Springsecurity之FilterChainProxy
Springsecurity之FilterChainProxy
最近在使用Springsecurity,然后debug代码时,经常看到FilterChainProxy,所以就在这里记录下吧。
Springsecurity版本是4.3.x.RELEASE.
List-1
public class FilterChainProxy extends GenericFilterBean {
private final static String FILTER_APPLIED = FilterChainProxy.class.getName().concat(".APPLIED");
private List<SecurityFilterChain> filterChains;
private FilterChainValidator filterChainValidator = new NullFilterChainValidator();
private HttpFirewall firewall = new StrictHttpFirewall();
...如List-1所示,后面我们会重点看下filterChains。
FilterChainProxy继承了GenericFilterBean,这个类来自于Springframework框架而非Springsecurity。
FilterChainProxy重写了GenericFilterBean的doFilter方法,如下List-2所示。
List-2
public void doFilter(ServletRequest request, ServletResponse response,
FilterChain chain) throws IOException, ServletException {
boolean clearContext = request.getAttribute(FILTER_APPLIED) == null;
if (clearContext) {
try {
request.setAttribute(FILTER_APPLIED, Boolean.TRUE);
doFilterInternal(request, response, chain);
}
finally {
SecurityContextHolder.clearContext();
request.removeAttribute(FILTER_APPLIED);
}
}
else {
doFilterInternal(request, response, chain);
}
}在List-2中的doFilterInternal,通过getFilters(HttpServletRequest)方法,根据request的url来获取对应的Filter,如下List-3所示,SecurityFilterChain是个接口,如List-4所示。
List-3
private List<Filter> getFilters(HttpServletRequest request) {
for (SecurityFilterChain chain : filterChains) {
if (chain.matches(request)) {
return chain.getFilters();
}
}
return null;
}List-4 SecurityFilterChain是个接口
public interface SecurityFilterChain {
boolean matches(HttpServletRequest request);
List<Filter> getFilters();
}如果List-3返回的getFilters不为空,那么会构造一个VirtualFilterChain,并调用它的doFilter,下面来看下VirtualFilterChain,如List-5,additionalFilters是根据request的url得到的Filter集合,originalChain是FilterChainProxy的doFilter中传入的FilterChain。
List-5 VirtualFilterChain的属性及构造方法
private static class VirtualFilterChain implements FilterChain {
private final FilterChain originalChain;
private final List<Filter> additionalFilters;
private final FirewalledRequest firewalledRequest;
private final int size;
private int currentPosition = 0;
private VirtualFilterChain(FirewalledRequest firewalledRequest,
FilterChain chain, List<Filter> additionalFilters) {
this.originalChain = chain;
this.additionalFilters = additionalFilters;
this.size = additionalFilters.size();
this.firewalledRequest = firewalledRequest;
}
...下面来看下VirtualFilterChain的doFilter,如List-6所示。
List-6 VirtualFilterChain的doFilter
public void doFilter(ServletRequest request, ServletResponse response)
throws IOException, ServletException {
if (currentPosition == size) {
// Deactivate path stripping as we exit the security filter chain
this.firewalledRequest.reset();
originalChain.doFilter(request, response);
}
else {
currentPosition++;
Filter nextFilter = additionalFilters.get(currentPosition - 1);
nextFilter.doFilter(request, response, this);
}
}
图1
如List-6所示,会先调用additionalFilters中的Filer,之后才会调用originalChain这个Filter,如图1所示,这个过程有点递归的感觉。而重点是这个additionalFilters中的Filter,正是Springsecurity根据配置加上request的url得到的Filter集合,所以Springsecurity通过这样的方式将需要处理的逻辑添加到originalChain之前。
看FilterChainProxy的时候,看到一个内部类,如下List-7,然后有个实现类NullFilterChainValidator,但是这个里面没有做什么,得到的一个启示就是,在命名上,如果以后要定义一个默认什么都没有做的实现类,那么命名上也可以参考这个,在类名称前加上Null。最后这点纯属个人意见。
List-7 FilterChainValidator
public interface FilterChainValidator {
void validate(FilterChainProxy filterChainProxy);
}
private static class NullFilterChainValidator implements FilterChainValidator {
public void validate(FilterChainProxy filterChainProxy) {
}
}思考:
- 这个FilterChainProxy是在哪被初始化的?这个问题的答案,目前还没有找到。
- SecurityFilterChain的实现还没有分析
(adsbygoogle = window.adsbygoogle || []).push({});