Refer to the up master of station b: Portal
cutting edge:
Review the previous chapter : the top level is a filter
Spring Security process: FilterChainProxy->determine a SecurityFilterChain according to the request (call its matches method one by one to match whether the request can be processed)->execute a series of filters in the SecurityFilterChain
FilterChainProxy related stuff.
The SecurityFilterChain interface is used to configure a FilterChainProxy
//Used to configure a FilterChainProxy.
public interface SecurityFilterChain {
boolean matches(HttpServletRequest request);
List<Filter> getFilters();
}
SecurityConfigurer, AbstractConfiguredSecurityBuilder
AbstractConfiguredSecurityBuilder mentioned in the previous chapter, indirectly implements SecurityBuilder.
SecurityConfigurer
SecurityConfigurer is used to configure a SecurityBuilder
/**
Allows for configuring a SecurityBuilder. All SecurityConfigurer first have their init(SecurityBuilder) method invoked. After all init(SecurityBuilder) methods have been invoked, each configure(SecurityBuilder) method is invoked.
*/
//所有的SecurityConfigurer都首先调用它的init(SecurityBuilder) 方法
public interface SecurityConfigurer<O, B extends SecurityBuilder<O>>{
// 初始化方法 初始化一个SecurityBuilder
void init(B builder) throws Exception;
// 配置方法
void configure(B builder) throws Exception;
}
1. SecurityConfigurer is to configure a SecurityBuilder.
2. SecurityBuilder is
the last to build objects: it has quite a lot of subclasses
AbstractConfiguredSecurityBuilder
It is an indirect implementation of SecurityBuilder
1. Shared object setting
2. Control initialization (before, during, and after initialization, before, during, and after configuration)
AbstractSecurityBuilder
What it does is allow only one build
public abstract class AbstractSecurityBuilder<O> implements SecurityBuilder<O>{
private AtomicBoolean building = new AtomicBoolean();
public final O build() throws Exception {
if (this.building.compareAndSet(false, true)) {
this.object = doBuild();
return this.object;
}
throw new AlreadyBuiltException("This object has already been built");
}
}
聊回AbstractConfiguredSecurityBuilder
(Because it is a class that will participate in building security objects)
We know that SecurityBuilder is used to build objects. This object may be a SecurityFilterChain security filter chain, or it may be an AuthenticationManager (authentication manager).
Attributes
//AbstractConfiguredSecurityBuilder需要被一堆的SecurityConfigurer去配置,所以需要维护一个configurers
private final LinkedHashMap<Class<? extends SecurityConfigurer<O, B>>, List<SecurityConfigurer<O, B>>> configurers = new LinkedHashMap<>();
//
private final List<SecurityConfigurer<O, B>> configurersAddedInInitializing = new ArrayList<>();
// 共享对象
private final Map<Class<?>, Object> sharedObjects = new HashMap<>();
//同一个configure是否允许出现两个
private final boolean allowConfigurersOfSameType;
//后置处理
private ObjectPostProcessor<Object> objectPostProcessor;
most frequently used method
When using spring-security, we often use .XXX to call this method
and add a SecurityConfigurer to it
private <C extends SecurityConfigurer<O, B>> void add(C configurer) {
Assert.notNull(configurer, "configurer cannot be null");
Class<? extends SecurityConfigurer<O, B>> clazz = (Class<? extends SecurityConfigurer<O, B>>) configurer
.getClass();
// 同步 只允许一个线程工作。configurers 一个LinkedHashMap
synchronized (configurers) {
//BuildState是一个枚举类 状态:未构建、初始化、配置、构建中、构建完成
if (buildState.isConfigured()) {
//是否已经配置
//已经构建过了 不需要再应用
throw new IllegalStateException("Cannot apply " + configurer
+ " to already built object");
}
List<SecurityConfigurer<O, B>> configs = allowConfigurersOfSameType ? this.configurers
.get(clazz) : null;
if (configs == null) {
configs = new ArrayList<>(1);
}
// 添加
configs.add(configurer);
this.configurers.put(clazz, configs);
// 是否正在初始化
if (buildState.isInitializing()) {
//
this.configurersAddedInInitializing.add(configurer);
}
}
}