目錄

?SecurityConfigurerAdapter

AbstractHttpConfigurer

AnonymousConfigurer

AbstractAuthenticationFilterConfigurer

FormLoginConfigurer

HttpBasicConfigurer

AbstractInterceptUrlConfigurer

---

HttpSecurity的performBuild()方法，會構造一個DefaultSecurityFilterChain，需要傳入Filters。

private List<Filter> filters = new ArrayList<>();@Overrideprotected DefaultSecurityFilterChain performBuild() {filters.sort(comparator);return new DefaultSecurityFilterChain(requestMatcher, filters);}

filters通過addFilter()方法添加Filter。

public HttpSecurity addFilter(Filter filter) {Class<? extends Filter> filterClass = filter.getClass();if (!comparator.isRegistered(filterClass)) {throw new IllegalArgumentException("The Filter class "+ filterClass.getName()+ " does not have a registered order and cannot be added without a specified order. Consider using addFilterBefore or addFilterAfter instead.");}this.filters.add(filter);return this;}

?還可以控制Filter的順序。

H addFilterAfter(Filter filter, Class<? extends Filter> afterFilter);H addFilterBefore(Filter filter, Class<? extends Filter> beforeFilter);

?HttpSecurity通過一些方法用來增加不同的Filter。例如formLogin()

public FormLoginConfigurer<HttpSecurity> formLogin() throws Exception {return getOrApply(new FormLoginConfigurer<>());}private <C extends SecurityConfigurerAdapter<DefaultSecurityFilterChain, HttpSecurity>> C getOrApply(C configurer) throws Exception {C existingConfig = (C) getConfigurer(configurer.getClass());if (existingConfig != null) {return existingConfig;}return apply(configurer);}public <C extends SecurityConfigurerAdapter<O, B>> C apply(C configurer)throws Exception {configurer.addObjectPostProcessor(objectPostProcessor);configurer.setBuilder((B) this);add(configurer);return configurer;}

例如：logout

public HttpSecurity logout(Customizer<LogoutConfigurer<HttpSecurity>> logoutCustomizer) throws Exception {logoutCustomizer.customize(getOrApply(new LogoutConfigurer<>()));return HttpSecurity.this;} @FunctionalInterface public interface Customizer<T> {void customize(T t);static <T> Customizer<T> withDefaults() {return t -> {};} }

?SecurityConfigurerAdapter

HttpSecurity通過apply(SecurityConfigurerAdapter) 方法來增加配置。SecurityConfigurerAdapter的繼承結構如下：

?

public abstract class SecurityConfigurerAdapter<O, B extends SecurityBuilder<O>>implements SecurityConfigurer<O, B> {private B securityBuilder;private CompositeObjectPostProcessor objectPostProcessor = new CompositeObjectPostProcessor();//初始化public void init(B builder) throws Exception {} //配置public void configure(B builder) throws Exception {}//配置完成，返回public B and() {return getBuilder();}protected final B getBuilder() {if (securityBuilder == null) {throw new IllegalStateException("securityBuilder cannot be null");}return securityBuilder;}

AbstractHttpConfigurer

提供了disable功能。

public B disable() {getBuilder().removeConfigurer(getClass());return getBuilder();}

AnonymousConfigurer

匿名訪問控制。

Filter：AnonymousAuthenticationFilter

AuthenticationProvider ：AnonymousAuthenticationProvider。

private AuthenticationProvider authenticationProvider;private AnonymousAuthenticationFilter authenticationFilter;private Object principal = "anonymousUser";private List<GrantedAuthority> authorities = AuthorityUtils.createAuthorityList("ROLE_ANONYMOUS");

AbstractAuthenticationFilterConfigurer

驗證Filter。默認loginPage：login。

需要AuthenticationDetailsSource

private F authFilter;private AuthenticationDetailsSource<HttpServletRequest, ?> authenticationDetailsSource;private SavedRequestAwareAuthenticationSuccessHandler defaultSuccessHandler = new SavedRequestAwareAuthenticationSuccessHandler();private AuthenticationSuccessHandler successHandler = this.defaultSuccessHandler;private LoginUrlAuthenticationEntryPoint authenticationEntryPoint;private boolean customLoginPage;private String loginPage;private String loginProcessingUrl;private AuthenticationFailureHandler failureHandler;private boolean permitAll;private String failureUrl;protected AbstractAuthenticationFilterConfigurer() {setLoginPage("/login");}

?構造Filter。

設置：AuthenticationManager，AuthenticationSuccessHandler，AuthenticationFailureHandler，AuthenticationDetailsSource，SessionAuthenticationStrategy，RememberMeServices

public void configure(B http) throws Exception {PortMapper portMapper = http.getSharedObject(PortMapper.class);if (portMapper != null) {authenticationEntryPoint.setPortMapper(portMapper);}RequestCache requestCache = http.getSharedObject(RequestCache.class);if (requestCache != null) {this.defaultSuccessHandler.setRequestCache(requestCache);}authFilter.setAuthenticationManager(http.getSharedObject(AuthenticationManager.class));authFilter.setAuthenticationSuccessHandler(successHandler);authFilter.setAuthenticationFailureHandler(failureHandler);if (authenticationDetailsSource != null) {authFilter.setAuthenticationDetailsSource(authenticationDetailsSource);}SessionAuthenticationStrategy sessionAuthenticationStrategy = http.getSharedObject(SessionAuthenticationStrategy.class);if (sessionAuthenticationStrategy != null) {authFilter.setSessionAuthenticationStrategy(sessionAuthenticationStrategy);}RememberMeServices rememberMeServices = http.getSharedObject(RememberMeServices.class);if (rememberMeServices != null) {authFilter.setRememberMeServices(rememberMeServices);}F filter = postProcess(authFilter);http.addFilter(filter);}

FormLoginConfigurer

表單登錄。

Filter：UsernamePasswordAuthenticationFilter

AuthenticationProvider ：AnonymousAuthenticationProvider。

public final class FormLoginConfigurer<H extends HttpSecurityBuilder<H>> extendsAbstractAuthenticationFilterConfigurer<H, FormLoginConfigurer<H>, UsernamePasswordAuthenticationFilter> {/*** Creates a new instance* @see HttpSecurity#formLogin()*/public FormLoginConfigurer() {super(new UsernamePasswordAuthenticationFilter(), null);usernameParameter("username");passwordParameter("password");} }

HttpBasicConfigurer

HttpBase驗證。

Filter：BasicAuthenticationFilter

AbstractInterceptUrlConfigurer

Filter：AccessDecisionManager

?

?

總結

以上是生活随笔為你收集整理的Spring Security源码解析（三）—— HttpSecurity的全部內容，希望文章能夠幫你解決所遇到的問題。

如果覺得生活随笔網站內容還不錯，歡迎將生活随笔推薦給好友。