Spring Security 是基于web的安全组件，所以一些相关类会分散在 spring-security包和web包中。Spring Security通过自定义Servlet的Filter的方式实现，具体架构可参考官网Spring Security: Architecture

这里使用Spring Boot 2.7.4版本，对应Spring Security 5.7.3版本

基本架构

首先左侧是Servlet中的Filter组成的FilterChain，Spring Security通过注册一个DelegatingFilterProxy的Filter，然后在该Proxy中内置多条Spring Security组织的Security Filter Chain（chain中套娃一个chain），一个Security Filter Chain又有多个Filter，通过不同的规则将Request匹配到第一个满足条件的Security Filter Chain。

Web源码

既然Spring Security涉及到Filter，而Filter是Servlet中的组件，这里就存在一个将Spring Security的顶级Filter注册到Servlet Context的过程。

首先关注javax.servlet.ServletContainerInitializer，该类是tomcat-embed-core包中的类：

// 通过SPI方式导入实现类：
// META-INF/services/javax.servlet.ServletContainerInitializer 
public interface ServletContainerInitializer {/** * Receives notification during startup of a web application of the classes within the web application * that matched the criteria defined via the annotation:* javax.servlet.annotation.HandlesTypes * * 处理javax.servlet.annotation.HandlesTypes注解标注类型的实现类**/void onStartup(Set<Class<?>> c, ServletContext ctx) throws ServletException;
}

该接口实现类由SPI方式导入，我们来到spring-web包中：

可以看到spring对 该接口的实现类为：org.springframework.web.SpringServletContainerInitializer

@HandlesTypes(WebApplicationInitializer.class)
public class SpringServletContainerInitializer implements ServletContainerInitializer {@Overridepublic void onStartup(@Nullable Set<Class<?>> webAppInitializerClasses, ServletContext servletContext)throws ServletException {List<WebApplicationInitializer> initializers = Collections.emptyList();...// 添加if (webAppInitializerClasses != null) {initializers = new ArrayList<>(webAppInitializerClasses.size());for (Class<?> waiClass : webAppInitializerClasses) {initializers.add((WebApplicationInitializer)ReflectionUtils.accessibleConstructor(waiClass).newInstance());}}...// 排序AnnotationAwareOrderComparator.sort(initializers);// 执行for (WebApplicationInitializer initializer : initializers) {initializer.onStartup(servletContext);}}}

SpringServletContainerInitializer中调用了一系列org.springframework.web.WebApplicationInitializer#onStartup

可以看到WebApplicationInitializer 有一系列实现类：

其中就有Security相关的。到此，以上均为 Spring Web中的内容，Spring Security就是基于以上扩展而来。
接上文，来看看org.springframework.security.web.context.AbstractSecurityWebApplicationInitializer:

public abstract class AbstractSecurityWebApplicationInitializer implements WebApplicationInitializer {public static final String DEFAULT_FILTER_NAME = "springSecurityFilterChain";...@Overridepublic final void onStartup(ServletContext servletContext) {beforeSpringSecurityFilterChain(servletContext);...insertSpringSecurityFilterChain(servletContext);afterSpringSecurityFilterChain(servletContext);}...}

但是，经过调试发现，Spring Security的Filter注册过程并不是上面的步骤。

重要：
Spring Security 注册Filter 不是通过上文的 javax.servlet.ServletContainerInitializer和org.springframework.web.WebApplicationInitializer#onStartup 而是org.springframework.boot.web.servlet.ServletContextInitializer，来看看ServletContextInitializer的说明：

/*** 不同于WebApplicationInitializer，实现该接口的类（且没有实现WebApplicationInitializer）* 不会被SpringServletContainerInitializer检测到，所以不会由servlet容器自动启动。* 该类的目的和ServletContainerInitializer一样，但是 其中的Servlet的生命周期由Spring控制而不是Servlet容器。*/
@FunctionalInterface
public interface ServletContextInitializer {void onStartup(ServletContext servletContext) throws ServletException;
}

DelegatingFilterProxy

首先来看自动配置类：org.springframework.boot.autoconfigure.security.servlet.SecurityFilterAutoConfiguration

@AutoConfiguration(after = SecurityAutoConfiguration.class)
@ConditionalOnWebApplication(type = Type.SERVLET)
@EnableConfigurationProperties(SecurityProperties.class)
@ConditionalOnClass({ AbstractSecurityWebApplicationInitializer.class, SessionCreationPolicy.class })
public class SecurityFilterAutoConfiguration {// DEFAULT_FILETER_NAME = "springSecurityFilterChain"private static final String DEFAULT_FILTER_NAME = AbstractSecurityWebApplicationInitializer.DEFAULT_FILTER_NAME;// 必须存在名称为springSecurityFilterChain的bean// 名称为springSecurityFilterChain的bean实际上类型即是 org.springframework.security.web.FilterChainProxy@Bean@ConditionalOnBean(name = DEFAULT_FILTER_NAME)public DelegatingFilterProxyRegistrationBean securityFilterChainRegistration(SecurityProperties securityProperties) {DelegatingFilterProxyRegistrationBean registration = new DelegatingFilterProxyRegistrationBean(DEFAULT_FILTER_NAME);registration.setOrder(securityProperties.getFilter().getOrder());registration.setDispatcherTypes(getDispatcherTypes(securityProperties));return registration;}...
}

可以看到DelegatingFilterProxyRegistrationBean被注入Bean容器，且名称为"springSecurityFilterChain"的Bean必须存在，而DelegatingFilterProxyRegistrationBean中#getFilter用来获取真正的Security Filter代理类DelegatingFilterProxy，需要注意的是，DelegatingFilterProxy实现了Filter接口。

先来看看DelegatingFilterProxyRegistrationBean的类图结构：

DelegatingFilterProxyRegistrationBean负责整合Servlet Filter注册(主要就是代理类注册)和Spring生命周期，而真正的代理类DelegatingFilterProxy通过
DelegatingFilterProxyRegistrationBean#getFilter获取。这体现了职责单一的设计原则。

public class DelegatingFilterProxyRegistrationBean ... {...@Overridepublic DelegatingFilterProxy getFilter() {// 创建真正的代理(匿名子类)，并具有延迟加载的能力return new DelegatingFilterProxy(this.targetBeanName, getWebApplicationContext()) {@Overrideprotected void initFilterBean() throws ServletException {// Don't initialize filter bean on init()}};}...
}

接下来，DelegatingFilterProxyRegistrationBean中的DelegatingFilterProxy需要完成对多个SecurityFilterChain的代理。而这个代理过程Security又通过一个代理类org.springframework.security.web.FilterChainProxy完成 。意思是，DelegatingFilterProxy是整个Security的代理，而FilterChainProxy是SecurityFilterChain的代理，且DelegatingFilterProxy是通过FilterChainProxy来完成代理的(代理一个代理)。

来看看DelegatingFilterProxy：

public class DelegatingFilterProxy extends GenericFilterBean {// 就是 springSecurityFilterChain，代表FilterChainProxy的beanName@Nullableprivate String targetBeanName;// 代理的FilterChainProxy@Nullableprivate volatile Filter delegate;...@Overridepublic void doFilter(ServletRequest request, ServletResponse response, FilterChain filterChain)throws ServletException, IOException {// Lazily initialize the delegate if necessary.Filter delegateToUse = this.delegate;if (delegateToUse == null) {synchronized (this.delegateMonitor) {delegateToUse = this.delegate;if (delegateToUse == null) {...// 初始化代理类delegateToUse = initDelegate(wac);}this.delegate = delegateToUse;}}// Let the delegate perform the actual doFilter operation.invokeDelegate(delegateToUse, request, response, filterChain);}...protected Filter initDelegate(WebApplicationContext wac) throws ServletException {String targetBeanName = getTargetBeanName();// 容器中获取名称为springSecurityFilterChain 类型为Filter的bean// 即 FilterChainProxy// 所以 注册 DelegatingFilterProxyRegistrationBean 时必须有 @ConditionalOnBean(name="springSecurityFilterChain")Filter delegate = wac.getBean(targetBeanName, Filter.class);...return delegate;}
}

上文说到，在注册DelegatingFilterProxyRegistrationBean的自动配置类中 必须要有springSecurityFilterChain名称的bean存在，而这个名称为springSecurityFilterChain的bean实际上类型即是 org.springframework.security.web.FilterChainProxy。

整个流程如下：

有点像 道生一，一生二，二生三，三生万物 的思想，我将它命名为 道德经设计模式，嘿嘿 。
那么FilterChainProxy又是在哪儿注入的呢？

FilterChainProxy

在配置类org.springframework.security.config.annotation.web.configuration.WebSecurityConfiguration中我们可以发现，这里注入了FilterChainProxy：

@Configuration(proxyBeanMethods = false)
public class WebSecurityConfiguration implements ImportAware, BeanClassLoaderAware {...private WebSecurity webSecurity;// 多个SecurityFilterChainprivate List<SecurityFilterChain> securityFilterChains = Collections.emptyList();// 多个WebSecurityCustomizerprivate List<WebSecurityCustomizer> webSecurityCustomizers = Collections.emptyList();...// 注入一个Filter,指定名称为springSecurityFilterChain@Bean(name = AbstractSecurityWebApplicationInitializer.DEFAULT_FILTER_NAME)public Filter springSecurityFilterChain() throws Exception {...for (SecurityFilterChain securityFilterChain : this.securityFilterChains) {this.webSecurity.addSecurityFilterChainBuilder(() -> securityFilterChain);// 为每个SecurityFilterChain中的每个Filter添加拦截方法for (Filter filter : securityFilterChain.getFilters()) {if (filter instanceof FilterSecurityInterceptor) {this.webSecurity.securityInterceptor((FilterSecurityInterceptor) filter);break;}}}// 自定义器对每个SecurityFilterChain均生效for (WebSecurityCustomizer customizer : this.webSecurityCustomizers) {customizer.customize(this.webSecurity);}// 这里build()方法返回  org.springframework.security.web.FilterChainProxyreturn this.webSecurity.build();}...// 自动注入, 通常我们需要自定义的就是这个SecurityFilterChain类型// 只需要在业务配置类中注册一个SecurityFilterChain类型的bean就能被注入到这里@Autowired(required = false)void setFilterChains(List<SecurityFilterChain> securityFilterChains) {this.securityFilterChains = securityFilterChains;}// 自动注入@Autowired(required = false)void setWebSecurityCustomizers(List<WebSecurityCustomizer> webSecurityCustomizers) {this.webSecurityCustomizers = webSecurityCustomizers;}}

在业务配置类中，我们可以自定义SecurityFilterChain和WebSecurityCustomizer的bean，配置如下：

@Configuration
public class SecurityConfig {@Beanpublic SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {http.csrf().disable();// 必须显式注明，配合CorsConfigurationSource的Bean，不然即使在web里面配置了跨域，security这里依然会cors errorhttp.cors();http.authorizeRequests().antMatchers(AUTH_WHITELIST).permitAll().anyRequest().authenticated();http.formLogin().successHandler(loginSuccessHandler);http.oauth2Login().successHandler(giteeSuccessHandler);http.exceptionHandling().accessDeniedHandler(restAccessDeniedHandler);http.addFilterBefore(bearAuthenticationFilter, UsernamePasswordAuthenticationFilter.class);return http.build();}@Beanpublic WebSecurityCustomizer webSecurityCustomizer() {return (web) -> web.ignoring().antMatchers("/ignore1", "/ignore2");}
}

OK，我们再来看看 org.springframework.security.web.FilterChainProxy:

public class FilterChainProxy extends GenericFilterBean {private List<SecurityFilterChain> filterChains;private HttpFirewall firewall = new StrictHttpFirewall();@Overridepublic void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)throws IOException, ServletException {...doFilterInternal(request, response, chain);...}private void doFilterInternal(ServletRequest request, ServletResponse response, FilterChain chain)throws IOException, ServletException {// 转化为org.springframework.security.web.firewall.FirewalledRequest// reject potentially dangerous requests and/or wrap them to control their behaviour.FirewalledRequest firewallRequest = this.firewall.getFirewalledRequest((HttpServletRequest) request);HttpServletResponse firewallResponse = this.firewall.getFirewalledResponse((HttpServletResponse) response);// #getFilters会在所有SecurityFilterChain中进行匹配List<Filter> filters = getFilters(firewallRequest);...// 转化为 VirtualFilterChain// VirtualFilterChain是FilterChainProxy内部静态类VirtualFilterChain virtualFilterChain = new VirtualFilterChain(firewallRequest, chain, filters);// 开启 SecurityFilterChain中所有filter过程virtualFilterChain.doFilter(firewallRequest, firewallResponse);}private List<Filter> getFilters(HttpServletRequest request) {for (SecurityFilterChain chain : this.filterChains) {// 返回第一个符合规则的SecurityFilterChainif (chain.matches(request)) {return chain.getFilters();}}return null;}/*** 执行额外的 filters，控制filters执行过程* Internal {@code FilterChain} implementation that is used to pass a request through* the additional internal list of filters which match the request.*/private static final class VirtualFilterChain implements FilterChain {...private final FilterChain originalChain;private final List<Filter> additionalFilters;private final FirewalledRequest firewalledRequest;// 该SecurityFilterChain中所有filter的数量private final int size;// 当前filter的位置private int currentPosition = 0;...@Overridepublic void doFilter(ServletRequest request, ServletResponse response) throws IOException, ServletException {if (this.currentPosition == this.size) {// 执行完毕// Deactivate path stripping as we exit the security filter chainthis.firewalledRequest.reset();this.originalChain.doFilter(request, response);return;}// 继续执行filterChain中下一个filterthis.currentPosition++;Filter nextFilter = this.additionalFilters.get(this.currentPosition - 1);nextFilter.doFilter(request, response, this);}...}...
}

Filters

按顺序排序，Spring Security内置了以下Filter：

• ForceEagerSessionCreationFilter
• ChannelProcessingFilter
• WebAsyncManagerIntegrationFilter
• SecurityContextPersistenceFilter
• HeaderWriterFilter
• CorsFilter
• CsrfFilter
• LogoutFilter
• OAuth2AuthorizationRequestRedirectFilter
• Saml2WebSsoAuthenticationRequestFilter
• X509AuthenticationFilter
• AbstractPreAuthenticatedProcessingFilter
• CasAuthenticationFilter
• OAuth2LoginAuthenticationFilter
• Saml2WebSsoAuthenticationFilter
• UsernamePasswordAuthenticationFilter
• DefaultLoginPageGeneratingFilter
• DefaultLogoutPageGeneratingFilter
• ConcurrentSessionFilter
• DigestAuthenticationFilter
• BearerTokenAuthenticationFilter
• BasicAuthenticationFilter
• RequestCacheAwareFilter
• SecurityContextHolderAwareRequestFilter
• JaasApiIntegrationFilter
• RememberMeAuthenticationFilter
• AnonymousAuthenticationFilter
• OAuth2AuthorizationCodeGrantFilter
• SessionManagementFilter
• ExceptionTranslationFilter : allows translation of AccessDeniedException and AuthenticationException into HTTP responses
• FilterSecurityInterceptor (新版本由 AuthorizationFilter 取代，该Interceptor即是做鉴权的)
• SwitchUserFilter