BASE64严格地说,属于编码格式,而非加密算法MD5(Message Digest algorithm 5,信息摘要算法)SHA(Secure Hash Algorithm,安全散列算法)HMAC(Hash Message Authentication Code,散列消息鉴别码)PBKDF2scryptbcrypt
DES(Data Encryption Standard,数据加密算法)PBE(Password-based encryption,基于密码验证)RSA(算法的名字以发明者的名字命名:Ron Rivest, AdiShamir 和Leonard Adleman)DH(Diffie-Hellman算法,密钥一致协议)DSA(Digital Signature Algorithm,数字签名)ECC(Elliptic Curves Cryptography,椭圆曲线密码编码学)
-
javax.servlet.ServletContainerInitializer
-
org.springframework.web.SpringServletContainerInitializer
-
org.springframework.web.WebApplicationInitializer
-
org.springframework.security.web.context.AbstractSecurityWebApplicationInitializer
-
进入
onStartup方法 -
初始化
org.springframework.web.filter.DelegatingFilterProxyorg.springframework.security.web.context.AbstractSecurityWebApplicationInitializer#insertSpringSecurityFilterChain
-
-
-
-
生产 生成被代理 filter
- org.springframework.security.config.annotation.web.configuration.WebSecurityConfiguration
org.springframework.security.config.annotation.web.configuration.WebSecurityConfiguration#springSecurityFilterChain
- org.springframework.security.config.annotation.web.configuration.WebSecurityConfiguration
-
程序经过调用之后会进入
DelegatingFilterProxy- 然后委派给
FilterChainProxy然后进入org.springframework.security.web.FilterChainProxy.VirtualFilterChain - 迭代交给其他
filter处理
- 然后委派给
-
Firewalled- 在
org.springframework.security.web.FilterChainProxy#doFilterInternal处理中转为FirewalledRequest
- 在
-
org.springframework.security.web.SecurityFilterChain接口-
默认实现
DefaultSecurityFilterChain -
在
FilterChainProxy代理之后 遍历寻找进入哪个Chain然后获取到Filter列表org.springframework.security.web.FilterChainProxy#doFilterInternal; private void doFilterInternal(ServletRequest request, ServletResponse response, FilterChain chain) throws IOException, ServletException { FirewalledRequest fwRequest = firewall .getFirewalledRequest((HttpServletRequest) request); HttpServletResponse fwResponse = firewall .getFirewalledResponse((HttpServletResponse) response); List<Filter> filters = getFilters(fwRequest); if (filters == null || filters.size() == 0) { if (logger.isDebugEnabled()) { logger.debug(UrlUtils.buildRequestUrl(fwRequest) + (filters == null ? " has no matching filters" : " has an empty filter list")); } fwRequest.reset(); chain.doFilter(fwRequest, fwResponse); return; } VirtualFilterChain vfc = new VirtualFilterChain(fwRequest, chain, filters); vfc.doFilter(fwRequest, fwResponse); } private List<Filter> getFilters(HttpServletRequest request) { for (SecurityFilterChain chain : filterChains) { if (chain.matches(request)) { return chain.getFilters(); } } return null; }
-
-
HttpSecurity核心是Filter -
每一个Filter 对应一个功能
-
org.springframework.security.web.csrf.CsrfFilter -
org.springframework.security.web.header.HeaderWriterFilter -
org.springframework.security.web.session.SessionManagementFilter -
org.springframework.web.filter.CorsFilter -
org.springframework.security.web.access.ExceptionTranslationFilter- 该接口过滤器用于处理处理异常情况捕捉 401 和 403
-
org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter-
需要认证的过滤器实现继承
AbstractAuthenticationProcessingFilter通过该接口方法实现 -
AuthenticationFailureHandler -
AuthenticationSuccessHandler -
SessionAuthenticationStrategy认证成功回调
-
-
org.springframework.security.web.access.intercept.FilterSecurityInterceptor- 实现权限控制核心过滤器
org.springframework.security.access.intercept.AbstractSecurityInterceptor
- 实现权限控制核心过滤器
-
org.springframework.security.web.authentication.AnonymousAuthenticationFilter- 用于处理
SecurityContextHolder#getContext()为空是设置为匿名AnonymousAuthenticationToken
- 用于处理
-
org.springframework.security.web.authentication.www.BasicAuthenticationFilter -
org.springframework.security.web.authentication.rememberme.RememberMeAuthenticationFilter -
org.springframework.security.web.context.SecurityContextPersistenceFilter- 用于处理 通过 cookie 里面获取到ID 然后转化为获取到
SecurityContextAuthentication
- 用于处理 通过 cookie 里面获取到ID 然后转化为获取到
-
-
Filter 扩展配置
-
org.springframework.security.config.annotation.web.configurers.CsrfConfigurer- 存储
org.springframework.security.web.csrf.CsrfTokenRepositoryCookieCsrfTokenRepositoryHttpSessionCsrfTokenRepositoryLazyCsrfTokenRepository
- 存储
-
org.springframework.security.config.annotation.web.configurers.HeadersConfigurer -
org.springframework.security.config.annotation.web.configurers.SessionManagementConfigurer- 存储
ServerSecurityContextRepositoryHttpSessionSecurityContextRepositoryNullSecurityContextRepository
org.springframework.security.core.session.SessionRegistryorg.springframework.security.core.session.SessionRegistryImpl
- 存储
-
org.springframework.security.config.annotation.web.configurers.CorsConfigurer -
org.springframework.security.config.annotation.web.configurers.ExceptionHandlingConfigurerHttpSecurity#exceptionHandling()该返回返回ConfigurerExceptionHandlingConfigurer#accessDeniedHandler用于处理 没有权限的情况ExceptionHandlingConfigurer#authenticationEntryPoint用于处理认证失败的情况
-
org.springframework.security.config.annotation.web.configurers.FormLoginConfigurer -
org.springframework.security.config.annotation.web.configurers.ExpressionUrlAuthorizationConfigurerHttpSecurity#authorizeRequests()
-
org.springframework.security.config.annotation.web.configurers.AnonymousConfigurer -
org.springframework.security.config.annotation.web.configurers.HttpBasicConfigurer -
org.springframework.security.config.annotation.web.configurers.RememberMeConfigurer-
存储
-
org.springframework.security.web.authentication.RememberMeServices-
默认实现
PersistentTokenBasedRememberMeServices -
PersistentTokenRepository
-
-
-
-
org.springframework.security.config.annotation.web.configurers.SecurityContextConfigurer
-
-
Filter 内置排序
org.springframework.security.config.annotation.web.builders.FilterComparator通过该类实现内部排序
-
禁止掉Filter
AbstractHttpConfigurer#disable
-
扩展
- 通过
org.springframework.security.config.annotation.AbstractConfiguredSecurityBuilder#apply(C)实现可配置的Buildr式Filter - 也可以通过
org.springframework.security.config.annotation.web.builders.HttpSecurity#addFilter添加策略Filter
- 通过
WebSecurity核心是ChainWebSecurity#ignoring处理忽略不仅过核心ChainWebSecurity#addSecurityFilterChainBuilder自定义 Chain
org.springframework.web.filter.OncePerRequestFilterorg.springframework.security.web.authentication.AbstractAuthenticationProcessingFilterorg.springframework.web.filter.GenericFilterBean
-
AuthenticationManager- 默认实现
org.springframework.security.authentication.ProviderManager- 处理多个
AuthenticationProvider
- 处理多个
- 默认实现
-
AuthenticationProvider -
Authentication凭证
Authentication#getAuthorities权限- 辅助工具类
AuthorityUtils
- 辅助工具类
Authentication#getCredentials凭证 通常会设置为 密码Authentication#getDetails认证详细系信息UserDetailsAuthentication#getPrincipal通常为用户名
-
UserDetailsServiceUserDetailsUserDetails#getAuthorities- 用于存储用户角色或者其他标识用户权限信息
-
SecurityContextHolder- 持有当前请求的
SecurityContext
- 持有当前请求的
-
AbstractSecurityInterceptorMethodSecurityInterceptorFilterSecurityInterceptorWeb Servlet 的实现拦截器权限
-
AccessDecisionManager -
SecurityMetadataSource-
实现接口
FilterInvocationSecurityMetadataSourceWeb ServletMethodSecurityMetadataSource编程方式
-
SecurityConfig#createList辅助工具类
-
-
PasswordEncoderBCryptPasswordEncoder推荐使用
-
SecurityContext -
AbstractUserDetailsAuthenticationProvider- 用于
UserDetails认证
- 用于