spring security通过一系列过滤器实现其功能,入口过滤器如下(web.xml):
<filter>
<filter-name>springSecurityFilterChain</filter-name>
<filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
</filter>
<filter-mapping>
<filter-name>springSecurityFilterChain</filter-name>
<url-pattern>/*</url-pattern>
</filter-mapping>
其他过滤器调用顺序:
然后通过org.springframework.security.web.FilterChainProxy过滤器获取以下过滤器列表:
org.springframework.security.web.context.SecurityContextPersistenceFilter@4976abb4
org.springframework.security.web.context.request.async.WebAsyncManagerIntegrationFilter@3ea61bd9
org.springframework.security.web.authentication.logout.LogoutFilter@469ddd58
org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter@443b70fc
org.springframework.security.web.savedrequest.RequestCacheAwareFilter@386c58c4
org.springframework.security.web.servletapi.SecurityContextHolderAwareRequestFilter@361af4c3
org.springframework.security.web.authentication.AnonymousAuthenticationFilter@1ec59845
org.springframework.security.web.session.SessionManagementFilter@1e6a7f1
org.springframework.security.web.access.ExceptionTranslationFilter@5b167571
org.springframework.security.web.access.intercept.FilterSecurityInterceptor@3a4b2e3c
然后由内部类 VirtualFilterChain 依次调用这些过滤器实现其认证、授权等功能 (org.springframework.security.web.FilterChainProxy$VirtualFilterChain)
细节可参考某大牛的文章:
http://dead-knight.iteye.com/category/220917