Key points
- A request first enters the DefaultWebFilterChain, whose terminal handler is the DispatcherHandler. The request passes through every WebFilter in the DefaultWebFilterChain (including Spring Security's filters, which WebFilterChainProxy runs as a nested chain) before it reaches the DispatcherHandler, which is where both controller handling and Spring Cloud Gateway routing happen.
- When controllers and Spring Cloud Gateway routes are configured in the same application, the controllers' RequestMappingHandlerMapping is consulted before the gateway's RoutePredicateHandlerMapping, so Spring first looks for a matching controller path and only then evaluates the gateway route predicates. The underlying reason is the ordering of the handlerMappings list in DispatcherHandler: RequestMappingHandlerMapping (order 0) comes before RoutePredicateHandlerMapping (order 1):
[Figure: the handlerMappings list in DispatcherHandler]
- By default, the object graph of Spring WebFlux Security + Spring Cloud Gateway looks like this:
[Figure: Spring WebFlux Security + Spring Cloud Gateway object graph]
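As an added example that is not part of the original page: a minimal Spring Boot application in which a controller and a Spring Cloud Gateway route both claim /api/hello. Because RequestMappingHandlerMapping (order 0) is consulted before RoutePredicateHandlerMapping (order 1), /api/hello is served by the local controller and the route's filters never run for it; every other path under /api/ is proxied. The route id, the downstream address and the ApplicationRunner that prints the mapping order are this example's assumptions; it needs spring-cloud-starter-gateway on the classpath.

```java
import java.util.List;

import org.springframework.boot.ApplicationRunner;
import org.springframework.boot.SpringApplication;
import org.springframework.boot.autoconfigure.SpringBootApplication;
import org.springframework.cloud.gateway.route.RouteLocator;
import org.springframework.cloud.gateway.route.builder.RouteLocatorBuilder;
import org.springframework.context.annotation.Bean;
import org.springframework.core.Ordered;
import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.RestController;
import org.springframework.web.reactive.HandlerMapping;
import reactor.core.publisher.Mono;

@SpringBootApplication
public class GatewayPrecedenceApp {

    public static void main(String[] args) {
        SpringApplication.run(GatewayPrecedenceApp.class, args);
    }

    // Local controller whose path overlaps the gateway route below.
    // RequestMappingHandlerMapping finds it first, so the route is never consulted for /api/hello.
    @RestController
    static class LocalApiController {
        @GetMapping("/api/hello")
        Mono<String> hello() {
            return Mono.just("handled by the controller, never proxied");
        }
    }

    // Gateway route for everything under /api/. Its per-route filter (here: dropping the
    // Cookie header before forwarding) only runs for paths that no controller claims.
    @Bean
    RouteLocator backendRoute(RouteLocatorBuilder builder) {
        return builder.routes()
                .route("backend", r -> r.path("/api/**")
                        .filters(f -> f.removeRequestHeader("Cookie"))
                        .uri("http://localhost:9000"))   // assumed downstream address
                .build();
    }

    // Prints the HandlerMapping beans in the order DispatcherHandler consults them
    // (Spring sorts the injected list by Ordered / @Order, as DispatcherHandler does).
    @Bean
    ApplicationRunner printHandlerMappingOrder(List<HandlerMapping> handlerMappings) {
        return args -> handlerMappings.forEach(mapping -> System.out.printf("order=%d %s%n",
                (mapping instanceof Ordered) ? ((Ordered) mapping).getOrder() : Ordered.LOWEST_PRECEDENCE,
                mapping.getClass().getSimpleName()));
    }
}
```

The authorization rules of the SecurityWebFilterChain still cover /api/hello, because WebFilterChainProxy runs inside the DefaultWebFilterChain before the DispatcherHandler is reached. What is lost for a shadowed path is everything done per route (header stripping, rewrites, rate limiting, token relay), so overlaps between @RequestMapping paths and route predicates are worth reviewing when hardening a gateway.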
Request processing flow in Spring Security WebFlux
- Request ->
- NettyWebServer (holds a ReactorHttpHandlerAdapter) ->
- ReactorHttpHandlerAdapter (holds an HttpHandler) ->
- HttpWebHandlerAdapter (implements HttpHandler, holds a WebHandler) ->
- ExceptionHandlingWebHandler (holds a FilteringWebHandler) ->
- FilteringWebHandler (implements WebHandler, holds a DefaultWebFilterChain) ->
- DefaultWebFilterChain (holds the registered WebFilters, among them WebFilterChainProxy, and the DispatcherHandler that handles controllers and Spring Cloud Gateway routes) ->
- WebFilterChainProxy (holds the SecurityWebFilterChain instances and runs the first one whose matcher accepts the request) ->
- SecurityWebFilterChain (built by ServerHttpSecurity; its only implementation is MatcherSecurityWebFilterChain; holds the Spring Security filters configured for the application).
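As an added example (not from the original page), two plain WebFilter beans that show where an application's own filters sit relative to WebFilterChainProxy in the DefaultWebFilterChain. WebFilterChainProxy is registered with order -100 (WebFluxSecurityConfiguration.WEB_FILTER_CHAIN_FILTER_ORDER), so a filter ordered before it always sees an unauthenticated exchange, while a filter ordered after it receives the SecurityContextServerWebExchange and the Reactor Context that the security filters populated. The filter names, the header name and the logging are this example's assumptions; it needs spring-boot-starter-webflux and spring-boot-starter-security.

```java
import java.security.Principal;
import java.util.UUID;

import org.springframework.core.Ordered;
import org.springframework.core.annotation.Order;
import org.springframework.security.core.context.ReactiveSecurityContextHolder;
import org.springframework.security.core.context.SecurityContext;
import org.springframework.stereotype.Component;
import org.springframework.web.server.ServerWebExchange;
import org.springframework.web.server.WebFilter;
import org.springframework.web.server.WebFilterChain;
import reactor.core.publisher.Mono;

/**
 * Runs before WebFilterChainProxy (order -100). Nothing security-related has happened yet:
 * exchange.getPrincipal() is always empty here, so this filter must not make any
 * authentication- or authorization-dependent decision.
 */
@Component
@Order(Ordered.HIGHEST_PRECEDENCE)
class RequestIdFilter implements WebFilter {

    private static final String HEADER = "X-Request-Id";   // assumed correlation header

    @Override
    public Mono<Void> filter(ServerWebExchange exchange, WebFilterChain chain) {
        String supplied = exchange.getRequest().getHeaders().getFirst(HEADER);
        // Accept a client-supplied id only if it is plain token text; log injection via
        // this header is otherwise trivial. Anything else is replaced by a fresh UUID.
        final String id = (supplied != null && supplied.matches("[A-Za-z0-9-]{1,64}"))
                ? supplied
                : UUID.randomUUID().toString();
        exchange.getResponse().getHeaders().set(HEADER, id);
        ServerWebExchange withId = exchange.mutate()
                .request(r -> r.header(HEADER, id))
                .build();
        return chain.filter(withId);
    }
}

/**
 * Runs after WebFilterChainProxy (-50 > -100). By now the security chain has run:
 * the exchange is the SecurityContextServerWebExchange, so getPrincipal() yields the
 * Authentication, and the Reactor Context carries the SecurityContext.
 */
@Component
@Order(-50)
class AuditFilter implements WebFilter {

    @Override
    public Mono<Void> filter(ServerWebExchange exchange, WebFilterChain chain) {
        String requestId = exchange.getRequest().getHeaders().getFirst("X-Request-Id");
        Mono<String> viaExchange = exchange.getPrincipal()
                .map(Principal::getName)
                .defaultIfEmpty("anonymous");
        Mono<String> viaContext = ReactiveSecurityContextHolder.getContext()
                .map(SecurityContext::getAuthentication)
                .map(a -> a.getName())
                .defaultIfEmpty("anonymous");
        // Both lookups resolve to the same name; the second form is what service code
        // that has no ServerWebExchange at hand would use.
        return Mono.zip(viaExchange, viaContext)
                .doOnNext(names -> System.out.printf("audit rid=%s principal=%s (%s) %s %s%n",
                        requestId, names.getT1(), names.getT2(),
                        exchange.getRequest().getMethod(), exchange.getRequest().getPath()))
                .then(chain.filter(exchange));
    }
}
```

Note that the audit entry is written before the handler runs and before AuthorizationWebFilter's verdict is known to this filter; if a denied request must be logged as denied, the place for that is the ServerAccessDeniedHandler configured through http.exceptionHandling(), which runs inside the security chain.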
The Spring Security filters, in execution order:

| Filter | Purpose | Related configuration |
| --- | --- | --- |
| HttpHeaderWriterWebFilter | Adds headers to the response, e.g. the security-related X-Frame-Options | http.headers() |
| CorsWebFilter | CORS handling | http.cors() |
| CsrfWebFilter | CSRF protection | http.csrf() |
| ReactorContextWebFilter | Loads the SecurityContext (e.g. from the WebSession) through the ServerSecurityContextRepository and puts it into the Reactor Context | http.securityContextRepository() |
| AuthenticationWebFilter | Performs the authentication step | http.formLogin(), http.httpBasic(), http.authenticationManager(), http.securityContextRepository() |
| LoginPageGeneratingWebFilter | Generates the default login page | |
| LogoutPageGeneratingWebFilter | Generates the default logout confirmation page (GET /logout) | |
| SecurityContextServerWebExchangeWebFilter | Makes ServerWebExchange.getPrincipal() return the Authentication object | |
| ServerRequestCacheWebFilter | Replays a request that was saved before a redirect to login | http.requestCache() |
| LogoutWebFilter | Handles logout | http.logout() |
| ExceptionTranslationWebFilter | Handles authentication and authorization failures raised further down the chain (mainly the AccessDeniedException thrown by AuthorizationWebFilter). If the request is not authenticated (no Authentication in the SecurityContext, more precisely ServerWebExchange.getPrincipal() is empty) it invokes the ServerAuthenticationEntryPoint; if an authenticated request is denied it invokes the ServerAccessDeniedHandler | http.exceptionHandling().authenticationEntryPoint(), http.exceptionHandling().accessDeniedHandler() |
| AuthorizationWebFilter | Handles authorization | http.authorizeExchange().pathMatchers(), http.authorizeExchange().anyExchange() |
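An added configuration example, not from the original page, that wires the hooks from the table's third column into one SecurityWebFilterChain suited to an API gateway: HTTP Basic instead of the generated login page, a stateless security context, and 401/403 responses from ExceptionTranslationWebFilter instead of redirects to /login. It assumes Spring Security 5.2 or later (lambda DSL); the paths, roles, in-memory users and allowed origin are illustrative.

```java
import java.util.List;

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.http.HttpStatus;
import org.springframework.security.config.Customizer;
import org.springframework.security.config.annotation.web.reactive.EnableWebFluxSecurity;
import org.springframework.security.config.web.server.ServerHttpSecurity;
import org.springframework.security.core.userdetails.MapReactiveUserDetailsService;
import org.springframework.security.core.userdetails.User;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.security.crypto.factory.PasswordEncoderFactories;
import org.springframework.security.crypto.password.PasswordEncoder;
import org.springframework.security.web.server.SecurityWebFilterChain;
import org.springframework.security.web.server.authentication.HttpBasicServerAuthenticationEntryPoint;
import org.springframework.security.web.server.authorization.HttpStatusServerAccessDeniedHandler;
import org.springframework.security.web.server.context.NoOpServerSecurityContextRepository;
import org.springframework.security.web.server.header.XFrameOptionsServerHttpHeadersWriter;
import org.springframework.security.web.server.savedrequest.NoOpServerRequestCache;
import org.springframework.web.cors.CorsConfiguration;
import org.springframework.web.cors.reactive.CorsConfigurationSource;
import org.springframework.web.cors.reactive.UrlBasedCorsConfigurationSource;

@Configuration
@EnableWebFluxSecurity
public class GatewaySecurityConfig {

    @Bean
    SecurityWebFilterChain securityWebFilterChain(ServerHttpSecurity http) {
        return http
                // HttpHeaderWriterWebFilter: keep the default header set, force X-Frame-Options: DENY
                .headers(h -> h.frameOptions(f -> f.mode(XFrameOptionsServerHttpHeadersWriter.Mode.DENY)))
                // CorsWebFilter: explicit origin allow-list (see corsConfigurationSource below)
                .cors(c -> c.configurationSource(corsConfigurationSource()))
                // CsrfWebFilter: disabled only because no session cookie is ever issued here
                // (stateless Basic auth). Keep it enabled whenever form login or sessions are used.
                .csrf(ServerHttpSecurity.CsrfSpec::disable)
                // ReactorContextWebFilter / AuthenticationWebFilter: nothing is stored between requests,
                // so every request must carry credentials
                .securityContextRepository(NoOpServerSecurityContextRepository.getInstance())
                .httpBasic(Customizer.withDefaults())
                .formLogin(ServerHttpSecurity.FormLoginSpec::disable)   // no generated login page
                .logout(ServerHttpSecurity.LogoutSpec::disable)         // nothing to log out of
                // ServerRequestCacheWebFilter: no login redirect, hence nothing to replay
                .requestCache(r -> r.requestCache(NoOpServerRequestCache.getInstance()))
                // ExceptionTranslationWebFilter: 401 + WWW-Authenticate for missing credentials,
                // plain 403 for an authenticated caller that lacks the role
                .exceptionHandling(e -> e
                        .authenticationEntryPoint(new HttpBasicServerAuthenticationEntryPoint())
                        .accessDeniedHandler(new HttpStatusServerAccessDeniedHandler(HttpStatus.FORBIDDEN)))
                // AuthorizationWebFilter: most specific matchers first, deny by default last
                .authorizeExchange(ex -> ex
                        .pathMatchers("/actuator/health").permitAll()
                        .pathMatchers("/admin/**").hasRole("ADMIN")
                        .pathMatchers("/api/**").authenticated()
                        .anyExchange().denyAll())
                .build();
    }

    // Allow-list a single front-end origin; never combine "*" with allowCredentials(true).
    @Bean
    CorsConfigurationSource corsConfigurationSource() {
        CorsConfiguration cfg = new CorsConfiguration();
        cfg.setAllowedOrigins(List.of("https://app.example.com"));   // assumed front-end origin
        cfg.setAllowedMethods(List.of("GET", "POST"));
        cfg.setAllowedHeaders(List.of("Authorization", "Content-Type"));
        cfg.setAllowCredentials(true);
        UrlBasedCorsConfigurationSource source = new UrlBasedCorsConfigurationSource();
        source.registerCorsConfiguration("/api/**", cfg);
        return source;
    }

    // Demo users only; a real gateway would delegate to an identity provider.
    @Bean
    MapReactiveUserDetailsService users() {
        PasswordEncoder encoder = PasswordEncoderFactories.createDelegatingPasswordEncoder();
        UserDetails alice = User.withUsername("alice")
                .password(encoder.encode("alice-demo-password")).roles("USER").build();
        UserDetails admin = User.withUsername("admin")
                .password(encoder.encode("admin-demo-password")).roles("USER", "ADMIN").build();
        return new MapReactiveUserDetailsService(alice, admin);
    }
}
```

Because the chain ends with anyExchange().denyAll(), a gateway route added later without a matching pathMatchers rule is rejected rather than silently exposed, which is the safer default for a component that fronts other services. The matchers apply to the request path as seen by the gateway, before any route-level rewrite.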