Spring Security Web Application: Security Filter Chain
2017-06-12 14:11
Security Filter Chain
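Spring Security's web module provides very comprehensive support for web development. The entire Spring Security web module is built on Servlet Filters. It processes the HttpServletRequest and HttpServletResponse objects regardless of whether the request comes from a browser, a web client, or an AJAX application. Spring Security maintains a filter chain internally and manages the filters in it automatically according to the configuration. The order in which the filters in the chain are invoked is very important, because there are dependencies between them.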
FilterChainProxy
FilterChainProxy is the utility class used to configure the filter chain. For example:

    <bean id="filterChainProxy" class="org.springframework.security.web.FilterChainProxy">
      <constructor-arg>
        <list>
          <sec:filter-chain pattern="/restful/**" filters="
              securityContextPersistenceFilterWithASCFalse,
              basicAuthenticationFilter,
              exceptionTranslationFilter,
              filterSecurityInterceptor" />
          <sec:filter-chain pattern="/**" filters="
              securityContextPersistenceFilterWithASCTrue,
              formLoginFilter,
              exceptionTranslationFilter,
              filterSecurityInterceptor" />
        </list>
      </constructor-arg>
    </bean>
Filter Ordering
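Whichever filters you use, their order in the filter chain should be as follows:
ChannelProcessingFilter: redirects to a different protocol channel, http or https.
SecurityContextPersistenceFilter: at the start of a request it creates a SecurityContext object and places it in SecurityContextHolder; when the request ends it copies the SecurityContext into the HttpSession. On the next request the SecurityContext is taken directly from the HttpSession and placed in SecurityContextHolder for the developer to use.
ConcurrentSessionFilter: it uses the methods of SecurityContextHolder to obtain the SecurityContext, so it is placed after SecurityContextPersistenceFilter.
UsernamePasswordAuthenticationFilter, CasAuthenticationFilter, BasicAuthenticationFilter: the filters for the concrete authentication mechanisms. They use the information in SecurityContextHolder to obtain an authenticated Authentication from the authentication server.
SecurityContextHolderAwareRequestFilter: populates the container's HttpServletRequestWrapper object with Spring Security information.
JaasApiIntegrationFilter:
RememberMeAuthenticationFilter: if no earlier authentication mechanism has updated SecurityContextHolder and the request carries a cookie that enables the remember-me service, it places a corresponding Authentication in SecurityContextHolder according to the authentication mechanism, for example a CasAuthenticationToken or a UsernamePasswordAuthenticationToken.
AnonymousAuthenticationFilter: if no earlier authentication mechanism has updated SecurityContextHolder, it places an Authentication object in SecurityContextHolder.
ExceptionTranslationFilter: handles the errors thrown during Spring Security authentication, that is, the subclasses of AuthenticationException or AccessDeniedException.
FilterSecurityInterceptor: protects web URLs, collects AccessDeniedException errors, and then publishes them with publishEvent.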
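A FilterChainProxy bean declared by hand, as in the configuration above, runs its filters in exactly the order they are written in each `filters` attribute, so a misordered chain is not corrected for you. The following is an added example, not code from the original post or from Spring Security: a hypothetical helper class `FilterOrderCheck` that walks every chain of a FilterChainProxy and fails if the filters listed above appear out of order. It assumes Spring Security 3.1 to 5.x with `javax.servlet`, and leaves out CasAuthenticationFilter and JaasApiIntegrationFilter.

```java
import javax.servlet.Filter;
import org.springframework.security.web.FilterChainProxy;
import org.springframework.security.web.SecurityFilterChain;
import org.springframework.security.web.access.ExceptionTranslationFilter;
import org.springframework.security.web.access.channel.ChannelProcessingFilter;
import org.springframework.security.web.access.intercept.FilterSecurityInterceptor;
import org.springframework.security.web.authentication.AnonymousAuthenticationFilter;
import org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter;
import org.springframework.security.web.authentication.rememberme.RememberMeAuthenticationFilter;
import org.springframework.security.web.authentication.www.BasicAuthenticationFilter;
import org.springframework.security.web.context.SecurityContextPersistenceFilter;
import org.springframework.security.web.servletapi.SecurityContextHolderAwareRequestFilter;
import org.springframework.security.web.session.ConcurrentSessionFilter;

/** Hypothetical helper (not part of Spring Security): rejects a misordered filter chain. */
public final class FilterOrderCheck {
    // Position of a filter in the documented order; authentication mechanisms share one slot.
    static int rank(Filter f) {
        if (f instanceof ChannelProcessingFilter) return 0;
        if (f instanceof SecurityContextPersistenceFilter) return 1;
        if (f instanceof ConcurrentSessionFilter) return 2;
        if (f instanceof UsernamePasswordAuthenticationFilter
                || f instanceof BasicAuthenticationFilter) return 3;
        if (f instanceof SecurityContextHolderAwareRequestFilter) return 4;
        if (f instanceof RememberMeAuthenticationFilter) return 5;
        if (f instanceof AnonymousAuthenticationFilter) return 6;
        if (f instanceof ExceptionTranslationFilter) return 7;
        if (f instanceof FilterSecurityInterceptor) return 8;
        return -1; // custom or unlisted filter: its position is not checked
    }

    // Throws if any chain (for example "/restful/**" or "/**") lists a known filter too late.
    public static void verify(FilterChainProxy proxy) {
        for (SecurityFilterChain chain : proxy.getFilterChains()) {
            int last = -1;
            Filter lastFilter = null;
            for (Filter f : chain.getFilters()) {
                int r = rank(f);
                if (r < 0) continue;
                if (r < last) {
                    throw new IllegalStateException(f.getClass().getSimpleName()
                        + " must come before " + lastFilter.getClass().getSimpleName());
                }
                last = r;
                lastFilter = f;
            }
        }
    }
}
```

Calling `FilterOrderCheck.verify(filterChainProxy)` from an integration test or at application start-up catches, for instance, a chain in which filterSecurityInterceptor was listed ahead of exceptionTranslationFilter.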
Request Matching and HttpFirewall
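Placeholder, to be filled in. See the official documentation, which explains the design of the URL matching feature in detail. HttpFirewall is used to reject potentially dangerous requests; Spring Security wraps the request, and the developer can choose whether to process the wrapped request further.
HttpFirewall is applied before the request enters the filter chain.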