security是什么意思？security详解

spring security + Oauth2.0

一.spring security

问:

(相关资料图)

spring security是如何注入spring容器?filter是如何加入tomcat?spring security是如何起作用?

1.自动注入

springboot在启动时会扫描所有jar包下的spring.factories,并且利用工具类转换成Map对象，其中org.springframework.boot.autoconfigure.EnableAutoConfiguration就是自动注入的关键。

# Auto Configureorg.springframework.boot.autoconfigure.EnableAutoConfiguration=\org.springframework.boot.autoconfigure.security.servlet.SecurityAutoConfiguration,\org.springframework.boot.autoconfigure.security.servlet.SecurityRequestMatcherProviderAutoConfiguration,\org.springframework.boot.autoconfigure.security.servlet.UserDetailsServiceAutoConfiguration,\org.springframework.boot.autoconfigure.security.servlet.SecurityFilterAutoConfiguration

首先我们来看看这个类SecurityAutoConfiguration.java

@Configuration//条件，如果有这个类则注入@ConditionalOnClass({DefaultAuthenticationEventPublisher.class})//自动注入参数@EnableConfigurationProperties({SecurityProperties.class})//导入三个配置类@Import({SpringBootWebSecurityConfiguration.class, WebSecurityEnablerConfiguration.class, SecurityDataConfiguration.class})public class SecurityAutoConfiguration {public SecurityAutoConfiguration() {}    @Bean    //容器中不存在这个类    @ConditionalOnMissingBean({AuthenticationEventPublisher.class})    public DefaultAuthenticationEventPublisher authenticationEventPublisher(ApplicationEventPublisher publisher) {return new DefaultAuthenticationEventPublisher(publisher);    }}

然后我们再看看三个配置类干了些什么

/** *SpringBootWebSecurityConfiguration */@Configuration//存在这个class@ConditionalOnClass({WebSecurityConfigurerAdapter.class})//容器中没有这个类及其子类@ConditionalOnMissingBean({WebSecurityConfigurerAdapter.class})//条件是web环境@ConditionalOnWebApplication(    type = Type.SERVLET)public class SpringBootWebSecurityConfiguration {public SpringBootWebSecurityConfiguration() {}    @Configuration    @Order(2147483642)    //如果以上条件成立生成默认WebSecurityConfigurerAdapter,这也是我们不做任何配置security能生效的原因    static class DefaultConfigurerAdapter extends WebSecurityConfigurerAdapter {DefaultConfigurerAdapter() {}    }}----------------------------------------------------------------------------------------/** *WebSecurityEnablerConfiguration */@Configuration@ConditionalOnBean({WebSecurityConfigurerAdapter.class})@ConditionalOnMissingBean(    name = {"springSecurityFilterChain"})@ConditionalOnWebApplication(    type = Type.SERVLET)//1.引入三个类(WebSecurityConfiguration.class, SpringWebMvcImportSelector.class, OAuth2ImportSelector.class)//2.@EnableGlobalAuthentication注解(引入AuthenticationConfiguration.class)@EnableWebSecuritypublic class WebSecurityEnablerConfiguration {public WebSecurityEnablerConfiguration() {}}引入的类的作用:一.==WebSecurityConfiguration.class==    1.注入springSecurityFilterChain，并把WebSecurityConfigurerAdapter添加到webSecurity    2.注入SecurityExpressionHandler    3.注入DelegatingApplicationListener二.==SpringWebMvcImportSelector.class==    如果有dispatcherservlet.class返回WebMvcSecurityConfiguration全类名三.==OAuth2ImportSelector.class==    如果存在OAuth2ClientConfiguration.class返回OAuth2ClientConfiguration全类名四.注解@EnableGlobalAuthentication导入AuthenticationConfiguration.class1.导入ObjectPostProcessorConfiguration.class            注入ObjectPostProcessor