主要参考了https://mp.weixin.qq.com/s/D0weIKPto4lcuwl9DQpmvQ。
SpringSecurity版本是2.7.9。将SpringBoot和SpringSecurity结合使用,SpringSecurity自动配置类是SecurityAutoConfiguration.class。
@AutoConfiguration
@ConditionalOnClass({DefaultAuthenticationEventPublisher.class})
@EnableConfigurationProperties({SecurityProperties.class})
@Import({SpringBootWebSecurityConfiguration.class, SecurityDataConfiguration.class})
public class SecurityAutoConfiguration {
public SecurityAutoConfiguration() {
}
@Bean
@ConditionalOnMissingBean({AuthenticationEventPublisher.class})
public DefaultAuthenticationEventPublisher authenticationEventPublisher(ApplicationEventPublisher publisher) {
return new DefaultAuthenticationEventPublisher(publisher);
}
}
SecurityAutoConfiguration导入了SpringBootWebSecurityConfiguration配置类。
@Configuration(
proxyBeanMethods = false
)
@ConditionalOnWebApplication(
type = Type.SERVLET
)
class SpringBootWebSecurityConfiguration {
SpringBootWebSecurityConfiguration() {
}
@Configuration(
proxyBeanMethods = false
)
@ConditionalOnMissingBean(
name = {"springSecurityFilterChain"}
)
@ConditionalOnClass({EnableWebSecurity.class})
@EnableWebSecurity
static class WebSecurityEnablerConfiguration {
WebSecurityEnablerConfiguration() {
}
}
@Configuration(
proxyBeanMethods = false
)
@ConditionalOnClass({WebInvocationPrivilegeEvaluator.class})
@ConditionalOnBean({WebInvocationPrivilegeEvaluator.class})
static class ErrorPageSecurityFilterConfiguration {
ErrorPageSecurityFilterConfiguration() {
}
@Bean
FilterRegistrationBean<ErrorPageSecurityFilter> errorPageSecurityFilter(ApplicationContext context) {
FilterRegistrationBean<ErrorPageSecurityFilter> registration = new FilterRegistrationBean(new ErrorPageSecurityFilter(context), new ServletRegistrationBean[0]);
registration.setDispatcherTypes(DispatcherType.ERROR, new DispatcherType[0]);
return registration;
}
}
@Configuration(
proxyBeanMethods = false
)
@ConditionalOnDefaultWebSecurity
static class SecurityFilterChainConfiguration {
SecurityFilterChainConfiguration() {
}
@Bean
@Order(2147483642)
SecurityFilterChain defaultSecurityFilterChain(HttpSecurity http) throws Exception {
((ExpressionUrlAuthorizationConfigurer.AuthorizedUrl)http.authorizeRequests().anyRequest()).authenticated();
http.formLogin();
http.httpBasic();
return (SecurityFilterChain)http.build();
}
}
}
SecurityFilterChainConfiguration是默认的SecurityFilterChain配置类。WebSecurityEnablerConfiguration类上@EnableWebSecurity做了自动化配置Security的主要工作。
@Retention(RetentionPolicy.RUNTIME)
@Target({ElementType.TYPE})
@Documented
@Import({WebSecurityConfiguration.class, SpringWebMvcImportSelector.class, OAuth2ImportSelector.class, HttpSecurityConfiguration.class})
@EnableGlobalAuthentication
@Configuration
public @interface EnableWebSecurity {
boolean debug() default false;
}
@EnableWebSecurity注解导入了WebSecurityConfiguration配置类,同时引入了@EnableGlobalAuthentication注解。来看下WebSecurityConfiguration类。
WebSecurityConfiguration实现了ImportAware,BeanClassLoaderAware两个接口。BeanClassLoaderAware主要是为了获取ClassLoader。ImportAware的作用在松哥的博客说了。是为了获取到 @EnableWebSecurity 中的属性值,这里主要是 debug 属性。WebSecurityConfiguration主要看springSecurityFilterChain()和setFilterChainProxySecurityConfigurer(ObjectPostProcessor