Spring Security（三十七）：Part IV. Web Application Security

时间 2019-12-05

标签 spring security 三十七 web application 栏目 Spring 繁體版

原文原文链接

Most Spring Security users will be using the framework in applications which make user of HTTP and the Servlet API. In this part, we’ll take a look at how Spring Security provides authentication and access-control features for the web layer of an application. We’ll look behind the facade of the namespace and see which classes and interfaces are actually assembled to provide web-layer security. In some situations it is necessary to use traditional bean configuration to provide full control over the configuration, so we’ll also see how to configure these classes directly without the namespace.html

大多数Spring Security用户将在使用HTTP和Servlet API的应用程序中使用该框架。在本部分中，咱们将了解Spring Security如何为应用程序的Web层提供身份验证和访问控制功能。咱们将查看命名空间的外观，并查看实际组装的类和接口，以提供Web层安全性。在某些状况下，有必要使用传统的bean配置来提供对配置的彻底控制，所以咱们还将看到如何在没有命名空间的状况下直接配置这些类。

13. The Security Filter Chain

Spring Security’s web infrastructure is based entirely on standard servlet filters. It doesn’t use servlets or any other servlet-based frameworks (such as Spring MVC) internally, so it has no strong links to any particular web technology. It deals in HttpServletRequest s and HttpServletResponse s and doesn’t care whether the requests come from a browser, a web service client, an HttpInvoker or an AJAX application.java

Spring Security的Web基础结构彻底基于标准的servlet过滤器。它不在内部使用servlet或任何其余基于servlet的框架（例如Spring MVC），所以它没有与任何特定Web技术的强大连接。它处理HttpServletRequest和HttpServletResponse，并不关心请求是来自浏览器，Web服务客户端，HttpInvoker仍是AJAX应用程序。

Spring Security maintains a filter chain internally where each of the filters has a particular responsibility and filters are added or removed from the configuration depending on which services are required. The ordering of the filters is important as there are dependencies between them. If you have been using namespace configuration, then the filters are automatically configured for you and you don’t have to define any Spring beans explicitly but here may be times when you want full control over the security filter chain, either because you are using features which aren’t supported in the namespace, or you are using your own customized versions of classes.

Spring Security在内部维护一个过滤器链，每一个过滤器都有特定的责任，并根据所需的服务在配置中添加或删除过滤器。过滤器的顺序很重要，由于它们之间存在依赖关系。若是您一直在使用命名空间配置，那么将自动为您配置过滤器，您没必要明肯定义任何Spring bean，但这多是您但愿彻底控制安全过滤器链的时候，由于您正在使用功能命名空间中不支持，或者您使用本身的自定义版本的类。

13.1 DelegatingFilterProxy

When using servlet filters, you obviously need to declare them in your web.xml, or they will be ignored by the servlet container. In Spring Security, the filter classes are also Spring beans defined in the application context and thus able to take advantage of Spring’s rich dependency-injection facilities and lifecycle interfaces. Spring’s DelegatingFilterProxy provides the link between web.xml and the application context.web

使用servlet过滤器时，显然须要在web.xml中声明它们，不然servlet容器将忽略它们。在Spring Security中，过滤器类也是在应用程序上下文中定义的Spring bean，所以可以利用Spring丰富的依赖注入工具和生命周期接口。 Spring的DelegatingFilterProxy提供了web.xml和应用程序上下文之间的连接。

When using DelegatingFilterProxy, you will see something like this in the web.xml file:

使用DelegatingFilterProxy时，您将在web.xml文件中看到相似的内容：

<filter>
<filter-name>myFilter</filter-name>
<filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
</filter>

<filter-mapping>
<filter-name>myFilter</filter-name>
<url-pattern>/*</url-pattern>
</filter-mapping>

Notice that the filter is actually a DelegatingFilterProxy, and not the class that will actually implement the logic of the filter. What DelegatingFilterProxy does is delegate the Filter 's methods through to a bean which is obtained from the Spring application context. This enables the bean to benefit from the Spring web application context lifecycle support and configuration flexibility. The bean must implement javax.servlet.Filter and it must have the same name as that in the filter-name element. Read the Javadoc for DelegatingFilterProxy for more informationspring

请注意，过滤器其实是DelegatingFilterProxy，而不是实际实现过滤器逻辑的类。 DelegatingFilterProxy所作的是将Filter的方法委托给从Spring应用程序上下文中获取的bean。这使bean可以受益于Spring Web应用程序上下文生命周期支持和配置灵活性。 bean必须实现javax.servlet.Filter，它必须与filter-name元素中的名称相同。有关更多信息，请阅读Javadoc for DelegatingFilterProxy

13.2 FilterChainProxy

Spring Security’s web infrastructure should only be used by delegating to an instance of FilterChainProxy. The security filters should not be used by themselves. In theory you could declare each Spring Security filter bean that you require in your application context file and add a corresponding DelegatingFilterProxy entry to web.xml for each filter, making sure that they are ordered correctly, but this would be cumbersome and would clutter up the web.xml file quickly if you have a lot of filters. FilterChainProxy lets us add a single entry to web.xml and deal entirely with the application context file for managing our web security beans. It is wired using a DelegatingFilterProxy, just like in the example above, but with the filter-name set to the bean name "filterChainProxy". The filter chain is then declared in the application context with the same bean name. Here’s an example:浏览器

Spring Security的Web基础结构只能经过委托FilterChainProxy实例来使用。安全过滤器自己不该使用。从理论上讲，您能够在应用程序上下文文件中声明所需的每一个Spring Security过滤器bean，并为每一个过滤器添加相应的DelegatingFilterProxy条目到web.xml，确保它们正确排序，但这会很麻烦而且会使若是您有不少过滤器，请快速使用web.xml文件。 FilterChainProxy容许咱们向web.xml添加一个条目，并彻底处理应用程序上下文文件以管理咱们的Web安全bean。它使用DelegatingFilterProxy链接，就像上面的例子同样，可是filter-name设置为bean名称“filterChainProxy”。而后，在应用程序上下文中使用相同的bean名称声明过滤器链。这是一个例子：

<bean id="filterChainProxy" class="org.springframework.security.web.FilterChainProxy">
<constructor-arg>
	<list>
	<sec:filter-chain pattern="/restful/**" filters="
		securityContextPersistenceFilterWithASCFalse,
		basicAuthenticationFilter,
		exceptionTranslationFilter,
		filterSecurityInterceptor" />
	<sec:filter-chain pattern="/**" filters="
		securityContextPersistenceFilterWithASCTrue,
		formLoginFilter,
		exceptionTranslationFilter,
		filterSecurityInterceptor" />
	</list>
</constructor-arg>
</bean>

The namespace element filter-chain is used for convenience to set up the security filter chain(s) which are required within the application. ^[6]. It maps a particular URL pattern to a list of filters built up from the bean names specified in the filters element, and combines them in a bean of type SecurityFilterChain. The pattern attribute takes an Ant Paths and the most specific URIs should appear first ^[7]. At runtime the FilterChainProxy will locate the first URI pattern that matches the current web request and the list of filter beans specified by the filters attribute will be applied to that request. The filters will be invoked in the order they are defined, so you have complete control over the filter chain which is applied to a particular URL.安全

命名空间元素过滤器链用于方便设置应用程序中所需的安全过滤器链。 [6]。它将特定的URL模式映射到根据filters元素中指定的bean名称构建的过滤器列表，并将它们组合在SecurityFilterChain类型的bean中。 pattern属性采用Ant路径，最具体的URI应首先出现[7]。在运行时，FilterChainProxy将找到与当前Web请求匹配的第一个URI模式，而且filters属性指定的过滤器bean列表将应用于该请求。过滤器将按照定义的顺序调用，所以您能够彻底控制应用于特定URL的过滤器链。

You may have noticed we have declared two SecurityContextPersistenceFilter s in the filter chain ( ASC is short for allowSessionCreation, a property of SecurityContextPersistenceFilter). As web services will never present a jsessionid on future requests, creating HttpSession s for such user agents would be wasteful. If you had a high-volume application which required maximum scalability, we recommend you use the approach shown above. For smaller applications, using a single SecurityContextPersistenceFilter (with its default allowSessionCreation as true) would likely be sufficient.

您可能已经注意到咱们在过滤器链中声明了两个SecurityContextPersistenceFilter（ASC是allowSessionCreation的缩写，是SecurityContextPersistenceFilter的一个属性）。因为Web服务永远不会出现将来请求的jsessionid，所以为这样的用户代理建立HttpSession将是浪费。若是您的大批量应用程序须要最大的可扩展性，咱们建议您使用上面显示的方法。对于较小的应用程序，使用单个SecurityContextPersistenceFilter（默认的allowSessionCreation为true）可能就足够了。

Note that FilterChainProxy does not invoke standard filter lifecycle methods on the filters it is configured with. We recommend you use Spring’s application context lifecycle interfaces as an alternative, just as you would for any other Spring bean.

请注意，FilterChainProxy不会在配置的过滤器上调用标准过滤器生命周期方法。咱们建议您使用Spring的应用程序上下文生命周期接口做为替代方法，就像使用任何其余Spring bean同样。

When we looked at how to set up web security using namespace configuration, we used a DelegatingFilterProxy with the name "springSecurityFilterChain". You should now be able to see that this is the name of the FilterChainProxy which is created by the namespace.

当咱们查看如何使用命名空间配置设置Web安全性时，咱们使用了名为“springSecurityFilterChain”的DelegatingFilterProxy。您如今应该可以看到这是由命名空间建立的FilterChainProxy的名称。

13.2.1 Bypassing the Filter Chain

You can use the attribute filters = "none" as an alternative to supplying a filter bean list. This will omit the request pattern from the security filter chain entirely. Note that anything matching this path will then have no authentication or authorization services applied and will be freely accessible. If you want to make use of the contents of the SecurityContext contents during a request, then it must have passed through the security filter chain. Otherwise the SecurityContextHolder will not have been populated and the contents will be null.restful

您可使用属性filters =“none”做为提供过滤器bean列表的替代方法。这将彻底省略安全过滤器链中的请求模式。请注意，与此路径匹配的任何内容都将不会应用任何身份验证或受权服务，而且能够自由访问。若是要在请求期间使用SecurityContext内容的内容，则它必须已经过安全筛选器链。不然，将不会填充SecurityContextHolder，而且内容将为null。

13.3 Filter Ordering

The order that filters are defined in the chain is very important. Irrespective of which filters you are actually using, the order should be as follows:cookie

过滤器在链中定义的顺序很是重要。不管您实际使用哪一种过滤器，订单应以下：

ChannelProcessingFilter, because it might need to redirect to a different protocol
ChannelProcessingFilter，由于它可能须要重定向到不一样的协议
SecurityContextPersistenceFilter, so a SecurityContext can be set up in the SecurityContextHolder at the beginning of a web request, and any changes to the SecurityContext can be copied to the HttpSession when the web request ends (ready for use with the next web request)
SecurityContextPersistenceFilter，所以能够在Web请求开始时在SecurityContextHolder中设置SecurityContext，而且当Web请求结束时（可使用下一个Web请求准备好），能够将对SecurityContext的任何更改复制到HttpSession。
ConcurrentSessionFilter, because it uses the SecurityContextHolder functionality and needs to update the SessionRegistry to reflect ongoing requests from the principal
ConcurrentSessionFilter，由于它使用SecurityContextHolder功能并须要更新SessionRegistry以反映来自主体的持续请求
Authentication processing mechanisms - UsernamePasswordAuthenticationFilter, CasAuthenticationFilter, BasicAuthenticationFilter etc - so that the SecurityContextHolder can be modified to contain a valid Authentication request token
身份验证处理机制 - UsernamePasswordAuthenticationFilter，CasAuthenticationFilter，BasicAuthenticationFilter等 - 以即可以修改SecurityContextHolder以包含有效的身份验证请求令牌
The SecurityContextHolderAwareRequestFilter, if you are using it to install a Spring Security aware HttpServletRequestWrapper into your servlet container
SecurityContextHolderAwareRequestFilter，若是您使用它将Spring安全感知HttpServletRequestWrapper安装到您的servlet容器中
The JaasApiIntegrationFilter, if a JaasAuthenticationToken is in the SecurityContextHolder this will process the FilterChain as the Subject in the JaasAuthenticationToken
JaasApiIntegrationFilter，若是JaasAuthenticationToken位于SecurityContextHolder中，则会将FilterChain做为JaasAuthenticationToken中的Subject进行处理
RememberMeAuthenticationFilter, so that if no earlier authentication processing mechanism updated the SecurityContextHolder, and the request presents a cookie that enables remember-me services to take place, a suitable remembered Authentication object will be put there
RememberMeAuthenticationFilter，这样若是没有更早的身份验证处理机制更新SecurityContextHolder，而且请求提供了一个启用记住我服务的cookie，那么一个合适的记忆身份验证对象将放在那里
AnonymousAuthenticationFilter, so that if no earlier authentication processing mechanism updated the SecurityContextHolder, an anonymous Authentication object will be put there
AnonymousAuthenticationFilter，这样若是没有更早的身份验证处理机制更新SecurityContextHolder，那么匿名身份验证对象将被放在那里
ExceptionTranslationFilter, to catch any Spring Security exceptions so that either an HTTP error response can be returned or an appropriate AuthenticationEntryPoint can be launched
ExceptionTranslationFilter，用于捕获任何Spring Security异常，以即可以返回HTTP错误响应或启动相应的AuthenticationEntryPoint
FilterSecurityInterceptor, to protect web URIs and raise exceptions when access is denied
FilterSecurityInterceptor，用于保护Web URI并在访问被拒绝时引起异常