Spring Security + OAuth 2.0
I. Spring Security
Questions:
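How is Spring Security registered in the Spring container? How are its filters added to Tomcat? How does Spring Security take effect?
1. Auto-configuration
At startup, Spring Boot scans the spring.factories file in every jar and uses a utility class to convert the entries into a Map object. The key org.springframework.boot.autoconfigure.EnableAutoConfiguration is what drives auto-configuration.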
```properties
# Auto Configure
org.springframework.boot.autoconfigure.EnableAutoConfiguration=\
org.springframework.boot.autoconfigure.security.servlet.SecurityAutoConfiguration,\
org.springframework.boot.autoconfigure.security.servlet.SecurityRequestMatcherProviderAutoConfiguration,\
org.springframework.boot.autoconfigure.security.servlet.UserDetailsServiceAutoConfiguration,\
org.springframework.boot.autoconfigure.security.servlet.SecurityFilterAutoConfiguration
```
First, let's look at the class SecurityAutoConfiguration.java:
```java
@Configuration
// Condition: applies only if this class is present
@ConditionalOnClass({DefaultAuthenticationEventPublisher.class})
// Binds the configuration properties automatically
@EnableConfigurationProperties({SecurityProperties.class})
// Imports three configuration classes
@Import({SpringBootWebSecurityConfiguration.class, WebSecurityEnablerConfiguration.class, SecurityDataConfiguration.class})
public class SecurityAutoConfiguration {
    public SecurityAutoConfiguration() {
    }

    @Bean
    // Only if the container does not already contain a bean of this type
    @ConditionalOnMissingBean({AuthenticationEventPublisher.class})
    public DefaultAuthenticationEventPublisher authenticationEventPublisher(ApplicationEventPublisher publisher) {
        return new DefaultAuthenticationEventPublisher(publisher);
    }
}
```
Next, let's see what the three imported configuration classes do:
```java
/**
 * SpringBootWebSecurityConfiguration
 */
@Configuration
// This class must be present
@ConditionalOnClass({WebSecurityConfigurerAdapter.class})
// The container holds no bean of this class or any of its subclasses
@ConditionalOnMissingBean({WebSecurityConfigurerAdapter.class})
// Condition: a servlet web environment
@ConditionalOnWebApplication(
    type = Type.SERVLET
)
public class SpringBootWebSecurityConfiguration {
    public SpringBootWebSecurityConfiguration() {
    }

    @Configuration
    @Order(2147483642)
    // If the conditions above hold, a default WebSecurityConfigurerAdapter is created,
    // which is why security takes effect even when we configure nothing
    static class DefaultConfigurerAdapter extends WebSecurityConfigurerAdapter {
        DefaultConfigurerAdapter() {
        }
    }
}
```

```java
/**
 * WebSecurityEnablerConfiguration
 */
@Configuration
@ConditionalOnBean({WebSecurityConfigurerAdapter.class})
@ConditionalOnMissingBean(
    name = {"springSecurityFilterChain"}
)
@ConditionalOnWebApplication(
    type = Type.SERVLET
)
// 1. Imports three classes (WebSecurityConfiguration.class, SpringWebMvcImportSelector.class, OAuth2ImportSelector.class)
// 2. Carries the @EnableGlobalAuthentication annotation (which imports AuthenticationConfiguration.class)
@EnableWebSecurity
public class WebSecurityEnablerConfiguration {
    public WebSecurityEnablerConfiguration() {
    }
}
```

What the imported classes do:

I. ==WebSecurityConfiguration.class==
  1. Registers springSecurityFilterChain and adds the WebSecurityConfigurerAdapter to webSecurity
  2. Registers SecurityExpressionHandler
  3. Registers DelegatingApplicationListener
II. ==SpringWebMvcImportSelector.class==
  If DispatcherServlet.class is present, returns the fully qualified class name of WebMvcSecurityConfiguration
III. ==OAuth2ImportSelector.class==
  If OAuth2ClientConfiguration.class is present, returns the fully qualified class name of OAuth2ClientConfiguration
IV. The @EnableGlobalAuthentication annotation imports AuthenticationConfiguration.class
  1. Imports ObjectPostProcessorConfiguration.class, which registers ObjectPostProcessor
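
The conditions above also work in the other direction: once an application registers its own WebSecurityConfigurerAdapter, the default adapter backs off. The class below is an added example, not code from the original post or from Spring itself; it assumes Spring Boot 2.x with Spring Security 5.x, and the package name, class name and `/public/**` path are hypothetical.

```java
package com.example.demo; // hypothetical package

import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;

// Registering any WebSecurityConfigurerAdapter bean makes
// @ConditionalOnMissingBean({WebSecurityConfigurerAdapter.class}) fail, so
// SpringBootWebSecurityConfiguration.DefaultConfigurerAdapter is not created.
// WebSecurityEnablerConfiguration still matches through @ConditionalOnBean and
// applies @EnableWebSecurity, so that annotation is not repeated here.
@Configuration
public class AppSecurityConfig extends WebSecurityConfigurerAdapter {

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            .authorizeRequests()
                // Hypothetical public path; everything else needs a login.
                .antMatchers("/public/**").permitAll()
                // Overriding configure(HttpSecurity) replaces the adapter's
                // built-in rules, so the catch-all has to be restated. A request
                // that matches no rule is otherwise let through unauthenticated.
                .anyRequest().authenticated()
                .and()
            // Same login mechanisms the default adapter enables.
            .formLogin()
                .and()
            .httpBasic();
    }
}
```

When reviewing a custom adapter, check that the rule list ends in `anyRequest()` with an authenticated or denying rule, because the protection the default adapter gave for free no longer applies.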