SpringSecurity源码剖析

过滤器链加载源码

1. spring boot启动中会加载spring.factories文件，在文件中有对应Spring Security的过滤器链的配置信息。

# 安全过滤器自动配置 org.springframework.boot.autoconfigure.security.servlet.SecurityFilterAutoCo nfiguration

1. SecurityFilterAutoConfiguration类

@EnableConfigurationProperties({SecurityProperties.class}) @ConditionalOnClass({AbstractSecurityWebApplicationInitializer.class, SessionCreationPolicy.class}) @AutoConfigureAfter({SecurityAutoConfiguration.class}) public class SecurityFilterAutoConfiguration { }

1. SecurityAutoConfiguration类

@ConditionalOnClass({DefaultAuthenticationEventPublisher.class}) @EnableConfigurationProperties({SecurityProperties.class}) @Import({SpringBootWebSecurityConfiguration.class, WebSecurityEnablerConfiguration.class, SecurityDataConfiguration.class}) public class SecurityAutoConfiguration { }

1. WebScurityEnableConfiguration类

@Configuration( proxyBeanMethods = false ) @ConditionalOnBean({WebSecurityConfigurerAdapter.class}) @ConditionalOnMissingBean( name = {"springSecurityFilterChain"} ) @ConditionalOnWebApplication( type = Type.SERVLET ) @EnableWebSecurity public class WebSecurityEnablerConfiguration { public WebSecurityEnablerConfiguration() { } }

1. WebSecurityConfiguration类

/** * 声明 Spring Security 核心过滤器链（默认名称：springSecurityFilterChain） * 对应 AbstractSecurityWebApplicationInitializer.DEFAULT_FILTER_NAME */ @Bean(name = AbstractSecurityWebApplicationInitializer.DEFAULT_FILTER_NAME) public Filter springSecurityFilterChain() throws Exception { // 检查是否有自定义的 WebSecurityConfigurer 配置 boolean hasConfigurers = webSecurityConfigurers != null && !webSecurityConfigurers.isEmpty(); // 如果没有自定义配置，创建默认空适配器（避免构建失败） if (!hasConfigurers) { WebSecurityConfigurerAdapter adapter = objectObjectPostProcessor.postProcess( new WebSecurityConfigurerAdapter() { // 空适配器：仅保证过滤器链能构建，无实际安全规则 @Override protected void configure(org.springframework.security.config.annotation.web.builders.HttpSecurity http) throws Exception { // 6.x 需替换为 http.csrf(AbstractHttpConfigurer::disable) http.csrf().disable(); // 示例：禁用 CSRF（根据业务调整） } } ); webSecurity.apply(adapter); // 将默认适配器应用到 WebSecurity } else { // 如果有自定义配置，遍历应用所有 WebSecurityConfigurer for (WebSecurityConfigurerAdapter configurer : webSecurityConfigurers) { webSecurity.apply(configurer); } } // 构建过滤器链（返回 FilterChainProxy，实现 Filter 接口） Filter filterChain = webSecurity.build(); return filterChain; }

认真流程源码

UsernamePasswordAuthenticationFilter：

UsernamePasswordAuthenticationToken

AuthenticationManager-->ProviderManager-->AbstractUserDetailsAuthenticationProvider

retrieveUser方法

additionalAuthenticationChecks方法

AbstractAuthenticationProcessingFilter--doFilter方法

successfulAuthentication方法

记住我流程源码

AbstractAuthenticationProcessingFilter--successfulAuthentication方法

loginSuccess方法-->onLoginSuccess

RememberMeAuthenticationFilter

autoLogin方法

processAutoLoginCookie方法

CSRF流程源码

授权流程源码

AffirmativeBased（基于肯定）的逻辑是:一票通过权

ConsensusBased（基于共识）的逻辑是:赞成票多于反对票则表示通过,反对票多于赞成票则将抛出

AccessDeniedException

UnanimousBased（基于一致）的逻辑:一票否决权

FilterSecurityInterceptor

ExceptionTranslationFilter