TODO: details to be expanded
AccessDecisionManager: checks authorization information
AccessDecisionVoter subclasses:
  RoleVoter (org.springframework.security.access.vote)
  RoleHierarchyVoter (org.springframework.security.access.vote)
  ScopeVoter (org.springframework.security.oauth2.provider.vote)
  WebExpressionVoter (org.springframework.security.web.access.expression)
  ClientScopeVoter (org.springframework.security.oauth2.provider.vote)
  Jsr250Voter (org.springframework.security.access.annotation)
  AuthenticatedVoter (org.springframework.security.access.vote)
  AbstractAclVoter (org.springframework.security.access.vote)
  PreInvocationAuthorizationAdviceVoter (org.springframework.security.access.prepost)
AuthenticationEntryPoint subclasses:
  Http401AuthenticationEntryPoint (org.springframework.boot.autoconfigure.security)
  DelegatingAuthenticationEntryPoint (org.springframework.security.web.authentication)
  BasicAuthenticationEntryPoint (org.springframework.security.web.authentication.www)
  DigestAuthenticationEntryPoint (org.springframework.security.web.authentication.www)
  Http403ForbiddenEntryPoint (org.springframework.security.web.authentication)
  LoginUrlAuthenticationEntryPoint (org.springframework.security.web.authentication)
  OAuth2AuthenticationEntryPoint (org.springframework.security.oauth2.provider.error)
  HttpStatusEntryPoint (org.springframework.security.web.authentication)
Basic-related
Digest-related
chain = {FilterChainProxy$VirtualFilterChain@10122}
  originalChain = {ApplicationFilterChain@10132}
    filters = {ApplicationFilterConfig[10]@10359}
      0 = {ApplicationFilterConfig@10362} (metrics collection) "ApplicationFilterConfig[name=metricsFilter, filterClass=org.springframework.boot.actuate.autoconfigure.MetricsFilter]"
      1 = {ApplicationFilterConfig@10363} (sets the character encoding) "ApplicationFilterConfig[name=characterEncodingFilter, filterClass=org.springframework.boot.web.filter.OrderedCharacterEncodingFilter]"
      2 = {ApplicationFilterConfig@10364} (Sleuth message tracing) "ApplicationFilterConfig[name=traceFilter, filterClass=org.springframework.cloud.sleuth.instrument.web.TraceFilter]"
      3 = {ApplicationFilterConfig@10365} (HTTP method conversion) "ApplicationFilterConfig[name=hiddenHttpMethodFilter, filterClass=org.springframework.boot.web.filter.OrderedHiddenHttpMethodFilter]"
      4 = {ApplicationFilterConfig@10366} (lets HTTP PUT and PATCH requests read form parameters) "ApplicationFilterConfig[name=httpPutFormContentFilter, filterClass=org.springframework.boot.web.filter.OrderedHttpPutFormContentFilter]"
      5 = {ApplicationFilterConfig@10367} (request context setup) "ApplicationFilterConfig[name=requestContextFilter, filterClass=org.springframework.boot.web.filter.OrderedRequestContextFilter]"
      6 = {ApplicationFilterConfig@10368} (proxy that delegates to springSecurityFilterChain, TODO) "ApplicationFilterConfig[name=springSecurityFilterChain, filterClass=org.springframework.boot.web.servlet.DelegatingFilterProxyRegistrationBean$1]"
      7 = {ApplicationFilterConfig@10369} (records request calls, similar to an interface access log) "ApplicationFilterConfig[name=webRequestLoggingFilter, filterClass=org.springframework.boot.actuate.trace.WebRequestTraceFilter]"
      8 = {ApplicationFilterConfig@10370} (adds the X-Application-Context header to the response) "ApplicationFilterConfig[name=applicationContextIdFilter, filterClass=org.springframework.boot.web.filter.ApplicationContextHeaderFilter]"
      9 = {ApplicationFilterConfig@10371} (WebSocket support) "ApplicationFilterConfig[name=Tomcat WebSocket (JSR356) Filter, filterClass=org.apache.tomcat.websocket.server.WsFilter]"
    pos = 7
    n = 10
    servlet = {DispatcherServlet@10361}
    servletSupportsAsync = true
  additionalFilters = {ArrayList@10344} size = 11
    0 = (adds SecurityContext interception to the WebAsyncManager) {WebAsyncManagerIntegrationFilter@10127}
    1 = (loads and persists the SecurityContext, for example in the session) {SecurityContextPersistenceFilter@10125}
    2 = (supports writing headers to the response) {HeaderWriterFilter@10124}
    3 = (supports logout) {LogoutFilter@10123}
    4 = (authenticates when a token is present) {OAuth2AuthenticationProcessingFilter@10118}
    5 = (retrieves the request cached before the authentication redirect) {RequestCacheAwareFilter@10353}
    6 = (wraps the request so that the authentication object comes from Spring Security rather than the web container) {SecurityContextHolderAwareRequestFilter@10354}
    7 = (when unauthenticated, sets an anonymous user object in the context) {AnonymousAuthenticationFilter@10355}
    8 = (user-related session control) {SessionManagementFilter@10356}
    9 = (filter exception handling; exceptions from the earlier filters, for example from the authentication process, cannot be handled at this point) {ExceptionTranslationFilter@10357}
    10 = (security interceptor, TODO) {FilterSecurityInterceptor@10358}
  firewalledRequest = {RequestWrapper@10179} "FirewalledRequest[ org.apache.catalina.connector.RequestFacade@5a96a1]"
  size = 11
  currentPosition = 5
debug = true
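WebSecurityConfiguration loads all SecurityConfigurer configurations and registers them, but nothing is instantiated or built at that point. The Filter objects are built when WebSecurityConfiguration loads the springSecurityFilterChain bean. That step calls init on each SecurityConfigurer in the list collected earlier, which in turn calls configure(HttpSecurity http).
WebSecurityConfiguration: loads the security configuration
Specifically, springSecurityFilterChain() loads all SecurityConfigurer instances into WebSecurity, which builds the filter chain and caches the result.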
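To inspect the result of this build without a debugger, the following added example (not part of the original notes; the class name SecurityFilterChainAudit is hypothetical) lists every SecurityFilterChain held by the springSecurityFilterChain bean at startup and flags chains that have no filters or no FilterSecurityInterceptor. It assumes a javax.servlet-era Spring Boot application with Spring Security on the classpath, matching the versions seen in these notes.

```java
import java.util.List;
import javax.servlet.Filter;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.beans.factory.annotation.Qualifier;
import org.springframework.boot.CommandLineRunner;
import org.springframework.security.web.FilterChainProxy;
import org.springframework.security.web.SecurityFilterChain;
import org.springframework.security.web.access.intercept.FilterSecurityInterceptor;
import org.springframework.stereotype.Component;

// Added example; SecurityFilterChainAudit is a hypothetical class name.
@Component
public class SecurityFilterChainAudit implements CommandLineRunner {

    private final Filter securityFilter;

    @Autowired
    public SecurityFilterChainAudit(@Qualifier("springSecurityFilterChain") Filter securityFilter) {
        this.securityFilter = securityFilter;
    }

    @Override
    public void run(String... args) {
        // With @EnableWebSecurity(debug = true) the bean is a DebugFilter wrapper, not the proxy.
        if (!(securityFilter instanceof FilterChainProxy)) {
            System.out.println("springSecurityFilterChain is " + securityFilter.getClass().getName());
            return;
        }
        List<SecurityFilterChain> chains = ((FilterChainProxy) securityFilter).getFilterChains();
        for (int i = 0; i < chains.size(); i++) {
            List<Filter> filters = chains.get(i).getFilters();
            System.out.println("chain " + i + ": " + chains.get(i));
            if (filters.isEmpty()) {
                // Chains registered through web.ignoring() carry no filters at all.
                System.out.println("  WARN no filters: matching requests bypass Spring Security");
                continue;
            }
            boolean hasInterceptor = false;
            for (int p = 0; p < filters.size(); p++) {
                Filter f = filters.get(p);
                System.out.println("  " + p + " = " + f.getClass().getName());
                hasInterceptor |= f instanceof FilterSecurityInterceptor;
            }
            if (!hasInterceptor) {
                System.out.println("  WARN no FilterSecurityInterceptor: no URL authorization on this chain");
            }
        }
    }
}
```

Each WebSecurityConfigurer that configures an HttpSecurity contributes one chain, so the output can be compared against the configurer lists and the additionalFilters dump recorded in these notes.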
SecurityConfigurer subclasses:
  SecurityConfigurerAdapter (org.springframework.security.config.annotation)
  ClientDetailsServiceConfigurer (org.springframework.security.oauth2.config.annotation.configurers)
  OAuth2ClientAuthenticationConfigurer in SsoSecurityConfigurer (org.springframework.boot.autoconfigure.security.oauth2.client)
  UserDetailsAwareConfigurer (org.springframework.security.config.annotation.authentication.configurers.userdetails)
  AbstractDaoAuthenticationConfigurer (org.springframework.security.config.annotation.authentication.configurers.userdetails)
  DaoAuthenticationConfigurer (org.springframework.security.config.annotation.authentication.configurers.userdetails)
  UserDetailsServiceConfigurer (org.springframework.security.config.annotation.authentication.configurers.userdetails)
  UserDetailsManagerConfigurer (org.springframework.security.config.annotation.authentication.configurers.provisioning)
  JdbcUserDetailsManagerConfigurer (org.springframework.security.config.annotation.authentication.configurers.provisioning)
  InMemoryUserDetailsManagerConfigurer (org.springframework.security.config.annotation.authentication.configurers.provisioning)
  DefaultInMemoryUserDetailsManagerConfigurer in AuthenticationManagerConfiguration (org.springframework.boot.autoconfigure.security)
  ResourceServerSecurityConfigurer (org.springframework.security.oauth2.config.annotation.web.configurers)
  AbstractHttpConfigurer (org.springframework.security.config.annotation.web.configurers)
  HttpBasicConfigurer (org.springframework.security.config.annotation.web.configurers)
  LogoutConfigurer (org.springframework.security.config.annotation.web.configurers)
  RememberMeConfigurer (org.springframework.security.config.annotation.web.configurers)
  RequestCacheConfigurer (org.springframework.security.config.annotation.web.configurers)
  ServletApiConfigurer (org.springframework.security.config.annotation.web.configurers)
  DefaultLoginPageConfigurer (org.springframework.security.config.annotation.web.configurers)
  SessionManagementConfigurer (org.springframework.security.config.annotation.web.configurers)
  PortMapperConfigurer (org.springframework.security.config.annotation.web.configurers)
  ExceptionHandlingConfigurer (org.springframework.security.config.annotation.web.configurers)
  HeadersConfigurer (org.springframework.security.config.annotation.web.configurers)
  CsrfConfigurer (org.springframework.security.config.annotation.web.configurers)
  JeeConfigurer (org.springframework.security.config.annotation.web.configurers)
  AnonymousConfigurer (org.springframework.security.config.annotation.web.configurers)
  ChannelSecurityConfigurer (org.springframework.security.config.annotation.web.configurers)
  CorsConfigurer (org.springframework.security.config.annotation.web.configurers)
  SecurityContextConfigurer (org.springframework.security.config.annotation.web.configurers)
  X509Configurer (org.springframework.security.config.annotation.web.configurers)
  AbstractAuthenticationFilterConfigurer (org.springframework.security.config.annotation.web.configurers)
  FormLoginConfigurer (org.springframework.security.config.annotation.web.configurers)
  OpenIDLoginConfigurer (org.springframework.security.config.annotation.web.configurers.openid)
  AbstractInterceptUrlConfigurer (org.springframework.security.config.annotation.web.configurers)
  UrlAuthorizationConfigurer (org.springframework.security.config.annotation.web.configurers)
  ExpressionUrlAuthorizationConfigurer (org.springframework.security.config.annotation.web.configurers)
  AuthorizationServerSecurityConfigurer (org.springframework.security.oauth2.config.annotation.web.configurers)
  ClientDetailsServiceBuilder (org.springframework.security.oauth2.config.annotation.builders)
  JdbcClientDetailsServiceBuilder (org.springframework.security.oauth2.config.annotation.builders)
  1 in ClientDetailsServiceBuilder (org.springframework.security.oauth2.config.annotation.builders)
  InMemoryClientDetailsServiceBuilder (org.springframework.security.oauth2.config.annotation.builders)
  LdapAuthenticationProviderConfigurer (org.springframework.security.config.annotation.authentication.configurers.ldap)
  WebSecurityConfigurer (org.springframework.security.config.annotation.web)
  WebSecurityConfigurerAdapter (org.springframework.security.config.annotation.web.configuration)
  1 in WebSecurityConfiguration (org.springframework.security.config.annotation.web.configuration)
  ResourceServerConfiguration (org.springframework.security.oauth2.config.annotation.web.configuration)
  ApplicationNoWebSecurityConfigurerAdapter in SpringBootWebSecurityConfiguration (org.springframework.boot.autoconfigure.security)
  ManagementWebSecurityConfigurerAdapter in ManagementWebSecurityAutoConfiguration (org.springframework.boot.actuate.autoconfigure)
  AuthorizationServerSecurityConfiguration (org.springframework.security.oauth2.config.annotation.web.configuration)
  H2ConsoleSecurityConfigurer in H2ConsoleSecurityConfiguration in H2ConsoleAutoConfiguration (org.springframework.boot.autoconfigure.h2)
  OAuth2SsoDefaultConfiguration (org.springframework.boot.autoconfigure.security.oauth2.client)
  ApplicationWebSecurityConfigurerAdapter in SpringBootWebSecurityConfiguration (org.springframework.boot.autoconfigure.security)
  IgnoredPathsWebSecurityConfigurerAdapter in SpringBootWebSecurityConfiguration (org.springframework.boot.autoconfigure.security)
  GlobalAuthenticationConfigurerAdapter (org.springframework.security.config.annotation.authentication.configurers)
  InitializeAuthenticationProviderBeanManagerConfigurer (org.springframework.security.config.annotation.authentication.configuration)
  InitializeUserDetailsBeanManagerConfigurer (org.springframework.security.config.annotation.authentication.configuration)
  InitializeUserDetailsManagerConfigurer in InitializeAuthenticationProviderBeanManagerConfigurer (org.springframework.security.config.annotation.authentication.configuration)
  SpringBootAuthenticationConfigurerAdapter in AuthenticationManagerConfiguration (org.springframework.boot.autoconfigure.security)
  BootGlobalAuthenticationConfigurationAdapter in BootGlobalAuthenticationConfiguration (org.springframework.boot.autoconfigure.security)
  InitializeUserDetailsManagerConfigurer in InitializeUserDetailsBeanManagerConfigurer (org.springframework.security.config.annotation.authentication.configuration)
  EnableGlobalAuthenticationAutowiredConfigurer in AuthenticationConfiguration (org.springframework.security.config.annotation.authentication.configuration)
WebSecurityConfigurer subclasses:
  WebSecurityConfigurerAdapter (org.springframework.security.config.annotation.web.configuration)
  WebSecurityConfiguration (com.huawei.billingcloud.sysmgmt.oauth)
  1 in WebSecurityConfiguration (org.springframework.security.config.annotation.web.configuration)
  ResourceServerConfiguration (org.springframework.security.oauth2.config.annotation.web.configuration)
  ApplicationNoWebSecurityConfigurerAdapter in SpringBootWebSecurityConfiguration (org.springframework.boot.autoconfigure.security)
  ManagementWebSecurityConfigurerAdapter in ManagementWebSecurityAutoConfiguration (org.springframework.boot.actuate.autoconfigure)
  AuthorizationServerSecurityConfiguration (org.springframework.security.oauth2.config.annotation.web.configuration)
  H2ConsoleSecurityConfigurer in H2ConsoleSecurityConfiguration in H2ConsoleAutoConfiguration (org.springframework.boot.autoconfigure.h2)
  OAuth2SsoDefaultConfiguration (org.springframework.boot.autoconfigure.security.oauth2.client)
  ApplicationWebSecurityConfigurerAdapter in SpringBootWebSecurityConfiguration (org.springframework.boot.autoconfigure.security)
  IgnoredPathsWebSecurityConfigurerAdapter in SpringBootWebSecurityConfiguration (org.springframework.boot.autoconfigure.security)
ResourceServerConfiguration loads the resource server configuration (ResourceServerConfigurer).
At the same time, it is itself a WebSecurityConfigurer and is loaded by the WebSecurityConfiguration described above.
RestTemplate default converters:
  0 = {ByteArrayHttpMessageConverter@8484}
  1 = {StringHttpMessageConverter@8485}
  2 = {ResourceHttpMessageConverter@8486}
  3 = {SourceHttpMessageConverter@8487}
  4 = {AllEncompassingFormHttpMessageConverter@8488}
  5 = {Jaxb2RootElementHttpMessageConverter@8489}
  6 = {MappingJackson2HttpMessageConverter@8490}
  0 = {SpringBootWebSecurityConfiguration$IgnoredPathsWebSecurityConfigurerAdapter@11234}
  1 = {ResourceServerConfiguration$$EnhancerBySpringCGLIB$$c6c322ec@8468}
  2 = {SpringBootWebSecurityConfiguration$ApplicationNoWebSecurityConfigurerAdapter$$EnhancerBySpringCGLIB$$a64c52f7@11230}

  0 = {SpringBootWebSecurityConfiguration$IgnoredPathsWebSecurityConfigurerAdapter@13290}
  1 = {AuthorizationServerSecurityConfiguration$$EnhancerBySpringCGLIB$$2aaaf2bf@9227}
  2 = {WebSecurityConfiguration$$EnhancerBySpringCGLIB$$f14e4087@13291}
  3 = {SpringBootWebSecurityConfiguration$ApplicationNoWebSecurityConfigurerAdapter$$EnhancerBySpringCGLIB$$a7a04c53@13292}