投稿
  1. 首页
  2. 随笔

spring security 学习笔记

歌曲一万个理由 2022-11-10 随笔 阅读 14

spring security 学习笔记,第1张

spring security 学习笔记 springframework.security几个关键类及结构

  • 1.org.springframework.security.web.access.interceptFilterSecurityInterceptor

    • Filter
      • doFilter
        • FilterInvocation.invoke
          • beforeInvocation
            • SecurityContextHolder.getContext().getAuthentication()
            • authenticationManager.authenticate(authentication)
            • accessDecisionManager.decide(authenticated, object, attributes)
          • getChain().doFilter
          • afterInvocation
            • afterInvocationManager.decide(token.getSecurityContext().getAuthentication(), token.getSecureObject(), token.getAttributes(), returnedObject)
    • AbstractSecurityInterceptor
      • AuthenticationManager
      • AfterInvocationManager
        • AfterInvocationProviderManager
      • AccessDecisionManager
        • AbstractAccessDecisionManager
          • Affirmativebased
          • Consensusbased
          • Unanimousbased

  • 2.org.springframework.security.access.intercept.aopalliance.MethodSecurityInterceptor

    • org.aopalliance.intercept.MethodInterceptor
      • org.aopalliance.aop.Advice.Interceptor
        • org.aopalliance.aop.Advice
    • AbstractSecurityInterceptor

  • 3.org.springframework.security.access.intercept.aspectj.AspectJMethodSecurityInterceptor

    • MethodInterceptor

  • 4.AuthenticationEntryPoint,主要是commence方法统一异常,由用户自定义实现

  • 5.AuthenticationManager, 用于验证,Processes an Authentication request

spring security过滤器设置先后顺序

FilterComparator 设置过滤器执行链

 FilterComparator.Step order = new FilterComparator.Step(100, 100);
 this.put(ChannelProcessingFilter.class, order.next());
 this.put(ConcurrentSessionFilter.class, order.next());
 this.put(WebAsyncManagerIntegrationFilter.class, order.next());
 this.put(SecurityContextPersistenceFilter.class, order.next());
 this.put(HeaderWriterFilter.class, order.next());
 this.put(CorsFilter.class, order.next());
 this.put(CsrfFilter.class, order.next());
 this.put(LogoutFilter.class, order.next());
 this.filterToOrder.put("org.springframework.security.oauth2.client.web.OAuth2AuthorizationRequestRedirectFilter", order.next());
 this.filterToOrder.put("org.springframework.security.saml2.provider.service.servlet.filter.Saml2WebSsoAuthenticationRequestFilter", order.next());
 this.put(X509AuthenticationFilter.class, order.next());
 this.put(AbstractPreAuthenticatedProcessingFilter.class, order.next());
 this.filterToOrder.put("org.springframework.security.cas.web.CasAuthenticationFilter", order.next());
 this.filterToOrder.put("org.springframework.security.oauth2.client.web.OAuth2LoginAuthenticationFilter", order.next());
 this.filterToOrder.put("org.springframework.security.saml2.provider.service.servlet.filter.Saml2WebSsoAuthenticationFilter", order.next());
 this.put(UsernamePasswordAuthenticationFilter.class, order.next());
 this.put(ConcurrentSessionFilter.class, order.next());
 this.filterToOrder.put("org.springframework.security.openid.OpenIDAuthenticationFilter", order.next());
 this.put(DefaultLoginPageGeneratingFilter.class, order.next());
 this.put(DefaultLogoutPageGeneratingFilter.class, order.next());
 this.put(ConcurrentSessionFilter.class, order.next());
 this.put(DigestAuthenticationFilter.class, order.next());
 this.filterToOrder.put("org.springframework.security.oauth2.server.resource.web.BearerTokenAuthenticationFilter", order.next());
 this.put(BasicAuthenticationFilter.class, order.next());
 this.put(RequestCacheAwareFilter.class, order.next());
 this.put(SecurityContextHolderAwareRequestFilter.class, order.next());
 this.put(JaasApiIntegrationFilter.class, order.next());
 this.put(RememberMeAuthenticationFilter.class, order.next());
 this.put(AnonymousAuthenticationFilter.class, order.next());
 this.filterToOrder.put("org.springframework.security.oauth2.client.web.OAuth2AuthorizationCodeGrantFilter", order.next());
 this.put(SessionManagementFilter.class, order.next());
 this.put(ExceptionTranslationFilter.class, order.next());
 this.put(FilterSecurityInterceptor.class, order.next());
 this.put(SwitchUserFilter.class, order.next());
oauth2关键类
  • OAuth2AuthenticationProcessingFilter OAuth2的Filter
    • doFilter
      • tokenExtractor.extract
      • authenticationManager.authenticate
      • 成功,publishAuthenticationSuccess和SecurityContextHolder.getContext().setAuthentication
      • 失败,authenticationEntryPoint.commence
  • OAuth2AuthenticationManager
    • ResourceServerTokenServices
      • DefaultTokenServices 实现类
        • loadAuthentication 方法
        • readAccessToken 方法
        • TokenStore 依赖
          • RedisTemplateTokenStore 实现类
            • getAccessToken 方法
            • removeRefreshToken 方法
            • removeAccessToken 方法
    • ClientDetailsService
      • RedisClientDetailsService,在Redis中缓存JdbcClientDetailsService维护的ClientDetails
      • JdbcClientDetailsService ,ClientDetails最终存储于数据库中
  • BearerTokenExtractor
  • OAuth2AuthenticationEntryPoint,统一的异常处理类

欢迎分享,转载请注明来源:内存溢出

原文地址: https://outofmemory.cn/zaji/4828306.html

(0)
打赏 微信扫一扫 微信扫一扫 支付宝扫一扫 支付宝扫一扫
歌曲一万个理由 歌曲一万个理由 一级用户组
0 0
上一篇 2022-11-10
下一篇 2022-11-10

发表评论

登录后才能评论

评论列表(0条)

保存