1. 认证，授权，鉴权，权限控制

认证：你是谁
授权：你能做什么
鉴权：你能不能做（你可以用钱买房子，但是你的钱不够）
权限控制：同意/不同意做

2. Authorization，Authentication的记法

Authorization的or抽象成author，是人做的事，即授权，Authentication是认证

3. SpringSecurity和shiro

springsecurity

• .功能全面
• .专为web开发设计
• .旧版本不能脱离web使用
• .重量级框架
• .是构建oauth的基础

shiro

• 轻量级
• 通用性好
• 可脱离web使用

4. 核心组件Authentication

/**
一个这个接口的实现相当于包含用户密码的实体
**/
public interface Authentication extends Principal, Serializable {//获取用户的权限Collection<? extends GrantedAuthority> getAuthorities();//获取凭证，相当于获取密码Object getCredentials();//获取详细的用户信息，ip之类的Object getDetails();//获取用户信息，例如含有用户名的实体类Object getPrincipal();//是否已经认证了boolean isAuthenticated();//更改认证状态void setAuthenticated(boolean var1) throws IllegalArgumentException;
}

5. GrantedAuthority

public interface GrantedAuthority extends Serializable {/**返回的是字符串，说明用字符串表示权限*/String getAuthority();
}

6. SecurityContextHolder

/**
先看initialize()这个方法，判断strategyName是否为空，为空则设置为本地线程模式(MODE_THREADLOCAL),
然后创建SecurityContextHolderStrategy对象，ThreadLocalSecurityContextHolderStrategy是SecurityContextHolderStrategy的实现类，而ThreadLocalSecurityContextHolderStrategy用ThreadLocal<SecurityContext>保存SecurityContext，SecurityContext类的属性有Authentication，所以SecurityContextHolder存着Authentication
*/public class SecurityContextHolder {public static final String MODE_THREADLOCAL = "MODE_THREADLOCAL";public static final String MODE_INHERITABLETHREADLOCAL = "MODE_INHERITABLETHREADLOCAL";public static final String MODE_GLOBAL = "MODE_GLOBAL";public static final String SYSTEM_PROPERTY = "spring.security.strategy";//从系统属性中获取策略private static String strategyName = System.getProperty(SYSTEM_PROPERTY);private static SecurityContextHolderStrategy strategy;private static int initializeCount = 0;static {initialize();}private static void initialize() {//如果没有给定策略，设置默认策略if (!StringUtils.hasText(strategyName)) {// Set defaultstrategyName = MODE_THREADLOCAL;}//如果是本地策略，new一个ThreadLocalSecurityContextHolderStrategy对象if (strategyName.equals(MODE_THREADLOCAL)) {strategy = new ThreadLocalSecurityContextHolderStrategy();}else if (strategyName.equals(MODE_INHERITABLETHREADLOCAL)) {strategy = new InheritableThreadLocalSecurityContextHolderStrategy();}else if (strategyName.equals(MODE_GLOBAL)) {strategy = new GlobalSecurityContextHolderStrategy();}else {//尝试使用自定义策略// Try to load a custom strategytry {Class<?> clazz = Class.forName(strategyName);Constructor<?> customStrategy = clazz.getConstructor();strategy = (SecurityContextHolderStrategy) customStrategy.newInstance();}catch (Exception ex) {ReflectionUtils.handleReflectionException(ex);}}initializeCount++;}
}

public interface SecurityContextHolderStrategy {void clearContext();SecurityContext getContext();void setContext(SecurityContext context);SecurityContext createEmptyContext();
}

final class ThreadLocalSecurityContextHolderStrategy implements SecurityContextHolderStrategy {private static final ThreadLocal<SecurityContext> contextHolder = new ThreadLocal<>();public void clearContext() {contextHolder.remove();}public SecurityContext getContext() {SecurityContext ctx = contextHolder.get();if (ctx == null) {ctx = createEmptyContext();contextHolder.set(ctx);}return ctx;}public void setContext(SecurityContext context) {Assert.notNull(context, "Only non-null SecurityContext instances are permitted");contextHolder.set(context);}public SecurityContext createEmptyContext() {return new SecurityContextImpl();}
}

package org.springframework.security.core.context;
import org.springframework.security.core.Authentication;
import java.io.Serializable;
public interface SecurityContext extends Serializable {Authentication getAuthentication();void setAuthentication(Authentication authentication);
}

7. UserDetails和UserDetailsService

package org.springframework.security.core.userdetails;public interface UserDetailsService {UserDetails loadUserByUsername(String username) throws UsernameNotFoundException;
}

package org.springframework.security.core.userdetails;import org.springframework.security.core.Authentication;
import org.springframework.security.core.GrantedAuthority;
import java.io.Serializable;
import java.util.Collection;public interface UserDetails extends Serializable {Collection<? extends GrantedAuthority> getAuthorities();String getPassword();String getUsername();/*** Indicates whether the user's account has expired. An expired account cannot be* authenticated.** @return <code>true</code> if the user's account is valid (ie non-expired),* <code>false</code> if no longer valid (ie expired)*/boolean isAccountNonExpired();/*** Indicates whether the user is locked or unlocked. A locked user cannot be* authenticated.** @return <code>true</code> if the user is not locked, <code>false</code> otherwise*/boolean isAccountNonLocked();/*** Indicates whether the user's credentials (password) has expired. Expired* credentials prevent authentication.** @return <code>true</code> if the user's credentials are valid (ie non-expired),* <code>false</code> if no longer valid (ie expired)*/boolean isCredentialsNonExpired();/*** Indicates whether the user is enabled or disabled. A disabled user cannot be* authenticated.** @return <code>true</code> if the user is enabled, <code>false</code> otherwise*/boolean isEnabled();
}

8. AuthenticationManager

public interface AuthenticationManager {Authentication authenticate(Authentication authentication)throws AuthenticationException;
}

9. ProviderManager

public class ProviderManager implements AuthenticationManager, MessageSourceAware, InitializingBean {private static final Log logger = LogFactory.getLog(ProviderManager.class);private AuthenticationEventPublisher eventPublisher = new NullEventPublisher();private List<AuthenticationProvider> providers = Collections.emptyList();protected MessageSourceAccessor messages = SpringSecurityMessageSource.getAccessor();//认证管理可认证private AuthenticationManager parent;private boolean eraseCredentialsAfterAuthentication = true;/**这里使用了委托者模式AuthenticationProvider是一个接口，也有AuthenticationManager 接口的authenticate方法先遍历每个provider，用每个provider尝试认证，有一个成功即可；如果都失败了，则使用parent尝试认证，如果parent也认证失败，抛出异常*/public Authentication authenticate(Authentication authentication) throws AuthenticationException {Class<? extends Authentication> toTest = authentication.getClass();AuthenticationException lastException = null;AuthenticationException parentException = null;Authentication result = null;Authentication parentResult = null;boolean debug = logger.isDebugEnabled();for (AuthenticationProvider provider : getProviders()) {//如果当前provider不支持认证这种类型，跳过if (!provider.supports(toTest)) {continue;}if (debug) {logger.debug("Authentication attempt using "+ provider.getClass().getName());}try {//使用当前认证提供者尝试认证result = provider.authenticate(authentication);//如果结果不为空则跳出循坏if (result != null) {copyDetails(authentication, result);break;}}catch (AccountStatusException | InternalAuthenticationServiceException e) {prepareException(e, authentication);throw e;} catch (AuthenticationException e) {lastException = e;}}//如果认证结果为空且parent不为空if (result == null && parent != null) {// Allow the parent to try.try {//让父亲去认证result = parentResult = parent.authenticate(authentication);}catch (ProviderNotFoundException e) {}catch (AuthenticationException e) {lastException = parentException = e;}}//if (result != null) {if (eraseCredentialsAfterAuthentication&& (result instanceof CredentialsContainer)) {((CredentialsContainer) result).eraseCredentials();}if (parentResult == null) {eventPublisher.publishAuthenticationSuccess(result);}return result;}if (lastException == null) {lastException = new ProviderNotFoundException(messages.getMessage("ProviderManager.providerNotFound",new Object[] { toTest.getName() },"No AuthenticationProvider found for {0}"));}if (parentException == null) {prepareException(lastException, authentication);}throw lastException;}
}

10. 认证流程

思路
既然认证是通过AuthenticationProvider进行的，那么去找它的实现类；DaoAuthenticationProvider是AuthenticationProvider的实现类，AuthenticationProvider继承AbstractUserDetailsAuthenticationProvider抽象类，而AbstractUserDetailsAuthenticationProvider实现AuthenticationProvider，所以重点关注AbstractUserDetailsAuthenticationProvider这个抽象类

public abstract class AbstractUserDetailsAuthenticationProvider implementsAuthenticationProvider, InitializingBean, MessageSourceAware {protected final Log logger = LogFactory.getLog(getClass());protected MessageSourceAccessor messages = SpringSecurityMessageSource.getAccessor();private UserCache userCache = new NullUserCache();private boolean forcePrincipalAsString = false;protected boolean hideUserNotFoundExceptions = true;private UserDetailsChecker preAuthenticationChecks = new DefaultPreAuthenticationChecks();private UserDetailsChecker postAuthenticationChecks = new DefaultPostAuthenticationChecks();private GrantedAuthoritiesMapper authoritiesMapper = new NullAuthoritiesMapper();protected abstract void additionalAuthenticationChecks(UserDetails userDetails,UsernamePasswordAuthenticationToken authentication)throws AuthenticationException;public final void afterPropertiesSet() throws Exception {Assert.notNull(this.userCache, "A user cache must be set");Assert.notNull(this.messages, "A message source must be set");doAfterPropertiesSet();}//重点关注这个方法，因为AuthenticationProvider调用这个方法进行验证public Authentication authenticate(Authentication authentication) throws AuthenticationException {//判断authentication是否属于UsernamePasswordAuthenticationToken这种类型的Assert.isInstanceOf(UsernamePasswordAuthenticationToken.class, authentication,() -> messages.getMessage("AbstractUserDetailsAuthenticationProvider.onlySupports","Only UsernamePasswordAuthenticationToken is supported"));// Determine username//获取用户名String username = (authentication.getPrincipal() == null) ? "NONE_PROVIDED": authentication.getName();boolean cacheWasUsed = true;//从缓存获取用户信息UserDetails user = this.userCache.getUserFromCache(username);if (user == null) {cacheWasUsed = false;try {/**检索用户信息实现此方法的类DaoAuthenticationProvider里的关键代码UserDetails loadedUser = this.getUserDetailsService().loadUserByUsername(username);**/user = retrieveUser(username, (UsernamePasswordAuthenticationToken) authentication);}catch (UsernameNotFoundException notFound) {logger.debug("User '" + username + "' not found");if (hideUserNotFoundExceptions) {throw new BadCredentialsException(messages.getMessage("AbstractUserDetailsAuthenticationProvider.badCredentials","Bad credentials"));}else {throw notFound;}}Assert.notNull(user,"retrieveUser returned null - a violation of the interface contract");}try {/**前置认证检查账户是否上锁，是否可用，是否过期等*/preAuthenticationChecks.check(user);/**额外认证检查 判断密码是否匹配实现此方法的类DaoAuthenticationProvider里的关键代码if (!passwordEncoder.matches(presentedPassword, userDetails.getPassword())) {logger.debug("Authentication failed: password does not match stored value");throw new BadCredentialsException(messages.getMessage("AbstractUserDetailsAuthenticationProvider.badCredentials","Bad credentials"));}*/additionalAuthenticationChecks(user, (UsernamePasswordAuthenticationToken) authentication);}catch (AuthenticationException exception) {if (cacheWasUsed) {// There was a problem, so try again after checking// we're using latest data (i.e. not from the cache)cacheWasUsed = false;user = retrieveUser(username,(UsernamePasswordAuthenticationToken) authentication);preAuthenticationChecks.check(user);additionalAuthenticationChecks(user,(UsernamePasswordAuthenticationToken) authentication);}else {throw exception;}}/**后置检查检查凭证是否过期private class DefaultPostAuthenticationChecks implements UserDetailsChecker {public void check(UserDetails user) {if (!user.isCredentialsNonExpired()) {logger.debug("User account credentials have expired");throw new CredentialsExpiredException(messages.getMessage("AbstractUserDetailsAuthenticationProvider.credentialsExpired","User credentials have expired"));}}}*/postAuthenticationChecks.check(user);if (!cacheWasUsed) {this.userCache.putUserInCache(user);}// 就是UserDetailsObject principalToReturn = user;if (forcePrincipalAsString) {principalToReturn = user.getUsername();}/**如果成功返回UsernamePasswordAuthenticationTokenprotected Authentication createSuccessAuthentication(Object principal, Authentication authentication, UserDetails user) {UsernamePasswordAuthenticationToken result = new UsernamePasswordAuthenticationToken(principal, authentication.getCredentials(),authoritiesMapper.mapAuthorities(user.getAuthorities()));result.setDetails(authentication.getDetails());return result;}*/return createSuccessAuthentication(principalToReturn, authentication, user);}protected Authentication createSuccessAuthentication(Object principal,Authentication authentication, UserDetails user) {// Ensure we return the original credentials the user supplied,// so subsequent attempts are successful even with encoded passwords.// Also ensure we return the original getDetails(), so that future// authentication events after cache expiry contain the detailsUsernamePasswordAuthenticationToken result = new UsernamePasswordAuthenticationToken(principal, authentication.getCredentials(),authoritiesMapper.mapAuthorities(user.getAuthorities()));result.setDetails(authentication.getDetails());return result;}protected void doAfterPropertiesSet() throws Exception {}public UserCache getUserCache() {return userCache;}public boolean isForcePrincipalAsString() {return forcePrincipalAsString;}public boolean isHideUserNotFoundExceptions() {return hideUserNotFoundExceptions;}protected abstract UserDetails retrieveUser(String username,UsernamePasswordAuthenticationToken authentication)throws AuthenticationException;public void setForcePrincipalAsString(boolean forcePrincipalAsString) {this.forcePrincipalAsString = forcePrincipalAsString;}public void setHideUserNotFoundExceptions(boolean hideUserNotFoundExceptions) {this.hideUserNotFoundExceptions = hideUserNotFoundExceptions;}public void setMessageSource(MessageSource messageSource) {this.messages = new MessageSourceAccessor(messageSource);}public void setUserCache(UserCache userCache) {this.userCache = userCache;}public boolean supports(Class<?> authentication) {return (UsernamePasswordAuthenticationToken.class.isAssignableFrom(authentication));}private class DefaultPreAuthenticationChecks implements UserDetailsChecker {public void check(UserDetails user) {if (!user.isAccountNonLocked()) {logger.debug("User account is locked");throw new LockedException(messages.getMessage("AbstractUserDetailsAuthenticationProvider.locked","User account is locked"));}if (!user.isEnabled()) {logger.debug("User account is disabled");throw new DisabledException(messages.getMessage("AbstractUserDetailsAuthenticationProvider.disabled","User is disabled"));}if (!user.isAccountNonExpired()) {logger.debug("User account is expired");throw new AccountExpiredException(messages.getMessage("AbstractUserDetailsAuthenticationProvider.expired","User account has expired"));}}}private class DefaultPostAuthenticationChecks implements UserDetailsChecker {public void check(UserDetails user) {if (!user.isCredentialsNonExpired()) {logger.debug("User account credentials have expired");throw new CredentialsExpiredException(messages.getMessage("AbstractUserDetailsAuthenticationProvider.credentialsExpired","User credentials have expired"));}}}
}

11. Filter回顾

过程
请求到达Servlet，然后依次执行过滤器，若过滤器的拦截的url相同，则默认按名称排序执行, 以栈的形式先进后出执行

12. 核心过滤器之 SecurityContextPersistenceFilter

  作用: 创建SecurityContext和销毁SecurityContext

13. 核心过滤器之UsernamePasswordAuthenticationFilter

  作用：生成UsernamePasswordAuthenticationFilter

UsernamePasswordAuthenticationFilter继承AbstractAuthenticationProcessingFilter抽象类

public class UsernamePasswordAuthenticationFilter extends AbstractAuthenticationProcessingFilter {public static final String SPRING_SECURITY_FORM_USERNAME_KEY = "username";public static final String SPRING_SECURITY_FORM_PASSWORD_KEY = "password";private String usernameParameter = SPRING_SECURITY_FORM_USERNAME_KEY;private String passwordParameter = SPRING_SECURITY_FORM_PASSWORD_KEY;private boolean postOnly = true;public Authentication attemptAuthentication(HttpServletRequest request,HttpServletResponse response) throws AuthenticationException {//检查是否是post登录if (postOnly && !request.getMethod().equals("POST")) {throw new AuthenticationServiceException("Authentication method not supported: " + request.getMethod());}//从request获取usernameString username = obtainUsername(request);//从request获取passwordString password = obtainPassword(request);if (username == null) {username = "";}if (password == null) {password = "";}username = username.trim();//生成tokenUsernamePasswordAuthenticationToken authRequest = new UsernamePasswordAuthenticationToken(username, password);// Allow subclasses to set the "details" propertysetDetails(request, authRequest);/**开始认证，会交给AuthenticationProvider去做*/return this.getAuthenticationManager().authenticate(authRequest);}@Nullableprotected String obtainPassword(HttpServletRequest request) {return request.getParameter(passwordParameter);}@Nullableprotected String obtainUsername(HttpServletRequest request) {return request.getParameter(usernameParameter);}
}

14. BasicAuthenticationFilter

public class BasicAuthenticationFilter extends OncePerRequestFilter {private AuthenticationEntryPoint authenticationEntryPoint;private AuthenticationManager authenticationManager;private RememberMeServices rememberMeServices = new NullRememberMeServices();private boolean ignoreFailure = false;private String credentialsCharset = "UTF-8";private BasicAuthenticationConverter authenticationConverter = new BasicAuthenticationConverter();@Overrideprotected void doFilterInternal(HttpServletRequest request, HttpServletResponse response, FilterChain chain) throws IOException, ServletException {final boolean debug = this.logger.isDebugEnabled();try {/**BasicAuthenticationConverter的convert方法//    public static final String AUTHORIZATION = "Authorization";可以看到是从请求头中获取Authorization这个字段@Overridepublic UsernamePasswordAuthenticationToken convert(HttpServletRequest request) {//可以看到是从请求头中获取Authorization这个字段String header = request.getHeader(AUTHORIZATION);if (header == null) {return null;}header = header.trim();if (!StringUtils.startsWithIgnoreCase(header, AUTHENTICATION_SCHEME_BASIC)) {return null;}byte[] base64Token = header.substring(6).getBytes(StandardCharsets.UTF_8);byte[] decoded;try {//base64解码decoded = Base64.getDecoder().decode(base64Token);}catch (IllegalArgumentException e) {throw new BadCredentialsException("Failed to decode basic authentication token");}String token = new String(decoded, getCredentialsCharset(request));//以冒号分割所以token内容应该是username:password这种形式int delim = token.indexOf(":");if (delim == -1) {throw new BadCredentialsException("Invalid basic authentication token");}UsernamePasswordAuthenticationToken result  = new UsernamePasswordAuthenticationToken(token.substring(0, delim), token.substring(delim + 1));result.setDetails(this.authenticationDetailsSource.buildDetails(request));return result;}*/UsernamePasswordAuthenticationToken authRequest = authenticationConverter.convert(request);if (authRequest == null) {chain.doFilter(request, response);return;}String username = authRequest.getName();if (authenticationIsRequired(username)) {//开始认证Authentication authResult = this.authenticationManager.authenticate(authRequest);if (debug) {this.logger.debug("Authentication success: " + authResult);}SecurityContextHolder.getContext().setAuthentication(authResult);this.rememberMeServices.loginSuccess(request, response, authResult);onSuccessfulAuthentication(request, response, authResult);}}catch (AuthenticationException failed) {SecurityContextHolder.clearContext();if (debug) {this.logger.debug("Authentication request for failed: " + failed);}this.rememberMeServices.loginFail(request, response);onUnsuccessfulAuthentication(request, response, failed);if (this.ignoreFailure) {chain.doFilter(request, response);}else {this.authenticationEntryPoint.commence(request, response, failed);}return;}chain.doFilter(request, response);}}

15. AnonymousAuthenticationFilter

public class AnonymousAuthenticationFilter extends GenericFilterBean implements InitializingBean {private AuthenticationDetailsSource<HttpServletRequest, ?> authenticationDetailsSource = new WebAuthenticationDetailsSource();private String key;private Object principal;private List<GrantedAuthority> authorities;public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)throws IOException, ServletException {if (SecurityContextHolder.getContext().getAuthentication() == null) {//获取不到认证信息，直接创建新的认证信息SecurityContextHolder.getContext().setAuthentication(createAuthentication((HttpServletRequest) req));if (logger.isDebugEnabled()) {logger.debug("Populated SecurityContextHolder with anonymous token: '"+ SecurityContextHolder.getContext().getAuthentication() + "'");}}else {if (logger.isDebugEnabled()) {logger.debug("SecurityContextHolder not populated with anonymous token, as it already contained: '"+ SecurityContextHolder.getContext().getAuthentication() + "'");}}chain.doFilter(req, res);}protected Authentication createAuthentication(HttpServletRequest request) {//匿名用户用AnonymousAuthenticationToken替代UsernamePasswordAuthenticationToken AnonymousAuthenticationToken auth = new AnonymousAuthenticationToken(key,principal, authorities);auth.setDetails(authenticationDetailsSource.buildDetails(request));return auth;}
}

16. 完整流程

17. 权限认证

• WebAsyncManagerIntegrationFilter
  在 Callable 上填充 SecurityContext，提供 SecurityContext 和 Spring Web 的 WebAsyncManager 之 间的集成。
• (重要)SecurityContextPersistenceFilter
  在请求之前使用从配置的 SecurityContextRepository 获取的信息填充 SecurityContextHolder，并在请求完成并清除上下文持有者后将其存储回存储库
• org.springframework.security.web.header.HeaderWriterFilter
  过滤器实现以向当前响应添加标头。 添加某些启用浏览器保护的标头可能很有用。 像 X-Frame-Options、X-XSS-Protection 和 X-Content-Type-Options。
• (重要)UsernamePasswordAuthenticationFilter
  处理身份验证表单提交。 在 Spring Security 3.0 之前调用 AuthenticationProcessingFilter。
  登录表单必须向此过滤器提供两个参数：用户名和密码。 要使用的默认参数名称包含在静态字段 SPRING_SECURITY_FORM_USERNAME_KEY 和 SPRING_SECURITY_FORM_PASSWORD_KEY 中。 也可以通过设置 usernameParameter 和 passwordParameter 属性来更改参数名称。
  默认情况下，此过滤器响应 URL /login。
• DefaultLoginPageGeneratingFilter
  在用户未配置登录页面的情况下，用于名称空间配置的内部使用。 配置代码将在链中插入这个过滤器。 仅当重定向用于登录页面时才有效。
• DefaultLogoutPageGeneratingFilter
  生成默认的注销页面。
• RequestCacheAwareFilter
  如果缓存的请求与当前请求匹配，则负责重新构造已保存的请求
• SecurityContextHolderAwareRequestFilter
  一个过滤器，它用实现servlet API安全方法的请求包装器填充ServletRequest。
• AnonymousAuthenticationFilter
  检测SecurityContextHolder中是否没有Authentication对象，并在需要时使用一个对象填充它
• SessionManagementFilter
  检测用户从请求开始时就已经通过了身份验证，如果已经通过了身份验证，则调用配置的SessionAuthenticationStrategy来执行任何与会话相关的活动，例如激活会话固定保护机制或检查多个并发登录。
• ExceptionTranslationFilter
  处理过滤器链中抛出的任何AccessDeniedException和AuthenticationException
• (重要)FilterSecurityInterceptor
  通过过滤器实现执行HTTP资源的安全处理。

关键过滤器FilterSecurityInterceptor

思路：FilterSecurityInterceptor是filter，就一定有dofilter这个方法，所以先找dofilter

public class FilterSecurityInterceptor extends AbstractSecurityInterceptor implements Filter {private static final String FILTER_APPLIED = "__spring_security_filterSecurityInterceptor_filterApplied";private FilterInvocationSecurityMetadataSource securityMetadataSource;private boolean observeOncePerRequest = true;public void init(FilterConfig arg0) {}public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain) throws IOException, ServletException {//这里是把request和response做了类型转换/**FilterInvocation构造函数public FilterInvocation(ServletRequest request, ServletResponse response,FilterChain chain) {if ((request == null) || (response == null) || (chain == null)) {throw new IllegalArgumentException("Cannot pass null values to constructor");}this.request = (HttpServletRequest) request;this.response = (HttpServletResponse) response;this.chain = chain;}*/FilterInvocation fi = new FilterInvocation(request, response, chain);invoke(fi);}public FilterInvocationSecurityMetadataSource getSecurityMetadataSource() {return this.securityMetadataSource;}public SecurityMetadataSource obtainSecurityMetadataSource() {return this.securityMetadataSource;}public void setSecurityMetadataSource(FilterInvocationSecurityMetadataSource newSource) {this.securityMetadataSource = newSource;}public void invoke(FilterInvocation fi) throws IOException, ServletException {if ((fi.getRequest() != null)&& (fi.getRequest().getAttribute(FILTER_APPLIED) != null)&& observeOncePerRequest) {//只执行一次处理// filter already applied to this request and user wants us to observe// once-per-request handling, so don't re-do security checkingfi.getChain().doFilter(fi.getRequest(), fi.getResponse());}else {//第一次处理// first time this request being called, so perform security checkingif (fi.getRequest() != null && observeOncePerRequest) {//相当于做标记，有这个标记说明处理过了fi.getRequest().setAttribute(FILTER_APPLIED, Boolean.TRUE);}InterceptorStatusToken token = super.beforeInvocation(fi);try {fi.getChain().doFilter(fi.getRequest(), fi.getResponse());}finally {super.finallyInvocation(token);}super.afterInvocation(token, null);}}
}

public abstract class AbstractSecurityInterceptor implements InitializingBean,ApplicationEventPublisherAware, MessageSourceAware {//访问决策管理器private AccessDecisionManager accessDecisionManager;private AfterInvocationManager afterInvocationManager;private RunAsManager runAsManager = new NullRunAsManager();private boolean alwaysReauthenticate = false;private boolean rejectPublicInvocations = false;private boolean validateConfigAttributes = true;private boolean publishAuthorizationSuccess = false;protected InterceptorStatusToken beforeInvocation(Object object) {//这里的object是FilterInvocation的对象Assert.notNull(object, "Object was null");//从securityMetadataSource获取权限列表，securityMetadataSource在构造FilterSecurityInterceptor时传入Collection<ConfigAttribute> attributes = this.obtainSecurityMetadataSource().getAttributes(object);if (attributes == null || attributes.isEmpty()) {//最好把rejectPublicInvocations设置为true，因为该用户没有权限，不应该让用户访问下去if (rejectPublicInvocations) {throw new IllegalArgumentException("Secure object invocation "+ object+ " was denied as public invocations are not allowed via this interceptor. "+ "This indicates a configuration error because the "+ "rejectPublicInvocations property is set to 'true'");}publishEvent(new PublicInvocationEvent(object));return null; // no further work post-invocation}//获取登录用户的认证信息，不能为空if (SecurityContextHolder.getContext().getAuthentication() == null) {credentialsNotFound(messages.getMessage("AbstractSecurityInterceptor.authenticationNotFound","An Authentication object was not found in the SecurityContext"),object, attributes);}//是否需要认证，是则去认证Authentication authenticated = authenticateIfRequired();// Attempt authorizationtry {//这里是重点，调用访问决策管理器去决定让该用户访问该url（权限）this.accessDecisionManager.decide(authenticated, object, attributes);}catch (AccessDeniedException accessDeniedException) {publishEvent(new AuthorizationFailureEvent(object, attributes, authenticated,accessDeniedException));throw accessDeniedException;}//不抛AccessDeniedException就是允许访问if (debug) {logger.debug("Authorization successful");}}protected void finallyInvocation(InterceptorStatusToken token) {if (token != null && token.isContextHolderRefreshRequired()) {if (logger.isDebugEnabled()) {logger.debug("Reverting to original Authentication: "+ token.getSecurityContext().getAuthentication());}SecurityContextHolder.setContext(token.getSecurityContext());}}//这个方法与beforeInvocation同理，区别在于beforeInvocation在进入controller方法之前做决策，afterInvocation在controller方法返回之后做决策，根据filterchain的效果推出的protected Object afterInvocation(InterceptorStatusToken token, Object returnedObject) {if (token == null) {// public objectreturn returnedObject;}finallyInvocation(token); // continue to clean in this method for passivityif (afterInvocationManager != null) {// Attempt after invocation handlingtry {returnedObject = afterInvocationManager.decide(token.getSecurityContext().getAuthentication(), token.getSecureObject(), token.getAttributes(), returnedObject);}catch (AccessDeniedException accessDeniedException) {AuthorizationFailureEvent event = new AuthorizationFailureEvent(token.getSecureObject(), token.getAttributes(), token.getSecurityContext().getAuthentication(),accessDeniedException);publishEvent(event);throw accessDeniedException;}}return returnedObject;}
}

/**
AccessDecisionManager有4个实现类，其中1个是抽象实现，另外3个分别是在抽象实现上再具体实现
抽象实现类是AbstractAccessDecisionManager；AffirmativeBased（一票同意），ConsensusBased（少数服从多数）和UnanimousBased（全部同意）继承AbstractAccessDecisionManager
这里我们只看AffirmativeBased
*/
public interface AccessDecisionManager {void decide(Authentication authentication, Object object,Collection<ConfigAttribute> configAttributes) throws AccessDeniedException,InsufficientAuthenticationException;boolean supports(ConfigAttribute attribute);boolean supports(Class<?> clazz);
}

public class AffirmativeBased extends AbstractAccessDecisionManager {//需要决策器列表public AffirmativeBased(List<AccessDecisionVoter<?>> decisionVoters) {super(decisionVoters);}public void decide(Authentication authentication, Object object,Collection<ConfigAttribute> configAttributes) throws AccessDeniedException {//拒绝的票数int deny = 0;//遍历所有访问决策器for (AccessDecisionVoter voter : getDecisionVoters()) {//决策结果int result = voter.vote(authentication, object, configAttributes);switch (result) {case AccessDecisionVoter.ACCESS_GRANTED://同意票return;case AccessDecisionVoter.ACCESS_DENIED://拒绝票deny++;break;default:break;}}//拒绝票大于0拒绝该用户访问if (deny > 0) {throw new AccessDeniedException(messages.getMessage("AbstractAccessDecisionManager.accessDenied", "Access is denied"));}}
}

//访问决策器接口，这里只看实现类RoleVoter
public interface AccessDecisionVoter<S> {//同意int ACCESS_GRANTED = 1;//弃权int ACCESS_ABSTAIN = 0;//拒绝int ACCESS_DENIED = -1;boolean supports(ConfigAttribute attribute);boolean supports(Class<?> clazz);int vote(Authentication authentication, S object,Collection<ConfigAttribute> attributes);
}

public class RoleVoter implements AccessDecisionVoter<Object> {private String rolePrefix = "ROLE_";public String getRolePrefix() {return rolePrefix;}//可以设置角色前缀public void setRolePrefix(String rolePrefix) {this.rolePrefix = rolePrefix;}//这就是为什么角色要以ROLE_开头public boolean supports(ConfigAttribute attribute) {if ((attribute.getAttribute() != null)&& attribute.getAttribute().startsWith(getRolePrefix())) {return true;}else {return false;}}public boolean supports(Class<?> clazz) {return true;}//关键代码public int vote(Authentication authentication, Object object,Collection<ConfigAttribute> attributes) {//如果认证信息为空，拒绝if (authentication == null) {return ACCESS_DENIED;}//先赋值弃权int result = ACCESS_ABSTAIN;//Collection<? extends GrantedAuthority> authorities = extractAuthorities(authentication);//这里的attribute是角色 ，遍历当前用户的角色for (ConfigAttribute attribute : attributes) {if (this.supports(attribute)) {//如果支持当前类型，把弃权改为拒绝	result = ACCESS_DENIED;// Attempt to find a matching granted authority//遍历访问url需要的角色for (GrantedAuthority authority : authorities) {//判断角色是否相等if (attribute.getAttribute().equals(authority.getAuthority())) {return ACCESS_GRANTED;}}}}return result;}Collection<? extends GrantedAuthority> extractAuthorities(Authentication authentication) {return authentication.getAuthorities();}
}

18. 权限过滤的第二种方式

通过查看源码的方式可知，权限过滤有两种方法。一种是上面这种基于filter的，另一种是注解方式
这里说注解方式
看GlobalMethodSecurityConfiguration注释可知怎么自定义

思路
我们知道通过@PreAuthorize配置访问方法所需的权限，而启用该注解的方式是使用@EnableGlobalMethodSecurity。从@EnableGlobalMethodSecurity的文档说明可以找到配置类GlobalMethodSecurityConfiguration 。该配置类有一个bean返回的是MethodSecurityInterceptor的对象，
MethodSecurityInterceptor继承AbstractSecurityInterceptor，通过前面我们知道，AbstractSecurityInterceptor是FilterSecurityInterceptor的父类，FilterSecurityInterceptor是基于过滤器的而MethodSecurityInterceptor是基于注解的。MethodSecurityInterceptor有一个invoke方法，这个方法调用了AbstractSecurityInterceptor的beforeInvocation方法，beforeInvocation会先通过数据源获取attributes，然后用attributes作为访问决策管理器的decide的参数去做决策，没有抛AccessDeniedException异常就算通过，这就是权限过滤的大概流程

数据源（SecurityMetadataSource）

通过debug可知，MethodSecurityInterceptor使用数据源PrePostAnnotationSecurityMetadataSource，
PrePostAnnotationSecurityMetadataSource继承自AbstractMethodSecurityMetadataSource

访问决策管理器（AccessDecisionManager）

通过debug可知，MethodSecurityInterceptor使用AffirmativeBased（一票通过）

访问决策器（AccessDecisionVoter）

通过debug可知，MethodSecurityInterceptor的访问决策器有PreInvocationAuthorizationAdviceVoter，
PreInvocationAuthorizationAdviceVoter通过自身的属性PreInvocationAuthorizationAdvice的before方法活的投票结果

19. 自定义权限过滤

思路：一切都从AbstractSecurityInterceptor抽象类开始，若基于过滤器就参考FilterSecurityInterceptor，基于注解就参考MethodSecurityInterceptor，二选一即可。无论选哪种，有3个必要的组件，数据源、访问决策管理器和访问决策器

技巧

• 基于过滤器不想重写FilterSecurityInterceptor可以这样做

    @Overrideprotected void configure(HttpSecurity http) throws Exception {.setAccessDecisionManager(new AffirmativeBased(Arrays.asList(new AnnotationPermissionVoter())));//这个不是基于session一定要关了http.csrf().disable();http.authorizeRequests().antMatchers("/login").permitAll().antMatchers("/logout").permitAll()//需要认证.anyRequest().authenticated();//开启表单登录http.formLogin();http.authorizeRequests().withObjectPostProcessor(new ObjectPostProcessor<FilterSecurityInterceptor>() {@Overridepublic <O extends FilterSecurityInterceptor> O postProcess(O o) {//配置数据源o.setSecurityMetadataSource(new MyFilterSecurityMetadataSource());//配置访问决策管理器o.setAccessDecisionManager(getAffirmativeBased());return o;}});}

• 基于注解可以这样写

    @ResourceMethodSecurityInterceptor methodSecurityInterceptor;@Overrideprotected void configure(HttpSecurity http) throws Exception {//配置数据源methodSecurityInterceptor.setAccessDecisionManager(getAccessDecisionManager());//配置访问决策管理器methodSecurityInterceptor.setSecurityMetadataSource(getSecurityMetadataSource());//这个不是基于session一定要关了http.csrf().disable();http.authorizeRequests().antMatchers("/login").permitAll().antMatchers("/logout").permitAll()//需要认证.anyRequest().authenticated();//开启表单登录http.formLogin();}

20. 自定义认证

思路：写过滤器解析放在请求头的token，禁用session，