1. SpringWebMvcImportSelector

  • Spring Security can populate controller method parameters during Spring MVC argument resolution; the following objects are supported:
  • via @AuthenticationPrincipal, the UserDetails
  • via @CurrentSecurityContext, the SecurityContext
  • via a parameter of type CsrfToken, the CsrfToken
  • The reason is that Spring Security registers a dedicated argument resolver for each of these parameter types.
  • The source of SpringWebMvcImportSelector is as follows:
```java
class SpringWebMvcImportSelector implements ImportSelector {

   public String[] selectImports(AnnotationMetadata importingClassMetadata) {
      boolean webmvcPresent = ClassUtils.isPresent(
            "org.springframework.web.servlet.DispatcherServlet",
            getClass().getClassLoader());
      return webmvcPresent
            ? new String[] {
                  "org.springframework.security.config.annotation.web.configuration.WebMvcSecurityConfiguration" }
            : new String[] {};
   }
}
```
  • From this it is clear that WebMvcSecurityConfiguration is registered only when Spring MVC's DispatcherServlet can be loaded from the classpath.

2. WebMvcSecurityConfiguration

  • This class does the following:
    • Registers four argument resolvers:
      • AuthenticationPrincipalArgumentResolver: for @AuthenticationPrincipal; note that two resolvers with this same class name are registered here (from different packages), and the annotation they support is the same as well
      • CurrentSecurityContextArgumentResolver: for @CurrentSecurityContext
      • CsrfTokenArgumentResolver: for CsrfToken
    • Registers a CsrfRequestDataValueProcessor: when CSRF protection is enabled, this class is responsible for adding the CSRF token to forms as a hidden field
```java
class WebMvcSecurityConfiguration implements WebMvcConfigurer, ApplicationContextAware {

   private BeanResolver beanResolver;

   @Override
   @SuppressWarnings("deprecation")
   public void addArgumentResolvers(List<HandlerMethodArgumentResolver> argumentResolvers) {
      // SpEL-capable resolver for @AuthenticationPrincipal
      AuthenticationPrincipalArgumentResolver authenticationPrincipalResolver = new AuthenticationPrincipalArgumentResolver();
      authenticationPrincipalResolver.setBeanResolver(this.beanResolver);
      argumentResolvers.add(authenticationPrincipalResolver);
      // deprecated resolver of the same name, kept for backward compatibility
      argumentResolvers
            .add(new org.springframework.security.web.bind.support.AuthenticationPrincipalArgumentResolver());
      CurrentSecurityContextArgumentResolver currentSecurityContextArgumentResolver = new CurrentSecurityContextArgumentResolver();
      currentSecurityContextArgumentResolver.setBeanResolver(this.beanResolver);
      argumentResolvers.add(currentSecurityContextArgumentResolver);
      // register the argument resolver for CsrfToken
      argumentResolvers.add(new CsrfTokenArgumentResolver());
   }

   @Bean
   RequestDataValueProcessor requestDataValueProcessor() {
      return new CsrfRequestDataValueProcessor();
   }

   @Override
   public void setApplicationContext(ApplicationContext applicationContext) throws BeansException {
      this.beanResolver = new BeanFactoryResolver(applicationContext.getAutowireCapableBeanFactory());
   }

}
```

2.1 AuthenticationPrincipalArgumentResolver

  • Only org.springframework.security.web.bind.support.AuthenticationPrincipalArgumentResolver is covered here; the other one additionally supports resolution through SpEL.
  • As the code shows, when a method parameter carries @AuthenticationPrincipal, the authentication object is taken from the thread-bound security context.
```java
@Deprecated
public final class AuthenticationPrincipalArgumentResolver implements HandlerMethodArgumentResolver {

   @Override
   public boolean supportsParameter(MethodParameter parameter) {
      return findMethodAnnotation(AuthenticationPrincipal.class, parameter) != null;
   }

   @Override
   public Object resolveArgument(MethodParameter parameter, ModelAndViewContainer mavContainer,
         NativeWebRequest webRequest, WebDataBinderFactory binderFactory) {
      // obtain the Authentication from the thread-bound security context
      Authentication authentication = SecurityContextHolder.getContext().getAuthentication();
      if (authentication == null) {
         return null;
      }
      // obtain the principal (the user object)
      Object principal = authentication.getPrincipal();
      // if the parameter type does not match, the annotation decides whether to throw or to inject null
      if (principal != null && !parameter.getParameterType().isAssignableFrom(principal.getClass())) {
         AuthenticationPrincipal authPrincipal = findMethodAnnotation(AuthenticationPrincipal.class, parameter);
         if (authPrincipal.errorOnInvalidType()) {
            throw new ClassCastException(principal + " is not assignable to " + parameter.getParameterType());
         }
         return null;
      }
      return principal;
   }

   /**
    * Obtain the specified annotation from the method parameter (directly or as a meta-annotation).
    */
   private <T extends Annotation> T findMethodAnnotation(Class<T> annotationClass, MethodParameter parameter) {
      T annotation = parameter.getParameterAnnotation(annotationClass);
      if (annotation != null) {
         return annotation;
      }
      Annotation[] annotationsToSearch = parameter.getParameterAnnotations();
      for (Annotation toSearch : annotationsToSearch) {
         annotation = AnnotationUtils.findAnnotation(toSearch.annotationType(), annotationClass);
         if (annotation != null) {
            return annotation;
         }
      }
      return null;
   }

}
```
  • The "authentication object" here is an Authentication; some of its implementations are:
  • UsernamePasswordAuthenticationToken: an Authentication produced from a username and password
  • RememberMeAuthenticationToken: an Authentication produced from a remember-me token
  • ......

2.2 CurrentSecurityContextArgumentResolver

  • Supports resolving parameters annotated with @CurrentSecurityContext
  • e.g. @CurrentSecurityContext(expression="authentication") Authentication authentication
  • Supports @CurrentSecurityContext placed on a SecurityContext parameter of a controller method
  • Supports Spring SpEL expressions for extracting a value from the SecurityContext
```java
public final class CurrentSecurityContextArgumentResolver implements HandlerMethodArgumentResolver {

   private ExpressionParser parser = new SpelExpressionParser();

   private BeanResolver beanResolver;

   /**
    * This argument resolver only supports parameters annotated with {@code CurrentSecurityContext}
    * @param parameter
    * @return
    */
   @Override
   public boolean supportsParameter(MethodParameter parameter) {
      return findMethodAnnotation(CurrentSecurityContext.class, parameter) != null;
   }

   @Override
   public Object resolveArgument(MethodParameter parameter, ModelAndViewContainer mavContainer,
         NativeWebRequest webRequest, WebDataBinderFactory binderFactory) {
      // obtain the SecurityContext from the thread-bound holder strategy
      SecurityContext securityContext = SecurityContextHolder.getContext();
      if (securityContext == null) {
         return null;
      }
      Object securityContextResult = securityContext;
      // read the CurrentSecurityContext annotation from the parameter
      CurrentSecurityContext annotation = findMethodAnnotation(CurrentSecurityContext.class, parameter);
      String expressionToParse = annotation.expression();
      // whether to evaluate the value through SpEL
      // SpEL: not understood (author's note)
      if (StringUtils.hasLength(expressionToParse)) {
         StandardEvaluationContext context = new StandardEvaluationContext();
         context.setRootObject(securityContext);
         context.setVariable("this", securityContext);
         context.setBeanResolver(this.beanResolver);
         Expression expression = this.parser.parseExpression(expressionToParse);
         securityContextResult = expression.getValue(context);
      }
      // a security context exists, but the parameter type does not match
      if (securityContextResult != null
            && !parameter.getParameterType().isAssignableFrom(securityContextResult.getClass())) {
         // throw, or inject null
         if (annotation.errorOnInvalidType()) {
            throw new ClassCastException(
                  securityContextResult + " is not assignable to " + parameter.getParameterType());
         }
         return null;
      }
      return securityContextResult;
   }

   /**
    * Set the {@link BeanResolver} to be used on the expressions
    * @param beanResolver the {@link BeanResolver} to use
    */
   public void setBeanResolver(BeanResolver beanResolver) {
      Assert.notNull(beanResolver, "beanResolver cannot be null");
      this.beanResolver = beanResolver;
   }

   /**
    * Obtain the specified annotation from the given method parameter
    * @param annotationClass the class of the {@link Annotation} to find on the
    * {@link MethodParameter}
    * @param parameter the {@link MethodParameter} to search for an {@link Annotation}
    * @return the {@link Annotation} that was found or null.
    */
   private <T extends Annotation> T findMethodAnnotation(Class<T> annotationClass, MethodParameter parameter) {
      // get the annotation directly from the parameter
      T annotation = parameter.getParameterAnnotation(annotationClass);
      if (annotation != null) {
         return annotation;
      }
      Annotation[] annotationsToSearch = parameter.getParameterAnnotations();
      for (Annotation toSearch : annotationsToSearch) {
         annotation = AnnotationUtils.findAnnotation(toSearch.annotationType(), annotationClass);
         if (annotation != null) {
            return annotation;
         }
      }
      return null;
   }

}
```
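To see the type check and the SpEL evaluation of sections 2.1 and 2.2 without a running DispatcherServlet, here is an added example (not from the post or from Spring Security) that drives both resolvers directly. The `Handler` class and its method names are constructed for the demo; it assumes spring-security-web 5.6.x on the classpath and uses the SpEL-capable `web.method.annotation` resolver, which the configuration above registers first.

```java
import org.springframework.core.MethodParameter;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.annotation.AuthenticationPrincipal;
import org.springframework.security.core.annotation.CurrentSecurityContext;
import org.springframework.security.core.authority.AuthorityUtils;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.security.core.userdetails.User;
import org.springframework.security.web.method.annotation.AuthenticationPrincipalArgumentResolver;
import org.springframework.security.web.method.annotation.CurrentSecurityContextArgumentResolver;

public class ResolverDemo {
    // Constructed handler: its parameters carry the annotations the two resolvers look for.
    static class Handler {
        void ok(@AuthenticationPrincipal User user) {}
        void strict(@AuthenticationPrincipal(errorOnInvalidType = true) String wrongType) {}
        void ctx(@CurrentSecurityContext(expression = "authentication") Authentication auth) {}
        void name(@CurrentSecurityContext(expression = "authentication.principal.username") String n) {}
    }

    // MethodParameter for the single argument of the named Handler method
    static MethodParameter param(String method, Class<?> type) throws NoSuchMethodException {
        return new MethodParameter(Handler.class.getDeclaredMethod(method, type), 0);
    }

    public static void main(String[] args) throws Exception {
        // Fill the thread-bound SecurityContext the way an authentication filter would have.
        User alice = new User("alice", "n/a", AuthorityUtils.createAuthorityList("ROLE_USER"));
        SecurityContextHolder.getContext().setAuthentication(
                new UsernamePasswordAuthenticationToken(alice, null, alice.getAuthorities()));
        AuthenticationPrincipalArgumentResolver principal = new AuthenticationPrincipalArgumentResolver();
        CurrentSecurityContextArgumentResolver context = new CurrentSecurityContextArgumentResolver();

        // 1. Parameter type matches the principal: the User is injected unchanged.
        User user = (User) principal.resolveArgument(param("ok", User.class), null, null, null);
        System.out.println("principal: " + user.getUsername());
        // 2. Type mismatch with errorOnInvalidType = true fails loudly instead of injecting null.
        try {
            principal.resolveArgument(param("strict", String.class), null, null, null);
        } catch (ClassCastException e) {
            System.out.println("strict mismatch: " + e.getMessage());
        }
        // 3. SpEL is evaluated with the SecurityContext as the root object.
        Authentication auth = (Authentication) context.resolveArgument(param("ctx", Authentication.class), null, null, null);
        Object name = context.resolveArgument(param("name", String.class), null, null, null);
        System.out.println("authenticated=" + auth.isAuthenticated() + " name=" + name);

        SecurityContextHolder.clearContext(); // do not leak the context to the next task on this thread
    }
}
```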

2.3 CsrfTokenArgumentResolver

  • The source is simple: it reads the CsrfToken directly from the request scope.
```java
public final class CsrfTokenArgumentResolver implements HandlerMethodArgumentResolver {

   /**
    * This argument resolver only supports parameters of type {@code CsrfToken}
    * @param parameter
    * @return
    */
   @Override
   public boolean supportsParameter(MethodParameter parameter) {
      return CsrfToken.class.equals(parameter.getParameterType());
   }

   @Override
   public Object resolveArgument(MethodParameter parameter, ModelAndViewContainer mavContainer,
         NativeWebRequest webRequest, WebDataBinderFactory binderFactory) {
      // read the CsrfToken from request scope; this attribute is put there by CsrfFilter
      CsrfToken token = (CsrfToken) webRequest.getAttribute(CsrfToken.class.getName(),
            RequestAttributes.SCOPE_REQUEST);
      return token;
   }

}
```
  • As for why a CsrfToken is present in the request scope at all: the code below shows that Spring Security's CsrfFilter is responsible for putting it there.
```java
public final class CsrfFilter extends OncePerRequestFilter {
  ......
  @Override
  protected void doFilterInternal(HttpServletRequest request,
        HttpServletResponse response, FilterChain filterChain)
              throws ServletException, IOException {
     .......
     request.setAttribute(CsrfToken.class.getName(), csrfToken);
     ......
  }
.......
}
```
  • This raises a further question: which runs first, setAttribute or getAttribute?
  • As the figure below shows, the application has five filters in total. The first three are provided by Spring MVC; the fourth is FilterChainProxy, i.e. Spring Security's filter chain, and CsrfFilter runs inside it. The argument resolvers, on the other hand, run inside DispatcherServlet, and DispatcherServlet is ultimately invoked from the fifth filter.
  • So setAttribute is guaranteed to run before getAttribute.
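The following added example (not from the post or from Spring Security) reproduces the request-attribute handoff of section 2.3 together with the CsrfRequestDataValueProcessor from section 2: it stands in for CsrfFilter by setting the attribute itself, then reads it back the way the resolver and the form tag library do. It assumes spring-security-web 5.6.x plus spring-test for `MockHttpServletRequest`; the token value is a constructed placeholder.

```java
import java.util.Map;
import org.springframework.mock.web.MockHttpServletRequest;
import org.springframework.security.web.csrf.CsrfToken;
import org.springframework.security.web.csrf.DefaultCsrfToken;
import org.springframework.security.web.method.annotation.CsrfTokenArgumentResolver;
import org.springframework.security.web.servlet.support.csrf.CsrfRequestDataValueProcessor;
import org.springframework.web.context.request.ServletWebRequest;

public class CsrfAttributeDemo {

    public static void main(String[] args) throws Exception {
        // Stand-in for what CsrfFilter does earlier in the chain: store the token in request scope.
        // The token value is a constructed placeholder, not a real token.
        MockHttpServletRequest request = new MockHttpServletRequest("POST", "/transfer");
        CsrfToken token = new DefaultCsrfToken("X-CSRF-TOKEN", "_csrf", "constructed-token-value");
        request.setAttribute(CsrfToken.class.getName(), token);

        // What a controller's CsrfToken parameter receives: the same object, looked up by class name.
        CsrfTokenArgumentResolver resolver = new CsrfTokenArgumentResolver();
        CsrfToken resolved = (CsrfToken) resolver.resolveArgument(null, null, new ServletWebRequest(request), null);
        System.out.println("same token instance: " + (resolved == token)
                + ", parameter name: " + resolved.getParameterName());

        // What the Spring form tag library asks for when rendering a form: the hidden-field map.
        CsrfRequestDataValueProcessor processor = new CsrfRequestDataValueProcessor();
        processor.processAction(request, "/transfer", "POST");
        Map<String, String> hidden = processor.getExtraHiddenFields(request);
        System.out.println("POST form hidden fields: " + hidden);

        // For a GET form no hidden field is added: a token in the query string would end up in
        // access logs, browser history and Referer headers.
        processor.processAction(request, "/search", "GET");
        System.out.println("GET form hidden fields: " + processor.getExtraHiddenFields(request));

        // Without CsrfFilter in the chain (e.g. CSRF protection disabled) the attribute is absent
        // and the controller parameter is simply null, so callers must be prepared for that.
        request.removeAttribute(CsrfToken.class.getName());
        Object missing = resolver.resolveArgument(null, null, new ServletWebRequest(request), null);
        System.out.println("token without CsrfFilter: " + missing);
    }
}
```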
[Spring Security 5.6.2 source analysis, part 3]: SpringWebMvcImportSelector (java)