spring-security 默认登录页面
Spring Security是一个强大且高度可定制的身份验证和访问控制框架。天然与Spring整合,易扩展,引入jar包就可以用了,在boot自动装载下,不需要任何配置就可以控制资源访问。那么默认登录页是如何产生的呢?
spring-security 默认登录页面
- 版本信息
- 项目搭建步骤
- 源码解析
- 过滤器处理具体分析
-
- 开启 Trace 级别日志
- 重定向到 /login 流程图
- 流程图说明
版本信息
| 内容 | 版本 |
|---|---|
| JDK | 17 |
| spring-boot-starter-web | 3.2.2 |
| spring-boot-starter-security | 3.2.2 |
| spring-security | 6.2.1 |
项目搭建步骤
-
访问 https://start.spring.io/ 自动生成项目
-
添加依赖 Spring Web、Spring Security
-
生成项目, 点击 GENERATE,会下载一个压缩包
-
添加 controller 代码
package com.example.security.controller;
import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.RestController;
@RestController
public class HelloController {
@GetMapping(value = "/hello")
public String hello() {
return "Hello Security";
}
}
- 启动项目, 访问 http://localhost:8080/hello,会重定向到登录页面
为啥为重定向到登录页面?登录页面如何生成的?
源码解析
- 先找一下 spring-boot-test-autoconfigure jar 包,找到文件org.springframework.boot.autoconfigure.AutoConfiguration.imports,检索 security, 发现有如下类
过滤器链是通过 SecurityAutoConfiguration 导入的类SpringBootWebSecurityConfiguration 配置的 org.springframework.boot.autoconfigure.security.servlet.SpringBootWebSecurityConfiguration.WebSecurityEnablerConfiguration
打印出默认过滤器链
2024-02-01T23:19:18.288+08:00 INFO 15696 --- [ main] o.s.s.web.DefaultSecurityFilterChain : Will secure any request with [org.springframework.security.web.session.DisableEncodeUrlFilter@748ac6f3, org.springframework.security.web.context.request.async.WebAsyncManagerIntegrationFilter@68f6e55d, org.springframework.security.web.context.SecurityContextHolderFilter@3238e2aa, org.springframework.security.web.header.HeaderWriterFilter@71adfedd, org.springframework.web.filter.CorsFilter@6fff46bf, org.springframework.security.web.csrf.CsrfFilter@5f36c8e3, org.springframework.security.web.authentication.logout.LogoutFilter@217bf99e, org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter@67022ea, org.springframework.security.web.authentication.ui.DefaultLoginPageGeneratingFilter@38b3f208, org.springframework.security.web.authentication.ui.DefaultLogoutPageGeneratingFilter@1835dc92, org.springframework.security.web.authentication.www.BasicAuthenticationFilter@7ec95456, org.springframework.security.web.savedrequest.RequestCacheAwareFilter@2577a95d, org.springframework.security.web.servletapi.SecurityContextHolderAwareRequestFilter@1668919e, org.springframework.security.web.authentication.AnonymousAuthenticationFilter@3aaa3c39, org.springframework.security.web.access.ExceptionTranslationFilter@17e9bc9e, org.springframework.security.web.access.intercept.AuthorizationFilter@7327a447]
/**
* Adds the {@link EnableWebSecurity @EnableWebSecurity} annotation if Spring Security
* is on the classpath. This will make sure that the annotation is present with
* default security auto-configuration and also if the user adds custom security and
* forgets to add the annotation. If {@link EnableWebSecurity @EnableWebSecurity} has
* already been added or if a bean with name
* {@value BeanIds#SPRING_SECURITY_FILTER_CHAIN} has been configured by the user, this
* will back-off.
*/
@Configuration(proxyBeanMethods = false)
@ConditionalOnMissingBean(name = BeanIds.SPRING_SECURITY_FILTER_CHAIN)
@ConditionalOnClass(EnableWebSecurity.class)
@EnableWebSecurity
static class WebSecurityEnablerConfiguration {
}
核心的注解类 org.springframework.security.config.annotation.web.configuration.EnableWebSecurity
org.springframework.security.config.annotation.web.builders.WebSecurity#performBuild
在类org.springframework.security.web.FilterChainProxy.VirtualFilterChain#doFilter 加一个断点, 看每个过滤器做了啥
经过调试,发现默认页面在 org.springframework.security.web.authentication.ui.DefaultLoginPageGeneratingFilter 这个类生成的,方法 generateLoginPageHtml
过滤器处理具体分析
spring-boot-starter-security 默认会加载以下过滤器
[DefaultSecurityFilterChain [RequestMatcher=any request, Filters=[
org.springframework.security.web.session.DisableEncodeUrlFilter@65a9ea3c,
org.springframework.security.web.context.request.async.WebAsyncManagerIntegrationFilter@70f68288,
org.springframework.security.web.context.SecurityContextHolderFilter@22c53d82,
org.springframework.security.web.header.HeaderWriterFilter@2577a95d,
org.springframework.web.filter.CorsFilter@46911148,
org.springframework.security.web.csrf.CsrfFilter@6d0be7ab,
org.springframework.security.web.authentication.logout.LogoutFilter@58af5076,
org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter@1fbf088b,
org.springframework.security.web.authentication.ui.DefaultLoginPageGeneratingFilter@3b4a1a75,
org.springframework.security.web.authentication.ui.DefaultLogoutPageGeneratingFilter@2db1b657,
org.springframework.security.web.authentication.www.BasicAuthenticationFilter@650c405c,
org.springframework.security.web.savedrequest.RequestCacheAwareFilter@68d6d775,
org.springframework.security.web.servletapi.SecurityContextHolderAwareRequestFilter@b67cc70,
org.springframework.security.web.authentication.AnonymousAuthenticationFilter@7e351d7,
org.springframework.security.web.access.ExceptionTranslationFilter@9301672,
org.springframework.security.web.access.intercept.AuthorizationFilter@11d045b4]]]
开启 Trace 级别日志
修改 application.properties 文件,增加日志配置
logging.level.org.springframework.security=TRACE
访问地址 http://localhost:8080/hello, 可以看到有详细的日志输出
2024-02-03T09:24:07.863+08:00 TRACE 13892 --- [nio-8080-exec-7] o.s.security.web.FilterChainProxy : Trying to match request against DefaultSecurityFilterChain [RequestMatcher=any request, Filters=[org.springframework.security.web.session.DisableEncodeUrlFilter@4eaa375c, org.springframework.security.web.context.request.async.WebAsyncManagerIntegrationFilter@2404b5a, org.springframework.security.web.context.SecurityContextHolderFilter@6088451e, org.springframework.security.web.header.HeaderWriterFilter@3ba3d4b6, org.springframework.web.filter.CorsFilter@3af58f76, org.springframework.security.web.csrf.CsrfFilter@6bcb12e6, org.springframework.security.web.authentication.logout.LogoutFilter@3a7e365, org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter@5f05c8d6, org.springframework.security.web.authentication.ui.DefaultLoginPageGeneratingFilter@5416f8db, org.springframework.security.web.authentication.ui.DefaultLogoutPageGeneratingFilter@2ead6ba4, org.springframework.security.web.authentication.www.BasicAuthenticationFilter@7885776b, org.springframework.security.web.savedrequest.RequestCacheAwareFilter@2f10f633, org.springframework.security.web.servletapi.SecurityContextHolderAwareRequestFilter@1642eeae, org.springframework.security.web.authentication.AnonymousAuthenticationFilter@31a2a9fa, org.springframework.security.web.access.ExceptionTranslationFilter@40de8f93, org.springframework.security.web.access.intercept.AuthorizationFilter@78422efb]] (1/1)
2024-02-03T09:24:07.864+08:00 DEBUG 13892 --- [nio-8080-exec-7] o.s.security.web.FilterChainProxy : Securing GET /hello
2024-02-03T09:24:07.864+08:00 TRACE 13892 --- [nio-8080-exec-7] o.s.security.web.FilterChainProxy : Invoking DisableEncodeUrlFilter (1/16)
2024-02-03T09:24:07.864+08:00 TRACE 13892 --- [nio-8080-exec-7] o.s.security.web.FilterChainProxy : Invoking WebAsyncManagerIntegrationFilter (2/16)
2024-02-03T09:24:07.864+08:00 TRACE 13892 --- [nio-8080-exec-7] o.s.security.web.FilterChainProxy : Invoking SecurityContextHolderFilter (3/16)
2024-02-03T09:24:07.864+08:00 TRACE 13892 --- [nio-8080-exec-7] o.s.security.web.FilterChainProxy : Invoking HeaderWriterFilter (4/16)
2024-02-03T09:24:07.864+08:00 TRACE 13892 --- [nio-8080-exec-7] o.s.security.web.FilterChainProxy : Invoking CorsFilter (5/16)
2024-02-03T09:24:07.865+08:00 TRACE 13892 --- [nio-8080-exec-7] o.s.security.web.FilterChainProxy : Invoking CsrfFilter (6/16)
2024-02-03T09:24:07.865+08:00 TRACE 13892 --- [nio-8080-exec-7] o.s.security.web.csrf.CsrfFilter : Did not protect against CSRF since request did not match CsrfNotRequired [TRACE, HEAD, GET, OPTIONS]
2024-02-03T09:24:07.865+08:00 TRACE 13892 --- [nio-8080-exec-7] o.s.security.web.FilterChainProxy : Invoking LogoutFilter (7/16)
2024-02-03T09:24:07.865+08:00 TRACE 13892 --- [nio-8080-exec-7] o.s.s.w.a.logout.LogoutFilter : Did not match request to Ant [pattern='/logout', POST]
2024-02-03T09:24:07.865+08:00 TRACE 13892 --- [nio-8080-exec-7] o.s.security.web.FilterChainProxy : Invoking UsernamePasswordAuthenticationFilter (8/16)
2024-02-03T09:24:07.865+08:00 TRACE 13892 --- [nio-8080-exec-7] w.a.UsernamePasswordAuthenticationFilter : Did not match request to Ant [pattern='/login', POST]
2024-02-03T09:24:07.866+08:00 TRACE 13892 --- [nio-8080-exec-7] o.s.security.web.FilterChainProxy : Invoking DefaultLoginPageGeneratingFilter (9/16)
2024-02-03T09:24:07.866+08:00 TRACE 13892 --- [nio-8080-exec-7] o.s.security.web.FilterChainProxy : Invoking DefaultLogoutPageGeneratingFilter (10/16)
2024-02-03T09:24:07.866+08:00 TRACE 13892 --- [nio-8080-exec-7] .w.a.u.DefaultLogoutPageGeneratingFilter : Did not render default logout page since request did not match [Ant [pattern='/logout', GET]]
2024-02-03T09:24:07.866+08:00 TRACE 13892 --- [nio-8080-exec-7] o.s.security.web.FilterChainProxy : Invoking BasicAuthenticationFilter (11/16)
2024-02-03T09:24:07.866+08:00 TRACE 13892 --- [nio-8080-exec-7] o.s.s.w.a.www.BasicAuthenticationFilter : Did not process authentication request since failed to find username and password in Basic Authorization header
2024-02-03T09:24:07.866+08:00 TRACE 13892 --- [nio-8080-exec-7] o.s.security.web.FilterChainProxy : Invoking RequestCacheAwareFilter (12/16)
2024-02-03T09:24:07.866+08:00 TRACE 13892 --- [nio-8080-exec-7] o.s.s.w.s.HttpSessionRequestCache : matchingRequestParameterName is required for getMatchingRequest to lookup a value, but not provided
2024-02-03T09:24:07.866+08:00 TRACE 13892 --- [nio-8080-exec-7] o.s.security.web.FilterChainProxy : Invoking SecurityContextHolderAwareRequestFilter (13/16)
2024-02-03T09:24:07.866+08:00 TRACE 13892 --- [nio-8080-exec-7] o.s.security.web.FilterChainProxy : Invoking AnonymousAuthenticationFilter (14/16)
2024-02-03T09:24:07.866+08:00 TRACE 13892 --- [nio-8080-exec-7] o.s.security.web.FilterChainProxy : Invoking ExceptionTranslationFilter (15/16)
2024-02-03T09:24:07.867+08:00 TRACE 13892 --- [nio-8080-exec-7] o.s.security.web.FilterChainProxy : Invoking AuthorizationFilter (16/16)
2024-02-03T09:24:07.867+08:00 TRACE 13892 --- [nio-8080-exec-7] estMatcherDelegatingAuthorizationManager : Authorizing SecurityContextHolderAwareRequestWrapper[ org.springframework.security.web.header.HeaderWriterFilter$HeaderWriterRequest@219ea36b]
2024-02-03T09:24:07.867+08:00 TRACE 13892 --- [nio-8080-exec-7] estMatcherDelegatingAuthorizationManager : Checking authorization on SecurityContextHolderAwareRequestWrapper[ org.springframework.security.web.header.HeaderWriterFilter$HeaderWriterRequest@219ea36b] using org.springframework.security.authorization.AuthenticatedAuthorizationManager@2973568c
2024-02-03T09:24:07.867+08:00 TRACE 13892 --- [nio-8080-exec-7] w.c.HttpSessionSecurityContextRepository : Did not find SecurityContext in HttpSession 9103C6E281234FE6BA1B598A7FC64D41 using the SPRING_SECURITY_CONTEXT session attribute
2024-02-03T09:24:07.867+08:00 TRACE 13892 --- [nio-8080-exec-7] .s.s.w.c.SupplierDeferredSecurityContext : Created SecurityContextImpl [Null authentication]
2024-02-03T09:24:07.867+08:00 TRACE 13892 --- [nio-8080-exec-7] .s.s.w.c.SupplierDeferredSecurityContext : Created SecurityContextImpl [Null authentication]
2024-02-03T09:24:07.868+08:00 TRACE 13892 --- [nio-8080-exec-7] o.s.s.w.a.AnonymousAuthenticationFilter : Set SecurityContextHolder to AnonymousAuthenticationToken [Principal=anonymousUser, Credentials=[PROTECTED], Authenticated=true, Details=WebAuthenticationDetails [RemoteIpAddress=0:0:0:0:0:0:0:1, SessionId=9103C6E281234FE6BA1B598A7FC64D41], Granted Authorities=[ROLE_ANONYMOUS]]
2024-02-03T09:24:07.868+08:00 TRACE 13892 --- [nio-8080-exec-7] o.s.s.w.a.ExceptionTranslationFilter : Sending AnonymousAuthenticationToken [Principal=anonymousUser, Credentials=[PROTECTED], Authenticated=true, Details=WebAuthenticationDetails [RemoteIpAddress=0:0:0:0:0:0:0:1, SessionId=9103C6E281234FE6BA1B598A7FC64D41], Granted Authorities=[ROLE_ANONYMOUS]] to authentication entry point since access is denied
org.springframework.security.access.AccessDeniedException: Access Denied
at org.springframework.security.web.access.intercept.AuthorizationFilter.doFilter(AuthorizationFilter.java:98) ~[spring-security-web-6.2.1.jar:6.2.1]
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:374) ~[spring-security-web-6.2.1.jar:6.2.1]
at org.springframework.security.web.access.ExceptionTranslationFilter.doFilter(ExceptionTranslationFilter.java:126) ~[spring-security-web-6.2.1.jar:6.2.1]
at org.springframework.security.web.access.ExceptionTranslationFilter.doFilter(ExceptionTranslationFilter.java:120) ~[spring-security-web-6.2.1.jar:6.2.1]
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:374) ~[spring-security-web-6.2.1.jar:6.2.1]
at org.springframework.security.web.authentication.AnonymousAuthenticationFilter.doFilter(AnonymousAuthenticationFilter.java:100) ~[spring-security-web-6.2.1.jar:6.2.1]
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:374) ~[spring-security-web-6.2.1.jar:6.2.1]
at org.springframework.security.web.servletapi.SecurityContextHolderAwareRequestFilter.doFilter(SecurityContextHolderAwareRequestFilter.java:179) ~[spring-security-web-6.2.1.jar:6.2.1]
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:374) ~[spring-security-web-6.2.1.jar:6.2.1]
at org.springframework.security.web.savedrequest.RequestCacheAwareFilter.doFilter(RequestCacheAwareFilter.java:63) ~[spring-security-web-6.2.1.jar:6.2.1]
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:374) ~[spring-security-web-6.2.1.jar:6.2.1]
at org.springframework.security.web.authentication.www.BasicAuthenticationFilter.doFilterInternal(BasicAuthenticationFilter.java:181) ~[spring-security-web-6.2.1.jar:6.2.1]
at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:116) ~[spring-web-6.1.3.jar:6.1.3]
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:374) ~[spring-security-web-6.2.1.jar:6.2.1]
at org.springframework.security.web.authentication.ui.DefaultLogoutPageGeneratingFilter.doFilterInternal(DefaultLogoutPageGeneratingFilter.java:58) ~[spring-security-web-6.2.1.jar:6.2.1]
at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:116) ~[spring-web-6.1.3.jar:6.1.3]
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:374) ~[spring-security-web-6.2.1.jar:6.2.1]
at org.springframework.security.web.authentication.ui.DefaultLoginPageGeneratingFilter.doFilter(DefaultLoginPageGeneratingFilter.java:189) ~[spring-security-web-6.2.1.jar:6.2.1]
at org.springframework.security.web.authentication.ui.DefaultLoginPageGeneratingFilter.doFilter(DefaultLoginPageGeneratingFilter.java:175) ~[spring-security-web-6.2.1.jar:6.2.1]
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:374) ~[spring-security-web-6.2.1.jar:6.2.1]
at org.springframework.security.web.authentication.AbstractAuthenticationProcessingFilter.doFilter(AbstractAuthenticationProcessingFilter.java:227) ~[spring-security-web-6.2.1.jar:6.2.1]
at org.springframework.security.web.authentication.AbstractAuthenticationProcessingFilter.doFilter(AbstractAuthenticationProcessingFilter.java:221) ~[spring-security-web-6.2.1.jar:6.2.1]
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:374) ~[spring-security-web-6.2.1.jar:6.2.1]
at org.springframework.security.web.authentication.logout.LogoutFilter.doFilter(LogoutFilter.java:107) ~[spring-security-web-6.2.1.jar:6.2.1]
at org.springframework.security.web.authentication.logout.LogoutFilter.doFilter(LogoutFilter.java:93) ~[spring-security-web-6.2.1.jar:6.2.1]
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:374) ~[spring-security-web-6.2.1.jar:6.2.1]
at org.springframework.security.web.csrf.CsrfFilter.doFilterInternal(CsrfFilter.java:117) ~[spring-security-web-6.2.1.jar:6.2.1]
at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:116) ~[spring-web-6.1.3.jar:6.1.3]
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:374) ~[spring-security-web-6.2.1.jar:6.2.1]
at org.springframework.web.filter.CorsFilter.doFilterInternal(CorsFilter.java:91) ~[spring-web-6.1.3.jar:6.1.3]
at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:116) ~[spring-web-6.1.3.jar:6.1.3]
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:374) ~[spring-security-web-6.2.1.jar:6.2.1]
at org.springframework.security.web.header.HeaderWriterFilter.doHeadersAfter(HeaderWriterFilter.java:90) ~[spring-security-web-6.2.1.jar:6.2.1]
at org.springframework.security.web.header.HeaderWriterFilter.doFilterInternal(HeaderWriterFilter.java:75) ~[spring-security-web-6.2.1.jar:6.2.1]
at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:116) ~[spring-web-6.1.3.jar:6.1.3]
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:374) ~[spring-security-web-6.2.1.jar:6.2.1]
at org.springframework.security.web.context.SecurityContextHolderFilter.doFilter(SecurityContextHolderFilter.java:82) ~[spring-security-web-6.2.1.jar:6.2.1]
at org.springframework.security.web.context.SecurityContextHolderFilter.doFilter(SecurityContextHolderFilter.java:69) ~[spring-security-web-6.2.1.jar:6.2.1]
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:374) ~[spring-security-web-6.2.1.jar:6.2.1]
at org.springframework.security.web.context.request.async.WebAsyncManagerIntegrationFilter.doFilterInternal(WebAsyncManagerIntegrationFilter.java:62) ~[spring-security-web-6.2.1.jar:6.2.1]
at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:116) ~[spring-web-6.1.3.jar:6.1.3]
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:374) ~[spring-security-web-6.2.1.jar:6.2.1]
at org.springframework.security.web.session.DisableEncodeUrlFilter.doFilterInternal(DisableEncodeUrlFilter.java:42) ~[spring-security-web-6.2.1.jar:6.2.1]
at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:116) ~[spring-web-6.1.3.jar:6.1.3]
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:374) ~[spring-security-web-6.2.1.jar:6.2.1]
at org.springframework.security.web.FilterChainProxy.doFilterInternal(FilterChainProxy.java:233) ~[spring-security-web-6.2.1.jar:6.2.1]
at org.springframework.security.web.FilterChainProxy.doFilter(FilterChainProxy.java:191) ~[spring-security-web-6.2.1.jar:6.2.1]
at org.springframework.web.filter.CompositeFilter$VirtualFilterChain.doFilter(CompositeFilter.java:113) ~[spring-web-6.1.3.jar:6.1.3]
at org.springframework.web.servlet.handler.HandlerMappingIntrospector.lambda$createCacheFilter$3(HandlerMappingIntrospector.java:195) ~[spring-webmvc-6.1.3.jar:6.1.3]
at org.springframework.web.filter.CompositeFilter$VirtualFilterChain.doFilter(CompositeFilter.java:113) ~[spring-web-6.1.3.jar:6.1.3]
at org.springframework.web.filter.CompositeFilter.doFilter(CompositeFilter.java:74) ~[spring-web-6.1.3.jar:6.1.3]
at org.springframework.security.config.annotation.web.configuration.WebMvcSecurityConfiguration$CompositeFilterChainProxy.doFilter(WebMvcSecurityConfiguration.java:225) ~[spring-security-config-6.2.1.jar:6.2.1]
at org.springframework.web.filter.DelegatingFilterProxy.invokeDelegate(DelegatingFilterProxy.java:352) ~[spring-web-6.1.3.jar:6.1.3]
at org.springframework.web.filter.DelegatingFilterProxy.doFilter(DelegatingFilterProxy.java:268) ~[spring-web-6.1.3.jar:6.1.3]
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:174) ~[tomcat-embed-core-10.1.18.jar:10.1.18]
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:149) ~[tomcat-embed-core-10.1.18.jar:10.1.18]
at org.springframework.web.filter.RequestContextFilter.doFilterInternal(RequestContextFilter.java:100) ~[spring-web-6.1.3.jar:6.1.3]
at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:116) ~[spring-web-6.1.3.jar:6.1.3]
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:174) ~[tomcat-embed-core-10.1.18.jar:10.1.18]
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:149) ~[tomcat-embed-core-10.1.18.jar:10.1.18]
at org.springframework.web.filter.FormContentFilter.doFilterInternal(FormContentFilter.java:93) ~[spring-web-6.1.3.jar:6.1.3]
at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:116) ~[spring-web-6.1.3.jar:6.1.3]
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:174) ~[tomcat-embed-core-10.1.18.jar:10.1.18]
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:149) ~[tomcat-embed-core-10.1.18.jar:10.1.18]
at org.springframework.web.filter.CharacterEncodingFilter.doFilterInternal(CharacterEncodingFilter.java:201) ~[spring-web-6.1.3.jar:6.1.3]
at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:116) ~[spring-web-6.1.3.jar:6.1.3]
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:174) ~[tomcat-embed-core-10.1.18.jar:10.1.18]
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:149) ~[tomcat-embed-core-10.1.18.jar:10.1.18]
at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:167) ~[tomcat-embed-core-10.1.18.jar:10.1.18]
at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:90) ~[tomcat-embed-core-10.1.18.jar:10.1.18]
at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:482) ~[tomcat-embed-core-10.1.18.jar:10.1.18]
at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:115) ~[tomcat-embed-core-10.1.18.jar:10.1.18]
at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:93) ~[tomcat-embed-core-10.1.18.jar:10.1.18]
at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:74) ~[tomcat-embed-core-10.1.18.jar:10.1.18]
at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:340) ~[tomcat-embed-core-10.1.18.jar:10.1.18]
at org.apache.coyote.http11.Http11Processor.service(Http11Processor.java:391) ~[tomcat-embed-core-10.1.18.jar:10.1.18]
at org.apache.coyote.AbstractProcessorLight.process(AbstractProcessorLight.java:63) ~[tomcat-embed-core-10.1.18.jar:10.1.18]
at org.apache.coyote.AbstractProtocol$ConnectionHandler.process(AbstractProtocol.java:896) ~[tomcat-embed-core-10.1.18.jar:10.1.18]
at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1744) ~[tomcat-embed-core-10.1.18.jar:10.1.18]
at org.apache.tomcat.util.net.SocketProcessorBase.run(SocketProcessorBase.java:52) ~[tomcat-embed-core-10.1.18.jar:10.1.18]
at org.apache.tomcat.util.threads.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1191) ~[tomcat-embed-core-10.1.18.jar:10.1.18]
at org.apache.tomcat.util.threads.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:659) ~[tomcat-embed-core-10.1.18.jar:10.1.18]
at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61) ~[tomcat-embed-core-10.1.18.jar:10.1.18]
at java.base/java.lang.Thread.run(Thread.java:842) ~[na:na]
2024-02-03T09:24:07.878+08:00 DEBUG 13892 --- [nio-8080-exec-7] o.s.s.w.s.HttpSessionRequestCache : Saved request http://localhost:8080/hello?continue to session
2024-02-03T09:24:07.878+08:00 DEBUG 13892 --- [nio-8080-exec-7] s.w.a.DelegatingAuthenticationEntryPoint : Trying to match using And [Not [RequestHeaderRequestMatcher [expectedHeaderName=X-Requested-With, expectedHeaderValue=XMLHttpRequest]], MediaTypeRequestMatcher [contentNegotiationStrategy=org.springframework.web.accept.ContentNegotiationManager@4f223bee, matchingMediaTypes=[application/xhtml+xml, image/*, text/html, text/plain], useEquals=false, ignoredMediaTypes=[*/*]]]
2024-02-03T09:24:07.878+08:00 DEBUG 13892 --- [nio-8080-exec-7] s.w.a.DelegatingAuthenticationEntryPoint : Match found! Executing org.springframework.security.web.authentication.LoginUrlAuthenticationEntryPoint@d902300
2024-02-03T09:24:07.878+08:00 DEBUG 13892 --- [nio-8080-exec-7] o.s.s.web.DefaultRedirectStrategy : Redirecting to http://localhost:8080/login
2024-02-03T09:24:07.878+08:00 TRACE 13892 --- [nio-8080-exec-7] o.s.s.w.header.writers.HstsHeaderWriter : Not injecting HSTS header since it did not match request to [Is Secure]
2024-02-03T09:24:07.885+08:00 TRACE 13892 --- [nio-8080-exec-8] o.s.security.web.FilterChainProxy : Trying to match request against DefaultSecurityFilterChain [RequestMatcher=any request, Filters=[org.springframework.security.web.session.DisableEncodeUrlFilter@4eaa375c, org.springframework.security.web.context.request.async.WebAsyncManagerIntegrationFilter@2404b5a, org.springframework.security.web.context.SecurityContextHolderFilter@6088451e, org.springframework.security.web.header.HeaderWriterFilter@3ba3d4b6, org.springframework.web.filter.CorsFilter@3af58f76, org.springframework.security.web.csrf.CsrfFilter@6bcb12e6, org.springframework.security.web.authentication.logout.LogoutFilter@3a7e365, org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter@5f05c8d6, org.springframework.security.web.authentication.ui.DefaultLoginPageGeneratingFilter@5416f8db, org.springframework.security.web.authentication.ui.DefaultLogoutPageGeneratingFilter@2ead6ba4, org.springframework.security.web.authentication.www.BasicAuthenticationFilter@7885776b, org.springframework.security.web.savedrequest.RequestCacheAwareFilter@2f10f633, org.springframework.security.web.servletapi.SecurityContextHolderAwareRequestFilter@1642eeae, org.springframework.security.web.authentication.AnonymousAuthenticationFilter@31a2a9fa, org.springframework.security.web.access.ExceptionTranslationFilter@40de8f93, org.springframework.security.web.access.intercept.AuthorizationFilter@78422efb]] (1/1)
2024-02-03T09:24:07.885+08:00 DEBUG 13892 --- [nio-8080-exec-8] o.s.security.web.FilterChainProxy : Securing GET /login
2024-02-03T09:24:07.885+08:00 TRACE 13892 --- [nio-8080-exec-8] o.s.security.web.FilterChainProxy : Invoking DisableEncodeUrlFilter (1/16)
2024-02-03T09:24:07.886+08:00 TRACE 13892 --- [nio-8080-exec-8] o.s.security.web.FilterChainProxy : Invoking WebAsyncManagerIntegrationFilter (2/16)
2024-02-03T09:24:07.886+08:00 TRACE 13892 --- [nio-8080-exec-8] o.s.security.web.FilterChainProxy : Invoking SecurityContextHolderFilter (3/16)
2024-02-03T09:24:07.886+08:00 TRACE 13892 --- [nio-8080-exec-8] o.s.security.web.FilterChainProxy : Invoking HeaderWriterFilter (4/16)
2024-02-03T09:24:07.886+08:00 TRACE 13892 --- [nio-8080-exec-8] o.s.security.web.FilterChainProxy : Invoking CorsFilter (5/16)
2024-02-03T09:24:07.886+08:00 TRACE 13892 --- [nio-8080-exec-8] o.s.security.web.FilterChainProxy : Invoking CsrfFilter (6/16)
2024-02-03T09:24:07.886+08:00 TRACE 13892 --- [nio-8080-exec-8] o.s.security.web.csrf.CsrfFilter : Did not protect against CSRF since request did not match CsrfNotRequired [TRACE, HEAD, GET, OPTIONS]
2024-02-03T09:24:07.886+08:00 TRACE 13892 --- [nio-8080-exec-8] o.s.security.web.FilterChainProxy : Invoking LogoutFilter (7/16)
2024-02-03T09:24:07.886+08:00 TRACE 13892 --- [nio-8080-exec-8] o.s.s.w.a.logout.LogoutFilter : Did not match request to Ant [pattern='/logout', POST]
2024-02-03T09:24:07.886+08:00 TRACE 13892 --- [nio-8080-exec-8] o.s.security.web.FilterChainProxy : Invoking UsernamePasswordAuthenticationFilter (8/16)
2024-02-03T09:24:07.886+08:00 TRACE 13892 --- [nio-8080-exec-8] w.a.UsernamePasswordAuthenticationFilter : Did not match request to Ant [pattern='/login', POST]
2024-02-03T09:24:07.886+08:00 TRACE 13892 --- [nio-8080-exec-8] o.s.security.web.FilterChainProxy : Invoking DefaultLoginPageGeneratingFilter (9/16)
2024-02-03T09:24:07.887+08:00 TRACE 13892 --- [nio-8080-exec-8] o.s.s.w.header.writers.HstsHeaderWriter : Not injecting HSTS header since it did not match request to [Is Secure]
重定向到 /login 流程图
流程图说明
- 过滤器链,org.springframework.security.web.FilterChainProxy.VirtualFilterChain#doFilter,一个接着一个filter 执行
- DefaultLoginPageGeneratingFilter,默认登录页生成过滤器。判断当前url 是否是login、loginError,logout 的url,如果是,就生成登录页面,并且输出到浏览器
- AuthorizationFilter,权限过滤器,判断当前用户是否有权限访问url。当浏览器访问 /hello 地址,经过 AnonymousAuthenticationFilter 过滤器,未获取到认证信息,会生成匿名的认证Token-AnonymousAuthenticationToken。
授权认证器校验到当前的AnonymousAuthenticationToken无权限访问/hello, 抛出AccessDeniedException异常
- ExceptionTranslationFilter,异常处理过滤器,处理 AuthenticationException、AccessDeniedException异常。它catch 到 AuthorizationFilter 抛出的 AccessDeniedException异常,调用 handleSpringSecurityException 方法处理异常
根据不同的异常类型,不同的处理逻辑
处理AccessDeniedException 异常
由于是匿名的认证用户,执行sendStartAuthentication方法
- DelegatingAuthenticationEntryPoint 开始处理异常 commence 方法
匹配到 LoginUrlAuthenticationEntryPoint,登录URL身份验证入口点,它生成重定向的URL http://localhost:8080/login。
- DefaultRedirectStrategy,默认的重定向策略类,重定向到登录地址 http://localhost:8080/login
