Spring Security source code analysis.pdf

Points/C-coins required: 22 | 2014-07-11 09:58:32 | 688KB | PDF

http://dead-knight.iteye.com

1.20 Spring Security 3 source code analysis: CAS support

1.1 Spring Security 3 source code analysis: FilterChainProxy initialization

Published: 2012-05-04  Keywords: security, spring

I have not updated this blog in a long time. Recently I have been studying Spring Security in some depth.

There are plenty of Spring Security tutorials online:

http://lengyun3566.iteye.com/category/153689
http://wenku.baidu.com/view/b0codc0b79563clec5da7179.html

These tutorials are enough for using Spring Security as the security framework in a real project. If you want to dig deeper, though, material online is scarce. For example:

http://www.blogjava.net/spartayeW/archive/2011/05/19/spingsecurity3.html
http://www.blogjava.net/youxia/archive/2008/12/07/244883.html
http://www.cnblogs.com/hzhuxin/archive/2011/12/19/2293730.html

Even these do not analyse things step by step starting from the filter configuration.

With plenty of open questions in mind, let us lift the veil on Spring Security 3 one layer at a time.

Spring Security is configured in web.xml as follows:

    <filter>
        <filter-name>springSecurityFilterChain</filter-name>
        <filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
    </filter>
    <filter-mapping>
        <filter-name>springSecurityFilterChain</filter-name>
        <url-pattern>/*</url-pattern>
    </filter-mapping>

At a glance this is a Spring class. It lives in org.springframework.web-3.0.1.RELEASE.jar, which shows that the class itself has nothing to do with Spring Security.

DelegatingFilterProxy extends the abstract class GenericFilterBean and so indirectly implements the javax.servlet.Filter interface. I will not go through every detail. Look at the doFilter method:

    public void doFilter(ServletRequest request, ServletResponse response, FilterChain filterChain)
            throws ServletException, IOException {

        // Lazily initialize the delegate if necessary.
        Filter delegateToUse = null;
        synchronized (this.delegateMonitor) {
            if (this.delegate == null) {
                WebApplicationContext wac = findWebApplicationContext();
                if (wac == null) {
                    throw new IllegalStateException("No WebApplicationConte ...
                }
                this.delegate = initDelegate(wac);
            }
            delegateToUse = this.delegate;
        }

        // Let the delegate perform the actual doFilter operation.
        invokeDelegate(delegateToUse, request, response, filterChain);
    }

Two things are done here:

    initDelegate(wac); // initializes FilterChainProxy

    protected Filter initDelegate(WebApplicationContext wac) throws ServletException {
        Filter delegate = wac.getBean(getTargetBeanName(), Filter.class);
        if (isTargetFilterLifecycle()) {
            delegate.init(getFilterConfig());
        }
        return delegate;
    }

getTargetBeanName() returns the filter's name: springSecurityFilterChain.

    Filter delegate = wac.getBean(getTargetBeanName(), Filter.class);

Here the FilterChainProxy instance is fetched directly by the bean name springSecurityFilterChain.

This raises a question: where is the springSecurityFilterChain bean defined? So far we seem to have overlooked Spring Security's bean configuration file:

    <?xml version="1.0" encoding="UTF-8"?>
    <beans:beans xmlns="http://www.springframework.org/schema/security"
        xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
        xmlns:beans="http://www.springframework.org/schema/beans"
        xsi:schemaLocation="http://www.springframework.org/schema/beans
            http://www.springframework.org/schema/beans/spring-beans.xsd
            http://www.springframework.org/schema/security
            http://www.springframework.org/schema/security/spring-security-3.0.xsd">

        <http auto-config="true">
            <intercept-url pattern="/*" access="ROLE_USER"/>
        </http>

        <authentication-manager alias="authenticationManager">
            <authentication-provider>
                <user-service>
                    <user authorities="ROLE_USER" name="guest" password="guest"/>
                </user-service>
            </authentication-provider>
        </authentication-manager>
    </beans:beans>

This is the simplest possible configuration, and it also resolves the question of why no springSecurityFilterChain bean is defined anywhere. It relies mainly on Spring's custom tags. For details see http://www.w3school.com.cn/schema/schema_example.asp

First, the source package that handles Spring Security's tag parsing is spring-security-config-3.0.2.RELEASE.jar.

The META-INF directory of this jar contains two files, spring.handlers and spring.schemas. spring.schemas mainly holds the specification and constraints for the tags, while spring.handlers names the class that actually parses the custom tags. Its content is:

    http\://www.springframework.org/schema/security=org.springframework.security.config.SecurityNamespaceHandler

From this we can see that Spring Security's tags are parsed by org.springframework.security.config.SecurityNamespaceHandler. This class implements the NamespaceHandler interface, which every custom tag in Spring must implement. The interface has three methods, init, parse and decorate: init initializes the custom tags, parse parses a tag, and decorate decorates.

The init method of SecurityNamespaceHandler registers the tag parser classes:

    public void init() {
        // Parsers
        parsers.put(Elements.LDAP_PROVIDER, new LdapProviderBeanDefinitionParser());
        parsers.put(Elements.LDAP_SERVER, new LdapServerBeanDefinitionParser());
        parsers.put(Elements.LDAP_USER_SERVICE, new LdapUserServiceBeanDefinitionParser());
        parsers.put(Elements.USER_SERVICE, new UserServiceBeanDefinitionParser());
        parsers.put(Elements.JDBC_USER_SERVICE, new JdbcUserServiceBeanDefinitionParser());
        parsers.put(Elements.AUTHENTICATION_PROVIDER, new AuthenticationProviderBeanDefinitionF ...
        parsers.put(Elements.GLOBAL_METHOD_SECURITY, new GlobalMethodSecurityBeanDefinitionPars ...
        parsers.put(Elements.AUTHENTICATION_MANAGER, new AuthenticationManagerBeanDefinitionParser());
        registerBeanDefinitionDecorator(Elements.INTERCEPT_METHODS, new InterceptMethodsBean ...

        // Only load the web-namespace parsers if the web classes are available
        if (ClassUtils.isPresent("org.springframework.security.web.FilterChainProxy", getClass( ...
            parsers.put(Elements.HTTP, new HttpSecurityBeanDefinitionParser());
            parsers.put(Elements.FILTER_INVOCATION_DEFINITION_SOURCE, new FilterInvocationSecur ...
            parsers.put(Elements.FILTER_SECURITY_METADATA_SOURCE, new FilterInvocationSecurity ...
            filterChainMapBDD = new FilterChainMapBeanDefinitionDecorator();
            //registerBeanDefinitionDecorator(Elements.FILTER_CHAIN_MAP, new FilterChainMapBean ...
        }
    }

The parser for the http tag is registered by:

    parsers.put(Elements.HTTP, new HttpSecurityBeanDefinitionParser());

The parser for the authentication-manager tag is registered by:

    parsers.put(Elements.AUTHENTICATION_MANAGER, new AuthenticationManagerBeanDefinitionParser());

The source of HttpSecurityBeanDefinitionParser's parse method is:

    public BeanDefinition parse(Element element, ParserContext pc) {
        CompositeComponentDefinition compositeDef =
            new CompositeComponentDefinition(element.getTagName(), pc.extractSource(element));
        pc.pushContainingComponent(compositeDef);
        final Object source = pc.extractSource(element);

        final String portMapperName = createPortMapper(element, pc);
        final UrlMatcher matcher = createUrlMatcher(element);

        HttpConfigurationBuilder httpBldr = new HttpConfigurationBuilder(element, pc, matcher ...

        httpBldr.parseInterceptUrlsForEmptyFilterChains();
        httpBldr.createSecurityContextPersistenceFilter();
        httpBldr.createSessionManagementFilters();

        ManagedList<BeanReference> authenticationProviders = new ManagedList<BeanReference>();
        BeanReference authenticationManager = createAuthenticationManager(element, pc, authenti ...

        httpBldr.createServletApiFilter();
        httpBldr.createChannelProcessingFilter();
        httpBldr.createFilterSecurityInterceptor(authenticationManager);

        AuthenticationConfigBuilder authBldr = new AuthenticationConfigBuilder(element, pc,
                httpBldr.isAllowSessionCreation(), portMapperName);

        authBldr.createAnonymousFilter();
        authBldr.createRememberMeFilter(authenticationManager);
        authBldr.createRequestCache();
        authBldr.createBasicFilter(authenticationManager);
        authBldr.createFormLoginFilter(httpBldr.getSessionStrategy(), authenticationManager);
        authBldr.createOpenIDLoginFilter(httpBldr.getSessionStrategy(), authenticationManager);
        authBldr.createX509Filter(authenticationManager);
        authBldr.createLogoutFilter();
        authBldr.createLoginPageFilterIfNeeded();
        authBldr.createUserServiceInjector();
        authBldr.createExceptionTranslationFilter();

        List<OrderDecorator> unorderedFilterChain = new ArrayList<OrderDecorator>();

        unorderedFilterChain.addAll(httpBldr.getFilters());
        unorderedFilterChain.addAll(authBldr.getFilters());

        authenticationProviders.addAll(authBldr.getProviders());

        BeanDefinition requestCacheAwareFilter = new RootBeanDefinition(RequestCacheAwareFilter ...
        requestCacheAwareFilter.getPropertyValues().addPropertyValue("requestCache", authBldr.g ...
        unorderedFilterChain.add(new OrderDecorator(requestCacheAwareFilter, REQUEST_CACHE_FILT ...

        unorderedFilterChain.addAll(buildCustomFilterList(element, pc));

        Collections.sort(unorderedFilterChain, new OrderComparator());
        checkFilterChainOrder(unorderedFilterChain, pc, source);

        List<BeanMetadataElement> filterChain = new ManagedList<BeanMetadataElement>();

        for (OrderDecorator od : unorderedFilterChain) {
            filterChain.add(od.bean);
        }

        ManagedMap<BeanDefinition, List<BeanMetadataElement>> filterChainMap = httpBldr.getFilt ...
        BeanDefinition universalMatch = new RootBeanDefinition(String.class);
        universalMatch.getConstructorArgumentValues().addGenericArgumentValue(matcher.getUniver ...
        filterChainMap.put(universalMatch, filterChain);

        registerFilterChainProxy(pc, filterChainMap, matcher, source);

        pc.popAndRegisterContainingComponent();
        return null;
    }

Many Spring Security tutorials say that once the http tag carries the attribute auto-config="true", Spring Security configures the filter chain automatically. How those filters actually get added to the chain is something the tutorials do not explain.

The code above already tells us: it is set up right here.

    httpBldr.createSecurityContextPersistenceFilter();
    httpBldr.createSessionManagementFilters();
    httpBldr.createServletApiFilter();
    httpBldr.createChannelProcessingFilter();
    httpBldr.createFilterSecurityInterceptor(authenticationManager);
    authBldr.createAnonymousFilter();
    authBldr.createRememberMeFilter(authenticationManager);
    authBldr.createRequestCache();
    authBldr.createBasicFilter(authenticationManager);
    authBldr.createFormLoginFilter(httpBldr.getSessionStrategy(), authenticationManager);
    authBldr.createOpenIDLoginFilter(httpBldr.getSessionStrategy(), authenticationManager);
    authBldr.createX509Filter(authenticationManager);
    authBldr.createLogoutFilter();
    authBldr.createLoginPageFilterIfNeeded();
    authBldr.createUserServiceInjector();
    authBldr.createExceptionTranslationFilter();

The individual create methods are analysed in the next article. Next, the filters are sorted and added to the filterChainMap collection:

    List<OrderDecorator> unorderedFilterChain = new ArrayList<OrderDecorator>();

    unorderedFilterChain.addAll(httpBldr.getFilters());
    unorderedFilterChain.addAll(authBldr.getFilters());

    authenticationProviders.addAll(authBldr.getProviders());

    BeanDefinition requestCacheAwareFilter = new RootBeanDefinition(RequestCacheAwareFilter ...
    requestCacheAwareFilter.getPropertyValues().addPropertyValue("requestCache", authBldr.g ...
    unorderedFilterChain.add(new OrderDecorator(requestCacheAwareFilter, REQUEST_CACHE_FIL ...

    unorderedFilterChain.addAll(buildCustomFilterList(element, pc));

    Collections.sort(unorderedFilterChain, new OrderComparator());
    checkFilterChainOrder(unorderedFilterChain, pc, source);

    List<BeanMetadataElement> filterChain = new ManagedList<BeanMetadataElement>();
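An added example (not from the original article or from the Spring code base): a small Python audit of the wiring traced at the start of the article, where DelegatingFilterProxy asks the context for a bean named after its filter-name and the <http> namespace element is what registers springSecurityFilterChain. The sample XML is constructed, the function names are hypothetical, and the targetBeanName init-param is DelegatingFilterProxy's own way of overriding the bean name, which the article does not show.

```python
import xml.etree.ElementTree as ET

PROXY = "org.springframework.web.filter.DelegatingFilterProxy"
SEC_HTTP = "{http://www.springframework.org/schema/security}http"
CHAIN_BEAN = "springSecurityFilterChain"  # bean name looked up in initDelegate()

# Constructed sample inputs, modelled on the two files quoted in the article.
WEB_XML = """<web-app>
  <filter><filter-name>springSecurityFilterChain</filter-name>
    <filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class></filter>
  <filter-mapping><filter-name>springSecurityFilterChain</filter-name>
    <url-pattern>/*</url-pattern></filter-mapping>
</web-app>"""
SECURITY_XML = """<beans:beans xmlns="http://www.springframework.org/schema/security"
    xmlns:beans="http://www.springframework.org/schema/beans">
  <http auto-config="true"><intercept-url pattern="/*" access="ROLE_USER"/></http>
</beans:beans>"""

def kids(parent, name):
    """Children by local name, so web.xml works with or without an xmlns."""
    return [c for c in parent if c.tag.rsplit("}", 1)[-1] == name]

def text(parent, name):
    found = kids(parent, name)
    return (found[0].text or "").strip() if found else None

def audit(web_xml, security_xml):
    """Return findings; an empty list means the proxy can reach the chain."""
    web, sec = ET.fromstring(web_xml), ET.fromstring(security_xml)
    proxies = {}  # filter-name -> bean name the proxy will ask the context for
    for f in kids(web, "filter"):
        if text(f, "filter-class") == PROXY:
            name = target = text(f, "filter-name")  # default: bean name == filter name
            for p in kids(f, "init-param"):  # assumption: override via targetBeanName
                if text(p, "param-name") == "targetBeanName":
                    target = text(p, "param-value")
            proxies[name] = target
    if not proxies:
        return ["no DelegatingFilterProxy declared in web.xml"]
    findings, mapped = [], {}
    if sec.find(".//" + SEC_HTTP) is None:
        findings.append("no <http> element, so nothing registers " + CHAIN_BEAN)
    for m in kids(web, "filter-mapping"):
        mapped.setdefault(text(m, "filter-name"), []).append(text(m, "url-pattern"))
    for name, target in proxies.items():
        if target != CHAIN_BEAN:
            findings.append("filter %r asks for bean %r, expected %r" % (name, target, CHAIN_BEAN))
        if "/*" not in mapped.get(name, []):
            findings.append("filter %r is not mapped to /*" % name)
    return findings
```

The check assumes the namespace configuration shown in the article; an application that declares its own FilterChainProxy bean under another name will be reported and needs a manual look.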
