实那个时候已经导入了(哈哈,上面我也没注意到),

springSecurityFilterChain

 1    private WebSecurity webSecurity;
 2
 3    private Boolean debugEnabled;
 4
 5    private List<SecurityConfigurer<Filter, WebSecurity>> webSecurityConfigurers;
 6
 7    private ClassLoader beanClassLoader;
 8
 9    @Bean(name = "springSecurityFilterChain")
10    public Filter springSecurityFilterChain() throws Exception {
11        boolean hasConfigurers = webSecurityConfigurers != null
12                && !webSecurityConfigurers.isEmpty();
13        if (!hasConfigurers) {
14            WebSecurityConfigurerAdapter adapter = objectObjectPostProcessor
15                    .postProcess(new WebSecurityConfigurerAdapter() {
16                    });
17            webSecurity.apply(adapter);
18        }
19        return webSecurity.build();
20    }

我们注意到这个初始化类有两个主要成员变量,WebSecurity和webSecurityConfigurers,而从这个springSecurityFilterChain方法我们可以看到该filter是通过构造器WebSecurity构造而来,
纳尼? 既然Websecurity构造了springSecurityFilterChain,那为什么下面还有一个 webSecurityConfigurers,并且是一个WebSecurity的list呢?
别急,我们来看下他们之间的关系。我们注意到还有这样一个方法:

 [email protected](required = false)
 2public void setFilterChainProxySecurityConfigurer(
 3        ObjectPostProcessor<Object> objectPostProcessor,
 4        @Value("#{@autowiredWebSecurityConfigurersIgnoreParents.getWebSecurityConfigurers()}") List<SecurityConfigurer<Filter, WebSecurity>> webSecurityConfigurers)
 5        throws Exception {
 6    webSecurity = objectPostProcessor
 7            .postProcess(new WebSecurity(objectPostProcessor));
 8    if (debugEnabled != null) {
 9        webSecurity.debug(debugEnabled);
10    }
11
12    Collections.sort(webSecurityConfigurers, AnnotationAwareOrderComparator.INSTANCE);
13
14    Integer previousOrder = null;
15    Object previousConfig = null;
16    for (SecurityConfigurer<Filter, WebSecurity> config : webSecurityConfigurers) {
17        Integer order = AnnotationAwareOrderComparator.lookupOrder(config);
18        if (previousOrder != null && previousOrder.equals(order)) {
19            throw new IllegalStateException(
20                    "@Order on WebSecurityConfigurers must be unique. Order of "
21                            + order + " was already used on " + previousConfig + ", so it cannot be used on "
22                            + config + " too.");
23        }
24        previousOrder = order;
25        previousConfig = config;
26    }
27    for (SecurityConfigurer<Filter, WebSecurity> webSecurityConfigurer : webSecurityConfigurers) {
28        webSecurity.apply(webSecurityConfigurer);
29    }
30    this.webSecurityConfigurers = webSecurityConfigurers;
31}

从这里我们就知道他们的关系了, 这个webSecurityConfigurers是通过spring注入进去的(尼玛,我都快整蒙圈了),他就代表那个过滤器链,也就是权限控制的关键,而我们一开始看到的Websecurity就是这个过滤器链的入口,由它来一个个的将
过过滤器链引用作为自己的成员变量,好了,他们之间的关系我们搞清楚了,接下来就又多了一个新问题,那个过滤器链又是在哪里给初始化了呢。

@Value("#{@autowiredWebSecurityConfigurersIgnoreParents.getWebSecurityConfigurers()}")

这个el表达式的bean同样在这个配置类中:

[email protected]
2public static AutowiredWebSecurityConfigurersIgnoreParents autowiredWebSecurityConfigurersIgnoreParents(
3        ConfigurableListableBeanFactory beanFactory) {
4    return new AutowiredWebSecurityConfigurersIgnoreParents(beanFactory);
5}

那我们继续看这个AutowiredWebSecurityConfigurersIgnoreParents,它拿到了spring的容器beanFactory,然后得到了那个过滤器链,然后我还是太天真:

 [email protected]({ "rawtypes", "unchecked" })
 2    public List<SecurityConfigurer<Filter, WebSecurity>> getWebSecurityConfigurers() {
 3        List<SecurityConfigurer<Filter, WebSecurity>> webSecurityConfigurers = new ArrayList<SecurityConfigurer<Filter, WebSecurity>>();
 4        Map<String, WebSecurityConfigurer> beansOfType = beanFactory
 5                .getBeansOfType(WebSecurityConfigurer.class);
 6        for (Entry<String, WebSecurityConfigurer> entry : beansOfType.entrySet()) {
 7            webSecurityConfigurers.add(entry.getValue());
 8        }
 9        return webSecurityConfigurers;
10    }

它居然不是直接初始化的,而是从beanFactory中取出来了所有WebSecurityConfigurer类型的bean,尼玛!那我们接着看实现了WebSecurityConfigurer并且作为bean在spring中已经初始化了类是哪一个,
不着不知道,依照吓一跳,查看类关系,居然又回到了最初的起点:

Springsecurity从helloworld到源码解析(二):springsecurity配置加载解析

springSecurityFilterChain


又是它!,我们继续查看他,终于!我们找到了那个过滤器链!

 

 1protected final HttpSecurity getHttp() throws Exception {
 2    if (http != null) {
 3        return http;
 4    }
 5
 6    DefaultAuthenticationEventPublisher eventPublisher = objectPostProcessor
 7            .postProcess(new DefaultAuthenticationEventPublisher());
 8    localConfigureAuthenticationBldr.authenticationEventPublisher(eventPublisher);
 9
10    AuthenticationManager authenticationManager = authenticationManager();
11    authenticationBuilder.parentAuthenticationManager(authenticationManager);
12    authenticationBuilder.authenticationEventPublisher(eventPublisher);
13    Map<Class<? extends Object>, Object> sharedObjects = createSharedObjects();
14
15    http = new HttpSecurity(objectPostProcessor, authenticationBuilder,
16            sharedObjects);
17    if (!disableDefaults) {
18        // @formatter:off
19        http
20            .csrf().and()
21            .addFilter(new WebAsyncManagerIntegrationFilter())
22            .exceptionHandling().and()
23            .headers().and()
24            .sessionManagement().and()
25            .securityContext().and()
26            .requestCache().and()
27            .anonymous().and()
28            .servletApi().and()
29            .apply(new DefaultLoginPageConfigurer<>()).and()
30            .logout();
31        // @formatter:on
32        ClassLoader classLoader = this.context.getClassLoader();
33        List<AbstractHttpConfigurer> defaultHttpConfigurers =
34                SpringFactoriesLoader.loadFactories(AbstractHttpConfigurer.class, classLoader);
35
36        for (AbstractHttpConfigurer configurer : defaultHttpConfigurers) {
37            http.apply(configurer);
38        }
39    }
40    configure(http);
41    return http;
42    }

由此方法我们得知,最终的过滤器链是保存在HttpSecuriry中,并且通过spring把所有AbstractHttpConfigurer子类都加入到容器中并且加入到了过滤器链中 http:apply(…)
那我们看下AbstractHttpConfigurer有哪些子类

Springsecurity从helloworld到源码解析(二):springsecurity配置加载解析

springSecurityFilterChain


:sob: 终于找到了,顺便看下HttpSecurity构成:

 

1public final class HttpSecurity extends
2        AbstractConfiguredSecurityBuilder<DefaultSecurityFilterChain, HttpSecurity>
3        implements SecurityBuilder<DefaultSecurityFilterChain>,
4        HttpSecurityBuilder<HttpSecurity> {
5    private final RequestMatcherConfigurer requestMatcherConfigurer;
6    private List<Filter> filters = new ArrayList<>();
7    private RequestMatcher requestMatcher = AnyRequestMatcher.INSTANCE;
8    private FilterComparator comparator = new FilterComparator();

另外从上面那个方法中,我们还看到了一个很熟悉的过滤器:DefaultLoginPageConfigurer,我们查看它。

1private DefaultLoginPageGeneratingFilter loginPageGeneratingFilter = new DefaultLoginPageGeneratingFilter();
2private DefaultLogoutPageGeneratingFilter logoutPageGeneratingFilter = new DefaultLogoutPageGeneratingFilter();

它有两个过滤器,登陆页面和注销页面,我们继续查看登陆页面,这个时候发现一点意外的收获:

  1public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
  2            throws IOException, ServletException {
  3        HttpServletRequest request = (HttpServletRequest) req;
  4        HttpServletResponse response = (HttpServletResponse) res;
  5
  6        boolean loginError = isErrorPage(request);
  7        boolean logoutSuccess = isLogoutSuccess(request);
  8        if (isLoginUrlRequest(request) || loginError || logoutSuccess) {
  9            String loginPageHtml = generateLoginPageHtml(request, loginError,
 10                    logoutSuccess);
 11            response.setContentType("text/html;charset=UTF-8");
 12            response.setContentLength(loginPageHtml.getBytes(StandardCharsets.UTF_8).length);
 13            response.getWriter().write(loginPageHtml);
 14
 15            return;
 16        }
 17
 18        chain.doFilter(request, response);
 19    }
 20
 21    private String generateLoginPageHtml(HttpServletRequest request, boolean loginError,
 22            boolean logoutSuccess) {
 23        String errorMsg = "Invalid credentials";
 24
 25        if (loginError) {
 26            HttpSession session = request.getSession(false);
 27
 28            if (session != null) {
 29                AuthenticationException ex = (AuthenticationException) session
 30                        .getAttribute(WebAttributes.AUTHENTICATION_EXCEPTION);
 31                errorMsg = ex != null ? ex.getMessage() : "Invalid credentials";
 32            }
 33        }
 34
 35        StringBuilder sb = new StringBuilder();
 36
 37        sb.append("<!DOCTYPE html>\n"
 38                + "<html lang=\"en\">\n"
 39                + "  <head>\n"
 40                + "    <meta charset=\"utf-8\">\n"
 41                + "    <meta name=\"viewport\" content=\"width=device-width, initial-scale=1, shrink-to-fit=no\">\n"
 42                + "    <meta name=\"description\" content=\"\">\n"
 43                + "    <meta name=\"author\" content=\"\">\n"
 44                + "    <title>Please sign in</title>\n"
 45                + "    <link href=\"https://maxcdn.bootstrapcdn.com/bootstrap/4.0.0-beta/css/bootstrap.min.css\" rel=\"stylesheet\" integrity=\"sha384-/Y6pD6FV/Vv2HJnA6t+vslU6fwYXjCFtcEpHbNJ0lyAFsXTsjBbfaDjzALeQsN6M\" crossorigin=\"anonymous\">\n"
 46                + "    <link href=\"https://getbootstrap.com/docs/4.0/examples/signin/signin.css\" rel=\"stylesheet\" crossorigin=\"anonymous\"/>\n"
 47                + "  </head>\n"
 48                + "  <body>\n"
 49                + "     <div class=\"container\">\n");
 50
 51        String contextPath = request.getContextPath();
 52        if (this.formLoginEnabled) {
 53            sb.append("      <form class=\"form-signin\" method=\"post\" action=\"" + contextPath + this.authenticationUrl + "\">\n"
 54                    + "        <h2 class=\"form-signin-heading\">Please sign in</h2>\n"
 55                    + createError(loginError, errorMsg)
 56                    + createLogoutSuccess(logoutSuccess)
 57                    + "        <p>\n"
 58                    + "          <label for=\"username\" class=\"sr-only\">Username</label>\n"
 59                    + "          <input type=\"text\" id=\"username\" name=\"" + this.usernameParameter + "\" class=\"form-control\" placeholder=\"Username\" required autofocus>\n"
 60                    + "        </p>\n"
 61                    + "        <p>\n"
 62                    + "          <label for=\"password\" class=\"sr-only\">Password</label>\n"
 63                    + "          <input type=\"password\" id=\"password\" name=\"" + this.passwordParameter + "\" class=\"form-control\" placeholder=\"Password\" required>\n"
 64                    + "        </p>\n"
 65                    + createRememberMe(this.rememberMeParameter)
 66                    + renderHiddenInputs(request)
 67                    + "        <button class=\"btn btn-lg btn-primary btn-block\" type=\"submit\">Sign in</button>\n"
 68                    + "      </form>\n");
 69        }
 70
 71        if (openIdEnabled) {
 72            sb.append("      <form name=\"oidf\" class=\"form-signin\" method=\"post\" action=\"" + contextPath + this.openIDauthenticationUrl + "\">\n"
 73                    + "        <h2 class=\"form-signin-heading\">Login with OpenID Identity</h2>\n"
 74                    + createError(loginError, errorMsg)
 75                    + createLogoutSuccess(logoutSuccess)
 76                    + "        <p>\n"
 77                    + "          <label for=\"username\" class=\"sr-only\">Identity</label>\n"
 78                    + "          <input type=\"text\" id=\"username\" name=\"" + this.openIDusernameParameter + "\" class=\"form-control\" placeholder=\"Username\" required autofocus>\n"
 79                    + "        </p>\n"
 80                    + createRememberMe(this.openIDrememberMeParameter)
 81                    + renderHiddenInputs(request)
 82                    + "        <button class=\"btn btn-lg btn-primary btn-block\" type=\"submit\">Sign in</button>\n"
 83                    + "      </form>\n");
 84        }
 85
 86        if (oauth2LoginEnabled) {
 87            sb.append("<h2 class=\"form-signin-heading\">Login with OAuth 2.0</h3>");
 88            sb.append(createError(loginError, errorMsg));
 89            sb.append(createLogoutSuccess(logoutSuccess));
 90            sb.append("<table class=\"table table-striped\">\n");
 91            for (Map.Entry<String, String> clientAuthenticationUrlToClientName : oauth2AuthenticationUrlToClientName.entrySet()) {
 92                sb.append(" <tr><td>");
 93                String url = clientAuthenticationUrlToClientName.getKey();
 94                sb.append("<a href=\"").append(contextPath).append(url).append("\">");
 95                String clientName = HtmlUtils.htmlEscape(clientAuthenticationUrlToClientName.getValue());
 96                sb.append(clientName);
 97                sb.append("</a>");
 98                sb.append("</td></tr>\n");
 99            }
100            sb.append("</table></div>\n");
101        }
102
103        sb.append("</body></html>");
104
105        return sb.toString();
106    }

我们的helloworld那一篇博客中的登陆页面即来源于此!(还有点惊喜哈:joy:),谈到这,突然记起我们上面谈了一个问题。
@AutoConfigureAfter(SecurityAutoConfiguration.class)为什么要用这个,现在应该知道了吧(:joy:),因为它要代理的filter在上一个注解。


然后我们继续回来看WebSecurity这个构造器(是不是都已经忘记我们是在说这个类的:joy:),这个类很长,我们直接看注释以及主要成员变量

 1/**
 2 * <p>
 3 * The {@link WebSecurity} is created by {@link WebSecurityConfiguration} to create the
 4 * {@link FilterChainProxy} known as the Spring Security Filter Chain
 5 * (springSecurityFilterChain). The springSecurityFilterChain is the {@link Filter} that
 6 * the {@link DelegatingFilterProxy} delegates to.
 7 * </p>
 8 *
 9 * <p>
10 * Customizations to the {@link WebSecurity} can be made by creating a
11 * {@link WebSecurityConfigurer} or more likely by overriding
12 * {@link WebSecurityConfigurerAdapter}.
13 * </p>
14 *
15 * @see EnableWebSecurity
16 * @see WebSecurityConfiguration
17 *
18 * @author Rob Winch
19 * @since 3.2
20 */
21private final Log logger = LogFactory.getLog(getClass());
22
23private final List<RequestMatcher> ignoredRequests = new ArrayList<>();
24
25private final List<SecurityBuilder<? extends SecurityFilterChain>> securityFilterChainBuilders = new ArrayList<SecurityBuilder<? extends SecurityFilterChain>>();
26
27private IgnoredRequestConfigurer ignoredRequestRegistry;
28
29private FilterSecurityInterceptor filterSecurityInterceptor;
30
31private HttpFirewall httpFirewall;
32
33private boolean debugEnabled;
34
35private WebInvocationPrivilegeEvaluator privilegeEvaluator;
36
37private DefaultWebSecurityExpressionHandler defaultWebSecurityExpressionHandler = new DefaultWebSecurityExpressionHandler();
38
39private SecurityExpressionHandler<FilterInvocation> expressionHandler = defaultWebSecurityExpressionHandler;
40
41private Runnable postBuildAction = new Runnable() {
42    public void run() {
43    }
44};

大概意思就是说这个类是被专门用来创建FilterChainProxy,即我们所知道的(springSecurityFilterChain),然后它的配置均来自于
WebSecurityConfigurer,默认实现是WebSecurityConfigurerAdapter,这是它第N次出现了!
接下来我们研究下它的主要成员变量,List ignoredRequests = new ArrayList<>();一个匹配请求url的处理器,这处的作用是用来存储我们要忽略的url(不走springsecurity的过滤器链),
FilterSecurityInterceptor,过滤器链就是由它来调用的,HttpFirewall,看名字就知道起到了额外的配置作用(事实上初始化是一个空对象)。
securityFilterChainBuilders可以看成是WebSecurity内部过滤器链的引用。
defaultWebSecurityExpressionHandler是springsecurity el表达式处理器(后面讲解注解时我们再来回顾),比如说 hasAnyAuthority(…),就可以由它来处理
另外还有一个 WebInvocationPrivilegeEvaluator,它叫做权限计算器,其实就是和防火墙一样,多了一层判断,它的默认实现是

public class DefaultWebInvocationPrivilegeEvaluator implements WebInvocationPrivilegeEvaluator {

表示所有用户都由权限(因为是默认的)

最后,还有最后一个配置类UserDetailsServiceAutoConfiguration

UserDetailsServiceAutoConfiguration

 [email protected]
 [email protected](AuthenticationManager.class)
 [email protected](ObjectPostProcessor.class)
 [email protected]({ AuthenticationManager.class, AuthenticationProvider.class,
 5        UserDetailsService.class })
 6public class UserDetailsServiceAutoConfiguration {
 7
 8    private static final String NOOP_PASSWORD_PREFIX = "{noop}";
 9
10    private static final Pattern PASSWORD_ALGORITHM_PATTERN = Pattern
11            .compile("^\\{.+}.*$");
12
13    private static final Log logger = LogFactory
14            .getLog(UserDetailsServiceAutoConfiguration.class);
15
16    @Bean
17    @ConditionalOnMissingBean(type = "org.springframework.security.oauth2.client.registration.ClientRegistrationRepository")
18    @Lazy
19    public InMemoryUserDetailsManager inMemoryUserDetailsManager(
20            SecurityProperties properties,
21            ObjectProvider<PasswordEncoder> passwordEncoder) {
22        SecurityProperties.User user = properties.getUser();
23        List<String> roles = user.getRoles();
24        return new InMemoryUserDetailsManager(User.withUsername(user.getName())
25                .password(getOrDeducePassword(user, passwordEncoder.getIfAvailable()))
26                .roles(StringUtils.toStringArray(roles)).build());
27    }
28
29    private String getOrDeducePassword(SecurityProperties.User user,
30            PasswordEncoder encoder) {
31        String password = user.getPassword();
32        if (user.isPasswordGenerated()) {
33            logger.info(String.format("%n%nUsing generated security password: %s%n",
34                    user.getPassword()));
35        }
36        if (encoder != null || PASSWORD_ALGORITHM_PATTERN.matcher(password).matches()) {
37            return password;
38        }
39        return NOOP_PASSWORD_PREFIX + password;
40    }
41
42}

这次这个配置很简单,因为我们没有配置oauth2,所以它帮我们做了一个UserDetails,并且是根据我们配置的用户密码,把他们load到内存(因为没有db),以后的权限判断就根据
userDetails来判断了,由此可知,如果我们要扩展,实现该类也是必然的。

总结

这次,我们从源码的角度查看了springboot帮我们做的配置(还真是绕了不少圈子),并且只得到了login页面的来源,接下来,我们就探究下springsecurity的具体配置!

本文原创地址,我的博客:https://jsbintask.cn/2019/01/08/springsecurity-configsourcecode/  未经允许,禁止转载!