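The base interface for configuring a SecurityBuilder.
Every SecurityConfigurer first has its init(SecurityBuilder) method invoked.
After all init(SecurityBuilder) methods have been invoked, each configure(SecurityBuilder) method is invoked.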
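```java
public interface SecurityConfigurer<O, B extends SecurityBuilder<O>> {

    // Phase 1: called on every configurer before any configure() call.
    void init(B builder) throws Exception;

    // Phase 2: called on every configurer after all init() calls have finished.
    void configure(B builder) throws Exception;
}
```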
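WebSecurityConfigurer

Configures WebSecurity.
In most cases, users will use @EnableWebSecurity and extend WebSecurityConfigurerAdapter to configure WebSecurity; the configuration is applied to WebSecurity automatically through the @EnableWebSecurity annotation.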
```java
public interface WebSecurityConfigurer<T extends SecurityBuilder<Filter>>
        extends SecurityConfigurer<Filter, T> {
}
```
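WebSecurityConfigurerAdapter

A convenient base class for creating WebSecurityConfigurer instances. The implementation allows customization by overriding methods.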
```java
// Abridged: only the methods discussed here are shown.
@Order(100)
public abstract class WebSecurityConfigurerAdapter implements WebSecurityConfigurer<WebSecurity> {

    // Registers this adapter's HttpSecurity as one filter-chain builder of WebSecurity.
    public void init(final WebSecurity web) throws Exception {
        final HttpSecurity http = getHttp();
        web.addSecurityFilterChainBuilder(http).postBuildAction(new Runnable() {
            public void run() {
                FilterSecurityInterceptor securityInterceptor = http
                        .getSharedObject(FilterSecurityInterceptor.class);
                web.securityInterceptor(securityInterceptor);
            }
        });
    }

    // Override to customize WebSecurity itself; empty by default.
    public void configure(WebSecurity web) throws Exception {
    }

    // Default policy: every request must be authenticated, via form login or HTTP Basic.
    protected void configure(HttpSecurity http) throws Exception {
        http.authorizeRequests()
                .anyRequest().authenticated()
                .and()
            .formLogin().and()
            .httpBasic();
    }
}
```
SecurityBuilder

The base interface for building an object.
```java
public interface SecurityBuilder<O> {
    O build() throws Exception;
}
```
AbstractSecurityBuilder

A base SecurityBuilder that ensures the object being built is built only once.
```java
public abstract class AbstractSecurityBuilder<O> implements SecurityBuilder<O> {

    private AtomicBoolean building = new AtomicBoolean();

    private O object;

    // Only the first caller flips the flag and builds; any later call fails.
    public final O build() throws Exception {
        if (this.building.compareAndSet(false, true)) {
            this.object = doBuild();
            return this.object;
        }
        throw new AlreadyBuiltException("This object has already been built");
    }

    public final O getObject() {
        if (!this.building.get()) {
            throw new IllegalStateException("This object has not been built");
        }
        return this.object;
    }

    // Subclasses implement the actual build.
    protected abstract O doBuild() throws Exception;
}
```
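AbstractConfiguredSecurityBuilder

A base extension of SecurityBuilder.
Multiple SecurityConfigurer instances can be applied to a SecurityBuilder.
This makes modifying the SecurityBuilder a strategy that can be customized and broken up into a number of SecurityConfigurer objects, each with a more specific goal than the SecurityBuilder itself.
For example, a SecurityBuilder may build a DelegatingFilterProxy, while a SecurityConfigurer populates the SecurityBuilder with the filters needed for session management, form-based login, authorization, and so on.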
```java
// Abridged: fields and helper methods are omitted.
public abstract class AbstractConfiguredSecurityBuilder<O, B extends SecurityBuilder<O>>
        extends AbstractSecurityBuilder<O> {

    public <C extends SecurityConfigurerAdapter<O, B>> C apply(C configurer) throws Exception {
        configurer.addObjectPostProcessor(objectPostProcessor);
        configurer.setBuilder((B) this);
        add(configurer);
        return configurer;
    }

    public <C extends SecurityConfigurer<O, B>> C apply(C configurer) throws Exception {
        add(configurer);
        return configurer;
    }

    // Shared objects let configurers exchange state through the builder.
    public <C> void setSharedObject(Class<C> sharedType, C object) {
        this.sharedObjects.put(sharedType, object);
    }

    public <C> C getSharedObject(Class<C> sharedType) {
        return (C) this.sharedObjects.get(sharedType);
    }

    // Build lifecycle: init every configurer, then configure every configurer, then build.
    @Override
    protected final O doBuild() throws Exception {
        synchronized (configurers) {
            buildState = BuildState.INITIALIZING;
            beforeInit();
            init();

            buildState = BuildState.CONFIGURING;
            beforeConfigure();
            configure();

            buildState = BuildState.BUILDING;
            O result = performBuild();

            buildState = BuildState.BUILT;
            return result;
        }
    }
}
```
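The two-phase lifecycle in doBuild() is what makes shared objects safe to use from a custom configurer. The following is an added example, not code from the original page or from Spring Security: AuditConfigurer and AuditCounter are hypothetical names, and it assumes the Spring Security 5.x API (javax.servlet) that the listings above come from.

```java
import java.io.IOException;
import java.util.concurrent.atomic.AtomicLong;
import javax.servlet.FilterChain;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configurers.AbstractHttpConfigurer;
import org.springframework.security.web.access.intercept.FilterSecurityInterceptor;
import org.springframework.web.filter.OncePerRequestFilter;

// Hypothetical configurer: counts requests that made it past authorization.
public class AuditConfigurer extends AbstractHttpConfigurer<AuditConfigurer, HttpSecurity> {

    /** Hypothetical shared state, published through the builder's shared objects. */
    public static final class AuditCounter extends AtomicLong { }

    @Override
    public void init(HttpSecurity http) {
        // INITIALIZING phase: runs for every configurer before any configure() call,
        // so state published here is visible to all configurers in the next phase.
        if (http.getSharedObject(AuditCounter.class) == null) {
            http.setSharedObject(AuditCounter.class, new AuditCounter());
        }
    }

    @Override
    public void configure(HttpSecurity http) {
        // CONFIGURING phase: shared objects are complete, so filters can be contributed.
        AuditCounter counter = http.getSharedObject(AuditCounter.class);
        http.addFilterAfter(new OncePerRequestFilter() {
            @Override
            protected void doFilterInternal(HttpServletRequest req, HttpServletResponse res,
                    FilterChain chain) throws ServletException, IOException {
                counter.incrementAndGet(); // reached only if FilterSecurityInterceptor allowed the request
                chain.doFilter(req, res);
            }
        }, FilterSecurityInterceptor.class);
    }
}
```

It is applied inside configure(HttpSecurity http) with http.apply(new AuditConfigurer()).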
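WebSecurity

WebSecurity is created by WebSecurityConfiguration to build the FilterChainProxy known as the Spring Security filter chain (springSecurityFilterChain). springSecurityFilterChain is the Filter that DelegatingFilterProxy delegates to. WebSecurity can be customized by creating a WebSecurityConfigurer or, more likely, by overriding WebSecurityConfigurerAdapter.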
```java
// Abridged: only performBuild() is shown.
public final class WebSecurity extends AbstractConfiguredSecurityBuilder<Filter, WebSecurity>
        implements SecurityBuilder<Filter>, ApplicationContextAware {

    @Override
    protected Filter performBuild() throws Exception {
        Assert.state(
                !securityFilterChainBuilders.isEmpty(),
                () -> "At least one SecurityBuilder<? extends SecurityFilterChain> needs to be specified. "
                        + "Typically this done by adding a @Configuration that extends WebSecurityConfigurerAdapter. "
                        + "More advanced users can invoke "
                        + WebSecurity.class.getSimpleName()
                        + ".addSecurityFilterChainBuilder directly");
        int chainSize = ignoredRequests.size() + securityFilterChainBuilders.size();
        List<SecurityFilterChain> securityFilterChains = new ArrayList<>(chainSize);
        // Each ignored matcher becomes a chain with no filters at all.
        for (RequestMatcher ignoredRequest : ignoredRequests) {
            securityFilterChains.add(new DefaultSecurityFilterChain(ignoredRequest));
        }
        // Each registered builder (normally an HttpSecurity) contributes one chain.
        for (SecurityBuilder<? extends SecurityFilterChain> securityFilterChainBuilder : securityFilterChainBuilders) {
            securityFilterChains.add(securityFilterChainBuilder.build());
        }
        FilterChainProxy filterChainProxy = new FilterChainProxy(securityFilterChains);
        if (httpFirewall != null) {
            filterChainProxy.setFirewall(httpFirewall);
        }
        filterChainProxy.afterPropertiesSet();

        Filter result = filterChainProxy;
        if (debugEnabled) {
            logger.warn("\n\n"
                    + "********************************************************************\n"
                    + "********** Security debugging is enabled. *************\n"
                    + "********** This may include sensitive information. *************\n"
                    + "********** Do not use in a production system! *************\n"
                    + "********************************************************************\n\n");
            result = new DebugFilter(filterChainProxy);
        }
        postBuildAction.run();
        return result;
    }
}
```
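performBuild() turns every ignored matcher into a DefaultSecurityFilterChain with no filters, so ignored paths get none of the filters an HttpSecurity chain would install, such as the security header and CSRF filters that are on by default. The following is an added example, not code from the original page: it sets the weak setting beside the corrected one, assuming the Spring Security 5.x API, with hypothetical class names and a constructed /public/** path.

```java
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.builders.WebSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;

// Register only ONE of the two nested classes; names and paths are constructed for illustration.
public class PublicPathConfigs {

    // Weak: /public/** is matched by an empty chain, so no security filter ever runs for it.
    @Configuration
    @EnableWebSecurity
    static class IgnoredPublicPaths extends WebSecurityConfigurerAdapter {
        @Override
        public void configure(WebSecurity web) {
            web.ignoring().antMatchers("/public/**");
        }
        // configure(HttpSecurity) is not overridden: the adapter default shown above applies.
    }

    // Corrected: /public/** stays inside the HttpSecurity chain and is merely
    // exempt from authentication; the chain's other filters still apply.
    @Configuration
    @EnableWebSecurity
    static class PermittedPublicPaths extends WebSecurityConfigurerAdapter {
        @Override
        protected void configure(HttpSecurity http) throws Exception {
            http.authorizeRequests()
                    .antMatchers("/public/**").permitAll()
                    .anyRequest().authenticated()
                    .and()
                .formLogin();
        }
    }
}
```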
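HttpSecurity

HttpSecurity is similar to Spring Security's XML <http> element in the namespace configuration.
It allows web-based security to be configured for specific HTTP requests.
By default it applies to all requests, but it can be restricted using requestMatcher(RequestMatcher) or other similar methods.
Here, HttpSecurity builds the filter chains held by the FilterChainProxy (springSecurityFilterChain).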
```java
// Abridged: only the fields and method discussed here are shown.
public final class HttpSecurity
        extends AbstractConfiguredSecurityBuilder<DefaultSecurityFilterChain, HttpSecurity>
        implements SecurityBuilder<DefaultSecurityFilterChain>, HttpSecurityBuilder<HttpSecurity> {

    private final RequestMatcherConfigurer requestMatcherConfigurer;
    private List<Filter> filters = new ArrayList<>();
    // Matches every request unless it is narrowed with requestMatcher(...).
    private RequestMatcher requestMatcher = AnyRequestMatcher.INSTANCE;
    private FilterComparator comparator = new FilterComparator();

    // Sorts the collected filters into their fixed order and pairs them with the matcher.
    @Override
    protected DefaultSecurityFilterChain performBuild() throws Exception {
        Collections.sort(filters, comparator);
        return new DefaultSecurityFilterChain(requestMatcher, filters);
    }
}
```
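Because each HttpSecurity yields one DefaultSecurityFilterChain and FilterChainProxy applies only the first chain whose matcher accepts the request, the narrower chain has to be ordered before the catch-all. The following is an added example, not code from the original page, assuming the Spring Security 5.x API: the class names, the /api/** path and the API role are constructed.

```java
import org.springframework.context.annotation.Configuration;
import org.springframework.core.annotation.Order;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.config.http.SessionCreationPolicy;

@EnableWebSecurity
public class MultiChainConfig {

    // Narrow chain: consulted first, and only for /api/**.
    @Configuration
    @Order(1)
    static class ApiChain extends WebSecurityConfigurerAdapter {
        @Override
        protected void configure(HttpSecurity http) throws Exception {
            http.antMatcher("/api/**") // replaces the default AnyRequestMatcher
                .authorizeRequests().anyRequest().hasRole("API").and()
                .sessionManagement()
                    .sessionCreationPolicy(SessionCreationPolicy.STATELESS).and()
                .httpBasic();
        }
    }

    // Catch-all chain: no @Order of its own, so it sorts after ApiChain
    // (the adapter base class carries @Order(100), as the listing above shows).
    @Configuration
    static class WebChain extends WebSecurityConfigurerAdapter {
        @Override
        protected void configure(HttpSecurity http) throws Exception {
            http.authorizeRequests().anyRequest().authenticated().and()
                .formLogin();
        }
    }
}
```

If the catch-all chain were ordered first, its AnyRequestMatcher would claim /api/** as well and the API rules would never be evaluated.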



