默认SpringSecurity大致启动流程源码分析

先了解spring.factories

spring.factories

org.springframework.boot.autoconfigure.security.servlet.SecurityAutoConfiguration,
org.springframework.boot.autoconfigure.security.servlet.UserDetailsServiceAutoConfiguration,
org.springframework.boot.autoconfigure.security.servlet.SecurityFilterAutoConfiguration,
org.springframework.boot.autoconfigure.security.oauth2.client.servlet.OAuth2ClientAutoConfiguration,
org.springframework.boot.autoconfigure.security.oauth2.resource.servlet.OAuth2ResourceServerAutoConfiguration,

1. SecurityAutoConfiguration是主配置类，我们主要讲解该类
2. UserDetailsServiceAutoConfiguration是用于设置默认密码的，它这将会在SecurityAutoConfiguration配置HttpSecurity时配置，所以我们不细讲
3. SecurityFilterAutoConfiguration不讲
4. 后面两个为OAuth安全，不讲

我们主要分析SecurityAutoConfiguration，它是一个自动配置类，受EnableWebSecurit 的影响，会加载前会先导入HttpSecurityConfiguration和WebSecurityConfiguration

它们作用顺序分别为: HttpSecurityConfiguration配置HttpSecurityConfiguration、WebSecurityConfiguration配置WebSecurity

流程主要也是围绕: 配置HttpSecurity --> 配置默认的基本的SecurityFilterChain --> 配置WebSecurity --> 配置最终的SecurityFilterChain

也可以理解为：如何创建最终的SecurityFilterChain呢 ?

EnableWebSecurity和EnableGlobalAuthentication注解

@Import({ WebSecurityConfiguration.class, SpringWebMvcImportSelector.class, OAuth2ImportSelector.class,
      HttpSecurityConfiguration.class })
@EnableGlobalAuthentication
@Configuration
public @interface EnableWebSecurity {}
@Import(AuthenticationConfiguration.class)
@Configuration
public @interface EnableGlobalAuthentication {}

从HttpSecurityConfiguration开始，该类是HttpSecurity的基本配置类，配置如下:

HttpSecurityConfiguration.java

@Autowired
void setAuthenticationConfiguration(AuthenticationConfiguration authenticationConfiguration) {
    this.authenticationConfiguration = authenticationConfiguration;
}//1
@Bean(HTTPSECURITY_BEAN_NAME)
@Scope("prototype")
HttpSecurity httpSecurity() throws Exception {
   WebSecurityConfigurerAdapter.LazyPasswordEncoder passwordEncoder = new WebSecurityConfigurerAdapter.LazyPasswordEncoder(
         this.context);//2
   AuthenticationManagerBuilder authenticationBuilder = new WebSecurityConfigurerAdapter.DefaultPasswordEncoderAuthenticationManagerBuilder(
         this.objectPostProcessor, passwordEncoder);//3
   authenticationBuilder.parentAuthenticationManager(authenticationManager());//4
   HttpSecurity http = new HttpSecurity(this.objectPostProcessor, authenticationBuilder, createSharedObjects());//5
   http
      .csrf(withDefaults())
      .addFilter(new WebAsyncManagerIntegrationFilter())
      .exceptionHandling(withDefaults())
      .headers(withDefaults())
      .sessionManagement(withDefaults())
      .securityContext(withDefaults())
      .requestCache(withDefaults())
      .anonymous(withDefaults())
      .servletApi(withDefaults())
      .apply(new DefaultLoginPageConfigurer<>());
   http.logout(withDefaults());//6
   return http;
}

1. 依赖注入一个AuthenticationConfiguration，提前加载前面需要自动配置的AuthenticationConfiguration，

   该类创建了三个重要的Bean对象AuthenticationManagerBuild、InitializeUserDetailsBeanManagerConfigurer也就是和InitializeAuthenticationProviderBeanManagerConfigurer

   分别用来

   • 构建AuthenticationManager
   • 用来初始化spring.factories中的UserDetailsServiceAutoConfiguration，它的功能是提供默认的用户名和密码、
   • 初始化用户认证管理器(ProviderManager)

2. 创建一个懒密码加载器

3. 创建一个认证管理器构建器

4. 构建一个认证管理器

   AuthenticationConfiguration.java

   public AuthenticationManager getAuthenticationManager() throws Exception {
      //...
      for (GlobalAuthenticationConfigurerAdapter config : this.globalAuthConfigurers) {
         authBuilder.apply(config);
      }//1
      this.authenticationManager = authBuilder.build();//2
      //...
      return this.authenticationManager;
   }
   

   1. 构建器使用全局认证配置，也就是前面创建AuthencationConfiguration时提及的

   2. 构建认证管理器

      直接看最后的doBuild()

      AbstractConfiguredSecurityBuilder

      protected final O doBuild() throws Exception {
         synchronized (this.configurers) {
            this.buildState = BuildState.INITIALIZING;
            beforeInit();//1
            init();//2
            this.buildState = BuildState.CONFIGURING;
            beforeConfigure();//3
            configure();//4
            this.buildState = BuildState.BUILDING;
            O result = performBuild();//5
            this.buildState = BuildState.BUILT;
            return result;
         }
      }
      

      1. 初始化前操作

      2. 初始化配置器

      3. 配置前操作

      4. 配置配置器，配置器有很多就不多讲了，配置过程如下:

         AbstractConfiguredSecurityBuilder

         private void configure() throws Exception {
            Collection> configurers = getConfigurers();
            for (SecurityConfigurer configurer : configurers) {
               configurer.configure((B) this);
            }
         }
         

      5. 开始构建

         该方法创建并返回PrivideManager

         AuthenticationManagerBuilder.java

         protected ProviderManager performBuild() throws Exception {
            ProviderManager providerManager = new ProviderManager(this.authenticationProviders,
                  this.parentAuthenticationManager);
            return providerManager;
         }
         

5. 创建HttpSecurity，将之前的Privider注入HttpSecurity中

6. HttpSecurity配置基本的配置器

默认的HttpSecurity配置完之后，将会开始配置默认的SecurityFilterChain，

我们看SecurityAutoConfiguration导入的SpringBootWebSecurityConfiguration类

SpringBootWebSecurityConfiguration.java

@Configuration(proxyBeanMethods = false)
@ConditionalOnDefaultWebSecurity//1
@ConditionalOnWebApplication(type = Type.SERVLET)
class SpringBootWebSecurityConfiguration {
   @Bean
   @Order(SecurityProperties.BASIC_AUTH_ORDER)
   SecurityFilterChain defaultSecurityFilterChain(HttpSecurity http) throws Exception {
      http.authorizeRequests().anyRequest().authenticated().and().formLogin().and().httpBasic();
      return http.build();//2
   }

}

1. 该类在满足默认WebSecurity时才会配置，如下:

   @Conditional(DefaultWebSecurityCondition.class)//1
   public @interface ConditionalOnDefaultWebSecurity {}
   class DefaultWebSecurityCondition extends AllNestedConditions {
   	DefaultWebSecurityCondition() {super(ConfigurationPhase.REGISTER_BEAN);}
   	@ConditionalOnClass({ SecurityFilterChain.class, HttpSecurity.class })
   	static class Classes {}//2
   	@ConditionalOnMissingBean({ WebSecurityConfigurerAdapter.class, SecurityFilterChain.class })
   	static class Beans {}//3
   }
   
   

   1. 满足DefaultWebSecurityCondition条件
   2. 满足具有SecurityFilterChain.class, HttpSecurity.class两个类
   3. 满足缺少WebSecurityConfigurerAdapter.class, SecurityFilterChain.class两个Bean,，而默认的Security配置是缺少这两个类的

2. 创建默认基本的SecurityFilterChain，这里创建完成SecurityFilterChain具有十五个基本的Filter:

配置完默认基本的SecurityFilterChain后，将会配置WebSecurity

我们看到WebSecurityConfiguration类

先看它是如何配置WebSecurity的，如下：

WebrSecurityConfiguration.java

@Autowired(required = false)
public void setFilterChainProxySecurityConfigurer(ObjectPostProcessor