
Spring Boot with Spring Security: details of the securityFilterChain filter chain

Published 2024-10-12 11:41:19 (479 views)

II. Default filter chain

1. Startup log of the default configuration

[Figure: startup log listing the filters of the default configuration; image not reproduced]

2. The filters registered by the default configuration, and their order, are as shown in the startup log above

3. This article introduces only the filters related to login:

  1. SecurityContextPersistenceFilter
  2. LogoutFilter
  3. UsernamePasswordAuthenticationFilter
  4. DefaultLoginPageGeneratingFilter
  5. DefaultLogoutPageGeneratingFilter
  6. AnonymousAuthenticationFilter
  7. ExceptionTranslationFilter
  8. FilterSecurityInterceptor

III. Important concepts related to login

  1. Security context repository (SecurityContextRepository): stores the security context between requests; the default implementation is session-based (HttpSessionSecurityContextRepository)
  2. Security context holder (SecurityContextHolder): holds the security context of the current request; based on ThreadLocal by default
  3. Security context (SecurityContext): stores the authentication information
  4. Authentication information (Authentication): stores the user and the result of authentication; the main implementation classes are
     • Username-password authentication token: UsernamePasswordAuthenticationToken
     • Anonymous authentication token: AnonymousAuthenticationToken
  1. Login page request: a request that jumps to the login page
  2. Login request: the request submitted after entering the username and password on the login page
  3. Logout page request: a request that jumps to the logout page
  4. Logout request: the confirmation submitted on the logout page
  5. Filter introduction
    1. The entry point of a filter is the doFilter(ServletRequest request, ServletResponse response, FilterChain chain) method
    2. A filter is divided into three parts: the code before the call, the call to the next filter (chain.doFilter), and the code after the call
    3. The code before the call executes in filter chain order
    4. The code after the call executes in reverse filter chain order
    5. "Call" means executing the subsequent filters; "do not call" means the subsequent filters are not executed, and only the after-code of the filters that have already been called runs, in reverse chain order. This point is very important and is not repeated in the introduction of each filter below.
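As an added illustration (my code, not code from the original post), the skeleton below makes the three parts of a filter concrete and shows what "do not call" means in practice. The class name TraceFilter, the constructor flag and the println calls are assumptions for the demonstration; the javax.servlet namespace matches Spring Security 5.x, which is what the filter names on this page belong to (Spring Boot 3 uses jakarta.servlet instead).

```java
import java.io.IOException;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletResponse;

// Hypothetical filter used only to illustrate the before / call / after structure.
public class TraceFilter implements Filter {

    private final String name;
    private final boolean callChain;

    public TraceFilter(String name, boolean callChain) {
        this.name = name;
        this.callChain = callChain;
    }

    @Override
    public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
            throws IOException, ServletException {
        // Part 1, the "before" code: runs in filter-chain order (A, B, C ...)
        System.out.println(name + ": before");

        if (callChain) {
            // Part 2, the call: hands the request to the next filter and finally the servlet
            chain.doFilter(request, response);
        } else {
            // "Do not call": no later filter and no controller runs, so this filter
            // must produce the response itself. A redirect is what LogoutFilter and
            // UsernamePasswordAuthenticationFilter do when they terminate the chain.
            ((HttpServletResponse) response).sendRedirect("/login");
        }

        // Part 3, the "after" code: runs in reverse order (C, B, A) once the call
        // returns, for every filter that was reached, even if the chain was cut short later
        System.out.println(name + ": after");
    }
}
```

With three instances registered in the order A, B, C and C constructed with callChain = false, the log reads "A: before", "B: before", "C: before", "C: after", "B: after", "A: after", and the servlet behind the chain never runs; the after-code of A and B still executes because they were already called.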

IV. SecurityContextPersistenceFilter

1. Function

  1. Keep the authentication information after a successful login

2. Request types handled

  • All requests

3. Does it terminate the filter chain?

  • No

4. Implementation steps

  1. Get the security context from the security context repository; if there is none, create a security context without authentication information
  2. Set the security context into the security context holder for subsequent business code to use
  3. Call the subsequent filter chain
  4. Get the latest authentication information from the security context holder
  5. Clear the authentication information in the security context holder
  6. Save the authentication information from step 4 into the security context repository
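The six steps written out as code, as an added example that is mine and not the framework's source: a simplified filter built on the real Spring Security 5.x repository and holder APIs (the real SecurityContextPersistenceFilter additionally guards against running twice per request and wraps the request/response). The class name ContextPersistenceDemoFilter is an assumption.

```java
import java.io.IOException;

import javax.servlet.FilterChain;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

import org.springframework.security.core.context.SecurityContext;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.security.web.context.HttpRequestResponseHolder;
import org.springframework.security.web.context.HttpSessionSecurityContextRepository;
import org.springframework.security.web.context.SecurityContextRepository;
import org.springframework.web.filter.OncePerRequestFilter;

// Hypothetical filter that re-implements the six steps for illustration.
public class ContextPersistenceDemoFilter extends OncePerRequestFilter {

    // Default, session-based repository (step 1 and step 6 talk to it)
    private final SecurityContextRepository repo = new HttpSessionSecurityContextRepository();

    @Override
    protected void doFilterInternal(HttpServletRequest request, HttpServletResponse response,
                                    FilterChain chain) throws ServletException, IOException {
        HttpRequestResponseHolder holder = new HttpRequestResponseHolder(request, response);

        // Step 1: load the context from the session; the repository returns an empty
        // context (no Authentication) when the session has none.
        SecurityContext contextBefore = repo.loadContext(holder);

        // Step 2: publish it on the ThreadLocal so later filters and controllers can read it.
        SecurityContextHolder.setContext(contextBefore);
        try {
            // Step 3: run the rest of the chain (login filter, authorization, controller ...).
            chain.doFilter(holder.getRequest(), holder.getResponse());
        } finally {
            // Step 4: pick up whatever the chain left behind, e.g. the token that
            // UsernamePasswordAuthenticationFilter sets after a successful login.
            SecurityContext contextAfter = SecurityContextHolder.getContext();

            // Step 5: clear the ThreadLocal. Container threads are pooled, so a context
            // left here would be visible to the next, unrelated request on this thread.
            SecurityContextHolder.clearContext();

            // Step 6: persist the (possibly new) authentication for the next request.
            repo.saveContext(contextAfter, holder.getRequest(), holder.getResponse());
        }
    }
}
```

The finally block is the part worth copying: steps 4 to 6 must run even when a later filter throws, otherwise the ThreadLocal leaks a user's context into the next request served by that thread.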

5. Key source code

[Figure: key source code of SecurityContextPersistenceFilter; image not reproduced]

V. LogoutFilter

1. Functions

  1. Clear the authentication information
  2. Redirect to the login page

2. Request types handled

  • Logout requests (default: POST /logout)

3. Does it terminate the filter chain?

  • Yes, for logout requests

4. Implementation steps

  1. Match the request address
  2. Clear the authentication information (the LogoutHandler implementation classes registered in CompositeLogoutHandler)
  3. Call the logout success handler; the default SimpleUrlLogoutSuccessHandler redirects to the login page. A custom configuration is recommended and is introduced later.

5. Key source code

[Figure: key source code of LogoutFilter; image not reproduced]

VI. UsernamePasswordAuthenticationFilter

1. Functions

  1. Generate a username-password authentication token from the submitted username and password
  2. Handle the request differently depending on the authentication result

2. Request types handled

  • Login requests (default: POST /login)

3. Does it terminate the filter chain?

  • Authentication failure terminates the filter chain and redirects to the default login address.
  • Successful authentication terminates the filter chain and redirects to the target URL address.

4. Implementation steps

  1. Match the request address
  2. Default configuration: match the submitted username and password against the in-memory username and password, and verify that the user and password are valid
  3. Redirect to the login page when authentication fails
  4. Set an authenticated security context into the security context holder when authentication succeeds
  5. Redirect to the target URL address (an unauthenticated access to the target address is first redirected to the login page, and after a successful login to the target URL address)
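An added configuration example (mine, not from the original post) covering the two filters just described: it sets the addresses that UsernamePasswordAuthenticationFilter (section VI) matches and redirects to, and replaces the default SimpleUrlLogoutSuccessHandler of LogoutFilter (section V) with a custom logout success handler, as the author recommends. The class name DemoSecurityConfig, the /home address, the "demo" user and its password are assumptions; the API names are those of Spring Security 5.x with javax.servlet.

```java
import javax.servlet.http.HttpServletResponse;

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.core.userdetails.User;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.crypto.factory.PasswordEncoderFactories;
import org.springframework.security.crypto.password.PasswordEncoder;
import org.springframework.security.provisioning.InMemoryUserDetailsManager;
import org.springframework.security.web.SecurityFilterChain;

@Configuration
@EnableWebSecurity
public class DemoSecurityConfig {

    @Bean
    public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
        http
            // FilterSecurityInterceptor rule: every request needs a non-anonymous user
            .authorizeRequests(authz -> authz.anyRequest().authenticated())
            // UsernamePasswordAuthenticationFilter settings
            .formLogin(login -> login
                .loginProcessingUrl("/login")        // POST handled by the login filter
                .failureUrl("/login?error")          // redirect target on authentication failure
                .defaultSuccessUrl("/home", false))  // redirect target when no saved request exists
            // LogoutFilter settings: replace the default redirect with a custom success handler
            .logout(logout -> logout
                .logoutUrl("/logout")                // POST only while CSRF protection is enabled
                .invalidateHttpSession(true)
                .deleteCookies("JSESSIONID")
                .logoutSuccessHandler((request, response, authentication) -> {
                    // Custom LogoutSuccessHandler: answer 204 instead of redirecting to the login page
                    response.setStatus(HttpServletResponse.SC_NO_CONTENT);
                }));
        return http.build();
    }

    // In-memory user that the login filter's AuthenticationManager matches against.
    // The password is stored through a PasswordEncoder, never as plain text.
    @Bean
    public UserDetailsService userDetailsService(PasswordEncoder encoder) {
        return new InMemoryUserDetailsManager(
            User.withUsername("demo")
                .password(encoder.encode("change-me"))   // constructed sample credential
                .roles("USER")
                .build());
    }

    @Bean
    public PasswordEncoder passwordEncoder() {
        return PasswordEncoderFactories.createDelegatingPasswordEncoder();
    }
}
```

invalidateHttpSession and deleteCookies are the LogoutHandler side of the logout: without them the session that held the security context survives the logout, and only the context inside it is cleared.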

5. Key source code

[Figure: key source code of UsernamePasswordAuthenticationFilter; image not reproduced]

VII. DefaultLoginPageGeneratingFilter

1. Function

  1. Generate the default login page

2. Request types handled

  • Login page requests (default: GET /login)
  • Login failure
  • Logout success

3. Does it terminate the filter chain?

  • Yes, for login page requests, login failure and logout success

4. Key source code

[Figure: key source code of DefaultLoginPageGeneratingFilter; image not reproduced]

VIII. DefaultLogoutPageGeneratingFilter

1. Function

  1. Generate the default logout page

2. Request types handled

  • Logout page requests (default: GET /logout)

3. Does it terminate the filter chain?

  • Yes, for logout page requests

4. Key source code

[Figure: key source code of DefaultLogoutPageGeneratingFilter; image not reproduced]

IX. AnonymousAuthenticationFilter

1. Function

  1. Generate anonymous authentication information when the current authentication information is empty

2. Request types handled

  • All requests

3. Does it terminate the filter chain?

  • No
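As an added example (my code, not from the original post), the hypothetical helper below shows the practical consequence of this filter: once it has run, the security context holder always contains an Authentication, so business code that only checks for null would treat every visitor as logged in. The class name CurrentUser and the "guest" label are assumptions; AuthenticationTrustResolverImpl is Spring Security's own class for recognising the anonymous token.

```java
import org.springframework.security.authentication.AuthenticationTrustResolver;
import org.springframework.security.authentication.AuthenticationTrustResolverImpl;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.context.SecurityContextHolder;

// Hypothetical helper showing why "Authentication != null" is not the same as "logged in".
public final class CurrentUser {

    private static final AuthenticationTrustResolver TRUST_RESOLVER =
            new AuthenticationTrustResolverImpl();

    private CurrentUser() {
    }

    /**
     * True only for a real, authenticated user. After AnonymousAuthenticationFilter has
     * run, an unauthenticated request carries an AnonymousAuthenticationToken whose
     * isAuthenticated() is also true, so the anonymous check is required as well.
     */
    public static boolean isLoggedIn() {
        Authentication auth = SecurityContextHolder.getContext().getAuthentication();
        return auth != null
            && auth.isAuthenticated()
            && !TRUST_RESOLVER.isAnonymous(auth);   // filters out the anonymous token
    }

    /** Name to display: the principal name of a logged-in user, otherwise "guest". */
    public static String displayName() {
        return isLoggedIn()
            ? SecurityContextHolder.getContext().getAuthentication().getName()
            : "guest";
    }
}
```

The same distinction is what the authorization rule authenticated() relies on: it rejects the anonymous token, whereas a rule written as "authentication is not null" would not.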

4. Key source code

[Figure: key source code of AnonymousAuthenticationFilter; image not reproduced]

X. ExceptionTranslationFilter

1. Function

  1. Handle the exceptions thrown by FilterSecurityInterceptor and respond according to the type of exception

2. Request types handled

  • All requests

3. Does it terminate the filter chain?

  • On authentication failure: redirects to the login page
  • On authorization failure: returns an error message

4. Key source code

[Figure: key source code of ExceptionTranslationFilter; image not reproduced]

XI. FilterSecurityInterceptor

1. Function

  1. Authentication and authorization

2. Request types handled

  • All requests

3. Does it terminate the filter chain?

  • An authentication or authorization failure throws an exception, which is handled by ExceptionTranslationFilter
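An added example (mine, not from the original post) tying sections X and XI together: the authorization rules evaluated by FilterSecurityInterceptor, and a customization of what ExceptionTranslationFilter does with the two exception types it throws. The default redirect to the login page and the HTML error response are unsuitable for a JSON API, so this separate filter chain answers 401 and 403 instead. The class name ApiExceptionConfig, the /api/** and /api/admin/** paths and the ADMIN role are assumptions; the API names are those of Spring Security 5.x with javax.servlet. When it is combined with a catch-all chain, @Order(1) makes this chain be consulted first.

```java
import javax.servlet.http.HttpServletResponse;

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.core.annotation.Order;
import org.springframework.http.HttpStatus;
import org.springframework.security.config.Customizer;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.web.SecurityFilterChain;
import org.springframework.security.web.authentication.HttpStatusEntryPoint;

@Configuration
public class ApiExceptionConfig {

    // Hypothetical filter chain that only applies to /api/** requests (assumed path).
    @Bean
    @Order(1)
    public SecurityFilterChain apiFilterChain(HttpSecurity http) throws Exception {
        http
            .antMatcher("/api/**")
            // Rules checked by FilterSecurityInterceptor for every request in this chain
            .authorizeRequests(authz -> authz
                .antMatchers("/api/admin/**").hasRole("ADMIN")
                .anyRequest().authenticated())
            .httpBasic(Customizer.withDefaults())
            .exceptionHandling(ex -> ex
                // AuthenticationException (not logged in): ExceptionTranslationFilter calls
                // the entry point. For an API, answer 401 instead of redirecting to /login.
                .authenticationEntryPoint(new HttpStatusEntryPoint(HttpStatus.UNAUTHORIZED))
                // AccessDeniedException (logged in, but not allowed): 403 with a small JSON body
                .accessDeniedHandler((request, response, accessDenied) -> {
                    response.setStatus(HttpServletResponse.SC_FORBIDDEN);
                    response.setContentType("application/json");
                    response.getWriter().write("{\"error\":\"forbidden\"}");
                }));
        return http.build();
    }
}
```

Keeping the two handlers distinct preserves the information the filter gives you: a 401 means the request carried no usable credentials, a 403 means the credentials were valid but the rule in authorizeRequests rejected them, which is the signal a monitoring rule for privilege misuse should key on.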

4. Key source code

[Figure: key source code of FilterSecurityInterceptor; image not reproduced]