接上一篇。我们已经完成了配置类HttpSecurityConfiguration的源码分析和通过配置类构建HttpSecurity的安全创建(当然是我们关注的主要部分,但不是全部),我们知道创建DefaultSecurityFilterChain的过程通过HttpSecurity的安全构建。我们简单回顾一下,DefaultSecurityFilterChain持有SpringSecurity的安全过滤器,最终会组装成filterChainProxy,而filterChainProxy又会组装成DelegatingFilterProxy,最终在Servlet过滤器链中生效。那么,接下来我们就得看看DefaultSecurityFilterChain是如何组装成filterChainProxy的。我们从WebSecurityConfiguration入手,从spring.factories文件中,我们可以找到SpringBoot的自动组装机制的入口来调用它。WebSecurityConfiguration#setFilterChains先看它的setFilterChains方法:@Autowired(required=false)voidsetFilterChains(ListsecurityFilterChains){this.securityFilterChains=securityFilterChains;}方法注解为@AutoFiilsFilterChains,方法参数为ListsecurityFilterChain);for(Filterfilter:securityFilterChain.getFilters()){if(filterinstanceofFilterSecurityInterceptor){this.webSecurity.securityInterceptor((FilterSecurityInterceptor}bilter}re}filter)当前对象的securityFilterChains,上面我们已经分析过了,securityFilterChains存储了DefaultSecurityFilterChain对象,然后调用this.webSecurity.addSecurityFilterChainBuilder(()->securityFilterChain);方法,以此对象为参数。WebSecurity#addSecurityFilterChainBuilder注意该方法的参数类型为SecurityBuilder,我们先看看它的定义:publicinterfaceSecurityBuilder{/***构建对象并返回它或null。*@return要构建的对象,如果实现允许,则返回null。*@throwsExceptionifbuildingtheObjecterroroccurred*/Obuild()throwsException;}这个接口只有一个build方法,build方法返回的是泛型O,一定要注意this的调用方法方法:this.webSecurity.addSecurityFilterChainBuilder(()->securityFilterChain);使用lamda方法调用,实现接口SecurityBuilder的build()方法,返回DefaultSecurityFilterChain对象。最后我们看一下addSecurityFilterChainBuilder方法,其实很简单。将通过lamda实现的传入对象添加到WebSecurity对象的securityFilterChainBuilders中。publicWebSecurityaddSecurityFilterChainBuilder(SecurityBuildersecurityFilterChainBuilder){this.securityFilterChainBuilders.add(securityFilterChainBuilder);归还这个;}WebSecurityConfiguration#springSecurityFilterChain然后再继续返回来看springSecurityFilterChain()方法的删余部分:调用webSecurity的build()方法:for(WebSecurityCustomizercustomizer:this.webSecurityCustomizers){this.webSecurityCustomizers);}返回this.webSecurity.build();AbstractSecurityBuilder#buildBuild方法在AbstractSecurityBuilder类中实现,熟悉的:@OverridepublicfinalthObuild()Exception{if(this.building.compareAndSet(false,true)){this.object=doBuild();返回这个对象;}thrownewAlreadyBuiltException("Thisobjecthasalreadybeenbuilt");和我们上一篇分析的HttpSecurityConfig的build方法完全一样。他们调用AbstractConfigedSecurityBuilder的dobuild方法。上一篇我们分析了他的configure和performBuild方法。是因为HttpSecurity中包含了一堆安全过滤配置器,所以configure方法比较重要,但是WebSecurity中没有。包含过滤器的配置器,所以配置方法不是很重要。我们还不如直奔黄龙。WebSecurity#performBuild的代码虽然不多,但是很重要,所以分段分析:@OverrideprotectedFilterperformBuild()throwsException{//这里省略一堆不重要的代码for(SecurityBuildersecurityFilterChainBuilder:this.securityFilterChainBuilders){SecurityFilterChainsecurityFilterChain=securityFilterChainBuilder.build();securityFilterChains.add(securityFilterChain);requestMatcherPrivilegeEvaluatorsEntries.add(getRequestMatcherPrivilegeEvaluatorsEntry(securityFilterChain));}首先从securityFilterChainBuilders中取出securityFilterChainBuilder,调用build方法。这个地方需要呼应我们上面说的通过lamda创建securityFilterChainBuilder的过程,它的build方法最终会返回DefaultSecurityFilterChain对象!!!然后将其添加到securityFilterChains列表中。看下一段代码:FilterChainProxyfilterChainProxy=newFilterChainProxy(securityFilterChains);if(this.httpFirewall!=null){filterChainProxy.setFirewall(this.httpFirewall);}if(this.requestRejectedHandler!=null){filterChainProxy.setRequestlerRejectedHandler.requestRejectedHandler);}filterChainProxy.afterPropertiesSet();有个期待已久的对象FilterChainProxy:创建一个FilterChainProxy对象,将DefaultSecurityFilterChain作为参数传递给FilterChainProxy,让FilterChainProxy持有DefaultSecurityFilterChain对象!然后是一些后处理,最后返回FilterChainProxy:Filterresult=filterChainProxy;...this.postBuildAction.run();返回结果;FilterChainProxy加入SpringIoc容器,最后看一下springSecurityFilterChain方法的定义。FilterChainProxy创建后,通过@Bean注解添加到SpringIoc容器中进行管理,命名为AbstractSecurityWebApplicationInitializer.DEFAULT_FILTER_NAME:@Bean(name=AbstractSecurityWebApplicationInitializer.DEFAULT_FILTER_NAME)publicFilterspringSecurityFilterChain()throwsException{andAbstractSecurityWebApplicationInitializer.DEFAULT_FILTER_NAME定义为:publicstaticfinalStringDEFAULT_FILTER_NAME="springSecurityFilterChain";所以我们要加深印象,SpringIoc容器中名为springSecurityFilterChain的bean对应的对象是FilterChainProxy图中右半部分的DefaultSecurityFilterChain已经组装好了,左边的FilterChainProxy也已经组装好了,filter的DefaultSecurityFilterChain已准备就绪。万事俱备,只差东风了:FilterChainProxy组装成DeletatingFilterProxy,再研究DeletatingFilterProxy是如何配置到Servlet过滤器链(FilterChain)中的,你应该充分了解SpringSecurity的初始化过程。接下来分析。上一篇SpringSecurity初始化流程(一)下一篇SpringSecurity初始化流程(三)
