In the Spring Boot project, we introduce the Spring Security dependency and do nothing. When the project Spring Security is started, it will take effect. The access request is intercepted.
Spring Boot provides an automated configuration solution for Spring Security, which allows you to use Spring Security with less configuration.
So how does this filter chain load and implement interception?
When the Spring Boot project is started, the SecurityFilterAutoConfiguration class The DelegatingFilterProxyRegistrationBean registration filter will be loaded, with the name springSecurityFilterChain.
Note: The name of springSecurityFilterChain is fixed.
DelegatingFilterProxyRegistrationBean After successful registration, the filter is loaded into the register. Then call the getFilter() method to generate the DelegatingFilterProxy proxy object and register it in IOC.
When we access the project, we will enter the doFilter method of the DelegatingFilterProxy class .
The DelegatingFilterProxy class is essentially a Filter, which indirectly implements the Filter interface, but in doFilter, it actually calls the implementation class of the proxy Filter obtained from the Spring container.
The returned FilterChainProxy object.
It can be seen that the DelegatingFilterProxy class gets a FilterChainProxy filter through the name springSecurityFilterChain, and this filter is ultimately executed. doFilter method.
Verify that the springSecurityFilterChain noun cannot be modified
View the initDelegate method.
FilterChainProxy class is essentially a Filter, so view the doFilter method. Pay attention to the properties in this class.
public class FilterChainProxy extends GenericFilterBean {
private static final Log logger = LogFactory.getLog(FilterChainProxy.class);
private static final String FILTER_APPLIED =
FilterChainProxy.class.getName().concat(".APPLIED");
// 过滤器链
private List filterChains;
private FilterChainProxy.FilterChainValidator filterChainValidator;
private HttpFirewall firewall; Are you surprised? All 15 filters are here!
It turns out that these filters are encapsulated into SecurityFilterChain objects.
SecurityFilterChain class is an interface, and there is only one implementation class DefaultSecurityFilterChain class.
DefaultSecurityFilterChainThe constructor method of the class initializes the List filters, which are put in by passing parameters.
Spring Security The filter chain is handed over to Spring boot for automatic configuration by SpringBootWebSecurityConfigurationClass creation injection.
WebSecurityConfigurerAdapter class.
Use OrderedFilter for proxy and set the order attribute.
After the addition is completed, encapsulate these filters into DefaultSecurityFilterChain objects.
Finally load springSecurityFilterChain through WebSecurityConfiguration configuration. The securityFilterChains attribute is maintained in WebSecurityConfiguration and will store all filters in the filter chain.
The above is the detailed content of What is the execution process of SpringBoot integrating Spring Security filter chain loading?. For more information, please follow other related articles on the PHP Chinese website!