The following is excerpted from the 2022 benefits tutorial shared by Fat Brother.

Do you have the following two questions when learning Spring Security:

  • How is Spring Security login configured?
  • What is the access control mechanism for Spring Security?

SpringBootWebSecurityConfiguration

The answer to both questions lies in the configuration class SpringBootWebSecurityConfiguration. You can follow this mind map to understand this autoconfiguration:

SpringBootWebSecurityConfiguration provides a set of default Spring Security configuration for Spring Boot applications.

	@Bean
	@Order(SecurityProperties.BASIC_AUTH_ORDER)
	SecurityFilterChain defaultSecurityFilterChain(HttpSecurity http) throws Exception {
		http.authorizeRequests().anyRequest().authenticated().and().formLogin().and().httpBasic();
		return http.build();
	}

This configuration means that every request must come from an authenticated user, and that both form login and HTTP Basic authentication are enabled. This is why we need to log in to access /foo/bar, and why form login is what handles it. In day-to-day development this is what we need to customize, as Fat Brother also explained in the article on HttpSecurity. So what is this SecurityFilterChain?

SecurityFilterChain

HttpSecurity is a build class that builds a SecurityFilterChain:

public interface SecurityFilterChain {
    // Whether the current request matches this chain
    boolean matches(HttpServletRequest request);
    // The ordered list of filters that make up this chain
    List<Filter> getFilters();
}

When an HttpServletRequest reaches a SecurityFilterChain, the matches method decides whether the request meets the conditions to enter that filter chain. It is like being a VIP: you go through the VIP channel and get the VIP treatment. An ordinary user goes through the ordinary channel and gets the ordinary treatment. Whatever the user's role, the request passes through one filter chain, and an application can contain 1 to n SecurityFilterChain instances. So who manages multiple SecurityFilterChain instances?

Remember the formula HttpSecurity -> SecurityFilterChain.

FilterChainProxy

FilterChainProxy is a GenericFilterBean (a Servlet Filter that is also a Spring bean) that manages all the SecurityFilterChain instances injected into the Spring IoC container. When I first got into Spring Security, I configured FilterChainProxy like this:

    <bean id="myfilterChainProxy" class="org.springframework.security.web.FilterChainProxy">
        <constructor-arg>
            <util:list>
                <security:filter-chain pattern="/do/not/filter*" filters="none"/>
                <security:filter-chain pattern="/**" filters="filter1,filter2,filter3"/>
            </util:list>
        </constructor-arg>
    </bean>

Different request paths are matched to different SecurityFilterChain instances. Here's a schematic:

We'll come back to this class later; for now you just need to understand the diagram above.

Note: It is not recommended to have multiple instances of FilterChainProxy in the same filter chain, and it should not be used as a pure filter. It should only manage SecurityFilterChain instances.
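
The "1 to n SecurityFilterChain" idea in practice, as an added example that is not from the original tutorial: two chains built from HttpSecurity, where FilterChainProxy uses the first chain whose matches() returns true. It assumes Spring Boot 2.x with Spring Security 5.x (the API style used on this page); the class name, bean names, the /api/** path and the API role are hypothetical.

```java
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.core.annotation.Order;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.web.SecurityFilterChain;

// Assumption: Spring Security 5.x. All names and paths here are hypothetical.
// Declaring any SecurityFilterChain bean makes Spring Boot's
// defaultSecurityFilterChain back off, so these two chains replace it.
@Configuration
public class MultiChainSecurityConfig {

    // Checked first: matches() is true only for /api/**,
    // so only those requests enter this chain.
    @Bean
    @Order(1)
    SecurityFilterChain apiChain(HttpSecurity http) throws Exception {
        http.antMatcher("/api/**")
            .authorizeRequests().anyRequest().hasRole("API")
            .and().httpBasic();
        return http.build();
    }

    // Checked last: no antMatcher, so matches() is true for every request.
    // If this chain had the lower @Order value it would shadow apiChain:
    // /api/** would then be open to any authenticated user, not only the
    // API role, because the first matching chain wins.
    @Bean
    @Order(2)
    SecurityFilterChain webChain(HttpSecurity http) throws Exception {
        http.authorizeRequests().anyRequest().authenticated()
            .and().formLogin();
        return http.build();
    }
}
```

When reviewing a configuration like this, check that every narrowly matched chain has a lower @Order value than the catch-all chain.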

DelegatingFilterProxy

The lifecycle of a Filter in the Servlet container does not match its lifecycle in the Spring IoC container. So that the Spring IoC container can manage the Filter's lifecycle, FilterChainProxy is proxied by DelegatingFilterProxy from Spring Web. FilterChainProxy does not invoke the standard Servlet filter lifecycle methods on any filter beans added to the application context, and FilterChainProxy's own lifecycle methods are executed by DelegatingFilterProxy. DelegatingFilterProxy therefore acts as the connector between Spring IoC and the Servlet container.

Simple summary

The three concepts above are important and relate to the entire filter chain architecture of Spring Security. As a beginner, understand as much as you can and don't get hung up on what you don't yet understand; it is perfectly normal not to be at that level at this stage of learning. However, you should understand these concepts by the time you finish learning Spring Security.

Follow our public account Felordcn for more information.

Personal blog: https://felord.cn