Spring security uses various filters for authentication and security control in web applications. Due to the dependencies between filters, the order of filters in the filter chain is also extremely important. No matter what we choose in the actual project which filters.
1. filter order
- ChannelProcessingFilter, access protocol control filter, may redirect us to another protocol, such as converting from http to https
- SecurityContextPersistenceFilter is used to create a SecurityContext and store it in the SecurityContextHolder. Because the subsequent filter needs to use the authentication-related information stored in the SecurityContext, it is necessary to set this information at the beginning of the request. Any modifications can be saved and stored in the HttpSession after the request ends (to be used on the next request)
- ConcurrentSessionFilter, concurrent access control filter, mainly does two things
- UsernamePasswordAuthenticationFilter, CasAuthenticationFilter, BasicAuthenticationFilter and other authentication corresponding filters, after these filters, SecurityContextHolder will contain a fully assembled Authentication object, so that subsequent authentication can be performed normally
- SecurityContextHolderAwareRequestFilter, used to encapsulate ServletRequest into SecurityContextHolderAwareRequestWrapper (servlet 2.5 version) or Servlet3SecurityContextHolderAwareRequestWrapper (servlet 3.0+ version) that can be associated with SecurityContextHolder, so as to provide integration functions with servlet, such as calling HttpServletRequest.getUserPrincipal(), HttpServletRequest.authenticate() , HttpServletRequest.login(), HttpServletRequest.logout() and other methods
- JaasApiIntegrationFilter, when using the Java Authentication and Authorization Service (JAAS) authentication method, this filter is used to convert the JaasAuthenticationToken in the SecurityContextHolder into a Subject for subsequent filter use
- RememberMeAuthenticationFilter, a memory authentication processing filter, if the filter corresponding to the previous authentication does not process the current request, and the cookie of the current request has an identifier that enables the RememberMe function (by default, there is a parameter named remember-me in the cookie, corresponding to The value is 1, true, OK), this filter will process the request, parse the user from the cookie, perform authentication processing, and then store an Authentication object in the SecurityContextHolder.
- AnonymousAuthenticationFilter, an anonymous authentication processing filter, if all the previous authentication processing does not authenticate the request, this filter will store an anonymous Authentication object in the SecurityContextHolder and give the ROLE_ANONYMOUS authority, the purpose is for the subsequent authentication operations You can always get an Authentication for processing, regardless of the null case.
- ExceptionTranslationFilter, exception processing filter, this filter mainly intercepts the exception thrown in the subsequent filter (FilterSecurityInterceptor) operation, adopts different strategies according to the type of exception such as AuthenticationException, AccessDeniedException, etc., redirects to the authentication login page or redirects to the error page or directly return to the front end with a 403 code
- FilterSecurityInterceptor Security interception filter class, obtain the ConfigAttribute corresponding to the current request url, and call accessDecisionManager for authentication processing, if the user has the right to execute the current request, call the real processing logic, otherwise throw the corresponding exception AuthenticationException, AccessDeniedException.
| 1. Obtain the SessionInformation from the SessionRegistry to determine whether the session has expired. If it expires, call the configured logout handlers to invalidate the session, and call the onExpiredSessionDetected method of the SessionInformationExpiredStrategy to redirect or notify the user that the session has expired. | |
| 2. If it has not expired, refresh the LastRequest time of the current session. If the maximum number of concurrent accesses is configured when multiple users access at the same time, the session with the earliest LastRequest time will be set to expire, thereby realizing concurrent access control. |
2. How to ensure the order of filters in spring security?
2.1 In short, spring guarantees the order through the FilterComparator class
FilterComparator() {
int order = 100;
put(ChannelProcessingFilter.class, order);
order += STEP;
put(ConcurrentSessionFilter.class, order);
order += STEP;
put(WebAsyncManagerIntegrationFilter.class, order);
order += STEP;
put(SecurityContextPersistenceFilter.class, order);
order += STEP;
put(HeaderWriterFilter.class, order);
order += STEP;
put(CorsFilter.class, order);
order += STEP;
put(CsrfFilter.class, order);
order += STEP;
put(LogoutFilter.class, order);
order += STEP;
put(X509AuthenticationFilter.class, order);
order += STEP;
put(AbstractPreAuthenticatedProcessingFilter.class, order);
order += STEP;
filterToOrder.put("org.springframework.security.cas.web.CasAuthenticationFilter",
order);
order += STEP;
put(UsernamePasswordAuthenticationFilter.class, order);
order += STEP;
put(ConcurrentSessionFilter.class, order);
order += STEP;
filterToOrder.put(
"org.springframework.security.openid.OpenIDAuthenticationFilter", order);
order += STEP;
put(DefaultLoginPageGeneratingFilter.class, order);
order += STEP;
put(ConcurrentSessionFilter.class, order);
order += STEP;
put(DigestAuthenticationFilter.class, order);
order += STEP;
put(BasicAuthenticationFilter.class, order);
order += STEP;
put(RequestCacheAwareFilter.class, order);
order += STEP;
put(SecurityContextHolderAwareRequestFilter.class, order);
order += STEP;
put(JaasApiIntegrationFilter.class, order);
order += STEP;
put(RememberMeAuthenticationFilter.class, order);
order += STEP;
put(AnonymousAuthenticationFilter.class, order);
order += STEP;
put(SessionManagementFilter.class, order);
order += STEP;
put(ExceptionTranslationFilter.class, order);
order += STEP;
put(FilterSecurityInterceptor.class, order);
order += STEP;
put(SwitchUserFilter.class, order);
}
In this class, the order of filters that may be used in security is defined in advance, so how is this class called?
In the previous section ( spring-security (16) Filter configuration principle ), we know that the spring security-related Filter is to call the build of HttpSecurity in the build method of WebSecurity to build the filter added to HttpSecurity into a SecurityFilterChain, and then put all the SecurityFilterChain is appended to FilterChainProxy, and finally registered to ServletContext through DelegatingFilterProxy, let's take a look at the build method of HttpSecurity
@Override
protected DefaultSecurityFilterChain performBuild() throws Exception {
Collections.sort(filters, comparator);
return new DefaultSecurityFilterChain(requestMatcher, filters);
}
It can be seen that the filters will be sorted before building the SecurityFilterChain in this class, and this sorting class is FilterComparator, so no matter what the filter order we add to HttpSecurity is, spring security will eventually ensure that our Filter is strictly in accordance with in the order described above. Specifically, how the Filter we use is added to HttpSecurity, and we will analyze it later when we talk about the specific Filter.