Spring源代码解析(十):Spring Acegi框架授权的实现 博客分类: Spring框架 spring
我们从FilterSecurityInterceptor我们从入手看看怎样进行授权的:
-
//这里是拦截器拦截HTTP请求的入口
-
public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
-
throws IOException, ServletException {
-
FilterInvocation fi = new FilterInvocation(request, response, chain);
-
invoke(fi);
-
}
-
//这是具体的拦截调用
-
public void invoke(FilterInvocation fi) throws IOException, ServletException {
-
if ((fi.getRequest() != null) && (fi.getRequest().getAttribute(FILTER_APPLIED) != null)
-
&& observeOncePerRequest) {
-
//在第一次进行过安全检查之后就不会再做了
-
fi.getChain().doFilter(fi.getRequest(), fi.getResponse());
-
} else {
-
//这是第一次收到相应的请求,需要做安全检测,同时把标志为设置好 - FILTER_APPLIED,下次就再有请求就不会作相同的安全检查了
-
if (fi.getRequest() != null) {
-
fi.getRequest().setAttribute(FILTER_APPLIED, Boolean.TRUE);
-
}
-
//这里是做安全检查的地方
-
InterceptorStatusToken token = super.beforeInvocation(fi);
-
//接着向拦截器链执行
-
try {
-
fi.getChain().doFilter(fi.getRequest(), fi.getResponse());
-
} finally {
-
super.afterInvocation(token, null);
-
}
-
}
-
}
我们看看在AbstractSecurityInterceptor是怎样对HTTP请求作安全检测的:
-
protected InterceptorStatusToken beforeInvocation(Object object) {
-
Assert.notNull(object, "Object was null");
-
-
if (!getSecureObjectClass().isAssignableFrom(object.getClass())) {
-
throw new IllegalArgumentException("Security invocation attempted for object "
-
+ object.getClass().getName()
-
+ " but AbstractSecurityInterceptor only configured to support secure objects of type: "
-
+ getSecureObjectClass());
-
}
-
//这里读取配置FilterSecurityInterceptor的ObjectDefinitionSource属性,这些属性配置了资源的安全设置
-
ConfigAttributeDefinition attr = this.obtainObjectDefinitionSource().getAttributes(object);
-
-
if (attr == null) {
-
if(rejectPublicInvocations) {
-
throw new IllegalArgumentException(
-
"No public invocations are allowed via this AbstractSecurityInterceptor. "
-
+ "This indicates a configuration error because the "
-
+ "AbstractSecurityInterceptor.rejectPublicInvocations property is set to 'true'");
-
}
-
-
if (logger.isDebugEnabled()) {
-
logger.debug("Public object - authentication not attempted");
-
}
-
-
publishEvent(new PublicInvocationEvent(object));
-
-
return null; // no further work post-invocation
-
}
-
-
-
if (logger.isDebugEnabled()) {
-
logger.debug("Secure object: " + object.toString() + "; ConfigAttributes: " + attr.toString());
-
}
-
//这里从SecurityContextHolder中去取Authentication对象,一般在登录时会放到SecurityContextHolder中去
-
if (SecurityContextHolder.getContext().getAuthentication() == null) {
-
credentialsNotFound(messages.getMessage("AbstractSecurityInterceptor.authenticationNotFound",
-
"An Authentication object was not found in the SecurityContext"), object, attr);
-
}
-
-
// 如果前面没有处理鉴权,这里需要对鉴权进行处理
-
Authentication authenticated;
-
-
if (!SecurityContextHolder.getContext().getAuthentication().isAuthenticated() || alwaysReauthenticate) {
-
try {//调用配置好的AuthenticationManager处理鉴权,如果鉴权不成功,抛出异常结束处理
-
authenticated = this.authenticationManager.authenticate(SecurityContextHolder.getContext()
-
.getAuthentication());
-
} catch (AuthenticationException authenticationException) {
-
throw authenticationException;
-
}
-
-
// We don't authenticated.setAuthentication(true), because each provider should do that
-
if (logger.isDebugEnabled()) {
-
logger.debug("Successfully Authenticated: " + authenticated.toString());
-
}
-
//这里把鉴权成功后得到的Authentication保存到SecurityContextHolder*下次使用
-
SecurityContextHolder.getContext().setAuthentication(authenticated);
-
} else {//这里处理前面已经通过鉴权的请求,先从SecurityContextHolder中去取得Authentication
-
authenticated = SecurityContextHolder.getContext().getAuthentication();
-
-
if (logger.isDebugEnabled()) {
-
logger.debug("Previously Authenticated: " + authenticated.toString());
-
}
-
}
-
-
// 这是处理授权的过程
-
try {
-
//调用配置好的AccessDecisionManager来进行授权
-
this.accessDecisionManager.decide(authenticated, object, attr);
-
} catch (AccessDeniedException accessDeniedException) {
-
//授权不成功向外发布事件
-
AuthorizationFailureEvent event = new AuthorizationFailureEvent(object, attr, authenticated,
-
accessDeniedException);
-
publishEvent(event);
-
-
throw accessDeniedException;
-
}
-
-
if (logger.isDebugEnabled()) {
-
logger.debug("Authorization successful");
-
}
-
-
AuthorizedEvent event = new AuthorizedEvent(object, attr, authenticated);
-
publishEvent(event);
-
-
// 这里构建一个RunAsManager来替代当前的Authentication对象,默认情况下使用的是NullRunAsManager会把SecurityContextHolder中的Authentication对象清空
-
Authentication runAs = this.runAsManager.buildRunAs(authenticated, object, attr);
-
-
if (runAs == null) {
-
if (logger.isDebugEnabled()) {
-
logger.debug("RunAsManager did not change Authentication object");
-
}
-
-
// no further work post-invocation
-
return new InterceptorStatusToken(authenticated, false, attr, object);
-
} else {
-
if (logger.isDebugEnabled()) {
-
logger.debug("Switching to RunAs Authentication: " + runAs.toString());
-
}
-
-
SecurityContextHolder.getContext().setAuthentication(runAs);
-
-
// revert to token.Authenticated post-invocation
-
return new InterceptorStatusToken(authenticated, true, attr, object);
-
}
-
}
到这里我们假设配置AffirmativeBased作为AccessDecisionManager:
-
//这里定义了决策机制,需要全票才能通过
-
public void decide(Authentication authentication, Object object, ConfigAttributeDefinition config)
-
throws AccessDeniedException {
-
//这里取得配置好的迭代器集合
-
Iterator iter = this.getDecisionVoters().iterator();
-
int deny = 0;
-
//依次使用各个投票器进行投票,并对投票结果进行计票
-
while (iter.hasNext()) {
-
AccessDecisionVoter voter = (AccessDecisionVoter) iter.next();
-
int result = voter.vote(authentication, object, config);
-
//这是对投票结果进行处理,如果遇到其中一票通过,那就授权通过,如果是弃权或者反对,那就继续投票
-
switch (result) {
-
case AccessDecisionVoter.ACCESS_GRANTED:
-
return;
-
-
case AccessDecisionVoter.ACCESS_DENIED:
-
//这里对反对票进行计数
-
deny++;
-
-
break;
-
-
default:
-
break;
-
}
-
}
-
//如果有反对票,抛出异常,整个授权不通过
-
if (deny > 0) {
-
throw new AccessDeniedException(messages.getMessage("AbstractAccessDecisionManager.accessDenied",
-
"Access is denied"));
-
}
-
-
// 这里对弃权票进行处理,看看是全是弃权票的决定情况,默认是不通过,由allowIfAllAbstainDecisions变量控制
-
checkAllowIfAllAbstainDecisions();
-
}
-
具体的投票由投票器进行,我们这里配置了RoleVoter来进行投票:
-
public int vote(Authentication authentication, Object object, ConfigAttributeDefinition config) {
-
int result = ACCESS_ABSTAIN;
-
//这里取得资源的安全配置
-
Iterator iter = config.getConfigAttributes();
-
-
while (iter.hasNext()) {
-
ConfigAttribute attribute = (ConfigAttribute) iter.next();
-
-
if (this.supports(attribute)) {
-
result = ACCESS_DENIED;
-
-
// 这里对资源配置的安全授权级别进行判断,也就是匹配ROLE为前缀的角色配置
-
// 遍历每个配置属性,如果其中一个匹配该主体持有的GrantedAuthority,则访问被允许。
-
for (int i = 0; i < authentication.getAuthorities().length; i++) {
-
if (attribute.getAttribute().equals(authentication.getAuthorities()[i].getAuthority())) {
-
return ACCESS_GRANTED;
-
}
-
}
-
}
-
}
-
-
return result;
-
}
上面就是对整个授权过程的一个分析,从FilterSecurityInterceptor拦截Http请求入手,然后读取对资源的安全配置以后,把这些信息交由AccessDecisionManager来进行决策,Spring为我们提供了若干决策器来使用,在决策器中我们可以配置投票器来完成投票,我们在上面具体分析了角色投票器的使用过程。
推荐阅读
-
Spring源代码解析(十):Spring Acegi框架授权的实现 博客分类: Spring框架 spring
-
Spring源代码解析(十):Spring Acegi框架授权的实现 博客分类: Spring框架 spring
-
Spring源代码解析(九):Spring Acegi框架鉴权的实现 博客分类: Spring框架 spring
-
webwork2和spring的集成 博客分类: Java技术 SpringEXTWeb框架Servlet
-
解决Spring定时计划任务重复执行两次(实例被构造两次)问题的方法 博客分类: JavaSpring spring框架
-
spring-mvc.xml的配置 博客分类: SSH框架 springmvcxml
-
spring的三种注入方式详解 博客分类: Spring,注入 Spring注入开源框架
-
spring框架的七个包 博客分类: spring 框架SpringMVCAOP编程
-
spring框架的七个包 博客分类: spring 框架SpringMVCAOP编程
-
基于注解实现spring AOP 博客分类: spring框架 springaop