在这里需要理解4个filter的概念:AuthenticationProcessingFilter, HttpSessionContextIntegrationFilter, ExceptonTranslationFilter, FilterSecurityInterceptor.
这四个Filter被FilterChainProxy过滤器链管理,就像一个串把四个过滤器链接在一起,他实现了Filter接口,通过调用WebapplicationContextUtils类的getWebApplicationContext(ServletContext)来获取Spring上下文句柄,并通过getBean(beanName)方法获取Spring受管Bean的对象,即这里的target参数配置的Bean,并通过调用FilterChainProxy的init()方法来启动Spring Security过滤器链来进行各种身份认证和授权服务
web.xml可以用如下配置:
<filter> <filter-name>filterChainProxy</filter-name> <filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class> </filter> <filter-mapping> <filter-name>filterChainProxy<filter-name> <url-pattern>/*</url-pattern> </filter-mapping>
如下为Spring-security.xml的示例代码:
<bean id="filterChainProxy" class="org.springframework.security.util.FilterChainProxy"> <security:filter-chain-map path-type="ant"> <security:filter-chain pattern="/logout.jsp" filters="logoutFilter" /> <security:filter-chain pattern="/**" filters="httpSessionContextIntegrationFilter,authenticationProcessingFilter,FilterSecurityInterceptor" /> </security:filter-chain-map> </bean>
下面逐个介绍每个过滤器:
AuthenticationProcessingFilter是认证过程过滤器,我们使用它来处理表单认证,当接受到与filterProcessesUrl所定义相同的请求时它开始工作:
<bean id="authenticationProcessingFilter" class="org.springframework.security.ui.webapp.AuthenticationProcessingFilter"> <property name="authenticationManager" ref="authenticationManager"></property> <property name="filterProcessesUrl" value="/login"></property> <property name="defaultTargetUrl" value="/error.jsp?error=1"></property> <property name="authenticationFailureUrl" value="/index.jsp?error_code=1"></property> </bean>
AuthenticationProcessingFilter调用authenticationManager来完成用户身份的认证,主要是Authenticate方法来认证,它使用Authentication(只包含用户名密码)作为参数,认证成功返回一个完整的Authentication对象(包含用户权限信息GrantedAuthority数组对象),最后会将Authentication对象存入SecurityContext中。
httpSessionContextIntegrationFilter是集成过滤器,在产生的HTTP会话中保持SecurityContext。这意味着这种认证机制只需要认证一次,接下来将通过HTTP request传递至filter chain中的下一个filter。
示例如下:
<bean id="sif" class="org.springframework.security.context.HttpSessionContextIntegrationFilter"> <property name="allowSessionCreation" value="false"/> </bean>
FilterSecurityInterceptor管理限制存取权限检查,并授权检查。它知道哪些资源是安全的,哪些角色访问它们。 FilterSecurityInterceptor使用AuthenticationManager和做工作的AccessDecisionManager
<bean id="filterSecurityInterceptor" class="org.springframework.security.intercept.web.FilterSecurityInterceptor"> <property name="accessDecisionManager" ref="accessDecisionManager"></property> <property name="authenticationManager" ref="authenticationManager"></property> <property name="objectDefinitionSource"> <value> CONVERT_URL_TO_LOWERCASE_BEFORE_COMPARISON PATTERN_TYPE_APACHE_ANT /login=ROLE_connect /success.jsp=ROLE_connect </value> </property> </bean>
ExceptionTranslationFilter依赖FilterSecurityInterceptor,用来捕获FilterSecurityInterceptor抛出的例外
<bean id="exceptionTranslationFilter" class="org.springframework.security.ui.ExceptionTranslationFilter"> <property name="authenticationEntryPoint" ref="authenticationEntryPoint"/> <property name="accessDeniedHandler" ref="accessDeniedHandler"/> </bean> <bean id="authenticationEntryPoint" class="org.springframework.security.ui.preauth.PreAuthenticatedProcessingFilterEntryPoint"> </bean> <bean id="accessDeniedHandler" class="org.springframework.security.ui.AccessDeniedHandlerImpl"> <property name="errorPage" value="/logout.html"/> </bean>