- • SecurityAutoConfiguration是SpringSecurity最重要的一个自动配置类
- • 像以前版本的教程说要在启动类上配@EnableWebSecurity,现在也是由这个自动配置类负责引入
- • 分析一 已经介绍了DefaultAuthenticationEventPublisher,所以说重点就只有使用@Import导入的三个类 , SpringBootWebSecurityConfiguration, WebSecurityEnablerConfiguration, SecurityDataConfiguration
@Configuration(proxyBeanMethods = false)
@ConditionalOnClass(DefaultAuthenticationEventPublisher.class)
@EnableConfigurationProperties(SecurityProperties.class)
@Import({ SpringBootWebSecurityConfiguration.class, WebSecurityEnablerConfiguration.class,
SecurityDataConfiguration.class })
public class SecurityAutoConfiguration {
/**
* 注册一个 {@link DefaultAuthenticationEventPublisher}
* <li>是为了在认证成功或者失败的时候能够发布对于的事件</li>
* @param publisher
* @return
*/
@Bean
@ConditionalOnMissingBean(AuthenticationEventPublisher.class)
public DefaultAuthenticationEventPublisher authenticationEventPublisher(ApplicationEventPublisher publisher) {
return new DefaultAuthenticationEventPublisher(publisher);
}
}
1、SpringBootWebSecurityConfiguration
- • 从源码能看出当容器中没有类型为WebSecurityConfigurerAdapter的Bean的时候并且当前环境为Serviet的情况下,会往容器中注册一个DefaultConfigurerAdapter
- • 这个类就是对于SpringSecurity的过滤器链做一个默认配置,比如说开启CSRF、Session管理、默认登录登出页等等
@Configuration(proxyBeanMethods = false)
@ConditionalOnClass(WebSecurityConfigurerAdapter.class)
@ConditionalOnMissingBean(WebSecurityConfigurerAdapter.class)
@ConditionalOnWebApplication(type = Type.SERVLET)
public class SpringBootWebSecurityConfiguration {
@Configuration(proxyBeanMethods = false)
@Order(SecurityProperties.BASIC_AUTH_ORDER)
static class DefaultConfigurerAdapter extends WebSecurityConfigurerAdapter {
}
}
2、WebSecurityEnablerConfiguration
- • 此类的核心就是导入了@EnableWebSecurity
@Configuration(proxyBeanMethods = false)
@ConditionalOnBean(WebSecurityConfigurerAdapter.class)
@ConditionalOnMissingBean(name = BeanIds.SPRING_SECURITY_FILTER_CHAIN)
@ConditionalOnWebApplication(type = ConditionalOnWebApplication.Type.SERVLET)
@EnableWebSecurity
public class WebSecurityEnablerConfiguration {
}
- • @EnableWebSecurity先是导入了三个类
- • WebSecurityConfiguration:使用WebSecurity创建FilterChainProxy,这是注册到Tomcat容器中的过滤器链
- • SpringWebMvcImportSelector:有关于一些SpringSecurity的参数可以借助SrpingMVC的参数解析功能进行获取的,正是因为这里注册了某些参数解析器
- • OAuth2ImportSelector:注册一些OAuth2的类
@Retention(value = java.lang.annotation.RetentionPolicy.RUNTIME)
@Target(value = { java.lang.annotation.ElementType.TYPE })
@Documented
@Import({ WebSecurityConfiguration.class,
SpringWebMvcImportSelector.class,
OAuth2ImportSelector.class })
@EnableGlobalAuthentication
@Configuration
public @interface EnableWebSecurity {
/**
* Controls debugging support for Spring Security. Default is false.
* @return if true, enables debug support with Spring Security
*/
boolean debug() default false;
}
- • 后又标记了一个@EnableGlobalAuthentication,紧接着导入了AuthenticationConfiguration
- • 而这个AuthenticationConfiguration是全局认证管理器的配置类,而认证管理器也就是整个认证的入口
@Retention(RetentionPolicy.RUNTIME)
@Target(ElementType.TYPE)
@Documented
@Import(AuthenticationConfiguration.class)
@Configuration
public @interface EnableGlobalAuthentication {
}
3、SecurityDataConfiguration
- • 自动添加Spring Security与Spring Data的集成
@Configuration(proxyBeanMethods = false)
@ConditionalOnClass(SecurityEvaluationContextExtension.class)
public class SecurityDataConfiguration {
@Bean
@ConditionalOnMissingBean
public SecurityEvaluationContextExtension securityEvaluationContextExtension() {
return new SecurityEvaluationContextExtension();
}
}