Spring Security source code analysis
Basic use of Spring Security
pom.xml
<dependencies>
    <dependency>
        <groupId>org.springframework.boot</groupId>
        <artifactId>spring-boot-starter</artifactId>
    </dependency>
    <dependency>
        <groupId>org.springframework.boot</groupId>
        <artifactId>spring-boot-starter-web</artifactId>
    </dependency>
    <!-- Spring Security -->
    <dependency>
        <groupId>org.springframework.boot</groupId>
        <artifactId>spring-boot-starter-security</artifactId>
    </dependency>
</dependencies>
Application class
@SpringBootApplication
public class SpringBootSecurityApplication {
    public static void main(String[] args) {
        SpringApplication.run(SpringBootSecurityApplication.class, args);
    }
}
Configuration file
server:
  port: 8001
spring:
  security:
    user:
      name: admin
      password: 123456
Controller
@RestController
@RequestMapping("/auth")
public class TestController {
    @GetMapping("/hello")
    public String sayHello() {
        return "hello security";
    }
}
Start the project
Visiting http://localhost:8001/auth/hello shows the login page.
Enter the username and password and the normal response is returned.
If no username and password are configured:
username: user
password: generated at random and printed in the console log on startup.
Spring Security request execution flow
When a request arrives, Spring Security processes it in the following steps:
Entering the filter: UsernamePasswordAuthenticationFilter
The request first reaches UsernamePasswordAuthenticationFilter (the doFilter below is inherited from its parent, AbstractAuthenticationProcessingFilter):
public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
        throws IOException, ServletException {
    HttpServletRequest request = (HttpServletRequest) req;
    HttpServletResponse response = (HttpServletResponse) res;
    if (!requiresAuthentication(request, response)) {
        chain.doFilter(request, response);
        return;
    }
    if (logger.isDebugEnabled()) {
        logger.debug("Request is to process authentication");
    }
    Authentication authResult;
    try {
        authResult = attemptAuthentication(request, response);
        if (authResult == null) {
            return;
        }
        // underneath, this issues a new JSESSIONID and stores the session under it
        sessionStrategy.onAuthentication(authResult, request, response);
    }
    catch (InternalAuthenticationServiceException failed) {
        // failure handling
        unsuccessfulAuthentication(request, response, failed);
        return;
    }
    catch (AuthenticationException failed) {
        // failure handling
        unsuccessfulAuthentication(request, response, failed);
        return;
    }
    // Authentication success
    if (continueChainBeforeSuccessfulAuthentication) {
        chain.doFilter(request, response);
    }
    // success handling
    successfulAuthentication(request, response, chain, authResult);
}
// UsernamePasswordAuthenticationFilter.java
public Authentication attemptAuthentication(HttpServletRequest request,
        HttpServletResponse response) throws AuthenticationException {
    ...
    String username = obtainUsername(request);
    String password = obtainPassword(request);
    ...
    UsernamePasswordAuthenticationToken authRequest = new UsernamePasswordAuthenticationToken(username, password);
    ...
    // this.getAuthenticationManager() is a ProviderManager by default
    return this.getAuthenticationManager().authenticate(authRequest);
}
Entering ProviderManager
It loops over the registered AuthenticationProviders and calls authenticate on each:
// ProviderManager.java
public Authentication authenticate(Authentication authentication)
        throws AuthenticationException {
    ...
    for (AuthenticationProvider provider : getProviders()) {
        ...
        result = provider.authenticate(authentication);
        if (result != null) {
            if (eraseCredentialsAfterAuthentication
                    && (result instanceof CredentialsContainer)) {
                ...
                // the password is cleared from the result here
                ((CredentialsContainer) result).eraseCredentials();
            }
            ...
            return result;
        }
        ...
    }
    ...
}
By default this calls authenticate on DaoAuthenticationProvider (inherited from AbstractUserDetailsAuthenticationProvider):
// AbstractUserDetailsAuthenticationProvider.java
public Authentication authenticate(Authentication authentication)
        throws AuthenticationException {
    ...
    // Determine username
    String username = (authentication.getPrincipal() == null) ? "NONE_PROVIDED"
            : authentication.getName();
    ...
    // load the user
    user = retrieveUser(username,
            (UsernamePasswordAuthenticationToken) authentication);
    ...
    try {
        // check the user's password
        additionalAuthenticationChecks(user,
                (UsernamePasswordAuthenticationToken) authentication);
    }
    ...
    return createSuccessAuthentication(principalToReturn, authentication, user);
}
Session ID handling
sessionStrategy.onAuthentication eventually runs into Tomcat's org.apache.catalina.connector.Request, which sets the Set-Cookie header:
// sets Set-Cookie
// org.apache.catalina.connector.Request
public String changeSessionId() {
    Session session = this.getSessionInternal(false);
    if (session == null) {
        throw new IllegalStateException(sm.getString("coyoteRequest.changeSessionId"));
    }
    // StandardManager
    Manager manager = this.getContext().getManager();
    // obtain a new session id
    String newSessionId = manager.rotateSessionId(session);
    // write the session id into the response
    this.changeSessionId(newSessionId);
    return newSessionId;
}
- Generate a new session ID and store the session under it
manager.rotateSessionId generates a new session ID and stores the session in StandardManager's (inherited from ManagerBase)
protected Map<String, Session> sessions = new ConcurrentHashMap<>()
@Override
public String rotateSessionId(Session session) {
    String newId = generateSessionId();
    changeSessionId(session, newId, true, true);
    return newId;
}

protected void changeSessionId(Session session, String newId,
        boolean notifySessionListeners, boolean notifyContainerListeners) {
    String oldId = session.getIdInternal();
    session.setId(newId, false);
    session.tellChangedSessionId(newId, oldId,
            notifySessionListeners, notifyContainerListeners);
}

@Override
public void setId(String id, boolean notify) {
    if ((this.id != null) && (manager != null))
        manager.remove(this);
    this.id = id;
    if (manager != null)
        manager.add(this);
    if (notify) {
        tellNew();
    }
}

@Override
public void add(Session session) {
    sessions.put(session.getIdInternal(), session);
    int size = getActiveSessions();
    if( size > maxActive ) {
        synchronized(maxActiveUpdateLock) {
            if( size > maxActive ) {
                maxActive = size;
            }
        }
    }
}
- Reset the session ID that is returned to the client
public void changeSessionId(String newSessionId) {
    ...
    if (response != null) {
        Cookie newCookie = ApplicationSessionCookieConfig.createSessionCookie(context,
                newSessionId, isSecure());
        response.addSessionCookieInternal(newCookie);
    }
}

public void addSessionCookieInternal(final Cookie cookie) {
    if (isCommitted()) {
        return;
    }
    String name = cookie.getName();
    final String headername = "Set-Cookie";
    ...
    if (!set) {
        addHeader(headername, header);
    }
}
Session check on login
Stepping through with a breakpoint shows that the lookup ends in findSession of StandardManager (inherited from ManagerBase), using exactly the session ID generated above:
// ManagerBase.java
@Override
public Session findSession(String id) throws IOException {
    if (id == null) {
        return null;
    }
    return sessions.get(id);
}
Loading the user
// DaoAuthenticationProvider.java
protected final UserDetails retrieveUser(String username,
        UsernamePasswordAuthenticationToken authentication)
        throws AuthenticationException {
    ...
    UserDetails loadedUser = this.getUserDetailsService().loadUserByUsername(username);
    if (loadedUser == null) {
        throw new InternalAuthenticationServiceException(
                "UserDetailsService returned null, which is an interface contract violation");
    }
    return loadedUser;
    ...
}
getUserDetailsService() returns the configured UserDetailsService, which loads the user.
By default this is the loadUserByUsername method of InMemoryUserDetailsManager:
// InMemoryUserDetailsManager.java
public UserDetails loadUserByUsername(String username)
        throws UsernameNotFoundException {
    UserDetails user = users.get(username.toLowerCase());
    if (user == null) {
        throw new UsernameNotFoundException(username);
    }
    return new User(user.getUsername(), user.getPassword(), user.isEnabled(),
            user.isAccountNonExpired(), user.isCredentialsNonExpired(),
            user.isAccountNonLocked(), user.getAuthorities());
}
Checking the password
// DaoAuthenticationProvider.java
protected void additionalAuthenticationChecks(UserDetails userDetails,
        UsernamePasswordAuthenticationToken authentication)
        throws AuthenticationException {
    if (authentication.getCredentials() == null) {
        logger.debug("Authentication failed: no credentials provided");
        throw new BadCredentialsException(messages.getMessage(
                "AbstractUserDetailsAuthenticationProvider.badCredentials",
                "Bad credentials"));
    }
    String presentedPassword = authentication.getCredentials().toString();
    // compare the presented password against the stored hash
    if (!passwordEncoder.matches(presentedPassword, userDetails.getPassword())) {
        logger.debug("Authentication failed: password does not match stored value");
        throw new BadCredentialsException(messages.getMessage(
                "AbstractUserDetailsAuthenticationProvider.badCredentials",
                "Bad credentials"));
    }
}
With this flow in mind, each step can be replaced with a custom implementation.
Customization steps
Custom UserDetailsService
The default is InMemoryUserDetailsManager.
@Service
public class UserDetailService implements UserDetailsService {
    @Override
    public UserDetails loadUserByUsername(String username) throws UsernameNotFoundException {
        BCryptPasswordEncoder bCryptPasswordEncoder = new BCryptPasswordEncoder();
        // SysUser is the project's own UserDetails implementation
        SysUser sysUser = new SysUser();
        sysUser.setUsername("admin");
        sysUser.setPassword(bCryptPasswordEncoder.encode("13579"));
        Map<String, SysUser> map = new HashMap<>();
        map.put(sysUser.getUsername(), sysUser);
        SysUser found = map.get(username);
        if (found == null) {
            // returning null would violate the UserDetailsService contract
            // (DaoAuthenticationProvider turns it into InternalAuthenticationServiceException)
            throw new UsernameNotFoundException(username);
        }
        return found;
    }
}
When a custom UserDetailsService is used, the password encoding must also be configured:
@Bean
public BCryptPasswordEncoder passwordEncoder() {
    return new BCryptPasswordEncoder();
}
The implementation classes can also be wired in the security config:
@Configuration
@EnableWebSecurity
public class SecurityConfig extends WebSecurityConfigurerAdapter {
    @Override
    protected void configure(AuthenticationManagerBuilder auth) throws Exception {
        // register the UserDetailsService / PasswordEncoder / AuthenticationProvider here
    }
}
Custom AuthenticationProvider
The default is DaoAuthenticationProvider.
@Component
public class MyAuthenticationProvider implements AuthenticationProvider {
    @Autowired
    private UserDetailService userDetailService;
    @Autowired
    private PasswordEncoder passwordEncoder;

    @Override
    public Authentication authenticate(Authentication authentication) throws AuthenticationException {
        String username = authentication.getName();
        String presentedPassword = (String) authentication.getCredentials();
        // load the user by username (throws UsernameNotFoundException when absent)
        UserDetails userDetails = this.userDetailService.loadUserByUsername(username);
        if (userDetails == null) {
            throw new BadCredentialsException("用户名不存在");
        }
        // compare the presented password against the stored hash userDetails.getPassword()
        if (presentedPassword == null || !passwordEncoder.matches(presentedPassword, userDetails.getPassword())) {
            throw new BadCredentialsException("Bad credentials");
        }
        UsernamePasswordAuthenticationToken result = new UsernamePasswordAuthenticationToken(
                userDetails, authentication.getCredentials(), userDetails.getAuthorities());
        result.setDetails(authentication.getDetails());
        return result;
    }

    @Override
    public boolean supports(Class<?> authentication) {
        // only handle username/password tokens; other token types are left to other providers
        return UsernamePasswordAuthenticationToken.class.isAssignableFrom(authentication);
    }
}
Custom AuthenticationManager
The default is ProviderManager.
@Bean
protected AuthenticationManager authenticationManager() throws Exception {
    // myAuthenticationProvider is the MyAuthenticationProvider bean injected into the config class
    ProviderManager manager = new ProviderManager(Arrays.asList(myAuthenticationProvider));
    return manager;
}
Custom filter: overriding UsernamePasswordAuthenticationFilter
public class LoginFilter extends UsernamePasswordAuthenticationFilter {
    private AuthenticationManager authenticationManager;

    public LoginFilter(AuthenticationManager authenticationManager) {
        this.authenticationManager = authenticationManager;
    }

    // attempts to authenticate the user
    @Override
    public Authentication attemptAuthentication(HttpServletRequest request, HttpServletResponse response) throws AuthenticationException {
        try {
            String username = request.getParameter("username");
            String password = request.getParameter("password");
            return authenticationManager.authenticate(new UsernamePasswordAuthenticationToken(username, password));
        } catch (Exception e) {
            try {
                response.setContentType("application/json;charset=utf-8");
                response.setStatus(HttpServletResponse.SC_UNAUTHORIZED);
                PrintWriter out = response.getWriter();
                Map<String, Object> map = new HashMap<>();
                map.put("code", HttpServletResponse.SC_UNAUTHORIZED);
                map.put("message", "账号或密码错误!");
                out.write(new ObjectMapper().writeValueAsString(map));
                out.flush();
                out.close();
            } catch (Exception e1) {
                e1.printStackTrace();
            }
            throw new RuntimeException(e);
        }
    }

    // runs after a successful authentication
    @Override
    public void successfulAuthentication(HttpServletRequest request, HttpServletResponse response, FilterChain chain, Authentication authResult) throws IOException, ServletException {
        // JwtToolUtils is the project's own JWT helper
        String token = JwtToolUtils.tokenCreate(authResult.getName(), 600);
        response.addHeader("Authorization", "RobodToken " + token); // return the token to the client
        try {
            // on success, respond with a JSON message
            response.setContentType("application/json;charset=utf-8");
            response.setStatus(HttpServletResponse.SC_OK);
            PrintWriter out = response.getWriter();
            Map<String, Object> map = new HashMap<String, Object>(4);
            map.put("code", HttpServletResponse.SC_OK);
            map.put("message", "登陆成功!");
            out.write(new ObjectMapper().writeValueAsString(map));
            out.flush();
            out.close();
        } catch (Exception e1) {
            e1.printStackTrace();
        }
        // the parent flow (session strategy, success handler) is deliberately not run
        // super.successfulAuthentication(request, response, chain, authResult);
    }
}
Custom filter: added before UsernamePasswordAuthenticationFilter
@Component
public class JwtAuthenticationTokenFilter extends OncePerRequestFilter {
    @Override
    protected void doFilterInternal(HttpServletRequest request, HttpServletResponse response, FilterChain filterChain) throws ServletException, IOException {
        // read the token
        String token = request.getHeader("token");
        if (!StringUtils.hasText(token)) {
            // no token: leave the request to the other Spring Security filters
            filterChain.doFilter(request, response);
            return;
        }
        // user information obtained by parsing the JWT (hard-coded here as a stand-in)
        SysUser securityUser = new SysUser();
        securityUser.setUsername("aa");
        securityUser.setPassword("123");
        // store the authenticated principal in SecurityContextHolder so the later Spring Security filters do not intercept the request
        UsernamePasswordAuthenticationToken authenticationToken =
                new UsernamePasswordAuthenticationToken(securityUser, null, null);
        SecurityContextHolder.getContext().setAuthentication(authenticationToken);
        // continue the chain
        filterChain.doFilter(request, response);
    }
}
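The filter above trusts whatever the token header says because the parsing step is left out. The following is an added example, not the page's filter or its JwtToolUtils helper: the same filter position, but the principal is taken only from a token whose HMAC signature verifies and whose expiry has not passed. The token layout (base64url(username) "." base64url(expiry) "." base64url(HMAC-SHA256)), the "token" header name reused from the text, the injected secret and the fixed ROLE_USER authority are all assumptions of this example.

```java
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.MessageDigest;
import java.util.Base64;
import java.util.List;
import java.util.Optional;
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;
import javax.servlet.FilterChain;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.authority.SimpleGrantedAuthority;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.web.filter.OncePerRequestFilter;

// Added example, not the page's JwtAuthenticationTokenFilter. Hypothetical token layout:
// base64url(username) "." base64url(expiry epoch seconds) "." base64url(HMAC-SHA256 over the first two parts).
public class VerifiedTokenFilter extends OncePerRequestFilter {

    private static final Base64.Encoder ENC = Base64.getUrlEncoder().withoutPadding();
    private static final Base64.Decoder DEC = Base64.getUrlDecoder();

    private final byte[] secret;   // assumed to be injected from configuration, never hard-coded

    public VerifiedTokenFilter(byte[] secret) {
        this.secret = secret;
    }

    // Issues a token; included so that verify() can be exercised end to end.
    public static String issue(byte[] secret, String username, long expiresAtEpochSeconds) {
        String body = ENC.encodeToString(username.getBytes(StandardCharsets.UTF_8))
                + "." + ENC.encodeToString(Long.toString(expiresAtEpochSeconds).getBytes(StandardCharsets.UTF_8));
        return body + "." + ENC.encodeToString(hmac(secret, body));
    }

    // Returns the username only if the signature verifies (constant-time compare) and the token is unexpired.
    public static Optional<String> verify(byte[] secret, String token, long nowEpochSeconds) {
        if (token == null) {
            return Optional.empty();
        }
        String[] parts = token.split("\\.", -1);
        if (parts.length != 3) {
            return Optional.empty();
        }
        try {
            byte[] expected = hmac(secret, parts[0] + "." + parts[1]);
            byte[] presented = DEC.decode(parts[2]);
            if (!MessageDigest.isEqual(expected, presented)) {
                return Optional.empty();
            }
            long expiresAt = Long.parseLong(new String(DEC.decode(parts[1]), StandardCharsets.UTF_8));
            if (expiresAt <= nowEpochSeconds) {
                return Optional.empty();
            }
            return Optional.of(new String(DEC.decode(parts[0]), StandardCharsets.UTF_8));
        } catch (IllegalArgumentException malformed) {   // bad base64 or a non-numeric expiry
            return Optional.empty();
        }
    }

    private static byte[] hmac(byte[] key, String data) {
        try {
            Mac mac = Mac.getInstance("HmacSHA256");
            mac.init(new SecretKeySpec(key, "HmacSHA256"));
            return mac.doFinal(data.getBytes(StandardCharsets.UTF_8));
        } catch (GeneralSecurityException e) {
            throw new IllegalStateException(e);
        }
    }

    @Override
    protected void doFilterInternal(HttpServletRequest request, HttpServletResponse response, FilterChain chain)
            throws ServletException, IOException {
        // same header name as the filter in the text
        String token = request.getHeader("token");
        Optional<String> username = verify(secret, token, System.currentTimeMillis() / 1000);
        if (username.isPresent()) {
            // authorities would normally be looked up for the user; a fixed role is assumed here
            List<GrantedAuthority> authorities = List.of(new SimpleGrantedAuthority("ROLE_USER"));
            UsernamePasswordAuthenticationToken auth =
                    new UsernamePasswordAuthenticationToken(username.get(), null, authorities);
            SecurityContextHolder.getContext().setAuthentication(auth);
        }
        // Missing, malformed, forged or expired token: nothing is stored in the context, so the
        // later filters (ExceptionTranslationFilter / FilterSecurityInterceptor) reject the request.
        chain.doFilter(request, response);
    }
}
```

Registering it is the same http.addFilterBefore(..., UsernamePasswordAuthenticationFilter.class) call shown in the text. The important difference from the hard-coded version is that a rejected token leaves the SecurityContext empty rather than populating it, so the authorization decision falls through to the normal filters.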
Registering the custom filter
@Configuration
@EnableWebSecurity
public class SecurityConfig extends WebSecurityConfigurerAdapter {
    @Autowired
    JwtAuthenticationTokenFilter jwtAuthenticationTokenFilter;

    // HttpSecurity configuration
    @Override
    public void configure(HttpSecurity http) throws Exception {
        http.addFilterBefore(jwtAuthenticationTokenFilter, UsernamePasswordAuthenticationFilter.class);
    }
}
Initialization at startup
Loading the Security username and password
When UserDetailsServiceAutoConfiguration loads, it reads the username and password from SecurityProperties; if the password is the default randomly generated one, it is logged to the console:
// UserDetailsServiceAutoConfiguration.java
@Bean
@ConditionalOnMissingBean(type = "org.springframework.security.oauth2.client.registration.ClientRegistrationRepository")
@Lazy
public InMemoryUserDetailsManager inMemoryUserDetailsManager(SecurityProperties properties,
        ObjectProvider<PasswordEncoder> passwordEncoder) {
    SecurityProperties.User user = properties.getUser();
    List<String> roles = user.getRoles();
    return new InMemoryUserDetailsManager(User.withUsername(user.getName())
            .password(getOrDeducePassword(user, passwordEncoder.getIfAvailable()))
            .roles(StringUtils.toStringArray(roles)).build());
}

private String getOrDeducePassword(SecurityProperties.User user, PasswordEncoder encoder) {
    String password = user.getPassword();
    // if the password was generated, print it to the console
    if (user.isPasswordGenerated()) {
        logger.info(String.format("%n%nUsing generated security password: %s%n", user.getPassword()));
    }
    if (encoder != null || PASSWORD_ALGORITHM_PATTERN.matcher(password).matches()) {
        return password;
    }
    return NOOP_PASSWORD_PREFIX + password;
}
SecurityProperties.java
Default username: user
Default password: randomly generated
passwordGenerated records whether the password was generated. It defaults to true and is set to false when a non-empty password is configured.
public class SecurityProperties {
    ...
    private User user = new User();
    ...
    public static class User {
        private String name = "user";
        private String password = UUID.randomUUID().toString();
        private boolean passwordGenerated = true;
        ...
        public void setPassword(String password) {
            if (!StringUtils.hasLength(password)) {
                return;
            }
            this.passwordGenerated = false;
            this.password = password;
        }
        ...
    }
}
Storing the default user account (users)
public InMemoryUserDetailsManager(UserDetails... users) {
    for (UserDetails user : users) {
        createUser(user);
    }
}

public void createUser(UserDetails user) {
    Assert.isTrue(!userExists(user.getUsername()), "user should not exist");
    users.put(user.getUsername().toLowerCase(), new MutableUser(user));
}
Loading WebSecurityConfiguration
Configurations involved (indentation shows what imports what):
- ReactiveUserDetailsServiceAutoConfiguration (@AutoConfigureAfter RSocketMessagingAutoConfiguration)
- SecurityAutoConfiguration, which @Imports:
    - SpringBootWebSecurityConfiguration
    - WebSecurityEnablerConfiguration, annotated @EnableWebSecurity, which imports:
        - WebSecurityConfiguration
        - SpringWebMvcImportSelector
        - OAuth2ImportSelector
        - @EnableGlobalAuthentication, which imports AuthenticationConfiguration (@Import ObjectPostProcessorConfiguration)
    - SecurityDataConfiguration
- SecurityFilterAutoConfiguration
- UserDetailsServiceAutoConfiguration
Loading flow
When no custom WebSecurityConfigurerAdapter is configured:
@Configuration(proxyBeanMethods = false)
@ConditionalOnClass(WebSecurityConfigurerAdapter.class)
@ConditionalOnMissingBean(WebSecurityConfigurerAdapter.class)
@ConditionalOnWebApplication(type = Type.SERVLET)
public class SpringBootWebSecurityConfiguration {
    @Configuration(proxyBeanMethods = false)
    @Order(SecurityProperties.BASIC_AUTH_ORDER)
    static class DefaultConfigurerAdapter extends WebSecurityConfigurerAdapter {
    }
}

@Configuration(proxyBeanMethods = false)
@ConditionalOnClass(AuthenticationManager.class)
@ConditionalOnBean(ObjectPostProcessor.class)
@ConditionalOnMissingBean(value = { AuthenticationManager.class, AuthenticationProvider.class, UserDetailsService.class },
        type = { "org.springframework.security.oauth2.jwt.JwtDecoder",
                "org.springframework.security.oauth2.server.resource.introspection.OpaqueTokenIntrospector" })
public class UserDetailsServiceAutoConfiguration {
    private static final String NOOP_PASSWORD_PREFIX = "{noop}";
    private static final Pattern PASSWORD_ALGORITHM_PATTERN = Pattern.compile("^\\{.+}.*$");
    private static final Log logger = LogFactory.getLog(UserDetailsServiceAutoConfiguration.class);

    // inMemoryUserDetailsManager(...) and getOrDeducePassword(...) as listed above
    ...
}

@Configuration(proxyBeanMethods = false)
@Import(ObjectPostProcessorConfiguration.class)
public class AuthenticationConfiguration {
    @Autowired(required = false)
    public void setGlobalAuthenticationConfigurers(List<GlobalAuthenticationConfigurerAdapter> configurers) {
        configurers.sort(AnnotationAwareOrderComparator.INSTANCE);
        this.globalAuthConfigurers = configurers;
    }
}

When setFilterChainProxySecurityConfigurer in WebSecurityConfiguration runs, it:
- collects all SecurityConfigurer implementations;
- sorts the collected SecurityConfigurers;
- loops over them calling webSecurity.apply(webSecurityConfigurer), which adds each configurer to webSecurity's configurers;
- sets this.webSecurityConfigurers = webSecurityConfigurers.
@Configuration(proxyBeanMethods = false)
public class WebSecurityConfiguration implements ImportAware, BeanClassLoaderAware {
    @Autowired(required = false)
    public void setFilterChainProxySecurityConfigurer(ObjectPostProcessor<Object> objectPostProcessor,
            @Value("#{@autowiredWebSecurityConfigurersIgnoreParents.getWebSecurityConfigurers()}") List<SecurityConfigurer<Filter, WebSecurity>> webSecurityConfigurers)
            throws Exception {
        webSecurity = objectPostProcessor.postProcess(new WebSecurity(objectPostProcessor));
        if (debugEnabled != null) {
            webSecurity.debug(debugEnabled);
        }
        webSecurityConfigurers.sort(AnnotationAwareOrderComparator.INSTANCE);
        Integer previousOrder = null;
        Object previousConfig = null;
        for (SecurityConfigurer<Filter, WebSecurity> config : webSecurityConfigurers) {
            Integer order = AnnotationAwareOrderComparator.lookupOrder(config);
            if (previousOrder != null && previousOrder.equals(order)) {
                throw new IllegalStateException("@Order on WebSecurityConfigurers must be unique. Order of "
                        + order + " was already used on " + previousConfig + ", so it cannot be used on "
                        + config + " too.");
            }
            previousOrder = order;
            previousConfig = config;
        }
        for (SecurityConfigurer<Filter, WebSecurity> webSecurityConfigurer : webSecurityConfigurers) {
            webSecurity.apply(webSecurityConfigurer);
        }
        this.webSecurityConfigurers = webSecurityConfigurers;
    }

    @Bean
    @DependsOn(AbstractSecurityWebApplicationInitializer.DEFAULT_FILTER_NAME)
    public SecurityExpressionHandler<FilterInvocation> webSecurityExpressionHandler() {
        return webSecurity.getExpressionHandler();
    }

    @Bean(name = AbstractSecurityWebApplicationInitializer.DEFAULT_FILTER_NAME)
    public Filter springSecurityFilterChain() throws Exception {
        boolean hasConfigurers = webSecurityConfigurers != null
                && !webSecurityConfigurers.isEmpty();
        if (!hasConfigurers) {
            WebSecurityConfigurerAdapter adapter = objectObjectPostProcessor.postProcess(new WebSecurityConfigurerAdapter() {
            });
            webSecurity.apply(adapter);
        }
        return webSecurity.build();
    }
}

webSecurityExpressionHandler in WebSecurityConfiguration is loaded next; via @DependsOn it depends on springSecurityFilterChain.
springSecurityFilterChain in WebSecurityConfiguration then loads:
1. It checks whether any webSecurityConfigurers are defined.
2. It calls webSecurity.build(), which runs the build method of AbstractSecurityBuilder and then the doBuild method of AbstractConfiguredSecurityBuilder:
@Override
protected final O doBuild() throws Exception {
    synchronized (configurers) {
        buildState = BuildState.INITIALIZING;
        beforeInit();
        init();
        buildState = BuildState.CONFIGURING;
        beforeConfigure();
        configure();
        buildState = BuildState.BUILDING;
        O result = performBuild();
        buildState = BuildState.BUILT;
        return result;
    }
}

Overall build flow:
1. beforeInit();
2. init(); loops over the configurers calling init, which reaches the init method of WebSecurityConfigurerAdapter:
public void init(final WebSecurity web) throws Exception {
    final HttpSecurity http = getHttp();
    web.addSecurityFilterChainBuilder(http).postBuildAction(() -> {
        FilterSecurityInterceptor securityInterceptor = http.getSharedObject(FilterSecurityInterceptor.class);
        web.securityInterceptor(securityInterceptor);
    });
}

protected final HttpSecurity getHttp() throws Exception {
    if (http != null) {
        return http;
    }
    AuthenticationEventPublisher eventPublisher = getAuthenticationEventPublisher();
    localConfigureAuthenticationBldr.authenticationEventPublisher(eventPublisher);
    AuthenticationManager authenticationManager = authenticationManager();
    authenticationBuilder.parentAuthenticationManager(authenticationManager);
    Map<Class<?>, Object> sharedObjects = createSharedObjects();
    http = new HttpSecurity(objectPostProcessor, authenticationBuilder, sharedObjects);
    ...
    configure(http);
    return http;
}

authenticationManager(); obtains the AuthenticationManager:
protected AuthenticationManager authenticationManager() throws Exception {
    ...
    authenticationManager = authenticationConfiguration.getAuthenticationManager();
    ...
}

public AuthenticationManager getAuthenticationManager() throws Exception {
    ...
    for (GlobalAuthenticationConfigurerAdapter config : globalAuthConfigurers) {
        authBuilder.apply(config);
    }
    authenticationManager = authBuilder.build();
    ...
}

globalAuthConfigurers holds the GlobalAuthenticationConfigurerAdapter implementations (the original marks this with a TODO). The loop calls authBuilder.apply(config), adding each GlobalAuthenticationConfigurerAdapter to authBuilder's configurers, and then authBuilder.build() runs:
public final O build() throws Exception {
    if (this.building.compareAndSet(false, true)) {
        this.object = doBuild();
        return this.object;
    }
    throw new AlreadyBuiltException("This object has already been built");
}

This again runs the build method of AbstractSecurityBuilder and the doBuild method of AbstractConfiguredSecurityBuilder, with the same flow as above. One of the global configurers is InitializeUserDetailsManagerConfigurer:
public void configure(AuthenticationManagerBuilder auth) throws Exception {
    if (auth.isConfigured()) {
        return;
    }
    UserDetailsService userDetailsService = getBeanOrNull(UserDetailsService.class);
    if (userDetailsService == null) {
        return;
    }
    PasswordEncoder passwordEncoder = getBeanOrNull(PasswordEncoder.class);
    UserDetailsPasswordService passwordManager = getBeanOrNull(UserDetailsPasswordService.class);
    DaoAuthenticationProvider provider = new DaoAuthenticationProvider();
    provider.setUserDetailsService(userDetailsService);
    if (passwordEncoder != null) {
        provider.setPasswordEncoder(passwordEncoder);
    }
    if (passwordManager != null) {
        provider.setUserDetailsPasswordService(passwordManager);
    }
    provider.afterPropertiesSet();
    auth.authenticationProvider(provider);
}

1. Get the UserDetailsService (InMemoryUserDetailsManager).
2. Get the PasswordEncoder (null in the default setup).
3. Get the UserDetailsPasswordService (InMemoryUserDetailsManager).
4. DaoAuthenticationProvider provider = new DaoAuthenticationProvider(); the constructor sets the default password encoder:
public DaoAuthenticationProvider() {
    setPasswordEncoder(PasswordEncoderFactories.createDelegatingPasswordEncoder());
}

public static PasswordEncoder createDelegatingPasswordEncoder() {
    String encodingId = "bcrypt";
    Map<String, PasswordEncoder> encoders = new HashMap<>();
    encoders.put(encodingId, new BCryptPasswordEncoder());
    encoders.put("ldap", new org.springframework.security.crypto.password.LdapShaPasswordEncoder());
    encoders.put("MD4", new org.springframework.security.crypto.password.Md4PasswordEncoder());
    encoders.put("MD5", new org.springframework.security.crypto.password.MessageDigestPasswordEncoder("MD5"));
    encoders.put("noop", org.springframework.security.crypto.password.NoOpPasswordEncoder.getInstance());
    encoders.put("pbkdf2", new Pbkdf2PasswordEncoder());
    encoders.put("scrypt", new SCryptPasswordEncoder());
    encoders.put("SHA-1", new org.springframework.security.crypto.password.MessageDigestPasswordEncoder("SHA-1"));
    encoders.put("SHA-256", new org.springframework.security.crypto.password.MessageDigestPasswordEncoder("SHA-256"));
    encoders.put("sha256", new org.springframework.security.crypto.password.StandardPasswordEncoder());
    encoders.put("argon2", new Argon2PasswordEncoder());
    return new DelegatingPasswordEncoder(encodingId, encoders);
}

5. Set the UserDetailsService, PasswordEncoder and UserDetailsPasswordService on the provider.
6. Call afterPropertiesSet.
7. auth.authenticationProvider adds the provider to the authenticationProviders of AuthenticationManagerBuilder. Building then reaches performBuild of AuthenticationManagerBuilder:
@Override
protected ProviderManager performBuild() throws Exception {
    if (!isConfigured()) {
        logger.debug("No authenticationProviders and no parentAuthenticationManager defined. Returning null.");
        return null;
    }
    ProviderManager providerManager = new ProviderManager(authenticationProviders,
            parentAuthenticationManager);
    if (eraseCredentials != null) {
        providerManager.setEraseCredentialsAfterAuthentication(eraseCredentials);
    }
    if (eventPublisher != null) {
        providerManager.setAuthenticationEventPublisher(eventPublisher);
    }
    providerManager = postProcess(providerManager);
    return providerManager;
}

configure(http); adds the corresponding configurers to http's configurers:
protected void configure(HttpSecurity http) throws Exception {
    logger.debug("Using default configure(HttpSecurity). If subclassed this will potentially override subclass configure(HttpSecurity).");
    http.authorizeRequests().anyRequest().authenticated().and().formLogin().and().httpBasic();
}

public FormLoginConfigurer<HttpSecurity> formLogin() throws Exception {
    return getOrApply(new FormLoginConfigurer<>());
}

public FormLoginConfigurer() {
    super(new UsernamePasswordAuthenticationFilter(), null);
    usernameParameter("username");
    passwordParameter("password");
}

// only a POST to /login enters UsernamePasswordAuthenticationFilter
public UsernamePasswordAuthenticationFilter() {
    super(new AntPathRequestMatcher("/login", "POST"));
}

protected AbstractAuthenticationFilterConfigurer(F authenticationFilter, String defaultLoginProcessingUrl) {
    this();
    this.authFilter = authenticationFilter;
    if (defaultLoginProcessingUrl != null) {
        loginProcessingUrl(defaultLoginProcessingUrl);
    }
}

addSecurityFilterChainBuilder(http) adds the builder to the securityFilterChainBuilders of WebSecurity:
public WebSecurity addSecurityFilterChainBuilder(SecurityBuilder<? extends SecurityFilterChain> securityFilterChainBuilder) {
    this.securityFilterChainBuilders.add(securityFilterChainBuilder);
    return this;
}

3. beforeConfigure();
4. configure(); loops over the configurers calling configure, which runs the custom configure method.
5. performBuild():
@Override
protected Filter performBuild() throws Exception {
    ...
    for (SecurityBuilder<? extends SecurityFilterChain> securityFilterChainBuilder : securityFilterChainBuilders) {
        securityFilterChains.add(securityFilterChainBuilder.build());
    }
    ...
    Filter result = filterChainProxy;
    postBuildAction.run();
    return result;
}

At this point the securityFilterChainBuilders are the HttpSecurity instances. securityFilterChainBuilder.build() loops over the configurers inside the builder, which runs the configure method of FormLoginConfigurer (inherited from AbstractAuthenticationFilterConfigurer):
// AbstractAuthenticationFilterConfigurer.class
@Override
public void configure(B http) throws Exception {
    PortMapper portMapper = http.getSharedObject(PortMapper.class);
    if (portMapper != null) {
        authenticationEntryPoint.setPortMapper(portMapper);
    }
    RequestCache requestCache = http.getSharedObject(RequestCache.class);
    if (requestCache != null) {
        this.defaultSuccessHandler.setRequestCache(requestCache);
    }
    authFilter.setAuthenticationManager(http.getSharedObject(AuthenticationManager.class));
    authFilter.setAuthenticationSuccessHandler(successHandler);
    authFilter.setAuthenticationFailureHandler(failureHandler);
    if (authenticationDetailsSource != null) {
        authFilter.setAuthenticationDetailsSource(authenticationDetailsSource);
    }
    SessionAuthenticationStrategy sessionAuthenticationStrategy = http.getSharedObject(SessionAuthenticationStrategy.class);
    if (sessionAuthenticationStrategy != null) {
        authFilter.setSessionAuthenticationStrategy(sessionAuthenticationStrategy);
    }
    RememberMeServices rememberMeServices = http.getSharedObject(RememberMeServices.class);
    if (rememberMeServices != null) {
        authFilter.setRememberMeServices(rememberMeServices);
    }
    F filter = postProcess(authFilter);
    http.addFilter(filter);
}
// authFilter is the UsernamePasswordAuthenticationFilter
The filter is added to HttpSecurity and from there ends up in the filter chain.
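Two points above hinge on the same behaviour: the note that a custom UserDetailsService must be paired with a PasswordEncoder bean, and the DelegatingPasswordEncoder that DaoAuthenticationProvider's constructor installs when InitializeUserDetailsManagerConfigurer finds no such bean. The following added example (not code from the page or from Spring Security) shows what that delegating encoder does with the stored values seen in this article: the "{noop}" value produced by getOrDeducePassword, a hash it produced itself, and a bare BCrypt hash like the one the UserDetailService in the text stores. The sample passwords are constructed.

```java
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
import org.springframework.security.crypto.factory.PasswordEncoderFactories;
import org.springframework.security.crypto.password.PasswordEncoder;

// Added example, not Spring Security's own code. Sample passwords are constructed.
public class PasswordEncoderDemo {

    // What DaoAuthenticationProvider uses when no PasswordEncoder bean is present.
    static final PasswordEncoder DELEGATING = PasswordEncoderFactories.createDelegatingPasswordEncoder();

    // What the custom configuration registers with @Bean, and what UserDetailService in the text encodes with.
    static final PasswordEncoder BCRYPT = new BCryptPasswordEncoder();

    // DelegatingPasswordEncoder prefixes the hash with its encoder id, e.g. "{bcrypt}$2a$10$...".
    static String encodeWithDefault(String rawPassword) {
        return DELEGATING.encode(rawPassword);
    }

    // BCryptPasswordEncoder stores the bare hash, e.g. "$2a$10$...", with no id prefix.
    static String encodeWithBcryptBean(String rawPassword) {
        return BCRYPT.encode(rawPassword);
    }

    // Matching through the delegating encoder: a stored value with no "{id}" prefix is routed to its
    // UnmappedIdPasswordEncoder, which throws IllegalArgumentException
    // ("There is no PasswordEncoder mapped for the id \"null\""). Treating that as a failed match
    // keeps the failure on the authentication path instead of surfacing as a server error.
    static boolean matchesWithDefault(String rawPassword, String storedPassword) {
        try {
            return DELEGATING.matches(rawPassword, storedPassword);
        } catch (IllegalArgumentException noEncoderForId) {
            return false;
        }
    }

    static boolean matchesWithBcryptBean(String rawPassword, String storedPassword) {
        return BCRYPT.matches(rawPassword, storedPassword);
    }

    public static void main(String[] args) {
        // spring.security.user.password=123456 with no encoder bean: getOrDeducePassword stores "{noop}123456"
        System.out.println("noop via default encoder: " + matchesWithDefault("123456", "{noop}123456"));

        // a hash produced by the delegating encoder carries its id and is matched by the same encoder
        String prefixed = encodeWithDefault("13579");
        System.out.println("prefixed: " + prefixed.startsWith("{bcrypt}")
                + ", matches via default encoder: " + matchesWithDefault("13579", prefixed));

        // a bare BCrypt hash, as UserDetailService in the text produces, has no id for the default encoder
        String bare = encodeWithBcryptBean("13579");
        System.out.println("bare hash via default encoder: " + matchesWithDefault("13579", bare));

        // the same bare hash is matched once a BCryptPasswordEncoder bean is the provider's encoder
        System.out.println("bare hash via bcrypt bean: " + matchesWithBcryptBean("13579", bare));
        System.out.println("wrong password via bcrypt bean: " + matchesWithBcryptBean("wrong", bare));
    }
}
```

Run it with spring-security-crypto on the classpath. The first two checks succeed, the bare hash fails through the default encoder (the id is null, so the delegating encoder has nowhere to route it) and succeeds through the BCrypt bean, and the wrong password fails either way. That routing is the whole reason the text says a custom UserDetailsService needs its own PasswordEncoder bean: InitializeUserDetailsManagerConfigurer only calls provider.setPasswordEncoder when such a bean exists.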
Filter chain order
FilterComparator() {
    Step order = new Step(INITIAL_ORDER, ORDER_STEP);
    put(ChannelProcessingFilter.class, order.next());
    put(ConcurrentSessionFilter.class, order.next());
    put(WebAsyncManagerIntegrationFilter.class, order.next());
    put(SecurityContextPersistenceFilter.class, order.next());
    put(HeaderWriterFilter.class, order.next());
    put(CorsFilter.class, order.next());
    put(CsrfFilter.class, order.next());
    put(LogoutFilter.class, order.next());
    filterToOrder.put("org.springframework.security.oauth2.client.web.OAuth2AuthorizationRequestRedirectFilter", order.next());
    filterToOrder.put("org.springframework.security.saml2.provider.service.servlet.filter.Saml2WebSsoAuthenticationRequestFilter", order.next());
    put(X509AuthenticationFilter.class, order.next());
    put(AbstractPreAuthenticatedProcessingFilter.class, order.next());
    filterToOrder.put("org.springframework.security.cas.web.CasAuthenticationFilter", order.next());
    filterToOrder.put("org.springframework.security.oauth2.client.web.OAuth2LoginAuthenticationFilter", order.next());
    filterToOrder.put("org.springframework.security.saml2.provider.service.servlet.filter.Saml2WebSsoAuthenticationFilter", order.next());
    put(UsernamePasswordAuthenticationFilter.class, order.next());
    put(ConcurrentSessionFilter.class, order.next());
    filterToOrder.put("org.springframework.security.openid.OpenIDAuthenticationFilter", order.next());
    put(DefaultLoginPageGeneratingFilter.class, order.next());
    put(DefaultLogoutPageGeneratingFilter.class, order.next());
    put(ConcurrentSessionFilter.class, order.next());
    put(DigestAuthenticationFilter.class, order.next());
    filterToOrder.put("org.springframework.security.oauth2.server.resource.web.BearerTokenAuthenticationFilter", order.next());
    put(BasicAuthenticationFilter.class, order.next());
    put(RequestCacheAwareFilter.class, order.next());
    put(SecurityContextHolderAwareRequestFilter.class, order.next());
    put(JaasApiIntegrationFilter.class, order.next());
    put(RememberMeAuthenticationFilter.class, order.next());
    put(AnonymousAuthenticationFilter.class, order.next());
    filterToOrder.put("org.springframework.security.oauth2.client.web.OAuth2AuthorizationCodeGrantFilter", order.next());
    put(SessionManagementFilter.class, order.next());
    put(ExceptionTranslationFilter.class, order.next());
    put(FilterSecurityInterceptor.class, order.next());
    put(SwitchUserFilter.class, order.next());
}
Troubleshooting
1. Error when calling the login endpoint from Postman
With no custom WebSecurityConfigurerAdapter configured,
calling the form-login endpoint from Postman fails to obtain a JSESSIONID:
curl --location 'http://localhost:8001/login' \
--header 'Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9' \
--header 'Content-Type: application/x-www-form-urlencoded' \
--header 'Cookie: JSESSIONID=24E4E66AD4D606C8F98022A30ABD49F9' \
--data-urlencode 'username=admin' \
--data-urlencode 'password=2'
The cause is the check !csrfToken.getToken().equals(actualToken) in doFilterInternal of CsrfFilter, which rejects the request:
protected void doFilterInternal(HttpServletRequest request,
        HttpServletResponse response, FilterChain filterChain)
        throws ServletException, IOException {
    request.setAttribute(HttpServletResponse.class.getName(), response);
    CsrfToken csrfToken = this.tokenRepository.loadToken(request);
    ...
    if (!csrfToken.getToken().equals(actualToken)) {
        ...
    }
    filterChain.doFilter(request, response);
}
Fixes
- 1. Send the X-CSRF-TOKEN header with the request
- 2. Disable CSRF protection
Following the default WebSecurityConfigurerAdapter configuration, add csrf().disable():
@Override
protected void configure(HttpSecurity http) throws Exception {
    http.csrf().disable().authorizeRequests().anyRequest().authenticated().and().formLogin().and().httpBasic();
}
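csrf().disable() removes the check for every endpoint, including the session-cookie form login that the CSRF filter exists to protect. The following is an added example configuration, not the page's own: it keeps option 1 (the token check) for browser requests and applies option 2 only to endpoints that are authenticated by a header token, which a cross-site form post cannot supply. It also spells out the session-fixation strategy whose Tomcat side (Request.changeSessionId / Manager.rotateSessionId) the earlier section walked through. The /api/** path is an assumption of this example.

```java
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;

// Added example (not the page's configuration). Assumed layout: browser form login under the
// default paths, header-token-authenticated endpoints under /api/**.
@Configuration
@EnableWebSecurity
public class ScopedCsrfSecurityConfig extends WebSecurityConfigurerAdapter {

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            // Session fixation: changeSessionId() is Spring Security's default on Servlet 3.1+ and is
            // the Request.changeSessionId() / Manager.rotateSessionId() path shown earlier; it is
            // written out here so the choice is visible in the configuration.
            .sessionManagement()
                .sessionFixation().changeSessionId()
                .and()
            // CSRF stays on for everything authenticated by the JSESSIONID cookie (option 1 from the
            // text: those callers send X-CSRF-TOKEN). It is skipped only under /api/**, where the
            // request is authenticated by a header the client code sets explicitly (option 2, narrowed).
            // Do not list any path here that is reachable with the session cookie alone.
            .csrf()
                .ignoringAntMatchers("/api/**")
                .and()
            .authorizeRequests()
                .anyRequest().authenticated()
                .and()
            .formLogin()
                .and()
            .httpBasic();
    }
}
```

For the Postman case in the text, option 1 with this configuration means: load the login page once with the same JSESSIONID cookie, read the token from the hidden _csrf field that DefaultLoginPageGeneratingFilter renders, and send it as the X-CSRF-TOKEN header (the header name used by the default HttpSessionCsrfTokenRepository) on the POST to /login. The token is stored in the session, so it must be paired with the cookie of the session it was issued to.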