Spring Security（三十七）：Part IV. Web Application Security

Posted 2021-01-28 帅S俊

Most Spring Security users will be using the framework in applications which make user of HTTP and the Servlet API. In this part, we’ll take a look at how Spring Security provides authentication and access-control features for the web layer of an application. We’ll look behind the facade of the namespace and see which classes and interfaces are actually assembled to provide web-layer security. In some situations it is necessary to use traditional bean configuration to provide full control over the configuration, so we’ll also see how to configure these classes directly without the namespace.

大多数Spring Security用户将在使用HTTP和Servlet API的应用程序中使用该框架。在本部分中，我们将了解Spring Security如何为应用程序的Web层提供身份验证和访问控制功能。我们将查看命名空间的外观，并查看实际组装的类和接口，以提供Web层安全性。在某些情况下，有必要使用传统的bean配置来提供对配置的完全控制，因此我们还将看到如何在没有命名空间的情况下直接配置这些类。 

13. The Security Filter Chain

Spring Security’s web infrastructure is based entirely on standard servlet filters. It doesn’t use servlets or any other servlet-based frameworks (such as Spring MVC) internally, so it has no strong links to any particular web technology. It deals in HttpServletRequest s and HttpServletResponse s and doesn’t care whether the requests come from a browser, a web service client, an HttpInvoker or an AJAX application.

Spring Security的Web基础结构完全基于标准的servlet过滤器。它不在内部使用servlet或任何其他基于servlet的框架（例如Spring MVC），因此它没有与任何特定Web技术的强大链接。它处理HttpServletRequest和HttpServletResponse，并不关心请求是来自浏览器，Web服务客户端，HttpInvoker还是AJAX应用程序。

 

 Spring Security maintains a filter chain internally where each of the filters has a particular responsibility and filters are added or removed from the configuration depending on which services are required. The ordering of the filters is important as there are dependencies between them. If you have been using namespace configuration, then the filters are automatically configured for you and you don’t have to define any Spring beans explicitly but here may be times when you want full control over the security filter chain, either because you are using features which aren’t supported in the namespace, or you are using your own customized versions of classes.

Spring Security在内部维护一个过滤器链，每个过滤器都有特定的责任，并根据所需的服务在配置中添加或删除过滤器。过滤器的顺序很重要，因为它们之间存在依赖关系。如果您一直在使用命名空间配置，那么将自动为您配置过滤器，您不必明确定义任何Spring bean，但这可能是您希望完全控制安全过滤器链的时候，因为您正在使用功能命名空间中不支持，或者您使用自己的自定义版本的类。

 

13.1 DelegatingFilterProxy

When using servlet filters, you obviously need to declare them in your web.xml, or they will be ignored by the servlet container. In Spring Security, the filter classes are also Spring beans defined in the application context and thus able to take advantage of Spring’s rich dependency-injection facilities and lifecycle interfaces. Spring’s DelegatingFilterProxy provides the link between web.xml and the application context.

使用servlet过滤器时，显然需要在web.xml中声明它们，否则servlet容器将忽略它们。在Spring Security中，过滤器类也是在应用程序上下文中定义的Spring bean，因此能够利用Spring丰富的依赖注入工具和生命周期接口。 Spring的DelegatingFilterProxy提供了web.xml和应用程序上下文之间的链接。

 

When using DelegatingFilterProxy, you will see something like this in the web.xml file:

使用DelegatingFilterProxy时，您将在web.xml文件中看到类似的内容：

<filter>
<filter-name>myFilter</filter-name>
<filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
</filter>

<filter-mapping>
<filter-name>myFilter</filter-name>
<url-pattern>/*</url-pattern>
</filter-mapping>

Notice that the filter is actually a DelegatingFilterProxy, and not the class that will actually implement the logic of the filter. What DelegatingFilterProxy does is delegate the Filter ‘s methods through to a bean which is obtained from the Spring application context. This enables the bean to benefit from the Spring web application context lifecycle support and configuration flexibility. The bean must implement javax.servlet.Filter and it must have the same name as that in the filter-name element. Read the Javadoc for DelegatingFilterProxy for more information

请注意，过滤器实际上是DelegatingFilterProxy，而不是实际实现过滤器逻辑的类。 DelegatingFilterProxy所做的是将Filter的方法委托给从Spring应用程序上下文中获取的bean。这使bean能够受益于Spring Web应用程序上下文生命周期支持和配置灵活性。 bean必须实现javax.servlet.Filter，它必须与filter-name元素中的名称相同。有关更多信息，请阅读Javadoc for DelegatingFilterProxy

13.2 FilterChainProxy

Spring Security’s web infrastructure should only be used by delegating to an instance of FilterChainProxy. The security filters should not be used by themselves. In theory you could declare each Spring Security filter bean that you require in your application context file and add a corresponding DelegatingFilterProxy entry to web.xml for each filter, making sure that they are ordered correctly, but this would be cumbersome and would clutter up the web.xml file quickly if you have a lot of filters. FilterChainProxy lets us add a single entry to web.xml and deal entirely with the application context file for managing our web security beans. It is wired using a DelegatingFilterProxy, just like in the example above, but with the filter-name set to the bean name "filterChainProxy". The filter chain is then declared in the application context with the same bean name. Here’s an example:

Spring Security的Web基础结构只能通过委托FilterChainProxy实例来使用。安全过滤器本身不应使用。从理论上讲，您可以在应用程序上下文文件中声明所需的每个Spring Security过滤器bean，并为每个过滤器添加相应的DelegatingFilterProxy条目到web.xml，确保它们正确排序，但这会很麻烦并且会使如果您有很多过滤器，请快速使用web.xml文件。 FilterChainProxy允许我们向web.xml添加一个条目，并完全处理应用程序上下文文件以管理我们的Web安全bean。它使用DelegatingFilterProxy连接，就像上面的例子一样，但是filter-name设置为bean名称“filterChainProxy”。然后，在应用程序上下文中使用相同的bean名称声明过滤器链。这是一个例子：

<bean id="filterChainProxy" class="org.springframework.security.web.FilterChainProxy">
<constructor-arg>
	<list>
	<sec:filter-chain pattern="/restful/**" filters="
		securityContextPersistenceFilterWithASCFalse,
		basicAuthenticationFilter,
		exceptionTranslationFilter,
		filterSecurityInterceptor" />
	<sec:filter-chain pattern="/**" filters="
		securityContextPersistenceFilterWithASCTrue,
		formLoginFilter,
		exceptionTranslationFilter,
		filterSecurityInterceptor" />
	</list>
</constructor-arg>
</bean>

The namespace element filter-chain is used for convenience to set up the security filter chain(s) which are required within the application. ^[6]. It maps a particular URL pattern to a list of filters built up from the bean names specified in the filters element, and combines them in a bean of type SecurityFilterChain. The pattern attribute takes an Ant Paths and the most specific URIs should appear first ^[7]. At runtime the FilterChainProxy will locate the first URI pattern that matches the current web request and the list of filter beans specified by the filters attribute will be applied to that request. The filters will be invoked in the order they are defined, so you have complete control over the filter chain which is applied to a particular URL.

命名空间元素过滤器链用于方便设置应用程序中所需的安全过滤器链。 [6]。它将特定的URL模式映射到根据filters元素中指定的bean名称构建的过滤器列表，并将它们组合在SecurityFilterChain类型的bean中。 pattern属性采用Ant路径，最具体的URI应首先出现[7]。在运行时，FilterChainProxy将找到与当前Web请求匹配的第一个URI模式，并且filters属性指定的过滤器bean列表将应用于该请求。过滤器将按照定义的顺序调用，因此您可以完全控制应用于特定URL的过滤器链。

 

You may have noticed we have declared two SecurityContextPersistenceFilter s in the filter chain (ASC is short for allowSessionCreation, a property of SecurityContextPersistenceFilter). As web services will never present a jsessionid on future requests, creating HttpSession s for such user agents would be wasteful. If you had a high-volume application which required maximum scalability, we recommend you use the approach shown above. For smaller applications, using a single SecurityContextPersistenceFilter (with its default allowSessionCreation as true) would likely be sufficient.

您可能已经注意到我们在过滤器链中声明了两个SecurityContextPersistenceFilter（ASC是allowSessionCreation的缩写，是SecurityContextPersistenceFilter的一个属性）。由于Web服务永远不会出现未来请求的jsessionid，因此为这样的用户代理创建HttpSession将是浪费。如果您的大批量应用程序需要最大的可扩展性，我们建议您使用上面显示的方法。对于较小的应用程序，使用单个SecurityContextPersistenceFilter（默认的allowSessionCreation为true）可能就足够了。

 

Note that FilterChainProxy does not invoke standard filter lifecycle methods on the filters it is configured with. We recommend you use Spring’s application context lifecycle interfaces as an alternative, just as you would for any other Spring bean.

请注意，FilterChainProxy不会在配置的过滤器上调用标准过滤器生命周期方法。我们建议您使用Spring的应用程序上下文生命周期接口作为替代方法，就像使用任何其他Spring bean一样。

 

When we looked at how to set up web security using namespace configuration, we used a DelegatingFilterProxy with the name "springSecurityFilterChain". You should now be able to see that this is the name of the FilterChainProxy which is created by the namespace.

当我们查看如何使用命名空间配置设置Web安全性时，我们使用了名为“springSecurityFilterChain”的DelegatingFilterProxy。您现在应该能够看到这是由命名空间创建的FilterChainProxy的名称。

13.2.1 Bypassing the Filter Chain

You can use the attribute filters = "none" as an alternative to supplying a filter bean list. This will omit the request pattern from the security filter chain entirely. Note that anything matching this path will then have no authentication or authorization services applied and will be freely accessible. If you want to make use of the contents of the SecurityContext contents during a request, then it must have passed through the security filter chain. Otherwise the SecurityContextHolder will not have been populated and the contents will be null.

您可以使用属性filters =“none”作为提供过滤器bean列表的替代方法。这将完全省略安全过滤器链中的请求模式。请注意，与此路径匹配的任何内容都将不会应用任何身份验证或授权服务，并且可以自由访问。如果要在请求期间使用SecurityContext内容的内容，则它必须已通过安全筛选器链。否则，将不会填充SecurityContextHolder，并且内容将为null。

13.3 Filter Ordering

The order that filters are defined in the chain is very important. Irrespective of which filters you are actually using, the order should be as follows:

过滤器在链中定义的顺序非常重要。无论您实际使用哪种过滤器，订单应如下：

• ChannelProcessingFilter, because it might need to redirect to a different protocol
• ChannelProcessingFilter，因为它可能需要重定向到不同的协议
• SecurityContextPersistenceFilter, so a SecurityContext can be set up in the SecurityContextHolder at the beginning of a web request, and any changes to the SecurityContext can be copied to the HttpSession when the web request ends (ready for use with the next web request)
• SecurityContextPersistenceFilter，因此可以在Web请求开始时在SecurityContextHolder中设置SecurityContext，并且当Web请求结束时（可以使用下一个Web请求准备好），可以将对SecurityContext的任何更改复制到HttpSession。
• ConcurrentSessionFilter, because it uses the SecurityContextHolder functionality and needs to update the SessionRegistry to reflect ongoing requests from the principal
• ConcurrentSessionFilter，因为它使用SecurityContextHolder功能并需要更新SessionRegistry以反映来自主体的持续请求
• Authentication processing mechanisms - UsernamePasswordAuthenticationFilter, CasAuthenticationFilter, BasicAuthenticationFilter etc - so that the SecurityContextHolder can be modified to contain a valid Authentication request token
• 身份验证处理机制 - UsernamePasswordAuthenticationFilter，CasAuthenticationFilter，BasicAuthenticationFilter等 - 以便可以修改SecurityContextHolder以包含有效的身份验证请求令牌
• The SecurityContextHolderAwareRequestFilter, if you are using it to install a Spring Security aware HttpServletRequestWrapper into your servlet container
• SecurityContextHolderAwareRequestFilter，如果您使用它将Spring安全感知HttpServletRequestWrapper安装到您的servlet容器中
• The JaasApiIntegrationFilter, if a JaasAuthenticationToken is in the SecurityContextHolder this will process the FilterChain as the Subject in the JaasAuthenticationToken
• JaasApiIntegrationFilter，如果JaasAuthenticationToken位于SecurityContextHolder中，则会将FilterChain作为JaasAuthenticationToken中的Subject进行处理
• RememberMeAuthenticationFilter, so that if no earlier authentication processing mechanism updated the SecurityContextHolder, and the request presents a cookie that enables remember-me services to take place, a suitable remembered Authentication object will be put there
• RememberMeAuthenticationFilter，这样如果没有更早的身份验证处理机制更新SecurityContextHolder，并且请求提供了一个启用记住我服务的cookie，那么一个合适的记忆身份验证对象将放在那里
• AnonymousAuthenticationFilter, so that if no earlier authentication processing mechanism updated the SecurityContextHolder, an anonymous Authentication object will be put there
• AnonymousAuthenticationFilter，这样如果没有更早的身份验证处理机制更新SecurityContextHolder，那么匿名身份验证对象将被放在那里
• ExceptionTranslationFilter, to catch any Spring Security exceptions so that either an HTTP error response can be returned or an appropriate AuthenticationEntryPoint can be launched
• ExceptionTranslationFilter，用于捕获任何Spring Security异常，以便可以返回HTTP错误响应或启动相应的AuthenticationEntryPoint
• FilterSecurityInterceptor, to protect web URIs and raise exceptions when access is denied
• FilterSecurityInterceptor，用于保护Web URI并在访问被拒绝时引发异常