The following is excerpted from the 2022 benefits tutorial shared by Fat Brother.
Do you have the following two questions when learning Spring Security:
- How is Spring Security login configured?
- What is the access control mechanism for Spring Security?
SpringBootWebSecurityConfiguration
The answer to both questions lies in the configuration class SpringBootWebSecurityConfiguration. You can follow this mind map to understand this autoconfiguration.
SpringBootWebSecurityConfiguration provides a Spring Boot application with a default Spring Security configuration:
    @Bean
    @Order(SecurityProperties.BASIC_AUTH_ORDER)
    SecurityFilterChain defaultSecurityFilterChain(HttpSecurity http) throws Exception {
        http.authorizeRequests().anyRequest().authenticated().and().formLogin().and().httpBasic();
        return http.build();
    }
This configuration means that every request must come from an authenticated user, and that both form login and HTTP Basic authentication are enabled. This is why we need to log in before we can access /foo/bar, and form login is what handles it. In day-to-day development this is the part we need to customize, as Fat Brother also explained in the HttpSecurity article. So what is this SecurityFilterChain?
SecurityFilterChain
HttpSecurity is a builder class that builds a SecurityFilterChain:
    public interface SecurityFilterChain {
        // Whether the current request matches this chain
        boolean matches(HttpServletRequest request);
        // The ordered list of filters that make up this chain
        List<Filter> getFilters();
    }
When an HttpServletRequest reaches a SecurityFilterChain, the matches method determines whether the request meets the conditions to enter that filter chain. It is like this: if you are a VIP, you go through the VIP channel and enjoy VIP treatment; if you are an ordinary user, you go through the ordinary channel and get ordinary treatment. Whatever the user's role, there is a filter chain to go through, and an application contains 1 to n SecurityFilterChain instances. So who manages multiple SecurityFilterChain instances?
Remember the formula HttpSecurity -> SecurityFilterChain.
FilterChainProxy
FilterChainProxy is a GenericFilterBean (that is, a Servlet Filter that is also a Spring bean) that manages all the SecurityFilterChain instances injected into the Spring IoC container. When I first got into Spring Security, I configured FilterChainProxy like this:
    <bean id="myfilterChainProxy" class="org.springframework.security.web.FilterChainProxy">
        <constructor-arg>
            <util:list>
                <security:filter-chain pattern="/do/not/filter*" filters="none"/>
                <security:filter-chain pattern="/**" filters="filter1,filter2,filter3"/>
            </util:list>
        </constructor-arg>
    </bean>
Different request paths are matched to different SecurityFilterChain instances. Here's a schematic. We'll come back to this class later, but for now you just need to understand the diagram above.
Note: Having multiple instances of FilterChainProxy in the same filter chain is not recommended, and FilterChainProxy should not be used as a plain filter. It should only manage SecurityFilterChain instances.
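As an added example (not from the original tutorial or from Spring Boot's source), the following configuration registers two SecurityFilterChain beans that FilterChainProxy chooses between by request path. The class name, bean names and the /api/** path are assumptions, and it uses the same Spring Security 5.x style API as the default configuration shown earlier.

```java
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.core.annotation.Order;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.web.SecurityFilterChain;

// Hypothetical configuration class: names and paths are illustrative only.
@Configuration
public class MultiChainSecurityConfig {

    // Chain 1: matches() returns true only for /api/**.
    // The lower @Order value means FilterChainProxy consults this chain first.
    @Bean
    @Order(1)
    SecurityFilterChain apiSecurityFilterChain(HttpSecurity http) throws Exception {
        http.antMatcher("/api/**")                 // restricts which requests this chain matches
            .authorizeRequests().anyRequest().authenticated()
            .and().httpBasic();                    // API clients authenticate with HTTP Basic only
        return http.build();
    }

    // Chain 2: no matcher is set, so matches() returns true for every request.
    // FilterChainProxy applies only the FIRST chain whose matches() is true,
    // so a match-all chain must be ordered last. If it were ordered before
    // chain 1, the /api/** rules would never be applied.
    @Bean
    @Order(2)
    SecurityFilterChain webSecurityFilterChain(HttpSecurity http) throws Exception {
        http.authorizeRequests().anyRequest().authenticated()
            .and().formLogin();                    // browser users authenticate with form login only
        return http.build();
    }
}
```

Once an application defines its own SecurityFilterChain bean, the default chain from SpringBootWebSecurityConfiguration backs off, so the match-all chain above is what keeps every other path behind authentication.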
DelegatingFilterProxy
The Filter life cycles of the Servlet container and the Spring IoC container do not match. To let the Spring IoC container manage the Filter life cycle, FilterChainProxy is proxied by DelegatingFilterProxy from Spring Web. FilterChainProxy does not invoke the standard Servlet Filter lifecycle methods on any filter beans added to the application context; FilterChainProxy's own lifecycle methods are executed by DelegatingFilterProxy. DelegatingFilterProxy thus acts as the connector between Spring IoC and the Servlet container.
Simple summary
The three concepts above are important and relate to the entire filter chain architecture of Spring Security. As a beginner, understand as much as you can and don't get stuck on what you don't yet understand; it is perfectly normal not to be at that level at this stage of learning. However, you should understand these concepts by the time you finish learning Spring Security.
Personal blog: https://felord.cn