The following is an excerpt from the 2022 tutorial series shared by Fat Brother.

When learning Spring Security, did you have the following two questions?

  • How is login configured in Spring Security?
  • What is the access control mechanism of Spring Security?

SpringBootWebSecurityConfiguration

The answer to both questions is in the configuration class SpringBootWebSecurityConfiguration. The original article summarises this auto-configuration with a mind map (not reproduced here); the key points follow.

SpringBootWebSecurityConfiguration provides the default Spring Security configuration for a Spring Boot application. It is only applied when the application declares no security configuration of its own (the class is annotated @ConditionalOnDefaultWebSecurity), which is why defining your own SecurityFilterChain bean replaces it entirely.

    @Bean
    @Order(SecurityProperties.BASIC_AUTH_ORDER)   // deliberately a low priority so user-defined chains win
    SecurityFilterChain defaultSecurityFilterChain(HttpSecurity http) throws Exception {
        // every request needs an authenticated user; form login and HTTP Basic are both enabled
        http.authorizeRequests().anyRequest().authenticated().and().formLogin().and().httpBasic();
        return http.build();
    }

This configuration says: every request must come from an authenticated user, and both form login and HTTP Basic authentication are enabled. So when you access /foo/bar you are asked to log in and can authenticate through the login form. This is the configuration that is in effect out of the box, and it is the one we customise in daily development; Fat Brother also covered it in the article on HttpSecurity. One caveat for readers on newer versions: the default shown here uses authorizeRequests() and the and() chaining style, both of which are deprecated in recent Spring Security releases in favour of authorizeHttpRequests() and the lambda DSL, so prefer those in new code. But what exactly is this SecurityFilterChain?
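As an added example (not code from the original article or from Spring), here is what a customised replacement for the default chain typically looks like. It assumes Spring Boot 2.7 / Spring Security 5.7 (the versions current when the article was written) and uses the lambda DSL with authorizeHttpRequests(); the class name, URL patterns and role are illustrative. The security-relevant point it demonstrates is rule ordering inside one chain: specific matchers go first and the deny-by-default anyRequest().authenticated() goes last.

```java
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.Customizer;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.web.SecurityFilterChain;

// Hypothetical application configuration, added for illustration.
// Declaring our own SecurityFilterChain bean disables the Spring Boot default chain
// (SpringBootWebSecurityConfiguration is @ConditionalOnDefaultWebSecurity).
@Configuration
public class CustomSecurityConfig {

    @Bean
    SecurityFilterChain appSecurityFilterChain(HttpSecurity http) throws Exception {
        http
            .authorizeHttpRequests(auth -> auth
                // Order matters: rules are evaluated top to bottom and the first match wins.
                // Public resources: assumed paths, adjust to your application.
                .antMatchers("/", "/login", "/css/**", "/js/**").permitAll()
                // Health endpoint for the load balancer; nothing else under /actuator is opened.
                .antMatchers("/actuator/health").permitAll()
                // Role check: hasRole("ADMIN") expects the authority ROLE_ADMIN.
                .antMatchers("/admin/**").hasRole("ADMIN")
                // Deny by default: anything not listed above needs an authenticated user.
                // anyRequest() must be the last rule; Spring Security rejects matchers placed after it.
                .anyRequest().authenticated())
            // Keep both login mechanisms of the default chain.
            .formLogin(Customizer.withDefaults())
            .httpBasic(Customizer.withDefaults());
        return http.build();
    }
}
```

In Spring Security 6 the antMatchers(...) calls become requestMatchers(...); everything else is unchanged. The permitAll() entries are the lines to audit most carefully, since each one is a hole in the deny-by-default rule.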

SecurityFilterChain

As seen above, HttpSecurity is a builder class; its mission is to build a SecurityFilterChain:

    public interface SecurityFilterChain {
        // does this chain apply to the current request?
        boolean matches(HttpServletRequest request);
        // the ordered list of filters that make up this chain
        List<Filter> getFilters();
    }

When an HttpServletRequest arrives, the matches method decides whether the request qualifies to enter this particular filter chain. It is like a VIP lane: a VIP goes through the VIP channel and gets the VIP treatment, while an ordinary user goes through the ordinary channel and gets the ordinary treatment.

Whatever role the user has, the request passes through exactly one filter chain, and an application can have one or more SecurityFilterChains. So who manages multiple SecurityFilterChains and decides which one a request enters?

Remember this formula: HttpSecurity -> SecurityFilterChain.

FilterChainProxy

FilterChainProxy is a GenericFilterBean (a Servlet Filter that is also a Spring bean) that manages all SecurityFilterChains registered in the Spring IoC container. When I first came into contact with Spring Security, I configured FilterChainProxy like this:

    <bean id="myfilterChainProxy" class="org.springframework.security.web.FilterChainProxy">
        <constructor-arg>
            <util:list>
                <security:filter-chain pattern="/do/not/filter*" filters="none"/>
                <security:filter-chain pattern="/**" filters="filter1,filter2,filter3"/>
            </util:list>
        </constructor-arg>
    </bean>

Different request paths are matched to different SecurityFilterChains. FilterChainProxy tries the chains in declaration order and hands the request to the first one whose pattern matches, so the specific /do/not/filter* entry must come before the catch-all /**; reverse them and the /** chain swallows everything. Note also what filters="none" means: requests matching that pattern bypass Spring Security completely (no authentication, no CSRF protection, no security headers), so reserve it for genuinely public static resources. The original article illustrates the dispatch with a diagram (not reproduced here).

This class will come up again later; for now it is enough to understand the first-match dispatch described above.

Please note: do not put more than one FilterChainProxy instance in the same servlet filter chain, and do not use it as an ordinary filter. Its only responsibility is managing the SecurityFilterChains.
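The XML above is the old way of expressing multiple chains. As an added example (not code from the original article or from Spring), here is the Java-config equivalent for Spring Boot 2.7 / Spring Security 5.7: two SecurityFilterChain beans whose @Order values decide the sequence in which FilterChainProxy calls matches(). The chain names and URL patterns are assumptions. It also shows the failure mode of getting the order wrong.

```java
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.core.annotation.Order;
import org.springframework.http.HttpMethod;
import org.springframework.security.config.Customizer;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.http.SessionCreationPolicy;
import org.springframework.security.web.SecurityFilterChain;

// Hypothetical configuration, added for illustration.
@Configuration
public class MultiChainSecurityConfig {

    // Chain 1: only requests under /api/** match this chain (its matches() returns false
    // for everything else). FilterChainProxy asks each chain in @Order sequence and uses the
    // first one that matches, so the narrowly scoped chain needs the higher priority (lower value).
    @Bean
    @Order(1)
    SecurityFilterChain apiFilterChain(HttpSecurity http) throws Exception {
        http
            .antMatcher("/api/**")   // in Spring Security 6 this is securityMatcher("/api/**")
            .authorizeHttpRequests(auth -> auth
                .antMatchers(HttpMethod.GET, "/api/public/**").permitAll()
                .anyRequest().authenticated())
            // API clients authenticate per request with HTTP Basic; no form login here.
            .httpBasic(Customizer.withDefaults())
            // Stateless: no HttpSession is created for API calls, so there is no session to hijack.
            .sessionManagement(session -> session.sessionCreationPolicy(SessionCreationPolicy.STATELESS));
        return http.build();
    }

    // Chain 2: the browser UI. With no antMatcher() it matches every request, which is exactly
    // why it must be ordered after the API chain. Swap the two @Order values and the API chain
    // is never reached: every /api/** request falls into this form-login chain instead and an
    // API client with Basic credentials is redirected to the login page.
    @Bean
    @Order(2)
    SecurityFilterChain webFilterChain(HttpSecurity http) throws Exception {
        http
            .authorizeHttpRequests(auth -> auth
                .antMatchers("/", "/css/**", "/js/**").permitAll()
                .anyRequest().authenticated())
            .formLogin(Customizer.withDefaults());
        return http.build();
    }
}
```

A quick check that the order is what you intend: set logging.level.org.springframework.security=DEBUG and watch which chain FilterChainProxy reports for a sample /api request; the Spring Boot default chain shown at the top of the article uses SecurityProperties.BASIC_AUTH_ORDER precisely so that any chain you declare with a normal @Order value wins over it.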

DelegatingFilterProxy

The Servlet container and the Spring IoC container do not share a Filter lifecycle. So that the IoC container can manage the Filter's lifecycle, FilterChainProxy is not registered with the Servlet container directly; instead Spring Web's DelegatingFilterProxy is registered as the Servlet Filter, and on each request it delegates to the FilterChainProxy bean (named springSecurityFilterChain by default; Spring Boot registers this proxy for you through a DelegatingFilterProxyRegistrationBean). FilterChainProxy itself does not call the standard Servlet filter lifecycle methods on any filter beans in the application context; those beans live and die with the IoC container. DelegatingFilterProxy is therefore the connector between the Servlet container and Spring IoC.
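As an added example (not code from the original article, and not what Spring Boot does for you automatically), here is how the DelegatingFilterProxy is registered by hand in a Servlet 3+ container without web.xml, assuming Spring 5 with the javax.servlet API. The class name is illustrative; the filter name springSecurityFilterChain is the real default bean name of the FilterChainProxy. The practitioner point it shows is which dispatcher types the proxy must cover.

```java
import java.util.EnumSet;

import javax.servlet.DispatcherType;
import javax.servlet.FilterRegistration;
import javax.servlet.ServletContext;
import javax.servlet.ServletException;

import org.springframework.web.WebApplicationInitializer;
import org.springframework.web.filter.DelegatingFilterProxy;

// Hypothetical initializer, added for illustration. In practice you extend
// AbstractSecurityWebApplicationInitializer (Spring Security) or let Spring Boot do this.
public class SecurityWebInitializer implements WebApplicationInitializer {

    // Bean name under which Spring Security registers its FilterChainProxy.
    static final String FILTER_NAME = "springSecurityFilterChain";

    @Override
    public void onStartup(ServletContext servletContext) throws ServletException {
        // The proxy is the only Filter the Servlet container knows about. It looks up the
        // "springSecurityFilterChain" bean in the root WebApplicationContext on first use, so
        // the FilterChainProxy's lifecycle belongs to the IoC container, not the container.
        DelegatingFilterProxy proxy = new DelegatingFilterProxy(FILTER_NAME);

        FilterRegistration.Dynamic registration = servletContext.addFilter(FILTER_NAME, proxy);
        if (registration == null) {
            // addFilter returns null when a filter with this name already exists (for example a
            // second initializer); two security entry points in one chain is the mistake the
            // article warns about, so fail loudly instead of silently doubling up.
            throw new IllegalStateException("Filter '" + FILTER_NAME + "' is already registered");
        }

        // Cover REQUEST, ERROR and ASYNC dispatches, the same set Spring Security's own
        // AbstractSecurityWebApplicationInitializer uses. Mapping only REQUEST would leave
        // error-page rendering and async re-dispatches outside the security filter chain.
        registration.addMappingForUrlPatterns(
                EnumSet.of(DispatcherType.REQUEST, DispatcherType.ERROR, DispatcherType.ASYNC),
                false,   // isMatchAfter=false: run before any mappings declared elsewhere
                "/*");
    }
}
```

The dispatcher-type set is the part worth checking in an existing deployment: a web.xml or registration that maps the proxy to REQUEST only can expose error pages, and anything reached through an async dispatch, without any of the security filters running.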

Simple summary

The three concepts above are very important and underpin the whole filter chain system of Spring Security. As a beginner, understand as much as you can and do not worry about the parts you do not yet follow; it is perfectly normal that they are out of reach at this stage. But by the time you have finished Spring Security, you must understand these concepts.

Follow the official account: Felordcn for more information

Personal blog: https://felord.cn


码农小胖哥