Spring Security常見的15個攔截器

1 . org.springframework.security.web.context.SecurityContextPersistenceFilter

首當其沖的一個過濾器，作用之重要，自不必多言。

SecurityContextPersistenceFilter主要是使用SecurityContextRepository在session中保存或更新一個 SecurityContext，并將SecurityContext給以后的過濾器使用，來為后續filter建立所需的上下文。 SecurityContext中存儲了當前用戶的認證以及權限信息。

2 . org.springframework.security.web.context.request.async.WebAsyncManagerIntegrationFilter

此過濾器用于集成SecurityContext到Spring異步執行機制中的WebAsyncManager

3 . org.springframework.security.web.header.HeaderWriterFilter

向請求的Header中添加相應的信息,可在http標簽內部使用security:headers來控制

4 . org.springframework.security.web.csrf.CsrfFilter

csrf又稱跨域請求偽造，SpringSecurity會對所有post請求驗證是否包含系統生成的csrf的token信息，

如果不包含，則報錯。起到防止csrf攻擊的效果。

5. org.springframework.security.web.authentication.logout.LogoutFilter

匹配 URL為/logout的請求，實現用戶退出,清除認證信息。

6 . org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter

認證操作全靠這個過濾器，默認匹配URL為/login且必須為POST請求。

7 . org.springframework.security.web.authentication.ui.DefaultLoginPageGeneratingFilter

如果沒有在配置文件中指定認證頁面，則由該過濾器生成一個默認認證頁面。

8 . org.springframework.security.web.authentication.ui.DefaultLogoutPageGeneratingFilter

由此過濾器可以生產一個默認的退出登錄頁面

9 . org.springframework.security.web.authentication.www.BasicAuthenticationFilter

此過濾器會自動解析HTTP請求中頭部名字為Authentication，且以Basic開頭的頭信息。

10 . org.springframework.security.web.savedrequest.RequestCacheAwareFilter

通過HttpSessionRequestCache內部維護了一個RequestCache，用于緩存HttpServletRequest

11 . org.springframework.security.web.servletapi.SecurityContextHolderAwareRequestFilter

針對ServletRequest進行了一次包裝，使得request具有更加豐富的API

12 . org.springframework.security.web.authentication.AnonymousAuthenticationFilter

當SecurityContextHolder中認證信息為空,則會創建一個匿名用戶存入到SecurityContextHolder中。

spring security為了兼容未登錄的訪問，也走了一套認證流程，只不過是一個匿名的身份。

13 . org.springframework.security.web.session.SessionManagementFilter

SecurityContextRepository限制同一用戶開啟多個會話的數量

14 . org.springframework.security.web.access.ExceptionTranslationFilter

異常轉換過濾器位于整個springSecurityFilterChain的后方，用來轉換整個鏈路中出現的異常

15 . org.springframework.security.web.access.intercept.FilterSecurityInterceptor

獲取所配置資源訪問的授權信息，根據SecurityContextHolder中存儲的用戶信息來決定其是否有權限。

那么，是不是spring security一共就這么多過濾器呢？答案是否定的！隨著spring-security.xml配置的添加，還會出現新的過濾器。

那么，是不是spring security每次都會加載這些過濾器呢？答案也是否定的！隨著spring-security.xml配置的修改，有些過濾器可能會被去掉。

spring security 過濾器鏈加載原理

public class DelegatingFilterProxy extends GenericFilterBean {@Nullableprivate String contextAttribute;@Nullableprivate WebApplicationContext webApplicationContext;@Nullableprivate String targetBeanName;private boolean targetFilterLifecycle;@Nullableprivate volatile Filter delegate;//注：這個過濾器才是真正加載的過濾器private final Object delegateMonitor;//注：doFilter才是過濾器的入口，直接從這看！public void doFilter(ServletRequest request, ServletResponse response, FilterChainfilterChain) throws ServletException, IOException {Filter delegateToUse = this.delegate;if (delegateToUse == null) {synchronized(this.delegateMonitor) {delegateToUse = this.delegate;if (delegateToUse == null) {WebApplicationContext wac = this.findWebApplicationContext();if (wac == null) {throw new IllegalStateException('No WebApplicationContext found: noContextLoaderListener or DispatcherServlet registered?');}//第一步：doFilter中最重要的一步，初始化上面私有過濾器屬性delegatedelegateToUse = this.initDelegate(wac);}this.delegate = delegateToUse;}}//第三步：執行FilterChainProxy過濾器this.invokeDelegate(delegateToUse, request, response, filterChain);}//第二步：直接看最終加載的過濾器到底是誰protected Filter initDelegate(WebApplicationContext wac) throws ServletException {//debug得知targetBeanName為：springSecurityFilterChainString targetBeanName = this.getTargetBeanName();Assert.state(targetBeanName != null, 'No target bean name set');//debug得知delegate對象為：FilterChainProxyFilter delegate = (Filter)wac.getBean(targetBeanName, Filter.class);if (this.isTargetFilterLifecycle()) {delegate.init(this.getFilterConfig());}return delegate;}protected void invokeDelegate(Filter delegate, ServletRequest request, ServletResponseresponse, FilterChain filterChain) throws ServletException, IOException {delegate.doFilter(request, response, filterChain);}}

第二步debug結果如下：

由此可知， DelegatingFilterProxy通過springSecurityFilterChain這個名稱，得到了一個FilterChainProxy過濾器，最終在第三步執行了這個過濾器。

FilterChainProxy

public class FilterChainProxy extends GenericFilterBean {private static final Log logger = LogFactory.getLog(FilterChainProxy.class);private static final String FILTER_APPLIED =FilterChainProxy.class.getName().concat('.APPLIED');private List<SecurityFilterChain> filterChains;private FilterChainProxy.FilterChainValidator filterChainValidator;private HttpFirewall firewall;//咿！？可以通過一個叫SecurityFilterChain的對象實例化出一個FilterChainProxy對象//這FilterChainProxy又是何方神圣？會不會是真正的過濾器鏈對象呢？先留著這個疑問！public FilterChainProxy(SecurityFilterChain chain) {this(Arrays.asList(chain));}//又是SecurityFilterChain這家伙！嫌疑更大了！public FilterChainProxy(List<SecurityFilterChain> filterChains) {this.filterChainValidator = new FilterChainProxy.NullFilterChainValidator();this.firewall = new StrictHttpFirewall();this.filterChains = filterChains;}//注：直接從doFilter看public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)throws IOException, ServletException {boolean clearContext = request.getAttribute(FILTER_APPLIED) == null;if (clearContext) {try {request.setAttribute(FILTER_APPLIED, Boolean.TRUE);this.doFilterInternal(request, response, chain);} finally {SecurityContextHolder.clearContext();request.removeAttribute(FILTER_APPLIED);}} else {//第一步：具體操作調用下面的doFilterInternal方法了this.doFilterInternal(request, response, chain);}}private void doFilterInternal(ServletRequest request, ServletResponse response, FilterChainchain) throws IOException, ServletException {FirewalledRequest fwRequest =this.firewall.getFirewalledRequest((HttpServletRequest)request);HttpServletResponse fwResponse =this.firewall.getFirewalledResponse((HttpServletResponse)response);//第二步：封裝要執行的過濾器鏈，那么多過濾器就在這里被封裝進去了！List<Filter> filters = this.getFilters((HttpServletRequest)fwRequest);if (filters != null && filters.size() != 0) {FilterChainProxy.VirtualFilterChain vfc = newFilterChainProxy.VirtualFilterChain(fwRequest, chain, filters);//第四步：加載過濾器鏈vfc.doFilter(fwRequest, fwResponse);} else {if (logger.isDebugEnabled()) {logger.debug(UrlUtils.buildRequestUrl(fwRequest) + (filters == null ? ' has nomatching filters' : ' has an empty filter list'));}fwRequest.reset();chain.doFilter(fwRequest, fwResponse);}}private List<Filter> getFilters(HttpServletRequest request) {Iterator var2 = this.filterChains.iterator();//第三步：封裝過濾器鏈到SecurityFilterChain中！SecurityFilterChain chain;do {if (!var2.hasNext()) {return null;}chain = (SecurityFilterChain)var2.next();} while(!chain.matches(request));return chain.getFilters();}}

SecurityFilterChain

最后看SecurityFilterChain，這是個接口，實現類也只有一個，這才是web.xml中配置的過濾器鏈對象！

public interface SecurityFilterChain { boolean matches(HttpServletRequest request); List<Filter> getFilters();}

public final class DefaultSecurityFilterChain implements SecurityFilterChain { private static final Log logger = LogFactory.getLog(DefaultSecurityFilterChain.class); private final RequestMatcher requestMatcher; private final List<Filter> filters; public DefaultSecurityFilterChain(RequestMatcher requestMatcher, Filter... filters) { this(requestMatcher, Arrays.asList(filters)); } public DefaultSecurityFilterChain(RequestMatcher requestMatcher, List<Filter> filters) { logger.info('Creating filter chain: ' + requestMatcher + ', ' + filters); this.requestMatcher = requestMatcher; this.filters = new ArrayList<>(filters); } public RequestMatcher getRequestMatcher() { return requestMatcher; } public List<Filter> getFilters() { return filters; } public boolean matches(HttpServletRequest request) { return requestMatcher.matches(request); } @Override public String toString() { return '[ ' + requestMatcher + ', ' + filters + ']'; }}

以上就是本文的全部內容，希望對大家的學習有所幫助，也希望大家多多支持好吧啦網。