spring security梳理

时间 2019-11-17

原文原文链接

核心服务：AuthenticationManager，UserDetailsService和AccessDecisionManagerjava

The AuthenticationManager, ProviderManager and AuthenticationProvider

AuthenticationManager是一个接口，它默认的实现类是ProviderManager，ProviderManager 并非本身直接对请求进行验证，而是将其委派给一个AuthenticationProvider 列表。web

spring-security.xml中配置spring

Web应用程序的安全性

The Security Filter Chain

在web.xml配置DelegatingFilterProxy。api

    <filter>
        <filter-name>springSecurityFilterChain</filter-name>
        <filter-class>org.springframework.web.filter.DelegatingFilterProxy
        </filter-class>
    </filter>

    <filter-mapping>
        <filter-name>springSecurityFilterChain</filter-name>
        <url-pattern>/*</url-pattern>
    </filter-mapping>

DelegatingFilterProxy这个类自己与springsecurity无关。它的做用是充当代理，将Spring应用程序上下文中的bean委托给servlet 容器中的filter，将其关联起来。安全

DelegatingFilterProxy类继承于抽象类GenericFilterBean,间接地implement 了javax.servlet.Filter接口。session

Servlet容器在启动时，首先会调用Filter的init方法。app

GenericFilterBean的做用主要是能够把Filter的初始化参数自动地set到继承于GenericFilterBean类的Filter中去。ide

标准过滤器别名和顺序
Alias	Filter Class	Namespace Element or Attribute
CHANNEL_FILTERui	`ChannelProcessingFilter`url	`http/intercept-url@requires-channel`
SECURITY_CONTEXT_FILTER	`SecurityContextPersistenceFilter`	`http`
CONCURRENT_SESSION_FILTER	`ConcurrentSessionFilter`	`session-management/concurrency-control`
HEADERS_FILTER	`HeaderWriterFilter`	`http/headers`
CSRF_FILTER	`CsrfFilter`	`http/csrf`
LOGOUT_FILTER	`LogoutFilter`	`http/logout`
X509_FILTER	`X509AuthenticationFilter`	`http/x509`
PRE_AUTH_FILTER	`AbstractPreAuthenticatedProcessingFilter`Subclasses	N/A
CAS_FILTER	`CasAuthenticationFilter`	N/A
FORM_LOGIN_FILTER	`UsernamePasswordAuthenticationFilter`	`http/form-login`
BASIC_AUTH_FILTER	`BasicAuthenticationFilter`	`http/http-basic`
SERVLET_API_SUPPORT_FILTER	`SecurityContextHolderAwareRequestFilter`	`http/@servlet-api-provision`
JAAS_API_SUPPORT_FILTER	`JaasApiIntegrationFilter`	`http/@jaas-api-provision`
REMEMBER_ME_FILTER	`RememberMeAuthenticationFilter`	`http/remember-me`
ANONYMOUS_FILTER	`AnonymousAuthenticationFilter`	`http/anonymous`
SESSION_MANAGEMENT_FILTER	`SessionManagementFilter`	`session-management`
EXCEPTION_TRANSLATION_FILTER	`ExceptionTranslationFilter`	`http`
FILTER_SECURITY_INTERCEPTOR	`FilterSecurityInterceptor`	`http`
SWITCH_USER_FILTER	`SwitchUserFilter`	N/A