Spring Security Webflux学习笔记
2019-11-24 本文已影响0人
无知者云
知识点
- 请求先进入DefaultWebFilterChain,DefaultWebFilterChain中包含了DispatcherHandler,请求先经过DefaultWebFilterChain中的各个Filter(包含Spring Security的各种Filter),然后才进入DispatcherHandler(包含了Controller的处理以及Spring Cloud Gateway的处理路程)。
- 在同时有Controller和Spring Cloud Gateway的route配置时,Contoller对应的RequestMappingHandlerMapping将先于Gateway的RoutePredicateHandlerMapping而执行,因此Spring将先查找controller中对应的路劲匹配,然后才执行Gateway的路劲匹配。底层原理为:在DispatcherHandler中的handlerMappings列表中,RequestMappingHandlerMapping排在RoutePredicateHandlerMapping前面:
DispatcherHandler中的handlerMappings
- 默认情况下,Spring Webflux Security + Spring Cloud Gateway的对象图:
Spring Webflux Security + Spring Cloud Gateway
Spring Security Webflux中的请求处理流程
- 请求 ->
- NettyWebServer(持有ReactorHttpHandlerAdapter) ->
- ReactorHttpHandlerAdapter(持有HttpHandler) ->
- HttpWebHandlerAdapter(继承自HttpHandler,持有WebHandler) ->
- ExceptionHandlingWebHandler(持有FilteringWebHandler) ->
- FilteringWebHandler(继承自WebHandler,持有DefaultWebFilterChain) ->
- DefaultWebFilterChain(持有WebFilterChainProxy以及DispatcherHandler(用于Controller处理和Spring Cloud Gateway处理)) ->
- WebFilterChainProxy(持有SecurityWebFilterChain) ->
- SecurityWebFilterChain(由ServerHttpSecurity所build出来,唯一实现类为MatcherSecurityWebFilterChain,持有Spring Security配置的各种filter)。
各个Spring Security Filter依次为:
| Filter | 作用 | 相关配置 |
|---|---|---|
| HttpHeaderWriterWebFilter | 向response中加入各种header,比如与安全相关的X-Frame-Options
|
http.headers() |
| CorsWebFilter | CORS相关 | http.cors() |
| CsrfWebFilter | CSRF安全配置 | http.csrf() |
| ReactorContextWebFilter | 用于根据session等创建SecurityContext | http..securityContextRepository() |
| AuthenticationWebFilter | 用于完成认证过程 |
http.formLogin(),http.httpBasic(),http.authenticationManager(),http.securityContextRepository()
|
| LoginPageGeneratingWebFilter | 生成登录页面 | |
| LogoutPageGeneratingWebFilter | 生成登出之后的页面 | |
| SecurityContextServerWebExchangeWebFilter | 使ServerWebExchange.getPincipal()返回Authentication对象 | |
| ServerRequestCacheWebFilter | 缓存request | http.requestCache() |
| LogoutWebFilter | 处理登出 | http.logout() |
| ExceptionTranslationWebFilter | 用于处理认证或授权失败的情况(主要决定于AuthorizationWebFilter),如果认证失败(即SecurityConext中没有Authentication对象,更确切的说是ServerWebExchange.getPrincipal()返回空),那么将执行ServerAuthenticationEntryPoint,如果授权失败将执行ServerAccessDeniedHandler |
http.exceptionHandling().authenticationEntryPoint(),http.exceptionHandling().accessDeniedHandler()
|
| AuthorizationWebFilter | 处理授权 |
http.authorizeExchange().pathMatchers(),http.authorizeExchange().anyExchange()
|
