Preface
This article is one of a series analyzing the source code of the Spring Security Core 4.0.4 Release;
It walks through a Spring Security MVC example and uses it as an entry point for a first look at how Spring Security works internally;
This article is the author's original work; please credit the source when reprinting;
Demo
The Spring Security source package contains a very good Spring MVC example, spring-security-samples-servletapi-xml-4.0.x; note: see Spring Security Source Code Analysis 1: Setting Up the Source Environment for how to download the Spring Security source;
The demo covers a very simple authentication scenario: the user logs in through a form, and Spring Security then performs the authentication;
Core Configuration
DelegatingFilterProxy
This part is configured mainly in web.xml; the key part is the <filter> declaration, excerpted below
<filter>
For an explanation of this part, see the official documentation at http://docs.spring.io/spring-security/site/docs/4.0.4.RELEASE/reference/htmlsingle/#ns-web-xml; its most important passage is excerpted here,
DelegatingFilterProxy is a Spring Framework class which delegates to a filter implementation which is defined as a Spring bean in your application context. In this case, the bean is named “springSecurityFilterChain”, which is an internal infrastructure bean created by the namespace to handle web security.
The main job of DelegatingFilterProxy is to delegate every request matching /* to a filter bean defined in the Spring container; in the current example that filter bean is named springSecurityFilterChain, and it is an internal infrastructure bean created by the Spring Security namespace to handle web security;
Spring Security XML
This configuration consists of two core parts,
Spring Security Namespace
For a description of the namespace, refer mainly to the official documentation at http://docs.spring.io/spring-security/site/docs/4.0.4.RELEASE/reference/htmlsingle/#ns-config; again, the passage the author considers most important is excerpted here,
The namespace is designed to capture the most common uses of the framework and provide a simplified and concise syntax for enabling them within an application. The design is based around the large-scale dependencies within the framework, and can be divided up into the following areas:
- Web/HTTP Security - the most complex part. Sets up the filters and related service beans used to apply the framework authentication mechanisms, to secure URLs, render login and error pages and much more.
- Business Object (Method) Security - options for securing the service layer.
- AuthenticationManager - handles authentication requests from other parts of the framework.
- AccessDecisionManager - provides access decisions for web and method security. A default one will be registered, but you can also choose to use a custom one, declared using normal Spring bean syntax.
- AuthenticationProviders - mechanisms against which the authentication manager authenticates users. The namespace provides support for several standard options and also a means of adding custom beans declared using a traditional syntax.
- UserDetailsService - closely related to authentication providers, but often also required by other beans.
As can be seen, the Spring Security Namespace is designed mainly to cover the most common authentication logic; it simplifies things in five areas,
- Web/HTTP Security - the most complex part; this step sets up the filters and the related service beans, which provide the authentication mechanisms, secure URLs, render the login and error pages, and so on;
- Business Object (Method) Security - security control over the service layer
- AuthenticationManager - the entry point for authentication
- AuthenticationProviders - additional authentication providers and ways of authenticating
- UserDetailsService
Spring Security Rules
For a description of this part, see the official documentation at http://docs.spring.io/spring-security/site/docs/4.0.4.RELEASE/reference/htmlsingle/#ns-minimal; in essence, this step comes down to defining the decision rules that the AccessDecisionManager applies;
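As an added illustration (these are not the demo's own files), the two fragments below wire together the pieces described in the DelegatingFilterProxy, namespace and rules sections above: a web.xml filter declaration that delegates to the springSecurityFilterChain bean, and a Spring Security 4.0 namespace configuration whose <intercept-url> rules are what the AccessDecisionManager evaluates, with an in-memory user matching the demo's default user / password credentials. The bean file name security.xml and the ROLE_USER authority are assumptions.

```xml
<!-- web.xml fragment (added example): every request matching /* passes through
     DelegatingFilterProxy, which looks up the Spring bean named by <filter-name>,
     i.e. springSecurityFilterChain, and delegates to it. -->
<filter>
    <filter-name>springSecurityFilterChain</filter-name>
    <filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
</filter>
<filter-mapping>
    <filter-name>springSecurityFilterChain</filter-name>
    <url-pattern>/*</url-pattern>
</filter-mapping>

<!-- security.xml (assumed file name, loaded by the Spring root context): the security
     namespace builds the springSecurityFilterChain bean from the elements below. -->
<beans:beans xmlns="http://www.springframework.org/schema/security"
             xmlns:beans="http://www.springframework.org/schema/beans"
             xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
             xsi:schemaLocation="http://www.springframework.org/schema/beans
                 http://www.springframework.org/schema/beans/spring-beans.xsd
                 http://www.springframework.org/schema/security
                 http://www.springframework.org/schema/security/spring-security-4.0.xsd">

    <!-- Web/HTTP Security: each intercept-url is a rule for the AccessDecisionManager.
         A single deny-by-default rule over /** leaves no URL unprotected by accident.
         With the 4.0 defaults, CSRF protection and the security response headers are on,
         and <form-login/> serves a generated login page at /login (the URL used in the demo). -->
    <http>
        <intercept-url pattern="/**" access="authenticated"/>
        <form-login/>
        <logout/>
    </http>

    <!-- AuthenticationManager -> AuthenticationProvider -> UserDetailsService:
         an in-memory user with the demo's default credentials.
         The ROLE_USER authority is an assumption. -->
    <authentication-manager>
        <authentication-provider>
            <user-service>
                <user name="user" password="password" authorities="ROLE_USER"/>
            </user-service>
        </authentication-provider>
    </authentication-manager>
</beans:beans>
```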
Running
Start the demo directly as a Tomcat web application, then open http://localhost:8080/servletapi/login in a browser and enter the default username and password, user / password, to log in;
After a successful login,
Reading this far, you may wonder: there is no configuration for the login page, nor for the page to redirect to after a successful login, so how does Spring Security know which login page to use and where to redirect after login? This will be covered in the subsequent source code analysis articles;