Java Spring WebSecurity HttpSecurity
Spring Security 5.4版本带来的新玩法
1. 前言
在以往Spring Security的中自定义配置都是声明一个配置类WebSecurityConfigurerAdapter,然后覆写(@Override)对应的几个方法就行了。然而这一切在Spring Security 5.4开始就得到了改变,从Spring Security 5.4 起不需要继承WebSecurityConfigurerAdapter就可以配置HttpSecurity了。相关的说明原文:
- Remove need for WebSecurityConfigurerAdapter #8805
Configure HTTP Security without extending WebSecurityConfigurerAdapter #8804
2. 新的配置方式
旧的配置方式目前依然有效:
@Configurationstatic class SecurityConfig extends WebSecurityConfigurerAdapter {@Overrideprotected void configure(HttpSecurity http) throws Exception {http.antMatcher("/**").authorizeRequests(authorize -> authorize.anyRequest().authenticated());}}
5.4.x版本有新的选择:
@BeanSecurityFilterChain filterChain(HttpSecurity http) throws Exception {return http.antMatcher("/**").authorizeRequests(authorize -> authorize.anyRequest().authenticated()).build();}
这种JavaConfig的方式看起来更加清爽舒服,而且和适配器解耦了。上面
filterChain方法的参数是HttpSecurity类型。熟悉@Bean注解的同学应该会意识到一定有一个HttpSecurity类型的Spring Bean。在HttpSecurityConfiguration中有一个这样的Bean:@Bean({"org.springframework.security.config.annotation.web.configuration.HttpSecurityConfiguration.httpSecurity"})@Scope("prototype")HttpSecurity httpSecurity() throws Exception {// 省略掉return http;}
初始化的内容已经忽略掉,注意到
HttpSecurity被@Scope("prototype")标记。也就是这个HttpSecurityBean不是单例的,每一次请求都会构造一个新的实例。这个设定非常方便构建多个互相没有太多关联的SecurityFilterChain,进而能在一个安全体系中构建相互隔离的安全策略。比如后端管理平台用Session模式,前台应用端用Token模式。
多个SecurityFilterChain3. 原理
Spring Security 有一个名为
springSecurityFilterChain默认的过滤器链类(实际位置就是上图的Bean Filter位置),其类型为FilterChainProxy, 它代理了所有的SecurityFilterChain,关键的代理注入代码:for (SecurityFilterChain securityFilterChain : this.securityFilterChains) {this.webSecurity.addSecurityFilterChainBuilder(() -> securityFilterChain);for (Filter filter : securityFilterChain.getFilters()) {if (filter instanceof FilterSecurityInterceptor) {this.webSecurity.securityInterceptor((FilterSecurityInterceptor) filter);break;}}}
那么
this.securityFilterChains来自哪里呢?@Autowired(required = false)void setFilterChains(List<SecurityFilterChain> securityFilterChains) {securityFilterChains.sort(AnnotationAwareOrderComparator.INSTANCE);this.securityFilterChains = securityFilterChains;}
到这里就一目了然了吧,
SecurityFilterChain类型的Bean会被加载到this.securityFilterChains中。HttpSecurity的本质
在Spring Security 5.4的新玩法中介绍了一种新的配置
HttpSecurity的方式:@BeanSecurityFilterChain filterChain(HttpSecurity http) throws Exception {return http.antMatcher("/**").authorizeRequests(authorize -> authorize.anyRequest().authenticated()).build();}
其实就能够知道
HttpSecurity是用来构建包含了一系列过滤器链的过滤器SecurityFilterChain,平常的配置就是围绕构建SecurityFilterChain进行。继续看这张图:
安全过滤链
从上面这个图中可以看出构建好的还要交给FilterChainProxy来代理,是不是有点多此一举?WebSecurity的本质
在有些情况下这种确实多此一举, 不过更多时候可能需要配置多个
SecurityFilterChain来实现对多种访问控制策略。
多个SecurityFilterChain
为了精细化的管理多个SecurityFilterChain的生命周期,搞一个统一管理这些SecurityFilterChain的代理就十分必要了,这就是WebSecurity的意义。下面是WebSecurity的build方法的底层逻辑:@Overrideprotected Filter performBuild() throws Exception {Assert.state(!this.securityFilterChainBuilders.isEmpty(),() -> "At least one SecurityBuilder<? extends SecurityFilterChain> needs to be specified. "+ "Typically this is done by exposing a SecurityFilterChain bean "+ "or by adding a @Configuration that extends WebSecurityConfigurerAdapter. "+ "More advanced users can invoke " + WebSecurity.class.getSimpleName()+ ".addSecurityFilterChainBuilder directly");// 被忽略请求的个数 和 httpscurity的个数 构成了过滤器链集合的大小int chainSize = this.ignoredRequests.size() + this.securityFilterChainBuilders.size();List<SecurityFilterChain> securityFilterChains = new ArrayList<>(chainSize);// 初始化过滤器链集合中的 忽略请求过滤器链for (RequestMatcher ignoredRequest : this.ignoredRequests) {securityFilterChains.add(new DefaultSecurityFilterChain(ignoredRequest));}// 初始化过滤器链集合中的 httpsecurity定义的过滤器链for (SecurityBuilder<? extends SecurityFilterChain> securityFilterChainBuilder : this.securityFilterChainBuilders) {securityFilterChains.add(securityFilterChainBuilder.build());}FilterChainProxy filterChainProxy = new FilterChainProxy(securityFilterChains);if (this.httpFirewall != null) {// 请求防火墙filterChainProxy.setFirewall(this.httpFirewall);}if (this.requestRejectedHandler != null) {// 请求拒绝处理器filterChainProxy.setRequestRejectedHandler(this.requestRejectedHandler);}filterChainProxy.afterPropertiesSet();Filter result = filterChainProxy;if (this.debugEnabled) {this.logger.warn("\n\n" + "********************************************************************\n"+ "********** Security debugging is enabled. *************\n"+ "********** This may include sensitive information. *************\n"+ "********** Do not use in a production system! *************\n"+ "********************************************************************\n\n");result = new DebugFilter(filterChainProxy);}this.postBuildAction.run();return result;}
从上面中的源码可以看出,
WebSecurity用来构建一个名为springSecurityFilterChain的Spring BeanFilterChainProxy。它的作用是来定义哪些请求忽略安全控制,哪些请求必须安全控制,在合适的时候清除SecurityContext以避免内存泄漏,同时也可以用来定义请求防火墙和请求拒绝处理器,另外开启Spring Seuciry Debug模式也是这里配置的。
同时还有一个作用可能是其它文章没有提及的,FilterChainProxy是Spring Security对Spring framework应用的唯一出口,然后通过它与一个Servlet在Spring的桥接代理DelegatingFilterProxy结合构成Spring对Servlet体系的唯一出口。这样就将Spring Security、Spring framework、Servlet API三者隔离了起来。总结
事实上可以认为,
WebSecurity是Spring Security对外的唯一出口,而HttpSecurity只是内部安全策略的定义方式;WebSecurity对标FilterChainProxy,而HttpSecurity则对标SecurityFilterChain,另外它们的父类都是AbstractConfiguredSecurityBuilder。掌握了这些基本上就能知道它们之间的区别是什么了。
若有收获,就点个赞吧
0 人点赞
