About Spring Security
2016-04-13 22:49
Saving and removing the request
//save request
org.springframework.security.web.access.ExceptionTranslationFilter#doFilter{
    handleSpringSecurityException(request, response, chain, ase);
}
org.springframework.security.web.access.ExceptionTranslationFilter#handleSpringSecurityException{
    sendStartAuthentication(request,response,chain,new InsufficientAuthenticationException("Full authentication is required to access this resource"));
}
org.springframework.security.web.access.ExceptionTranslationFilter#sendStartAuthentication{
    requestCache.saveRequest(request, response);
}
org.springframework.security.web.savedrequest.HttpSessionRequestCache#saveRequest{
    request.getSession().setAttribute(SAVED_REQUEST, savedRequest);
}

//remove request
//case 1
org.springframework.security.web.authentication.AbstractAuthenticationProcessingFilter#doFilter{
    successfulAuthentication(request, response, chain, authResult);
}
org.springframework.security.web.authentication.AbstractAuthenticationProcessingFilter#successfulAuthentication{
    successHandler.onAuthenticationSuccess(request, response, authResult);
}
org.springframework.security.web.authentication.SavedRequestAwareAuthenticationSuccessHandler#onAuthenticationSuccess{
    requestCache.removeRequest(request, response);
}
org.springframework.security.web.savedrequest.HttpSessionRequestCache#removeRequest{
    session.removeAttribute(SAVED_REQUEST);
}

//case 2
org.springframework.security.web.savedrequest.RequestCacheAwareFilter#doFilter{
    HttpServletRequest wrappedSavedRequest = requestCache.getMatchingRequest((HttpServletRequest) request, (HttpServletResponse) response);
}
org.springframework.security.web.savedrequest.HttpSessionRequestCache#getMatchingRequest{
    removeRequest(request, response);
}
org.springframework.security.web.savedrequest.HttpSessionRequestCache#removeRequest{
    session.removeAttribute(SAVED_REQUEST);
}
Saving the session (if you want to persist it to Redis, you need to look at
org.springframework.security.web.context.SecurityContextPersistenceFilter#doFilter{
    repo.saveContext(contextAfterChainExecution, holder.getRequest(),holder.getResponse());
}
org.springframework.security.web.context.HttpSessionSecurityContextRepository#saveContext{
    responseWrapper.saveContext(context);
}
org.springframework.security.web.context.HttpSessionSecurityContextRepository.SaveToSessionResponseWrapper#saveContext{
    HttpSession httpSession = request.getSession(false);
    httpSession.setAttribute(springSecurityContextKey, context);
}
Spring Security ships two implementations of this repo: org.springframework.security.web.context.HttpSessionSecurityContextRepository and org.springframework.security.web.context.NullSecurityContextRepository (the latter exists so that no session is saved, for example when the server is kept stateless). To inject your own implementation, for example one that saves to a database, do the following: override org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter#configure(org.springframework.security.config.annotation.web.builders.HttpSecurity)
http.securityContext().securityContextRepository(securityContextRepository)
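A custom repository that could be passed to the securityContextRepository(...) call above, as an added example that is not from the original post or from Spring Security itself. The class name StoreBackedSecurityContextRepository and the in-memory Map standing in for Redis or a database are assumptions, as is a javax.servlet-based Spring Security version (the ones that provide WebSecurityConfigurerAdapter).

```java
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;
import javax.servlet.http.*;
import org.springframework.security.authentication.AuthenticationTrustResolver;
import org.springframework.security.authentication.AuthenticationTrustResolverImpl;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.context.SecurityContext;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.security.web.context.HttpRequestResponseHolder;
import org.springframework.security.web.context.SecurityContextRepository;

// Hypothetical class; the Map stands in for Redis or a DB table (a real store needs a TTL).
public class StoreBackedSecurityContextRepository implements SecurityContextRepository {
    private final Map<String, SecurityContext> store = new ConcurrentHashMap<>();
    private final AuthenticationTrustResolver trust = new AuthenticationTrustResolverImpl();

    @Override
    public SecurityContext loadContext(HttpRequestResponseHolder holder) {
        String key = key(holder.getRequest());
        SecurityContext ctx = (key == null) ? null : store.get(key);
        // Unknown session: hand back an empty context, never null.
        return (ctx != null) ? ctx : SecurityContextHolder.createEmptyContext();
    }

    @Override
    public void saveContext(SecurityContext context, HttpServletRequest request,
                            HttpServletResponse response) {
        String key = key(request);
        if (key == null) return; // no session to bind the context to
        Authentication auth = context.getAuthentication();
        if (auth == null || trust.isAnonymous(auth)) {
            store.remove(key);   // cleared or anonymous context: drop any stale entry
        } else {
            store.put(key, context);
        }
    }

    @Override
    public boolean containsContext(HttpServletRequest request) {
        String key = key(request);
        return key != null && store.containsKey(key);
    }

    // getSession(false): look up the container-validated session, never create one.
    private static String key(HttpServletRequest request) {
        HttpSession session = request.getSession(false);
        return (session == null) ? null : session.getId();
    }
}
```

Keying on the container's session id means the entry follows the id change that session-fixation protection performs at login, and an anonymous or cleared context is never written to the store.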
Authorization interception handling:
.authorizeRequests().antMatchers("/me").access("#oauth2.hasScope('read')")
For this kind:
org.springframework.security.web.access.intercept.FilterSecurityInterceptor#invoke{
    InterceptorStatusToken token = super.beforeInvocation(fi);
}
org.springframework.security.access.intercept.AbstractSecurityInterceptor#beforeInvocation{
    this.accessDecisionManager.decide(authenticated, object, attributes);
}
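For the kind where global method security is enabled (for details see <10. Analysis of how Spring Security's global method security uses AOP>): a proxy is generated for the class whose methods are intercepted, and the before advice is invoked before the method is called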
org.springframework.security.access.intercept.aopalliance.MethodSecurityInterceptor#invoke{
    InterceptorStatusToken token = super.beforeInvocation(mi);
}
org.springframework.security.access.intercept.AbstractSecurityInterceptor#beforeInvocation{
    this.accessDecisionManager.decide(authenticated, object, attributes);
}
In both kinds, the decide method ultimately decides whether access is granted.