FilterSecurityInterceptor过滤器对应的类路径为
org.springframework.security.web.access.intercept.FilterSecurityInterceptor
这个filter是filterchain中比较复杂,也是比较核心的过滤器,主要负责授权的工作
在看这个filter源码之前,先来看看spring是如何构造filter这个bean的
具体的构造过程的代码片段为
- //这个方法源自HttpConfigurationBuilder类
- void createFilterSecurityInterceptor(BeanReference authManager) {
- //判断是否配置了use-expressions属性
- boolean useExpressions = FilterInvocationSecurityMetadataSourceParser.isUseExpressions(httpElt);
- //根据intercept-url标签列表创建授权需要的元数据信息。后面仔细分析
- BeanDefinition securityMds = FilterInvocationSecurityMetadataSourceParser.createSecurityMetadataSource(interceptUrls, httpElt, pc);
- RootBeanDefinition accessDecisionMgr;
- //创建voter列表
- ManagedList<BeanDefinition> voters = new ManagedList<BeanDefinition>(2);
- //如果是使用了表达式,使用WebExpressionVoter
- //没使用表达式,就使用RoleVoter、AuthenticatedVoter
- if (useExpressions) {
- voters.add(new RootBeanDefinition(WebExpressionVoter.class));
- } else {
- voters.add(new RootBeanDefinition(RoleVoter.class));
- voters.add(new RootBeanDefinition(AuthenticatedVoter.class));
- }
- //定义授权的决策管理类AffirmativeBased
- accessDecisionMgr = new RootBeanDefinition(AffirmativeBased.class);
- //添加依赖的voter列表
- accessDecisionMgr.getPropertyValues().addPropertyValue(“decisionVoters”, voters);
- accessDecisionMgr.setSource(pc.extractSource(httpElt));
- // Set up the access manager reference for http
- String accessManagerId = httpElt.getAttribute(ATT_ACCESS_MGR);
- //如果未定义access-decision-manager-ref属性,就使用默认的
- //AffirmativeBased
- if (!StringUtils.hasText(accessManagerId)) {
- accessManagerId = pc.getReaderContext().generateBeanName(accessDecisionMgr);
- pc.registerBeanComponent(new BeanComponentDefinition(accessDecisionMgr, accessManagerId));
- }
- //创建FilterSecurityInterceptor过滤器
- BeanDefinitionBuilder builder = BeanDefinitionBuilder.rootBeanDefinition(FilterSecurityInterceptor.class);
- //添加决策管理器
- builder.addPropertyReference(“accessDecisionManager”, accessManagerId);
- //添加认证管理类
- builder.addPropertyValue(“authenticationManager”, authManager);
- if (“false”.equals(httpElt.getAttribute(ATT_ONCE_PER_REQUEST))) {
- builder.addPropertyValue(“observeOncePerRequest”, Boolean.FALSE);
- }
- //添加授权需要的安全元数据资源
- builder.addPropertyValue(“securityMetadataSource”, securityMds);
- BeanDefinition fsiBean = builder.getBeanDefinition();
- //向ioc容器注册bean
- String fsiId = pc.getReaderContext().generateBeanName(fsiBean);
- pc.registerBeanComponent(new BeanComponentDefinition(fsiBean,fsiId));
- // Create and register a DefaultWebInvocationPrivilegeEvaluator for use with taglibs etc.
- BeanDefinition wipe = new RootBeanDefinition(DefaultWebInvocationPrivilegeEvaluator.class);
- wipe.getConstructorArgumentValues().addGenericArgumentValue(new RuntimeBeanReference(fsiId));
- pc.registerBeanComponent(new BeanComponentDefinition(wipe, pc.getReaderContext().generateBeanName(wipe)));
- this.fsi = new RuntimeBeanReference(fsiId);
- }
现在再仔细分析创建元数据资源的bean过程
- static BeanDefinition createSecurityMetadataSource(List<Element> interceptUrls, Element elt, ParserContext pc) {
- //创建Url处理类,有两个实现:AntUrlPathMatcher、RegexUrlPathMatcher
- UrlMatcher matcher = HttpSecurityBeanDefinitionParser.createUrlMatcher(elt);
- boolean useExpressions = isUseExpressions(elt);
- //解析intercept-url标签,构造所有需要拦截url的map信息
- //map中的key:RequestKey的bean定义,value:SecurityConfig的bean定义
- ManagedMap<BeanDefinition, BeanDefinition> requestToAttributesMap = parseInterceptUrlsForFilterInvocationRequestMap(
- interceptUrls, useExpressions, pc);
- BeanDefinitionBuilder fidsBuilder;
- if (useExpressions) {
- //定义表达式处理类的bean
- Element expressionHandlerElt = DomUtils.getChildElementByTagName(elt, Elements.EXPRESSION_HANDLER);
- String expressionHandlerRef = expressionHandlerElt == null ? null : expressionHandlerElt.getAttribute(“ref”);
- if (StringUtils.hasText(expressionHandlerRef)) {
- logger.info(“Using bean ‘” + expressionHandlerRef + “‘ as web SecurityExpressionHandler implementation”);
- } else {
- BeanDefinition expressionHandler = BeanDefinitionBuilder.rootBeanDefinition(DefaultWebSecurityExpressionHandler.class).getBeanDefinition();
- expressionHandlerRef = pc.getReaderContext().generateBeanName(expressionHandler);
- pc.registerBeanComponent(new BeanComponentDefinition(expressionHandler, expressionHandlerRef));
- }
- //定义表达式类型的FilterInvocationSecurityMetadataSource
- fidsBuilder = BeanDefinitionBuilder.rootBeanDefinition(ExpressionBasedFilterInvocationSecurityMetadataSource.class);
- //通过构造函数注入依赖
- fidsBuilder.addConstructorArgValue(matcher);
- fidsBuilder.addConstructorArgValue(requestToAttributesMap);
- fidsBuilder.addConstructorArgReference(expressionHandlerRef);
- } else {
- //定义非表达式类型的FilterInvocationSecurityMetadataSource
- fidsBuilder = BeanDefinitionBuilder.rootBeanDefinition(DefaultFilterInvocationSecurityMetadataSource.class);
- //通过构造函数注入依赖
- fidsBuilder.addConstructorArgValue(matcher);
- fidsBuilder.addConstructorArgValue(requestToAttributesMap);
- }
- fidsBuilder.addPropertyValue(“stripQueryStringFromUrls”, matcher instanceof AntUrlPathMatcher);
- fidsBuilder.getRawBeanDefinition().setSource(pc.extractSource(elt));
- return fidsBuilder.getBeanDefinition();
- }
通过以上的bean构造过程,FilterSecurityInterceptor所依赖的决策管理器、认证管理器、安全元数据资源都具备了,该让FilterSecurityInterceptor干活了,其源码为
- public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
- throws IOException, ServletException {
- //封装request, response, chain,方便参数传递、增加代码阅读性
- FilterInvocation fi = new FilterInvocation(request, response, chain);
- invoke(fi);
- }
- public void invoke(FilterInvocation fi) throws IOException, ServletException {
- if ((fi.getRequest() != null) && (fi.getRequest().getAttribute(FILTER_APPLIED) != null)
- && observeOncePerRequest) {
- if (fi.getRequest() != null) {
- fi.getRequest().setAttribute(FILTER_APPLIED, Boolean.TRUE);
- }
- //执行父类beforeInvocation,类似于aop中的before
- InterceptorStatusToken token = super.beforeInvocation(fi);
- try {
- //filter传递
- fi.getChain().doFilter(fi.getRequest(), fi.getResponse());
- } finally {
- //执行父类的afterInvocation,类似于aop中的after
- super.afterInvocation(token, null);
- }
- }
- }
继续看父类的beforeInvocation方法,其中省略了一些不重要的代码片段
- protected InterceptorStatusToken beforeInvocation(Object object) {
- //根据SecurityMetadataSource获取配置的权限属性
- Collection<ConfigAttribute> attributes = this.obtainSecurityMetadataSource().getAttributes(object);
- //省略……
- //判断是否需要对认证实体重新认证,默认为否
- Authentication authenticated = authenticateIfRequired();
- // Attempt authorization
- try {
- //决策管理器开始决定是否授权,如果授权失败,直接抛出AccessDeniedException
- this.accessDecisionManager.decide(authenticated, object, attributes);
- }
- catch (AccessDeniedException accessDeniedException) {
- publishEvent(new AuthorizationFailureEvent(object, attributes, authenticated,
- accessDeniedException));
- throw accessDeniedException;
- }
- }
增加说明
- Collection<ConfigAttribute> attributes = this.obtainSecurityMetadataSource().getAttributes(object);
这里获取的是权限列表信息,比如说有这个配置
<security:intercept-url pattern=”/index.jsp*” access=”ROLE_USER,ROLE_ADMIN”/>
如果现在发起一个请求时index.jsp,那么根据这个请求返回的attributes集合就是分别包含ROLE_USER,ROLE_ADMIN属性的两个SecurityConfig对象
至于请求url如何匹配的,大家可以通过阅读DefaultFilterInvocationSecurityMetadataSource类的源码,实际上,这里用到了spring的路径匹配工具类org.springframework.util.AntPathMatcher
AntPathMatcher匹配方式的通配符有三种:
?(匹配任何单字符),*(匹配0或者任意数量的字符),**(匹配0或者更多的目录)
由于之前在bean的定义过程已经知道决策管理器是AffirmativeBased,接着看AffirmativeBased的决策过程
- public void decide(Authentication authentication, Object object, Collection<ConfigAttribute> configAttributes)
- throws AccessDeniedException {
- int deny = 0;
- //循环voters,实际上是RoleVoter、AuthenticatedVoter
- for (AccessDecisionVoter voter : getDecisionVoters()) {
- //把具体的决策任务交给voter处理
- //voter只返回-1、0、1,只有为1才算授权成功
- int result = voter.vote(authentication, object, configAttributes);
- if (logger.isDebugEnabled()) {
- logger.debug(“Voter: “ + voter + “, returned: “ + result);
- }
- switch (result) {
- case AccessDecisionVoter.ACCESS_GRANTED:
- return;
- case AccessDecisionVoter.ACCESS_DENIED:
- deny++;
- break;
- default:
- break;
- }
- }
- //只要有一个voter拒绝了,则直接抛出访问拒绝异常
- if (deny > 0) {
- throw new AccessDeniedException(messages.getMessage(“AbstractAccessDecisionManager.accessDenied”,
- “Access is denied”));
- }
- // To get this far, every AccessDecisionVoter abstained
- checkAllowIfAllAbstainDecisions();
- }
实际上,有三种决策管理器,分别为AffirmativeBased、ConsensusBased、UnanimousBased,各自决策的区别是:
AffirmativeBased:只要有一个voter投同意票,就授权成功
ConsensusBased:只要投同意票的大于投反对票的,就授权成功
UnanimousBased:需要一致通过才授权成功
具体决策规则很简单,只是根据voter返回的结果做处理
接下来,分别看RoleVoter、AuthenticatedVoter的源码
RoleVoter:
- public int vote(Authentication authentication, Object object, Collection<ConfigAttribute> attributes) {
- int result = ACCESS_ABSTAIN;
- //从认证实体中获取所有的权限列表
- Collection<GrantedAuthority> authorities = extractAuthorities(authentication);
- //循环intercept-url配置的access权限列表
- for (ConfigAttribute attribute : attributes) {
- if (this.supports(attribute)) {
- result = ACCESS_DENIED;
- // Attempt to find a matching granted authority
- //循环认证实体所拥有的权限列表
- for (GrantedAuthority authority : authorities) {
- if (attribute.getAttribute().equals(authority.getAuthority())) {
- //只要有相同的权限,直接返回成功1
- return ACCESS_GRANTED;
- }
- }
- }
- }
- return result;
- }
AuthenticatedVoter:
- public int vote(Authentication authentication, Object object, Collection<ConfigAttribute> attributes) {
- int result = ACCESS_ABSTAIN;
- for (ConfigAttribute attribute : attributes) {
- if (this.supports(attribute)) {
- result = ACCESS_DENIED;
- if (IS_AUTHENTICATED_FULLY.equals(attribute.getAttribute())) {
- if (isFullyAuthenticated(authentication)) {
- return ACCESS_GRANTED;
- }
- }
- if (IS_AUTHENTICATED_REMEMBERED.equals(attribute.getAttribute())) {
- if (authenticationTrustResolver.isRememberMe(authentication)
- || isFullyAuthenticated(authentication)) {
- return ACCESS_GRANTED;
- }
- }
- if (IS_AUTHENTICATED_ANONYMOUSLY.equals(attribute.getAttribute())) {
- if (authenticationTrustResolver.isAnonymous(authentication) || isFullyAuthenticated(authentication)
- || authenticationTrustResolver.isRememberMe(authentication)) {
- return ACCESS_GRANTED;
- }
- }
- }
- }
- return result;
- }
由于RoleVoter在list列表中的位置处于AuthenticatedVoter前面,只要RoleVoter通过,就不会再执行AuthenticatedVoter了。实际上AuthenticatedVoter只会对IS_AUTHENTICATED_FULLY、IS_AUTHENTICATED_REMEMBERED、IS_AUTHENTICATED_ANONYMOUSLY三种权限做vote处理。