About Spring Security

Source: Internet  Editor: 程序博客网  Time: 2024/05/16 04:04

Saving and removing the request

// save request
org.springframework.security.web.access.ExceptionTranslationFilter#doFilter
    { handleSpringSecurityException(request, response, chain, ase); }
org.springframework.security.web.access.ExceptionTranslationFilter#handleSpringSecurityException
    { sendStartAuthentication(request, response, chain,
          new InsufficientAuthenticationException("Full authentication is required to access this resource")); }
org.springframework.security.web.access.ExceptionTranslationFilter#sendStartAuthentication
    { requestCache.saveRequest(request, response); }
org.springframework.security.web.savedrequest.HttpSessionRequestCache#saveRequest
    { request.getSession().setAttribute(SAVED_REQUEST, savedRequest); }

// remove request
// case 1: successful authentication
org.springframework.security.web.authentication.AbstractAuthenticationProcessingFilter#doFilter
    { successfulAuthentication(request, response, chain, authResult); }
org.springframework.security.web.authentication.AbstractAuthenticationProcessingFilter#successfulAuthentication
    { successHandler.onAuthenticationSuccess(request, response, authResult); }
org.springframework.security.web.authentication.SavedRequestAwareAuthenticationSuccessHandler#onAuthenticationSuccess
    { requestCache.removeRequest(request, response); }
org.springframework.security.web.savedrequest.HttpSessionRequestCache#removeRequest
    { session.removeAttribute(SAVED_REQUEST); }

// case 2: the saved request is replayed
org.springframework.security.web.savedrequest.RequestCacheAwareFilter#doFilter
    { HttpServletRequest wrappedSavedRequest =
          requestCache.getMatchingRequest((HttpServletRequest) request, (HttpServletResponse) response); }
org.springframework.security.web.savedrequest.HttpSessionRequestCache#getMatchingRequest
    { removeRequest(request, response); }
org.springframework.security.web.savedrequest.HttpSessionRequestCache#removeRequest
    { session.removeAttribute(SAVED_REQUEST); }

Saving the session (if you want to persist it to Redis, look at

org.springframework.security.web.context.SecurityContextPersistenceFilter#doFilter
    { repo.saveContext(contextAfterChainExecution, holder.getRequest(), holder.getResponse()); }
org.springframework.security.web.context.HttpSessionSecurityContextRepository#saveContext
    { responseWrapper.saveContext(context); }
org.springframework.security.web.context.HttpSessionSecurityContextRepository.SaveToSessionResponseWrapper#saveContext
    { HttpSession httpSession = request.getSession(false);
      httpSession.setAttribute(springSecurityContextKey, context); }

This repo has two implementations in Spring Security: org.springframework.security.web.context.HttpSessionSecurityContextRepository and org.springframework.security.web.context.NullSecurityContextRepository (the latter exists so that nothing is saved to the session, e.g. to keep the server side stateless). If you want to inject your own implementation, for example one that saves to a database, the way to do it is to override org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter#configure(org.springframework.security.config.annotation.web.builders.HttpSecurity):

http.securityContext().securityContextRepository(securityContextRepository);
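As an added example (not code from the original post), here is a minimal custom SecurityContextRepository wired in through that configure override. The ConcurrentHashMap stands in for the database or Redis store the post mentions, and the header name X-Session-Token is an assumed placeholder.

```java
import java.util.Map;
import java.util.UUID;
import java.util.concurrent.ConcurrentHashMap;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.core.context.SecurityContext;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.security.web.context.HttpRequestResponseHolder;
import org.springframework.security.web.context.SecurityContextRepository;

// Keeps the SecurityContext out of the HttpSession, keyed by an opaque token.
class TokenSecurityContextRepository implements SecurityContextRepository {
    static final String TOKEN_HEADER = "X-Session-Token";                     // assumed header name
    private final Map<String, SecurityContext> store = new ConcurrentHashMap<>(); // stand-in for the DB

    @Override public SecurityContext loadContext(HttpRequestResponseHolder holder) {
        String token = holder.getRequest().getHeader(TOKEN_HEADER);
        SecurityContext ctx = token == null ? null : store.get(token);
        // Never return null: an empty context is how the filter chain sees an anonymous caller.
        return ctx != null ? ctx : SecurityContextHolder.createEmptyContext();
    }

    @Override public void saveContext(SecurityContext ctx, HttpServletRequest req, HttpServletResponse res) {
        // Invoked from SecurityContextPersistenceFilter#doFilter once the chain has run.
        String token = req.getHeader(TOKEN_HEADER);
        if (ctx.getAuthentication() == null) {        // logged out or never authenticated
            if (token != null) store.remove(token);   // drop stale server-side state
            return;
        }
        if (token == null || !store.containsKey(token)) {
            token = UUID.randomUUID().toString();     // fresh, unguessable token per login
            res.setHeader(TOKEN_HEADER, token);       // only possible while res is uncommitted
        }
        store.put(token, ctx);
    }

    @Override public boolean containsContext(HttpServletRequest req) {
        String token = req.getHeader(TOKEN_HEADER);
        return token != null && store.containsKey(token);
    }
}

@Configuration @EnableWebSecurity
class SecurityConfig extends WebSecurityConfigurerAdapter {
    @Override protected void configure(HttpSecurity http) throws Exception {
        http.securityContext().securityContextRepository(new TokenSecurityContextRepository());
    }
}
```

Note that HttpSessionSecurityContextRepository wraps the response precisely so it can save before the response is committed; a custom repository that writes to the response must handle that ordering itself.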

Authorization interception handling:

For rules of the .authorizeRequests().antMatchers("/me").access("#oauth2.hasScope('read')") kind:

org.springframework.security.web.access.intercept.FilterSecurityInterceptor#invoke
    { InterceptorStatusToken token = super.beforeInvocation(fi); }
org.springframework.security.access.intercept.AbstractSecurityInterceptor#beforeInvocation
    { this.accessDecisionManager.decide(authenticated, object, attributes); }

For the global method security kind (see <十springSecurity启用全局方法使用aop的分析>, the post analysing how global method security uses AOP, for details): a proxy is generated for the class whose methods are intercepted, and the before advice runs before the method itself is invoked:

org.springframework.security.access.intercept.aopalliance.MethodSecurityInterceptor#invoke
    { InterceptorStatusToken token = super.beforeInvocation(mi); }
org.springframework.security.access.intercept.AbstractSecurityInterceptor#beforeInvocation
    { this.accessDecisionManager.decide(authenticated, object, attributes); }

Both kinds ultimately come down to the decide method, which decides whether access is granted.
