
About Spring Security

2016-04-13 22:49  701 views

Saving and removing the request

//save request
org.springframework.security.web.access.ExceptionTranslationFilter#doFilter{
handleSpringSecurityException(request, response, chain, ase);
}
org.springframework.security.web.access.ExceptionTranslationFilter#handleSpringSecurityException{
sendStartAuthentication(request, response, chain, new InsufficientAuthenticationException("Full authentication is required to access this resource"));
}
org.springframework.security.web.access.ExceptionTranslationFilter#sendStartAuthentication{
requestCache.saveRequest(request, response);
}
org.springframework.security.web.savedrequest.HttpSessionRequestCache#saveRequest{
request.getSession().setAttribute(SAVED_REQUEST, savedRequest);
}

//remove request
//case 1
org.springframework.security.web.authentication.AbstractAuthenticationProcessingFilter#doFilter{
successfulAuthentication(request, response, chain, authResult);
}
org.springframework.security.web.authentication.AbstractAuthenticationProcessingFilter#successfulAuthentication{
successHandler.onAuthenticationSuccess(request, response, authResult);
}
org.springframework.security.web.authentication.SavedRequestAwareAuthenticationSuccessHandler#onAuthenticationSuccess{
requestCache.removeRequest(request, response);
}
org.springframework.security.web.savedrequest.HttpSessionRequestCache#removeRequest{
session.removeAttribute(SAVED_REQUEST);
}

//case 2
org.springframework.security.web.savedrequest.RequestCacheAwareFilter#doFilter{
HttpServletRequest wrappedSavedRequest = requestCache.getMatchingRequest((HttpServletRequest) request, (HttpServletResponse) response);
}
org.springframework.security.web.savedrequest.HttpSessionRequestCache#getMatchingRequest{
removeRequest(request, response);
}
org.springframework.security.web.savedrequest.HttpSessionRequestCache#removeRequest{
session.removeAttribute(SAVED_REQUEST);
}
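The two call chains above show that the request is cached by ExceptionTranslationFilter when an unauthenticated user hits a protected resource, and that it is consumed exactly once, either by the success handler (case 1) or by RequestCacheAwareFilter (case 2). The configuration below is an added example, not code from the original post: it wires the same classes so that only GET page requests are cached (API calls and static assets are never replayed after login) and the success handler falls back to a fixed URL when nothing was saved. It assumes Spring Security 4.x with spring-security-config on the classpath; the class name and the URL patterns are constructed for the example.

```java
// Added example (not from the original post): configuring the request cache and the
// success handler whose internals are traced above. Assumes Spring Security 4.x.
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.web.authentication.SavedRequestAwareAuthenticationSuccessHandler;
import org.springframework.security.web.savedrequest.HttpSessionRequestCache;
import org.springframework.security.web.savedrequest.RequestCache;
import org.springframework.security.web.util.matcher.AndRequestMatcher;
import org.springframework.security.web.util.matcher.AntPathRequestMatcher;
import org.springframework.security.web.util.matcher.NegatedRequestMatcher;
import org.springframework.security.web.util.matcher.OrRequestMatcher;
import org.springframework.security.web.util.matcher.RequestMatcher;

@Configuration
@EnableWebSecurity
public class SavedRequestConfig extends WebSecurityConfigurerAdapter {

    // Cache only GET page requests. API calls and static assets are excluded so that
    // an interrupted request to them is never replayed after login and the post-login
    // redirect always lands on a page a browser can render.
    @Bean
    public RequestCache requestCache() {
        HttpSessionRequestCache cache = new HttpSessionRequestCache();
        RequestMatcher excluded = new OrRequestMatcher(
                new AntPathRequestMatcher("/api/**"),      // constructed pattern
                new AntPathRequestMatcher("/static/**"),   // constructed pattern
                new AntPathRequestMatcher("/favicon.ico"));
        cache.setRequestMatcher(new AndRequestMatcher(
                new AntPathRequestMatcher("/**", "GET"),
                new NegatedRequestMatcher(excluded)));
        return cache;
    }

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        // SavedRequestAwareAuthenticationSuccessHandler redirects to the cached request
        // if one exists and removes it from the session (case 1 above); otherwise it
        // redirects to defaultTargetUrl.
        SavedRequestAwareAuthenticationSuccessHandler successHandler =
                new SavedRequestAwareAuthenticationSuccessHandler();
        successHandler.setRequestCache(requestCache());
        successHandler.setDefaultTargetUrl("/home");   // constructed URL

        http.requestCache().requestCache(requestCache())
            .and()
            .authorizeRequests().anyRequest().authenticated()
            .and()
            .formLogin().loginPage("/login").permitAll()
                .successHandler(successHandler);
    }
}
```

Because the redirect target is read from the server-side session attribute SAVED_REQUEST rather than from a request parameter, the post-login redirect is not client-controlled the way a "redirect=" parameter would be; restricting the request matcher is about not replaying requests that make no sense after login, and the one-shot removal traced above is what prevents a stale saved request from being replayed on a later login.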


Saving the session (if it is to be persisted to Redis, look at

org.springframework.security.web.context.SecurityContextPersistenceFilter#doFilter{
repo.saveContext(contextAfterChainExecution, holder.getRequest(),holder.getResponse());
}

org.springframework.security.web.context.HttpSessionSecurityContextRepository#saveContext{
responseWrapper.saveContext(context);
}
org.springframework.security.web.context.HttpSessionSecurityContextRepository.SaveToSessionResponseWrapper#saveContext{
HttpSession httpSession = request.getSession(false);
httpSession.setAttribute(springSecurityContextKey, context);
}


This repo has two implementations in Spring Security: org.springframework.security.web.context.HttpSessionSecurityContextRepository and org.springframework.security.web.context.NullSecurityContextRepository (the latter exists so that nothing is stored in the session, for example when the server is to stay stateless). To inject your own implementation, for example one that stores the context in a database, override org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter#configure(org.springframework.security.config.annotation.web.builders.HttpSecurity) as follows:

http.securityContext().securityContextRepository(securityContextRepository)
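As an added example (not code from the original post or from Spring Security), here is a custom SecurityContextRepository of the kind the sentence above refers to. It keeps the SecurityContext in an application-owned store keyed by an opaque random token carried in a cookie, instead of in HttpSession; the store is an in-memory map here, and a database or Redis client would take its place. The class name, cookie name and store are all constructed for the example; the three interface methods are those of Spring Security 4.x.

```java
// Added example (not from the original post): a SecurityContextRepository backed by an
// application-owned store instead of HttpSession. Assumes Spring Security 4.x and the
// Servlet API on the classpath.
import java.security.SecureRandom;
import java.util.Base64;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;
import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.springframework.security.core.context.SecurityContext;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.security.web.context.HttpRequestResponseHolder;
import org.springframework.security.web.context.SecurityContextRepository;

public class TokenSecurityContextRepository implements SecurityContextRepository {

    private static final String COOKIE_NAME = "SCTX";   // constructed cookie name
    // Stand-in for a database or Redis: token -> context.
    private final Map<String, SecurityContext> store = new ConcurrentHashMap<>();
    private final SecureRandom random = new SecureRandom();

    // Called by SecurityContextPersistenceFilter before the chain runs.
    @Override
    public SecurityContext loadContext(HttpRequestResponseHolder holder) {
        String token = tokenFrom(holder.getRequest());
        SecurityContext ctx = token == null ? null : store.get(token);
        // Contract: never return null; an empty context means "anonymous".
        return ctx != null ? ctx : SecurityContextHolder.createEmptyContext();
    }

    // Called by SecurityContextPersistenceFilter after the chain has run
    // (repo.saveContext(...) in the trace above).
    @Override
    public void saveContext(SecurityContext context, HttpServletRequest request,
                            HttpServletResponse response) {
        String token = tokenFrom(request);
        if (context.getAuthentication() == null) {
            // Logged out or never authenticated: drop whatever was stored.
            if (token != null) store.remove(token);
            return;
        }
        if (token == null || !store.containsKey(token)) {
            // Issue a fresh, unguessable token on the first save so that a token
            // value chosen by the client is never honoured as a key.
            token = newToken();
            Cookie cookie = new Cookie(COOKIE_NAME, token);
            cookie.setHttpOnly(true);
            cookie.setSecure(true);
            cookie.setPath("/");
            response.addCookie(cookie);
        }
        store.put(token, context);
    }

    @Override
    public boolean containsContext(HttpServletRequest request) {
        String token = tokenFrom(request);
        return token != null && store.containsKey(token);
    }

    private String tokenFrom(HttpServletRequest request) {
        Cookie[] cookies = request.getCookies();
        if (cookies == null) return null;
        for (Cookie c : cookies) {
            if (COOKIE_NAME.equals(c.getName())) return c.getValue();
        }
        return null;
    }

    private String newToken() {
        byte[] bytes = new byte[32];   // 256 bits of entropy from SecureRandom
        random.nextBytes(bytes);
        return Base64.getUrlEncoder().withoutPadding().encodeToString(bytes);
    }
}
```

It is wired in exactly as the sentence above describes: http.securityContext().securityContextRepository(new TokenSecurityContextRepository()). One caveat the trace above hints at: saveContext runs after the filter chain, when the response may already be committed, which is why HttpSessionSecurityContextRepository does its saving from a response wrapper (SaveToSessionResponseWrapper). A production version of this class needs the same treatment for the cookie it sets, otherwise the first save after login can silently fail to reach the client.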


Authorization interception:

.authorizeRequests().antMatchers("/me").access("#oauth2.hasScope('read')")
For rules of this kind, the call chain is:

org.springframework.security.web.access.intercept.FilterSecurityInterceptor#invoke{
InterceptorStatusToken token = super.beforeInvocation(fi);
}
org.springframework.security.access.intercept.AbstractSecurityInterceptor#beforeInvocation{
this.accessDecisionManager.decide(authenticated, object, attributes);
}


For the global method security kind (for details see <Part 10: analysis of Spring Security's global method security using AOP>): a proxy is generated for the class whose methods are intercepted, and the before advice runs before the method itself is invoked

org.springframework.security.access.intercept.aopalliance.MethodSecurityInterceptor#invoke{
InterceptorStatusToken token = super.beforeInvocation(mi);
}
org.springframework.security.access.intercept.AbstractSecurityInterceptor#beforeInvocation{
this.accessDecisionManager.decide(authenticated, object, attributes);
}


Both kinds ultimately hand the decision to the decide method, which determines whether access is granted.
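The following is an added example, not code from the original post: it calls AccessDecisionManager#decide directly, the method both interceptor chains above end in, so the grant/deny contract is visible without a servlet container. It assumes spring-security-core 4.x on the classpath. The users and attributes are constructed for the demo, and ScopeVoter is a hypothetical voter for attributes of the form SCOPE_read, standing in for the page's #oauth2.hasScope('read') expression (which in a real application comes from the spring-security-oauth2 expression handler and is evaluated by an expression voter).

```java
// Added example (not from the original post): exercising AccessDecisionManager#decide,
// which AbstractSecurityInterceptor#beforeInvocation calls in both traces above.
import java.util.Arrays;
import java.util.Collection;
import java.util.List;
import org.springframework.security.access.AccessDecisionVoter;
import org.springframework.security.access.AccessDeniedException;
import org.springframework.security.access.ConfigAttribute;
import org.springframework.security.access.SecurityConfig;
import org.springframework.security.access.vote.AffirmativeBased;
import org.springframework.security.access.vote.RoleVoter;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.authority.AuthorityUtils;

public class DecideDemo {

    // Hypothetical voter: grants when the principal holds an authority equal to the
    // "SCOPE_..." attribute, denies when such an attribute is present but not held,
    // and abstains when no scope attribute is configured for the secured object.
    static class ScopeVoter implements AccessDecisionVoter<Object> {
        private static final String PREFIX = "SCOPE_";

        @Override
        public boolean supports(ConfigAttribute attribute) {
            return attribute.getAttribute() != null
                    && attribute.getAttribute().startsWith(PREFIX);
        }

        @Override
        public boolean supports(Class<?> clazz) {
            return true;
        }

        @Override
        public int vote(Authentication authentication, Object object,
                        Collection<ConfigAttribute> attributes) {
            int result = ACCESS_ABSTAIN;
            for (ConfigAttribute attribute : attributes) {
                if (!supports(attribute)) continue;
                result = ACCESS_DENIED;   // a scope attribute is present, so we must vote
                boolean held = AuthorityUtils.authorityListToSet(authentication.getAuthorities())
                        .contains(attribute.getAttribute());
                if (held) return ACCESS_GRANTED;
            }
            return result;
        }
    }

    // decide() returns normally when access is granted and throws
    // AccessDeniedException when it is not; that exception is what
    // ExceptionTranslationFilter later turns into a 403 or a login redirect.
    static boolean allowed(AffirmativeBased manager, Authentication auth, String... attrs) {
        try {
            manager.decide(auth, "/me", SecurityConfig.createList(attrs));
            return true;
        } catch (AccessDeniedException e) {
            return false;
        }
    }

    public static void main(String[] args) {
        // AffirmativeBased grants if any voter grants, denies if none grant and at
        // least one denies, and (by default) denies if every voter abstains.
        List<AccessDecisionVoter<? extends Object>> voters =
                Arrays.<AccessDecisionVoter<? extends Object>>asList(new RoleVoter(), new ScopeVoter());
        AffirmativeBased manager = new AffirmativeBased(voters);

        // Constructed principals for the demo.
        Authentication reader = new UsernamePasswordAuthenticationToken(
                "alice", "n/a", AuthorityUtils.createAuthorityList("ROLE_USER", "SCOPE_read"));
        Authentication admin = new UsernamePasswordAuthenticationToken(
                "bob", "n/a", AuthorityUtils.createAuthorityList("ROLE_ADMIN"));

        System.out.println(allowed(manager, reader, "SCOPE_read"));   // true
        System.out.println(allowed(manager, reader, "SCOPE_write"));  // false: scope not held
        System.out.println(allowed(manager, admin, "ROLE_ADMIN"));    // true: RoleVoter grants
        System.out.println(allowed(manager, admin, "SCOPE_read"));    // false: RoleVoter abstains, ScopeVoter denies
    }
}
```

The last case is the one worth remembering when writing voters: a voter that abstains on attributes it does not understand (RoleVoter for SCOPE_ attributes, ScopeVoter for ROLE_ attributes) leaves the decision to the others, and AffirmativeBased treats an all-abstain outcome as a denial unless allowIfAllAbstainDecisions is set, so an attribute nobody votes on fails closed rather than open.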