​

​

活动地址：

CSDN21天学习挑战赛

前言

在

SpringSecurity – 启动流程分析（三）

这篇文章的最后，我们知道了

SpringSecurity

最后会在

ApplicationFilterConfig

中加入一个名为

springSecurityFilterChain

的

Filter

：

其中包含了

SpringSecurity

默认提供的

12

个过滤器：

同时我们也可以看到

FilterChains

中只有一个

DefaultSecurityFilterChain

，这里贴一下源码：

// security 的 Filter 排序规则
private FilterComparator comparator = new FilterComparator();

@Override
protected DefaultSecurityFilterChain performBuild() {
	// 排序
	filters.sort(comparator);
	return new DefaultSecurityFilterChain(requestMatcher, filters);
}

看一下

FilterComparator

的源码：

final class FilterComparator implements Comparator<Filter>, Serializable {
	// 初始顺序值为100
	private static final int INITIAL_ORDER = 100;
	// 步长为100
	private static final int ORDER_STEP = 100;
	private final Map<String, Integer> filterToOrder = new HashMap<>();

	FilterComparator() {
		Step order = new Step(INITIAL_ORDER, ORDER_STEP);
		put(ChannelProcessingFilter.class, order.next());
		put(ConcurrentSessionFilter.class, order.next());
		put(WebAsyncManagerIntegrationFilter.class, order.next());
		put(SecurityContextPersistenceFilter.class, order.next());
		put(HeaderWriterFilter.class, order.next());
		put(CorsFilter.class, order.next());
		put(CsrfFilter.class, order.next());
		put(LogoutFilter.class, order.next());
		filterToOrder.put(
			"org.springframework.security.oauth2.client.web.OAuth2AuthorizationRequestRedirectFilter",
				order.next());
		filterToOrder.put(
				"org.springframework.security.saml2.provider.service.servlet.filter.Saml2WebSsoAuthenticationRequestFilter",
				order.next());
		put(X509AuthenticationFilter.class, order.next());
		put(AbstractPreAuthenticatedProcessingFilter.class, order.next());
		filterToOrder.put("org.springframework.security.cas.web.CasAuthenticationFilter",
				order.next());
		filterToOrder.put(
			"org.springframework.security.oauth2.client.web.OAuth2LoginAuthenticationFilter",
				order.next());
		filterToOrder.put(
				"org.springframework.security.saml2.provider.service.servlet.filter.Saml2WebSsoAuthenticationFilter",
				order.next());
		put(UsernamePasswordAuthenticationFilter.class, order.next());
		put(ConcurrentSessionFilter.class, order.next());
		filterToOrder.put(
				"org.springframework.security.openid.OpenIDAuthenticationFilter", order.next());
		put(DefaultLoginPageGeneratingFilter.class, order.next());
		put(DefaultLogoutPageGeneratingFilter.class, order.next());
		put(ConcurrentSessionFilter.class, order.next());
		put(DigestAuthenticationFilter.class, order.next());
		filterToOrder.put(
				"org.springframework.security.oauth2.server.resource.web.BearerTokenAuthenticationFilter", order.next());
		put(BasicAuthenticationFilter.class, order.next());
		put(RequestCacheAwareFilter.class, order.next());
		put(SecurityContextHolderAwareRequestFilter.class, order.next());
		put(JaasApiIntegrationFilter.class, order.next());
		put(RememberMeAuthenticationFilter.class, order.next());
		put(AnonymousAuthenticationFilter.class, order.next());
		filterToOrder.put(
			"org.springframework.security.oauth2.client.web.OAuth2AuthorizationCodeGrantFilter",
				order.next());
		put(SessionManagementFilter.class, order.next());
		put(ExceptionTranslationFilter.class, order.next());
		put(FilterSecurityInterceptor.class, order.next());
		put(SwitchUserFilter.class, order.next());
	}
	...
}

这里定义了

SpringSecurity

提供的默认过滤器的执行顺序。

分析

下面我们就按照上面给出的执行顺序看一下这些默认的

Filter

s，由于这里的

Filter

比较多，所以这里就只是简单介绍一下每一个

Filter

的作用，重要的

Filter

后面再通过几篇文章重点说，比如

UsernamePasswordAuthenticationFilter

：

1、

WebAsyncManagerIntegrationFilter


/**
 * Provides integration between the {@link SecurityContext} and Spring Web's
 * {@link WebAsyncManager} by using the
 * {@link SecurityContextCallableProcessingInterceptor#beforeConcurrentHandling(org.springframework.web.context.request.NativeWebRequest, Callable)}
 * to populate the {@link SecurityContext} on the {@link Callable}.
 */
public final class WebAsyncManagerIntegrationFilter extends OncePerRequestFilter {}

从源码注释中可以看出，该

Filter

的作用提供了

SecurityContext

与

Spring Web

的

WebAsyncManager

的集成，处理在异步线程中的

SecurityContext

。

2、

SecurityContextPersistenceFilter


/**
 * Populates the {@link SecurityContextHolder} with information obtained from the
 * configured {@link SecurityContextRepository} prior to the request and stores it back in
 * the repository once the request has completed and clearing the context holder. By
 * default it uses an {@link HttpSessionSecurityContextRepository}. See this class for
 * information <tt>HttpSession</tt> related configuration options.
 */
public class SecurityContextPersistenceFilter extends GenericFilterBean {}

该

Filter

的主要作用是为了加载

SecurityContext

到

SecurityContextHolder

中，从命名中就可以看出来（

Spring

的命名很是严谨，一般都可以见名知意）。

3、

HeaderWriterFilter


/**
 * Filter implementation to add headers to the current response. Can be useful to add
 * certain headers which enable browser protection. Like X-Frame-Options, X-XSS-Protection
 * and X-Content-Type-Options.
 */
public class HeaderWriterFilter extends OncePerRequestFilter {}

该

Filter

的作用主要是对响应信息的请求头添加一些配置

4、

CsrfFilter


/**
 * <p>
 * Applies
 * <a href="https://www.owasp.org/index.php/Cross-Site_Request_Forgery_(CSRF)" >CSRF</a>
 * protection using a synchronizer token pattern. Developers are required to ensure that
 * {@link CsrfFilter} is invoked for any request that allows state to change. Typically
 * this just means that they should ensure their web application follows proper REST
 * semantics (i.e. do not change state with the HTTP methods GET, HEAD, TRACE, OPTIONS).
 * </p>
 */
public final class CsrfFilter extends OncePerRequestFilter {}

该

Filter

的作用主要是防止跨站请求伪造

5、

LogoutFilter


/**
 * Logs a principal out.
 * <p>
 * Polls a series of {@link LogoutHandler}s. The handlers should be specified in the order
 * they are required. Generally you will want to call logout handlers
 * <code>TokenBasedRememberMeServices</code> and <code>SecurityContextLogoutHandler</code>
 * (in that order).
 * <p>
 * After logout, a redirect will be performed to the URL determined by either the
 * configured <tt>LogoutSuccessHandler</tt> or the <tt>logoutSuccessUrl</tt>, depending on
 * which constructor was used.
 */
public class LogoutFilter extends GenericFilterBean {}

该

Filter

的作用主要是对登出操作做处理，我们可以自定义

LogoutHandle

s 来处理登出逻辑，并且可以配置

LogoutSuccessHandle

或者指定

logoutSuccessUrl


6、

UsernamePasswordAuthenticationFilter


/**
 * Processes an authentication form submission. Called
 * {@code AuthenticationProcessingFilter} prior to Spring Security 3.0.
 * <p>
 * Login forms must present two parameters to this filter: a username and password. The
 * default parameter names to use are contained in the static fields
 * {@link #SPRING_SECURITY_FORM_USERNAME_KEY} and
 * {@link #SPRING_SECURITY_FORM_PASSWORD_KEY}. The parameter names can also be changed by
 * setting the {@code usernameParameter} and {@code passwordParameter} properties.
 * <p>
 * This filter by default responds to the URL {@code /login}.
 */
public class UsernamePasswordAuthenticationFilter extends
		AbstractAuthenticationProcessingFilter {}

该

Filter

的作用是处理默认的

/login

请求，也是

SpringSecurity

提供的默认用户密码登录认证，后面会详细分析该

Filter


7、

RequestCacheAwareFilter


/**
 * Responsible for reconstituting the saved request if one is cached and it matches the
 * current request.
 * <p>
 * It will call
 * {@link RequestCache#getMatchingRequest(HttpServletRequest, HttpServletResponse)
 * getMatchingRequest} on the configured <tt>RequestCache</tt>. If the method returns a
 * value (a wrapper of the saved request), it will pass this to the filter chain's
 * <tt>doFilter</tt> method. If null is returned by the cache, the original request is
 * used and the filter has no effect.
 */
public class RequestCacheAwareFilter extends GenericFilterBean {}

该

Filter

的作用是用于用户登录成功后，重新恢复跳转到登录之前的请求

8、

SecurityContextHolderAwareRequestFilter


/**
 * A <code>Filter</code> which populates the <code>ServletRequest</code> with a request
 * wrapper which implements the servlet API security methods.
 * <p>
 * {@link SecurityContextHolderAwareRequestWrapper} is extended to provide the following
 * additional methods:
 * </p>
 */
public class SecurityContextHolderAwareRequestFilter extends GenericFilterBean {}

该

Filter

的作用是拓展了

HttpServletRequest

，在每一个请求中添加了一些额外的方法，比如：

getPrincipal()

方法。可以在任何地方获取

SecurityContext

。

9、

AnonymousAuthenticationFilter


/**
 * Detects if there is no {@code Authentication} object in the
 * {@code SecurityContextHolder}, and populates it with one if needed.
 */
public class AnonymousAuthenticationFilter extends GenericFilterBean implements
		InitializingBean {}

该

Filter

的作用是对匿名用户做一些处理，比如：设置

principal

和

authorities


10、

SessionManagementFilter


/**
 * Detects that a user has been authenticated since the start of the request and, if they
 * have, calls the configured {@link SessionAuthenticationStrategy} to perform any
 * session-related activity such as activating session-fixation protection mechanisms or
 * checking for multiple concurrent logins.
 */
public class SessionManagementFilter extends GenericFilterBean {}

该

Filter

的作用是管理

Session


11、

ExceptionTranslationFilter


/**
 * Handles any <code>AccessDeniedException</code> and <code>AuthenticationException</code>
 * thrown within the filter chain.
 * <p>
 * This filter is necessary because it provides the bridge between Java exceptions and
 * HTTP responses. It is solely concerned with maintaining the user interface. This filter
 * does not do any actual security enforcement.
 */
public class ExceptionTranslationFilter extends GenericFilterBean {}

该

Filter

的作用是对于任意的

AccessDeniedException

类型的异常和

AuthenticationException

类型异常的处理

12、

FilterSecurityInterceptor


/**
 * Performs security handling of HTTP resources via a filter implementation.
 * <p>
 * The <code>SecurityMetadataSource</code> required by this security interceptor is of
 * type {@link FilterInvocationSecurityMetadataSource}.
 * <p>
 * Refer to {@link AbstractSecurityInterceptor} for details on the workflow.
 * </p>
 */
public class FilterSecurityInterceptor extends AbstractSecurityInterceptor implements
		Filter {}

该

Filter

的作用主要是做认证和授权拦截，比如我们配置了对某个

url

限制某种角色能够访问，就是在这里进行鉴权，判断是否放行

总结

以上就是基于

SpringSecurity 5.3.9.RELEASE

对默认

Filter

s 的简单分析，目前还不具备详细分析每一个

Filter

实现过程的能力，还有一些概念需要了解，后面会在

SpringSecurity 学习

专栏中对一些重要的

Filter

展开讨论