- Spring Security official documentation; the version used in this example is 5.6.3: https://docs.spring.io/spring-security/reference/index.html
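- To bring Spring Security into a Spring Boot project, use the following Maven coordinates: groupId org.springframework.boot, artifactId spring-boot-starter-security

1. What does a Spring Boot project do for us once the Spring Security dependency is added?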
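Auto-configuration class SpringBootWebSecurityConfiguration:
The source shows that, when the dependency is added and nothing else is configured, form login (formLogin) and HTTP Basic login (httpBasic) are both supported.
As the auto-configuration class above shows, the auto-configuration process only creates a SecurityFilterChain object. This is the core mechanism of Spring Security authentication and authorization: the filter chain. The user's authentication information passes through a series of filters in the chain; if authentication succeeds, authorization is granted, otherwise the authentication-failure handling logic runs. Which filters does the SecurityFilterChain contain by default? The key filters are marked in blue.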
2.1 Order of some common filters in the filter chain
- ChannelProcessingFilter
- WebAsyncManagerIntegrationFilter
- SecurityContextPersistenceFilter
- HeaderWriterFilter
- CorsFilter
- CsrfFilter
- LogoutFilter: logout filter
- OAuth2AuthorizationRequestRedirectFilter
- Saml2WebSsoAuthenticationRequestFilter
- X509AuthenticationFilter
- AbstractPreAuthenticatedProcessingFilter
- CasAuthenticationFilter
- OAuth2LoginAuthenticationFilter
- Saml2WebSsoAuthenticationFilter
- UsernamePasswordAuthenticationFilter: authenticates username/password logins
- OpenIDAuthenticationFilter
- DefaultLoginPageGeneratingFilter
- DefaultLogoutPageGeneratingFilter
- ConcurrentSessionFilter
- DigestAuthenticationFilter
- BearerTokenAuthenticationFilter
- BasicAuthenticationFilter
- RequestCacheAwareFilter
- SecurityContextHolderAwareRequestFilter
- JaasApiIntegrationFilter
- RememberMeAuthenticationFilter: implements remember-me
- AnonymousAuthenticationFilter
- OAuth2AuthorizationCodeGrantFilter
- SessionManagementFilter: session management
- ExceptionTranslationFilter
- FilterSecurityInterceptor
- SwitchUserFilter
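
To see which of the filters listed above are actually present in a running application, and in what order, the chain can be printed at startup. The following is an added example, not code from the original page or from Spring: the class and bean names are hypothetical, and it assumes Spring Boot 2.6.x with Spring Security 5.6.x (javax.servlet). It declares a chain with the behaviour described in section 1 (every request authenticated, formLogin and httpBasic enabled), then lists each chain's filters and flags any chain that has no CsrfFilter.

```java
import static org.springframework.security.config.Customizer.withDefaults;

import java.util.List;
import javax.servlet.Filter;
import org.springframework.boot.ApplicationRunner;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.web.SecurityFilterChain;
import org.springframework.security.web.csrf.CsrfFilter;

// Added example; FilterChainAuditConfig and its bean names are hypothetical.
@Configuration
public class FilterChainAuditConfig {

    // Declaring our own SecurityFilterChain bean makes Boot's default chain back off.
    // Assumption: this reproduces the default behaviour the page describes.
    @Bean
    SecurityFilterChain appSecurityFilterChain(HttpSecurity http) throws Exception {
        http.authorizeRequests(auth -> auth.anyRequest().authenticated())
            .formLogin(withDefaults())
            .httpBasic(withDefaults());
        return http.build();
    }

    // Runs once after startup: prints every chain's filters in execution order.
    @Bean
    ApplicationRunner printSecurityFilters(List<SecurityFilterChain> chains) {
        return args -> {
            for (SecurityFilterChain chain : chains) {
                List<Filter> filters = chain.getFilters();
                System.out.println("SecurityFilterChain with " + filters.size() + " filters:");
                for (int i = 0; i < filters.size(); i++) {
                    System.out.printf("  %2d. %s%n", i + 1,
                            filters.get(i).getClass().getSimpleName());
                }
                // Review aid: a chain without CsrfFilter has CSRF protection disabled.
                boolean hasCsrf = filters.stream().anyMatch(f -> f instanceof CsrfFilter);
                if (!hasCsrf) {
                    System.out.println("  WARNING: no CsrfFilter in this chain");
                }
            }
        };
    }
}
```

Only the filters that the configuration enables appear in the output, so the printed list is a subset of the ordering above.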



