Spring Security文档的The Security Filter Chain一章指出Spring Security完全基于标准的servlet过滤器,本文结合笔者的看法对该文档进行一些补充说明。
DelegatingFilterProxy类
DelegatingFilterProxy用于代理其他的过滤器,位于spring-web.jar中,这使得Spring可以通过它方便地使用Spring容器管理的过滤器。DelegatingFilterProxy的部分代码如下所示,它继承自GenericFilterBean类,GenericFilterBean的作用与DispatcherServlet的初始化过程这篇文章中介绍的HttpServletBean相似。
public class DelegatingFilterProxy extends GenericFilterBean {
private String contextAttribute;
private WebApplicationContext webApplicationContext;
private String targetBeanName;
private boolean targetFilterLifecycle = false;
private volatile Filter delegate;
private final Object delegateMonitor = new Object();
// 省略一些代码
@Override
protected void initFilterBean() throws ServletException {
synchronized (this.delegateMonitor) {
if (this.delegate == null) {
// If no target bean name specified, use filter name.
if (this.targetBeanName == null) {
this.targetBeanName = getFilterName();
}
// Fetch Spring root application context and initialize the delegate early,
// if possible. If the root application context will be started after this
// filter proxy, we'll have to resort to lazy initialization.
WebApplicationContext wac = findWebApplicationContext();
if (wac != null) {
this.delegate = initDelegate(wac);
}
}
}
}
@Override
public void doFilter(ServletRequest request, ServletResponse response, FilterChain filterChain)
throws ServletException, IOException {
// Lazily initialize the delegate if necessary.
Filter delegateToUse = this.delegate;
if (delegateToUse == null) {
synchronized (this.delegateMonitor) {
delegateToUse = this.delegate;
if (delegateToUse == null) {
WebApplicationContext wac = findWebApplicationContext();
if (wac == null) {
throw new IllegalStateException("No WebApplicationContext found: " +
"no ContextLoaderListener or DispatcherServlet registered?");
}
delegateToUse = initDelegate(wac);
}
this.delegate = delegateToUse;
}
}
// Let the delegate perform the actual doFilter operation.
invokeDelegate(delegateToUse, request, response, filterChain);
}
protected Filter initDelegate(WebApplicationContext wac) throws ServletException {
Filter delegate = wac.getBean(getTargetBeanName(), Filter.class);
if (isTargetFilterLifecycle()) {
delegate.init(getFilterConfig());
}
return delegate;
}
// 省略一些代码
}
- 在initFilterBean方法初始化DelegatingFilterProxy对象或者第一次执行doFilter方法时会调用findWebApplicationContext方法查找上下文;
- targetBeanName表示被代理的过滤器bean的名称;
- delegate保存被代理的过滤器实例,该实例即是initDelegate方法从上下文中查找的名为targetBeanName的过滤器bean;
- delegateMonitor是初始化时用的锁。
doFilter方法利用invokeDelegate方法将调用委托给被代理的过滤器执行。
protected void invokeDelegate(
Filter delegate, ServletRequest request, ServletResponse response, FilterChain filterChain)
throws ServletException, IOException {
delegate.doFilter(request, response, filterChain);
}
FilterChainProxy类
文档提到“Spring Security的基础设施只应该委托给一个FilterChainProxy实例,如果在web.xml中配置每个Spring Security的过滤器那就会显得很笨拙”。
FilterChainProxy继承自GenericFilterBean类,可以看成一个过滤器的集合。
public class FilterChainProxy extends GenericFilterBean {
private static final Log logger = LogFactory.getLog(FilterChainProxy.class);
private final static String FILTER_APPLIED = FilterChainProxy.class.getName().concat(
".APPLIED");
private List<SecurityFilterChain> filterChains;
private FilterChainValidator filterChainValidator = new NullFilterChainValidator();
private HttpFirewall firewall = new DefaultHttpFirewall();
public FilterChainProxy() {
}
public FilterChainProxy(SecurityFilterChain chain) {
this(Arrays.asList(chain));
}
public FilterChainProxy(List<SecurityFilterChain> filterChains) {
this.filterChains = filterChains;
}
@Override
public void afterPropertiesSet() {
filterChainValidator.validate(this);
}
// 省略一些代码
}
- filterChains字段可以看成保存了所有与Spring Security相关的过滤器,这些过滤器由SecurityFilterChain组织起来。
public interface SecurityFilterChain { boolean matches(HttpServletRequest request); List<Filter> getFilters(); }
doFilter方法则调用了doFilterInternal方法,该方法及相关代码如下:
private void doFilterInternal(ServletRequest request, ServletResponse response,
FilterChain chain) throws IOException, ServletException {
FirewalledRequest fwRequest = firewall
.getFirewalledRequest((HttpServletRequest) request);
HttpServletResponse fwResponse = firewall
.getFirewalledResponse((HttpServletResponse) response);
List<Filter> filters = getFilters(fwRequest);
if (filters == null || filters.size() == 0) {
if (logger.isDebugEnabled()) {
logger.debug(UrlUtils.buildRequestUrl(fwRequest)
+ (filters == null ? " has no matching filters"
: " has an empty filter list"));
}
fwRequest.reset();
chain.doFilter(fwRequest, fwResponse);
return;
}
VirtualFilterChain vfc = new VirtualFilterChain(fwRequest, chain, filters);
vfc.doFilter(fwRequest, fwResponse);
}
private List<Filter> getFilters(HttpServletRequest request) {
for (SecurityFilterChain chain : filterChains) {
if (chain.matches(request)) {
return chain.getFilters();
}
}
return null;
}
- getFilters方法根据请求查找第一个匹配的SecurityFilterChain,因此SecurityFilterChain的添加顺序非常重要;
- VirtualFilterChain依次调用匹配的SecurityFilterChain中的每个过滤器。
Spring Security的过滤器
众所周知,Spring Security的实现基于servlet的过滤器,以下按照在SecurityFilterChain中的排列顺序列出了Spring Security中主要的过滤器:
- SecurityContextPersistenceFilter;
- CorsFilter;
- LogoutFilter;
- UsernamePasswordAuthenticationFilter、CasAuthenticationFilter和BasicAuthenticationFilter等认证过滤器;
- RememberMeAuthenticationFilter;
- AnonymousAuthenticationFilter;
- ExceptionTranslationFilter;
- FilterSecurityInterceptor。
更多过滤器可以参见Filter Ordering和Core Security Filters,下面简要分析各过滤器的功能。
1. SecurityContextPersistenceFilter
SecurityContextPersistenceFilter从所配置的SecurityContextRepository中获取与该请求关联的SecurityContext,并在请求结束后清除SecurityContextHolder。一般需要将该过滤器配置在其他认证过滤器前,因为认证过滤器如Basic、CAS等要求SecurityContextHolder包含有效的SecurityContext。
2. CorsFilter
CorsFilter根据CORS配置处理预检请求、简单请求和非简单请求,CORS配置由CorsConfiguration类表示。
3. LogoutFilter
若收到注销的请求,LogoutFilter会首先清除认证信息,然后依次执行配置的所有注销处理器LogoutHandler的logout方法,最后执行配置的注销成功处理器LogoutSuccessHandler的onLogoutSuccess方法。
4. UsernamePasswordAuthenticationFilter
若收到登录的请求,UsernamePasswordAuthenticationFilter执行基于表单提交的认证,默认配置下表单的用户名和密码字段分别是username和password,但是可以通过setUsernameParameter和setPasswordParameter进行配置,用户提交的用户名和密码则是通过obtainUsername和obtainPassword方法分别得到。具体的认证过程在该Filter的超类AbstractAuthenticationProcessingFilter中执行。
5. ExceptionTranslationFilter
ExceptionTranslationFilter处理位于它之后的过滤器如FilterSecurityInterceptor抛出的AccessDeniedException或AuthenticationException异常,它只是一个Java异常和HTTP响应之间的桥梁,并不做任何实际的安全认证。
- 处理AuthenticationException异常:该过滤器会委托给配置的AuthenticationEntryPoint处理;
- 处理AccessDeniedException异常:如果是匿名用户则委托给配置的AuthenticationEntryPoint处理,否则委托给配置的AccessDeniedHandler。
6. FilterSecurityInterceptor
FilterSecurityInterceptor用来保护HTTP资源,若没有认证则抛出AuthenticationException异常,若权限不足则抛出AccessDeniedException异常,这些异常都会被ExceptionTranslationFilter捕获。
参考文献
https://stackoverflow.com/questions/41480102/how-spring-security-filter-chain-works
跨域资源共享 CORS 详解
网友评论