数据结构与算法/分布式算法/ZAB

2020-09-08

ZAB

基本与raft相同

叫法有些区别

leader周期为epoch 而不是 term

心跳方向相反，followe向leader发送心跳

展开全文 >>

数据结构与算法/分布式算法/Paxos

2020-09-08

Paxos

三种版本

Basic paxos

Multi Paxos

Fast Paxos

paxos的算法基于一个岛屿法律制定的故事

Basic paxos

client: 请求的发起者，就是公民

Propser ：接收client的请求，向集群发送提议。并在冲突发生时，收到冲突调节的作用，。就是议员，收集公民提议，整理提议提出议案

Acceptor（Voter）：投票和接收议案。只有在形成法定人数的时候，提议才会被最终接收。就是最终决定的领导

Learner：提议接收者，backup，备份，对集群一致性没什么影响，就是用来记录提议的

步骤：

准备阶段

Propser 议员对client的提议整理出一个议案，编号X，交给Acceptor 领导

是否允许

由于Propser 有很多个，那么针对 X 议案，如果以前提过，那么拒绝，（其实就是比较编号X的大小）

接待议案

此时还要看是否为多数派都通过，就是Acceptor数量的超过一半了，那么发送议案请求和编号，那么就准备立案

立案

在Acceptor接收此议案的过程中没有新的编号议案过来时，则立案，Learner记下议案内容，否则忽略此次议案

Multi Paxos

加入了

Leader 唯一的propser ，所有的请求都经过此propser

展开全文 >>

数据结构与算法/分布式算法/Raft

2020-09-08

Raft

分布式系统常见问题之一致性

多系统之间要想保证一致性，毫无疑问同步是最强的一致性体现，但是同步严重降低了系统之间的可用性

C（consistency）和 A（available）之间的取舍是当前分布式系统的困扰

Raft算法是什么？

Paxos一直是分布式协议的标准，但是Paxos难于理解，更难以实现，Google的分布式锁系统Chubby作为Paxos实现曾经遭遇到很多坑。后来斯坦福大学提出了Raft算法。

Raft是用于管理复制日志的一致性算法。它的效果相当于(multi-)Paxos，跟Paxos一样高效，但结构与Paxos不同。这使得Raft比Paxos更容易理解，也为构建实用系统提供了更好的基础。

Raft基础知识

Raft集群包含多个服务器，5个服务器是比较典型的，允许系统容忍两个故障。在任何给定时间，每个服务器都处于以下三种状态之一，领导者（Leader），追随者（Follower）或候选人（Candidate）。这几个状态间可以相互转换。

Leader：处理所有客户端交互，日志复制等，一般一次只有一个Leader

Follower：类似选民，完全被动

Candidate：类似Proposer律师，可以被选为一个新的领导人

三个子问题：

Log Replication

Safety

2pc

leader Election

选举算法是利用时间窗口的来进行选举

无论集群有多少台机器

每一台集群在指定超时时间结束前没有收到 leader的心跳，此机器认为集群中没有leader，此时就会发起对自己的投票

既然是每一台机器的都干的活，那么此时集群中会有多台机器发起投票，发起投票的机器不对其他发起投票的机器做出相应，没有发起投票的机器只能接待最先达到的投票，并给出响应

一轮过去后，发起投票的所有机器中有可能有且仅有一台获得一半以上的票数,此时他就是leader，向集群发送心跳维持关系，其他发起投票机器和投给其他机器的机器收到leader的心跳包，此时认为给他发心跳包的机器就是leader。如果发起投票的所有机器没有一台超过一半同意，那么超时进行第二轮选，票数重置

Log Replication

client发送一次请求

读请求

写请求

client 这些外部系统发送写请求

直接发给leader，那么leader日志备份，并同时发送写请求给集群，集群收到之后日志备份，返回 leader，leader此时提交，可以返回给客户端了，同时发送提交心跳包给集群，

（leader 发给集群，没有收到响应，重新退回候选，选出新leader后在进行处理请求）

（leader发送给集群，收到响应提交了，但是集群没收到提交包，leader又为候选，重选leader）

（leader发送给集群，收到响应提交了，但是集群只有少部分收到提交包，leader又为候选，重选leader）

展开全文 >>

数据结构与算法/链表

2020-09-07

链表面试题：一般有快慢指针的概念

回文算法：

利用栈：先遍历压栈，然后遍历弹栈比较

右半链表反向

展开全文 >>

数据结构与算法/trie

2020-09-07

前缀树

“abc”,”ab”

root(pass = 2 , end = 0)

a (pass=2,end =0)

b(pass=2 ,end = 1)

c(pass = 1,end = 1)

package trie;

import java.util.HashMap;

/**
 * @author 忘忧症
 * @Distribute
 */
public class Trie {

    private  final TrieNode root = new TrieNode();


    public  void process(String str){
        TrieNode node = root;
        root.pass+=1;
        for (int i = 0; i < str.length(); i++) {
            char c = str.charAt(i);
            String cStr = c+"";
            if (i == str.length()-1) {
               node = node.insertTrie(cStr,true);
            }else{
               node =  node.insertTrie(cStr,false);
            }
        }
    }

    public void remove(String str){
        _remove(str,root,0);
    }

    private boolean  _remove(String str,TrieNode node,int index){
        char c = str.charAt(index);
        String cStr = c+"";
        TrieNode trieNode = node.children.get(cStr);
        if (trieNode == null ) {
            return  false;
        }
        if (index== str.length()-1){
            trieNode.pass --;
            trieNode.end--;
            if (trieNode.pass == 0){
                node.children.remove(cStr);
            }
        }
        else if (_remove(str,trieNode,index+1)){
            trieNode.pass --;
            if (trieNode.pass == 0){
                node.children.remove(cStr);
            }
        }
        return true;
    }

    public static void main(String[] args) {

        Trie trie = new Trie();

        trie.process("abc");
        trie.process("ab");
        trie.process("dc");
        trie.process("abdc");
        trie.process("abcd");
        System.out.println(trie.root);


        trie.remove("abc");
        trie.remove("abcd");
        System.out.println(trie.root);
    }


    private static class TrieNode{

        private int pass = 0;
        private int end = 0;
        private HashMap<String,TrieNode> children = new HashMap<>();

        private TrieNode insertTrie(String str,Boolean isEnd){

            TrieNode child = children.get(str);
            if (null == child) {
                //新前缀
                child = new TrieNode();
                children.put(str,child);
            }
            child.pass = child.pass+1;
            child.end = isEnd? child.end+1: child.end;

            return child;
        }


        @Override
        public String toString() {
            return "TrieNode{" +
                    "pass=" + pass +
                    ", end=" + end +
                    ", children=" + children +
                    '}';
        }
    }
}

桶排序


package bucket;


import merger.MergerAlgorithm;

import static merger.MergerAlgorithm.printArray;

/**
 * @author 忘忧症
 * @Distribute
 */
public class BucketSorting {


    public static int findMax(int[] arr,int start,int end){
        int result = start;
        for (int i = start; i <= end; i++) {
            if (arr[i]>arr[result]){
                result = i;
            }
        }
        return arr[result];
    }

    public static void countSort(int[] arr,int start,int end){

        int max = findMax(arr,start ,end);
        int[] help = new int[max+1];
        for (int i = 0; i < arr.length; i++) {
            help[ arr[i] ] ++;
        }
        int j =0 ;
        for (int i = start; i <= end ; i++) {
           while (help[j]-->0){
               arr[i++] = j;
           }
        }
    }

    public static int  digit(int num){

        int result = 0;
        while ( num >0){
            num/=10;
            result++;
        }
        return result;
    }


    public static int  findDigit(int num, int type){

        while (type>0){
            num/=10;
            type --;
        }
        return  num%10;
    }

    public static void radixSort(int[] arr,int start,int end){

        int max = findMax(arr,start,end);
        int digit = digit(max);

        int [] help = new int[end -start+1];

        for (int i = 0; i < digit; i++) {

            int[] radix = new int[10];
            for (int j = start; j <= end ; j++) {
                int digit1 = findDigit(arr[j], i);
                radix[digit1]++;
            }

            for (int j = 1; j < 10; j++) {
                radix[j]=radix[j]+radix[j-1];
            }

            for (int j = end; j >= start ; j--) {
                int digit1 = findDigit(arr[j], i);
                int radix1 = radix[digit1];
                radix[digit1]--;
                help[ radix1-1 ] = arr[j];
            }

            MergerAlgorithm.copyArray(arr,start,help,start,end);
        }
    }


    public static void main(String[] args) {

        int[] arr = new int[]{55,33,11,798,2,648,2,3,78,6};
        radixSort(arr,0,arr.length-1);
        printArray(arr);

    }
}

O（N^2）的常数项可以很低

O （N*logN ）常数一般比较高

所以 O （N*logN ）算法和 O（N^2）算法可以一起用

展开全文 >>

数据结构与算法/堆算法

2020-09-07

堆

package heap;


import merger.MergerAlgorithm;
import quick.QuickSorting;

/**
 * @author 忘忧症
 * @Distribute
 */


public class HeapSort {


    /*
    
     
     0层  比较  0次
     1层  比较   1次
     .........
    logn层 比较  logn 次   节点数量与层数成正比
    
    出现很多的节点 出现很多次的操作
    */
    public static void process2(int[] arr, int start, int end) {

        for (int i = start+1; i <= end ; i++) {
            handleUp(arr,i,start);
        }

    }
    public static void handleUp(int[] arr, int position, int start) {

        while (position>start){
            int child= position;
            int temp = position-start+1;
            temp>>= 1;
            position = temp+start-1;

            if (arr[position]< arr[child]){
                swap(arr,position,child);
            }
        }
    }


    /**
     * 向下处理的方式,推荐
     
     
     最后一层节点多，并且不需要比较次数少
     0层  比较  logn次
     1层  比较   logn-1次
     .........
    logn层 比较  0 次   节点数量与层数成正比
     * @param arr
     * @param start
     * @param end
     */
    public static void process(int[] arr, int start, int end) {
        int mid = start+ ((end-start)>>1);
        for (int i = mid; i >= start ; i--) {
            handleDown(arr,i,start,end);
        }

    }

    public static void handleDown(int[] arr, int position, int start, int end) {

       while (position<=end){
           int temp = position-start+1;
           temp*=2;
           int left = temp+start-1;
           int right = temp+start;

           int child=left;
           if (left<=end&& right<=end && arr[left]<arr[right] ){
               child=right;
           }
           if (child<=end && arr[position]< arr[child]){
               swap(arr,position,child);
           }
           position = child;
       }
    }
    public static void  swap(int[] arr,int oldPosition,int newPosition){
        int i = arr[oldPosition];
        arr[oldPosition]=arr[newPosition];
        arr[newPosition]=i;
    }

    public static int maxInArr(int arr[], int start, int end) {

        int result = 0;
        for (int i = start; i <= end; i++) {
            if (result < arr[i]) {
                result = arr[i];
            }
        }
        return result;
    }


    public static int digit(int num) {

        int count = 0;
        while (num > 0) {

            num /= 10;
            count++;
        }
        return count;
    }

    public static int zeroNum(int o) {

        int result = 0;
        if (o >= 1 << 16) {
            o >>= 16;
            result += 16;
        }
        if (o >= 1 << 8) {
            o >>= 8;
            result += 8;
        }
        if (o >= 1 << 4) {
            o >>= 4;
            result += 4;
        }
        if (o >= 1 << 2) {
            o >>= 2;
            result += 2;
        }
        if (o >= 1 << 1) {
            result += 1;
        }
        return result;
    }


    public static void printHeap(int[] arr, int start, int end) {

        System.out.println("===========堆开始打印================");
        System.out.println("heap length:" + arr.length);

        int digit = digit(maxInArr(arr, start, end));
        int d = end - start + 1;
        d = zeroNum(d);
        int position = start;
        for (int i = 0; i <= d; i++) {

            int spaceNum = (1<<(d-i))-1;

            while (spaceNum > 0) {
                System.out.printf("%" +digit+"s"," ");
                spaceNum--;
            }


            int depth = 1 << i;
            while (depth > 0) {
                depth--;
                System.out.printf("%"+digit+"d",arr[position]);
                position++;

                spaceNum = (1<<(d+1-i))-1;
                while (spaceNum>0){
                    System.out.printf("%"+digit+"s", " ");
                    spaceNum--;
                }
                if (position > end) {
                    break;
                }
            }
            System.out.print("\n");
        }
        System.out.println("===========堆打印结束================");

    }

    public static void main(String[] args) {

        int[] arr = new int[]{55,33,11,798,2,648,2,3,78,6};
        process2(arr,0,arr.length-1);
        printHeap(arr,0,arr.length-1);


        int position = arr.length-1;

        while (position>0){

            swap(arr,0,position);
            position--;
            handleDown(arr,0,0,position);
        }
        MergerAlgorithm.printArray(arr);


        /*           55
        *      33        11
        *   798  2     648  2
        * 3   78 6
        * */
    }
}

展开全文 >>

数据结构与算法/归并和随机快排

2020-09-06

归并

先解决小问题排序，然后解决大问题排序

package merger;

/**
 * @author 忘忧症
 * @Distribute
 */


public class MergerAlgorithm {


    /**
     * 使arr再start到end区间有序,升序
     * @param arr
     * @param start
     * @param end
     */
    public static void process(int[] arr, int start, int end){
        if (start>= end){ //base case 最小规模
            return;
        }
        // 取中间值
        int mid = start + ((end-start)>>1);

        process(arr,start,mid);
        process(arr,mid+1,end);

        if (arr[mid] <= arr[mid+1]){
            return;
        }else{
            merger(arr,start,end,mid);
        }

    }


    public static void process2(int[] arr, int start, int end){
        int d = 1;

        while (d<=end){

            for (int i = 0; i <= end; i=i+2*d) {
                int mid = i+d-1;
                int _start = i;
                int _end = i+2*d-1;
                if (_end<=end){
                    merger(arr,_start,_end, mid);
                }
                else if (mid <= end){
                    if (mid==end){
                        // do nothing
                    }else{
                        merger(arr,_start,end, mid);
                    }
                }
            }
            d<<=1;
        }
    }

    public static void merger(int[] arr,final int start,final int end,final int mid){
        int[] temp = new int[end-start+1];
        int count = 0;
        int i= start;
        int j = mid+1;
        for (;i <= mid && j<= end ;) {

            if (arr[i] <= arr[j]){
                temp[count++]=arr[i++];
            }else{
                temp[count++]=arr[j++];
            }
        }
        if (i<=mid){
            copyArray(temp,count,arr,i,mid);
        }else {
            copyArray(temp,count,arr,j,end);
        }
        copyArray(arr,start,temp,0,end-start);
    }

    public static void copyArray(int[] newArr, int position, int[] oldArr,final int start,final int end){
        for (int i = start; i <= end ; i++) {
            try {
                newArr[position++] = oldArr[i];
            }catch (RuntimeException e){
                throw new RuntimeException("copyArray： 新数组可用长度不够");

            }
        }
    }

    public static void printArray(int[] arr){
        System.out.println("*******************arr开始打印*************");
        System.out.println("arr长度:" +arr.length);
        System.out.print("arr内容: ");
        for (int i = 0; i < arr.length; i++) {
            System.out.print(arr[i]);
            if (i!=arr.length-1){
                System.out.print(",");
            }
        }
        System.out.print("\n");
        System.out.println("*******************arr打印结束*************");
    }

    public static void main(String[] args) {

        int[] arr = new int[]{55,33,11,798,2,648,2,3,78,6};
        process2(arr,0,arr.length-1);
        printArray(arr);
    }
}

快排


package quick;

import java.util.Stack;

import static merger.MergerAlgorithm.printArray;

/**
 * @author 忘忧症
 * @Distribute
 */
public class QuickSorting {


    public static void process(int[] arr,int start,int end){

        if (start >= end ){
            return;
        }

        int mid = partition2(arr,start,end);
        process(arr,start,mid-1);
        process(arr,mid+1,end);
    }



    public static void process2(int[] arr,final int start,final int end){

        Stack<Integer> stack = new Stack<>();

        stack.push(start);
        stack.push(end);

        while (!stack.isEmpty()){
            int _end = stack.pop();
            int _start = stack.pop();
            if (_start<_end){
                int mid = partition2(arr, _start,end);
                stack.push(_start);
                stack.push(mid);
                stack.push(mid+1);
                stack.push(_end);
            }
        }
    }

    public static int partition(int[] arr,final int start,final int end){

        int i= start;
        int j = end;

        int separateNum = arr[i];
        while (i<j){
            while (i<j&& arr[j]>=separateNum) j--;
            if (i<j){
                arr[i] = arr[j];
                i++;
            }
            while (i<j&& arr[i]<separateNum) i++;
            if (i<j){
                arr[j]=arr[i];
            }
        }
        arr[i] = separateNum;
        return i;
    }

    /**
     * 此形式不友好
     * @param arr
     * @param start
     * @param end
     * @return
     */
    public static int partition2(int[] arr,final int start,final int end){
        int i = start;
        int separateNum = arr[i];

        for (int k = start+1; k <= end ; k++) {
            if (arr[k]< separateNum){
                i++;
                if (i!= k){
                    swap(arr,i,k);
                }
            }
        }

        if (i != start){
            swap(arr,i,start);
        }
        return i;
    }


    public static void  swap(int[] arr,int oldPosition,int newPosition){
        int i = arr[oldPosition];
        arr[oldPosition]=arr[newPosition];
        arr[newPosition]=i;
    }

    public static void main(String[] args) {
        int[] arr = new int[]{55,33,11,798,2,648,2,3,78,6};
        process(arr,0,arr.length-1);
        printArray(arr);

    }
}

展开全文 >>

framework/SpringSecurity/SpringSecurity源码

2020-09-04

SpringSecurity源码

再SpringBoot里面对SpringSecurity做了很好的集成

spring.factories

org.springframework.boot.autoconfigure.security.servlet.SecurityAutoConfiguration,\
org.springframework.boot.autoconfigure.security.servlet.UserDetailsServiceAutoConfiguration,\
org.springframework.boot.autoconfigure.security.servlet.SecurityFilterAutoConfiguration,\
org.springframework.boot.autoconfigure.security.reactive.ReactiveSecurityAutoConfiguration,\
org.springframework.boot.autoconfigure.security.reactive.ReactiveUserDetailsServiceAutoConfiguration,\
org.springframework.boot.autoconfigure.security.rsocket.RSocketSecurityAutoConfiguration,\
org.springframework.boot.autoconfigure.security.saml2.Saml2RelyingPartyAutoConfiguration,\
org.springframework.boot.autoconfigure.sendgrid.SendGridAutoConfiguration,\
org.springframework.boot.autoconfigure.session.SessionAutoConfiguration,\
org.springframework.boot.autoconfigure.security.oauth2.client.servlet.OAuth2ClientAutoConfiguration,\
org.springframework.boot.autoconfigure.security.oauth2.client.reactive.ReactiveOAuth2ClientAutoConfiguration,\
org.springframework.boot.autoconfigure.security.oauth2.resource.servlet.OAuth2ResourceServerAutoConfiguration,\
org.springframework.boot.autoconfigure.security.oauth2.resource.reactive.ReactiveOAuth2ResourceServerAutoConfiguration,\

SecurityAutoConfiguration

@Configuration(proxyBeanMethods = false)
@ConditionalOnClass(DefaultAuthenticationEventPublisher.class)
//自动导入的配置类
@EnableConfigurationProperties(SecurityProperties.class)
@Import({ SpringBootWebSecurityConfiguration.class, WebSecurityEnablerConfiguration.class,
		SecurityDataConfiguration.class })
public class SecurityAutoConfiguration {

	@Bean
	@ConditionalOnMissingBean(AuthenticationEventPublisher.class)
	public DefaultAuthenticationEventPublisher authenticationEventPublisher(ApplicationEventPublisher publisher) {
		return new DefaultAuthenticationEventPublisher(publisher);
	}

}

SecurityProperties

配置类


@ConfigurationProperties(prefix = "spring.security")
public class SecurityProperties {

	/**
	 * 应用于用于为应用程序终结点配置基本身份验证的WebSecurityConfigurerAdapter的顺序。如果您想为所有或部分端点添加您自己的身份验证，最好的做法是以较低的顺序添加您自己的WebSecurityConfigurerAdapter。
	 */
	public static final int BASIC_AUTH_ORDER = Ordered.LOWEST_PRECEDENCE - 5;

	/**
	 * 应用于忽略标准静态资源路径的WebSecurityConfigurer的顺序。
	 */
	public static final int IGNORED_ORDER = Ordered.HIGHEST_PRECEDENCE;

	/**
	 * springsecurity过滤器在servlet容器中的默认顺序（即在容器注册的其他过滤器中）。这与Web安全配置程序上的{@code@Order}之间没有连接。
	 */
	public static final int DEFAULT_FILTER_ORDER = OrderedFilter.REQUEST_WRAPPER_FILTER_MAX_ORDER - 100;

	private final Filter filter = new Filter();

	private User user = new User();

	public User getUser() {
		return this.user;
	}

	public Filter getFilter() {
		return this.filter;
	}

	public static class Filter {

		/**
		 * Security filter chain order.
		 */
		private int order = DEFAULT_FILTER_ORDER;

		/**
		 * Security filter chain dispatcher types.
		 */
		private Set<DispatcherType> dispatcherTypes = new HashSet<>(
				Arrays.asList(DispatcherType.ASYNC, DispatcherType.ERROR, DispatcherType.REQUEST));

		public int getOrder() {
			return this.order;
		}

		public void setOrder(int order) {
			this.order = order;
		}

		public Set<DispatcherType> getDispatcherTypes() {
			return this.dispatcherTypes;
		}

		public void setDispatcherTypes(Set<DispatcherType> dispatcherTypes) {
			this.dispatcherTypes = dispatcherTypes;
		}

	}

	public static class User {

		/**
		 * Default user name.
		 */
		private String name = "user";

		/**
		 * Password for the default user name.
		 */
		private String password = UUID.randomUUID().toString();

		/**
		 * 为默认用户名授予角色。
		 */
		private List<String> roles = new ArrayList<>();

        //如果配置文件不指定密码，那么默认按自动生成的密码来
		private boolean passwordGenerated = true;

		public String getName() {
			return this.name;
		}

		public void setName(String name) {
			this.name = name;
		}

		public String getPassword() {
			return this.password;
		}

		public void setPassword(String password) {
			if (!StringUtils.hasLength(password)) {
				return;
			}
			this.passwordGenerated = false;
			this.password = password;
		}

		public List<String> getRoles() {
			return this.roles;
		}

		public void setRoles(List<String> roles) {
			this.roles = new ArrayList<>(roles);
		}

		public boolean isPasswordGenerated() {
			return this.passwordGenerated;
		}

	}

}

SpringBootWebSecurityConfiguration

配置类


web安全的默认配置。它依赖于springsecurity的内容协商策略来确定使用哪种身份验证。如果用户指定了他们自己的{@link WebSecurityConfigurerAdapter}，这将完全退出，用户应该指定他们想要配置的所有位作为自定义安全配置的一部分。

@Configuration(proxyBeanMethods = false)
@ConditionalOnClass(WebSecurityConfigurerAdapter.class)
@ConditionalOnMissingBean(WebSecurityConfigurerAdapter.class)
@ConditionalOnWebApplication(type = Type.SERVLET)
public class SpringBootWebSecurityConfiguration {

	@Configuration(proxyBeanMethods = false)
	@Order(SecurityProperties.BASIC_AUTH_ORDER)
	static class DefaultConfigurerAdapter extends WebSecurityConfigurerAdapter {

	}

}

WebSecurityEnablerConfiguration

 If there is a bean of type WebSecurityConfigurerAdapter, this adds the {@link EnableWebSecurity @EnableWebSecurity} annotation. This will make sure that the annotation is present with default security auto-configuration and also if the user adds custom security and forgets to add the annotation. If {@link EnableWebSecurity @EnableWebSecurity} has already been added or if a bean with name {@value BeanIds#SPRING_SECURITY_FILTER_CHAIN} has been configured by the user, this will back-off.
如果存在WebSecurityConfigurerAdapter类型的bean，则添加{@link @EnableWebSecurity}注释。这将确保注释具有默认的安全性自动配置，并且如果用户添加了自定义安全性而忘记添加注释。如果{@link @EnableWebSecurity}已经添加，或者如果用户已经配置了名为{@value BeanIds#SPRING_SECURITY_FILTER_CHAIN}的bean，则此操作将退出。

@Configuration(proxyBeanMethods = false)
@ConditionalOnBean(WebSecurityConfigurerAdapter.class)
@ConditionalOnMissingBean(name = BeanIds.SPRING_SECURITY_FILTER_CHAIN)
@ConditionalOnWebApplication(type = ConditionalOnWebApplication.Type.SERVLET)
@EnableWebSecurity
public class WebSecurityEnablerConfiguration {

}

SecurityDataConfiguration


自动添加springsecurity与Spring数据的集成。
@Configuration(proxyBeanMethods = false)
@ConditionalOnClass(SecurityEvaluationContextExtension.class)
public class SecurityDataConfiguration {

	@Bean
	@ConditionalOnMissingBean
	public SecurityEvaluationContextExtension securityEvaluationContextExtension() {
		return new SecurityEvaluationContextExtension();
	}

}

SpringSecurity-config

@EnableWebSecurity

/*

将此注释添加到{@code@Configuration}类，以便在任何{@link WebSecurityConfigurer}中定义Spring安全配置，或者更可能的方法是扩展{@link websecurityconfigureradapper}基类并重写各个方法：

<pre class="code">
 * @Configuration
 * @EnableWebSecurity
 * public class MyWebSecurityConfiguration extends WebSecurityConfigurerAdapter {
 *
 * 	@Override
 * 	public void configure(WebSecurity web) throws Exception {
 * 		web.ignoring()
 * 		// Spring Security should completely ignore URLs starting with /resources/
 * 				.antMatchers(&quot;/resources/**&quot;);
 * 	}
 *
 * 	@Override
 * 	protected void configure(HttpSecurity http) throws Exception {
 * 		http.authorizeRequests().antMatchers(&quot;/public/**&quot;).permitAll().anyRequest()
 * 				.hasRole(&quot;USER&quot;).and()
 * 				// Possibly more configuration ...
 * 				.formLogin() // enable form based log in
 * 				// set permitAll for all URLs associated with Form Login
 * 				.permitAll();
 * 	}
 *
 * 	@Override
 * 	protected void configure(AuthenticationManagerBuilder auth) throws Exception {
 * 		auth
 * 		// enable in memory based authentication with a user named &quot;user&quot; and &quot;admin&quot;
 * 		.inMemoryAuthentication().withUser(&quot;user&quot;).password(&quot;password&quot;).roles(&quot;USER&quot;)
 * 				.and().withUser(&quot;admin&quot;).password(&quot;password&quot;).roles(&quot;USER&quot;, &quot;ADMIN&quot;);
 * 	}
 *
 * }
 * </pre>
*/
@Retention(value = java.lang.annotation.RetentionPolicy.RUNTIME)
@Target(value = { java.lang.annotation.ElementType.TYPE })
@Documented
@Import({ WebSecurityConfiguration.class,
		SpringWebMvcImportSelector.class,
		OAuth2ImportSelector.class })
@EnableGlobalAuthentication
@Configuration
public @interface EnableWebSecurity {

	/**
	 * Controls debugging support for Spring Security. Default is false.
	 * @return if true, enables debug support with Spring Security
	 */
	boolean debug() default false;
}

@EnableGlobalAuthentication

@Retention(value = java.lang.annotation.RetentionPolicy.RUNTIME)
@Target(value = { java.lang.annotation.ElementType.TYPE })
@Documented
@Import(AuthenticationConfiguration.class)
@Configuration
public @interface EnableGlobalAuthentication {
}

AuthenticationConfiguration


@Configuration(proxyBeanMethods = false)
@Import(ObjectPostProcessorConfiguration.class)
public class AuthenticationConfiguration {

	private AtomicBoolean buildingAuthenticationManager = new AtomicBoolean();

	private ApplicationContext applicationContext;

	private AuthenticationManager authenticationManager;

	private boolean authenticationManagerInitialized;

	private List<GlobalAuthenticationConfigurerAdapter> globalAuthConfigurers = Collections
			.emptyList();

	private ObjectPostProcessor<Object> objectPostProcessor;

ObjectPostProcessorConfiguration

@Configuration(proxyBeanMethods = false)
@Role(BeanDefinition.ROLE_INFRASTRUCTURE)
public class ObjectPostProcessorConfiguration {

	@Bean
	@Role(BeanDefinition.ROLE_INFRASTRUCTURE)
	public ObjectPostProcessor<Object> objectPostProcessor(
			AutowireCapableBeanFactory beanFactory) {
		return new AutowireBeanFactoryObjectPostProcessor(beanFactory);
	}
}

WebSecurityConfiguration

public class WebSecurityConfiguration implements ImportAware, BeanClassLoaderAware {

private WebSecurity webSecurity;

	private Boolean debugEnabled;

	private List<SecurityConfigurer<Filter, WebSecurity>> webSecurityConfigurers;

	private ClassLoader beanClassLoader;

	@Autowired(required = false)
	private ObjectPostProcessor<Object> objectObjectPostProcessor;

	@Bean
	public static DelegatingApplicationListener delegatingApplicationListener() {
		return new DelegatingApplicationListener();
	}

	@Bean
	@DependsOn(AbstractSecurityWebApplicationInitializer.DEFAULT_FILTER_NAME)
	public SecurityExpressionHandler<FilterInvocation> webSecurityExpressionHandler() {
		return webSecurity.getExpressionHandler();
	}

	/**
	 * Creates the Spring Security Filter Chain
	 * @return the {@link Filter} that represents the security filter chain
	 * @throws Exception
	 */
	@Bean(name = AbstractSecurityWebApplicationInitializer.DEFAULT_FILTER_NAME)
	public Filter springSecurityFilterChain() throws Exception {
		boolean hasConfigurers = webSecurityConfigurers != null
				&& !webSecurityConfigurers.isEmpty();
		if (!hasConfigurers) {
			WebSecurityConfigurerAdapter adapter = objectObjectPostProcessor
					.postProcess(new WebSecurityConfigurerAdapter() {
					});
			webSecurity.apply(adapter);
		}
		return webSecurity.build();
	}

	/**
	 * Creates the {@link WebInvocationPrivilegeEvaluator} that is necessary for the JSP
	 * tag support.
	 * @return the {@link WebInvocationPrivilegeEvaluator}
	 */
	@Bean
	@DependsOn(AbstractSecurityWebApplicationInitializer.DEFAULT_FILTER_NAME)
	public WebInvocationPrivilegeEvaluator privilegeEvaluator() {
		return webSecurity.getPrivilegeEvaluator();
	}

	/**
	 * 设置用于创建web配置的{@code<SecurityConfigurer<FilterChainProxy，WebSecurityBuilder>}实例。
	 *
	 @param objectPostProcessor用于创建{@link WebSecurity}实例@param WebSecurity配置用于创建web配置的{@code<SecurityConfigurer<FilterChainProxy，WebSecurityBuilder>}实例
	 * @throws Exception
	 */
	@Autowired(required = false)
	public void setFilterChainProxySecurityConfigurer(
			ObjectPostProcessor<Object> objectPostProcessor,
			@Value("#{@autowiredWebSecurityConfigurersIgnoreParents.getWebSecurityConfigurers()}") List<SecurityConfigurer<Filter, WebSecurity>> webSecurityConfigurers)
			throws Exception {
		webSecurity = objectPostProcessor
				.postProcess(new WebSecurity(objectPostProcessor));
		if (debugEnabled != null) {
			webSecurity.debug(debugEnabled);
		}

		webSecurityConfigurers.sort(AnnotationAwareOrderComparator.INSTANCE);

		Integer previousOrder = null;
		Object previousConfig = null;
		for (SecurityConfigurer<Filter, WebSecurity> config : webSecurityConfigurers) {
			Integer order = AnnotationAwareOrderComparator.lookupOrder(config);
			if (previousOrder != null && previousOrder.equals(order)) {
				throw new IllegalStateException(
						"@Order on WebSecurityConfigurers must be unique. Order of "
								+ order + " was already used on " + previousConfig + ", so it cannot be used on "
								+ config + " too.");
			}
			previousOrder = order;
			previousConfig = config;
		}
		for (SecurityConfigurer<Filter, WebSecurity> webSecurityConfigurer : webSecurityConfigurers) {
			webSecurity.apply(webSecurityConfigurer);
		}
		this.webSecurityConfigurers = webSecurityConfigurers;
	}

	@Bean
	public static BeanFactoryPostProcessor conversionServicePostProcessor() {
		return new RsaKeyConversionServicePostProcessor();
	}

	@Bean
	public static AutowiredWebSecurityConfigurersIgnoreParents autowiredWebSecurityConfigurersIgnoreParents(
			ConfigurableListableBeanFactory beanFactory) {
		return new AutowiredWebSecurityConfigurersIgnoreParents(beanFactory);
	}

SpringWebMvcImportSelector


class SpringWebMvcImportSelector implements ImportSelector {

	/*
	 * (non-Javadoc)
	 *
	 * @see org.springframework.context.annotation.ImportSelector#selectImports(org.
	 * springframework .core.type.AnnotationMetadata)
	 */
	public String[] selectImports(AnnotationMetadata importingClassMetadata) {
		boolean webmvcPresent = ClassUtils.isPresent(
				"org.springframework.web.servlet.DispatcherServlet",
				getClass().getClassLoader());
		return webmvcPresent
				? new String[] {
						"org.springframework.security.config.annotation.web.configuration.WebMvcSecurityConfiguration" }
				: new String[] {};
	}
}
//
/*

Used to add a {@link RequestDataValueProcessor} for Spring MVC and Spring Security CSRF integration. This configuration is added whenever {@link EnableWebMvc} is added by SpringWebMvcImportSelector and the DispatcherServlet is present on the classpath. It also adds the {@link AuthenticationPrincipalArgumentResolver} as a {@link HandlerMethodArgumentResolver}.
用于为springmvc和springsecurity CSRF集成添加一个{@linkrequestdatavalueprocessor}。每当SpringWebMvcImportSelector添加{@link EnableWebMvc}并且DispatcherServlet出现在类路径上时，就会添加这个配置。它还将{@link AuthenticationPrincipalArgumentResolver}添加为{@link HandlerMethodArgumentResolver}。
*/

class WebMvcSecurityConfiguration implements WebMvcConfigurer, ApplicationContextAware {
	private BeanResolver beanResolver;

	@Override
	@SuppressWarnings("deprecation")
	public void addArgumentResolvers(List<HandlerMethodArgumentResolver> argumentResolvers) {
		AuthenticationPrincipalArgumentResolver authenticationPrincipalResolver = new AuthenticationPrincipalArgumentResolver();
		authenticationPrincipalResolver.setBeanResolver(beanResolver);
		argumentResolvers.add(authenticationPrincipalResolver);
		argumentResolvers
				.add(new org.springframework.security.web.bind.support.AuthenticationPrincipalArgumentResolver());

		CurrentSecurityContextArgumentResolver currentSecurityContextArgumentResolver = new CurrentSecurityContextArgumentResolver();
		currentSecurityContextArgumentResolver.setBeanResolver(beanResolver);
		argumentResolvers.add(currentSecurityContextArgumentResolver);
		argumentResolvers.add(new CsrfTokenArgumentResolver());
	}

	@Bean
	public RequestDataValueProcessor requestDataValueProcessor() {
		return new CsrfRequestDataValueProcessor();
	}

	@Override
	public void setApplicationContext(ApplicationContext applicationContext) throws BeansException {
		this.beanResolver = new BeanFactoryResolver(applicationContext.getAutowireCapableBeanFactory());
	}
}

OAuth2ImportSelector

final class OAuth2ImportSelector implements ImportSelector {

	@Override
	public String[] selectImports(AnnotationMetadata importingClassMetadata) {
		Set<String> imports = new LinkedHashSet<>();

		boolean oauth2ClientPresent = ClassUtils.isPresent(
				"org.springframework.security.oauth2.client.registration.ClientRegistration", getClass().getClassLoader());
		if (oauth2ClientPresent) {
			imports.add("org.springframework.security.config.annotation.web.configuration.OAuth2ClientConfiguration");
		}

		boolean webfluxPresent = ClassUtils.isPresent(
				"org.springframework.web.reactive.function.client.ExchangeFilterFunction", getClass().getClassLoader());
		if (webfluxPresent && oauth2ClientPresent) {
			imports.add("org.springframework.security.config.annotation.web.configuration.SecurityReactorContextConfiguration");
		}

		boolean oauth2ResourceServerPresent = ClassUtils.isPresent(
				"org.springframework.security.oauth2.server.resource.BearerTokenError", getClass().getClassLoader());
		if (webfluxPresent && oauth2ResourceServerPresent) {
			imports.add("org.springframework.security.config.annotation.web.configuration.SecurityReactorContextConfiguration");
		}

		return imports.toArray(new String[0]);
	}
}

UserDetailsServiceAutoConfiguration

@Configuration(proxyBeanMethods = false)
@ConditionalOnClass(AuthenticationManager.class)
@ConditionalOnBean(ObjectPostProcessor.class)
@ConditionalOnMissingBean(
		value = { AuthenticationManager.class, AuthenticationProvider.class, UserDetailsService.class },
		type = { "org.springframework.security.oauth2.jwt.JwtDecoder",
				"org.springframework.security.oauth2.server.resource.introspection.OpaqueTokenIntrospector" })
public class UserDetailsServiceAutoConfiguration {

	private static final String NOOP_PASSWORD_PREFIX = "{noop}";

	private static final Pattern PASSWORD_ALGORITHM_PATTERN = Pattern.compile("^\\{.+}.*$");

	private static final Log logger = LogFactory.getLog(UserDetailsServiceAutoConfiguration.class);

	@Bean
	@ConditionalOnMissingBean(
			type = "org.springframework.security.oauth2.client.registration.ClientRegistrationRepository")
	@Lazy
	public InMemoryUserDetailsManager inMemoryUserDetailsManager(SecurityProperties properties,
			ObjectProvider<PasswordEncoder> passwordEncoder) {
		SecurityProperties.User user = properties.getUser();
		List<String> roles = user.getRoles();
		return new InMemoryUserDetailsManager(
				User.withUsername(user.getName()).password(getOrDeducePassword(user, passwordEncoder.getIfAvailable()))
						.roles(StringUtils.toStringArray(roles)).build());
	}

	private String getOrDeducePassword(SecurityProperties.User user, PasswordEncoder encoder) {
		String password = user.getPassword();
		if (user.isPasswordGenerated()) {
			logger.info(String.format("%n%nUsing generated security password: %s%n", user.getPassword()));
		}
		if (encoder != null || PASSWORD_ALGORITHM_PATTERN.matcher(password).matches()) {
			return password;
		}
		return NOOP_PASSWORD_PREFIX + password;
	}

}

SecurityFilterAutoConfiguration

@Configuration(proxyBeanMethods = false)
@ConditionalOnWebApplication(type = Type.SERVLET)
@EnableConfigurationProperties(SecurityProperties.class)
@ConditionalOnClass({ AbstractSecurityWebApplicationInitializer.class, SessionCreationPolicy.class })
@AutoConfigureAfter(SecurityAutoConfiguration.class)
public class SecurityFilterAutoConfiguration {

	private static final String DEFAULT_FILTER_NAME = AbstractSecurityWebApplicationInitializer.DEFAULT_FILTER_NAME;

	@Bean
	@ConditionalOnBean(name = DEFAULT_FILTER_NAME)
	public DelegatingFilterProxyRegistrationBean securityFilterChainRegistration(
			SecurityProperties securityProperties) {
		DelegatingFilterProxyRegistrationBean registration = new DelegatingFilterProxyRegistrationBean(
				DEFAULT_FILTER_NAME);
		registration.setOrder(securityProperties.getFilter().getOrder());
		registration.setDispatcherTypes(getDispatcherTypes(securityProperties));
		return registration;
	}

	private EnumSet<DispatcherType> getDispatcherTypes(SecurityProperties securityProperties) {
		if (securityProperties.getFilter().getDispatcherTypes() == null) {
			return null;
		}
		return securityProperties.getFilter().getDispatcherTypes().stream()
				.map((type) -> DispatcherType.valueOf(type.name()))
				.collect(Collectors.toCollection(() -> EnumSet.noneOf(DispatcherType.class)));
	}

}

流程

找到RegistrationBean的子类


	@Bean
	@ConditionalOnBean(name = DEFAULT_FILTER_NAME)
	public DelegatingFilterProxyRegistrationBean securityFilterChainRegistration(
			SecurityProperties securityProperties) {
		DelegatingFilterProxyRegistrationBean registration = new DelegatingFilterProxyRegistrationBean(
				DEFAULT_FILTER_NAME);
		registration.setOrder(securityProperties.getFilter().getOrder());
		registration.setDispatcherTypes(getDispatcherTypes(securityProperties));
		return registration;
	}
通过这个来注册filter到web容器
    里面	public static final String DEFAULT_FILTER_NAME = "springSecurityFilterChain";
会去找bean的名字式这个的filer

找到filter


@Bean(name = AbstractSecurityWebApplicationInitializer.DEFAULT_FILTER_NAME)
public Filter springSecurityFilterChain() throws Exception {
	boolean hasConfigurers = webSecurityConfigurers != null
			&& !webSecurityConfigurers.isEmpty();
	if (!hasConfigurers) {
		WebSecurityConfigurerAdapter adapter = objectObjectPostProcessor
				.postProcess(new WebSecurityConfigurerAdapter() {
				});
		webSecurity.apply(adapter);
	}
	return webSecurity.build();
}

发现是通过webSecurity构建得到


@Autowired(required = false)
public void setFilterChainProxySecurityConfigurer(
		ObjectPostProcessor<Object> objectPostProcessor,
		@Value("#{@autowiredWebSecurityConfigurersIgnoreParents.getWebSecurityConfigurers()}") List<SecurityConfigurer<Filter, WebSecurity>> webSecurityConfigurers)
		throws Exception {
	webSecurity = objectPostProcessor
			.postProcess(new WebSecurity(objectPostProcessor));
	if (debugEnabled != null) {
		webSecurity.debug(debugEnabled);
	}

	webSecurityConfigurers.sort(AnnotationAwareOrderComparator.INSTANCE);

	Integer previousOrder = null;
	Object previousConfig = null;
	for (SecurityConfigurer<Filter, WebSecurity> config : webSecurityConfigurers) {
		Integer order = AnnotationAwareOrderComparator.lookupOrder(config);
		if (previousOrder != null && previousOrder.equals(order)) {
			throw new IllegalStateException(
					"@Order on WebSecurityConfigurers must be unique. Order of "
							+ order + " was already used on " + previousConfig + ", so it cannot be used on "
							+ config + " too.");
		}
		previousOrder = order;
		previousConfig = config;
	}
	for (SecurityConfigurer<Filter, WebSecurity> webSecurityConfigurer : webSecurityConfigurers) {
		webSecurity.apply(webSecurityConfigurer);
	}
	this.webSecurityConfigurers = webSecurityConfigurers;
}

又发现webSecurity获取是通过objectPostProcessor

	@Autowired(required = false)
	private ObjectPostProcessor<Object> objectObjectPostProcessor;


发现这个东西再Spring-config下面
	@Bean
	@Role(BeanDefinition.ROLE_INFRASTRUCTURE)
	public ObjectPostProcessor<Object> objectPostProcessor(
			AutowireCapableBeanFactory beanFactory) {
		return new AutowireBeanFactoryObjectPostProcessor(beanFactory);
	}

看一下AutowireBeanFactoryObjectPostProcessor


/**
 * Allows registering Objects to participate with an {@link AutowireCapableBeanFactory}'s
 * post processing of {@link Aware} methods, {@link InitializingBean#afterPropertiesSet()}
 * , and {@link DisposableBean#destroy()}.
 *
 * @author Rob Winch
 * @since 3.2
 */
final class AutowireBeanFactoryObjectPostProcessor
		implements ObjectPostProcessor<Object>, DisposableBean, SmartInitializingSingleton {
	private final Log logger = LogFactory.getLog(getClass());
	private final AutowireCapableBeanFactory autowireBeanFactory;
	private final List<DisposableBean> disposableBeans = new ArrayList<>();
	private final List<SmartInitializingSingleton> smartSingletons = new ArrayList<>();

	AutowireBeanFactoryObjectPostProcessor(
			AutowireCapableBeanFactory autowireBeanFactory) {
		Assert.notNull(autowireBeanFactory, "autowireBeanFactory cannot be null");
		this.autowireBeanFactory = autowireBeanFactory;
	}

	/*
	 * (non-Javadoc)
	 *
	 * @see
	 * org.springframework.security.config.annotation.web.Initializer#initialize(java.
	 * lang.Object)
	 */
	@SuppressWarnings("unchecked")
	public <T> T postProcess(T object) {
		if (object == null) {
			return null;
		}
		T result = null;
		try {
            //使用ioc工程，初始化这个bean，就是经过一个bean的生命周期
			result = (T) this.autowireBeanFactory.initializeBean(object,
					object.toString());
		}
		catch (RuntimeException e) {
			Class<?> type = object.getClass();
			throw new RuntimeException(
					"Could not postProcess " + object + " of type " + type, e);
		}
        //然后对这个bean自动注入
		this.autowireBeanFactory.autowireBean(object);
		if (result instanceof DisposableBean) {
			this.disposableBeans.add((DisposableBean) result);
		}
		if (result instanceof SmartInitializingSingleton) {
			this.smartSingletons.add((SmartInitializingSingleton) result);
		}
		return result;
	}

	/* (non-Javadoc)
	 * @see org.springframework.beans.factory.SmartInitializingSingleton#afterSingletonsInstantiated()
	 */
	@Override
	public void afterSingletonsInstantiated() {
		for (SmartInitializingSingleton singleton : smartSingletons) {
			singleton.afterSingletonsInstantiated();
		}
	}

	/*
	 * (non-Javadoc)
	 *
	 * @see org.springframework.beans.factory.DisposableBean#destroy()
	 */
	public void destroy() {
		for (DisposableBean disposable : this.disposableBeans) {
			try {
				disposable.destroy();
			}
			catch (Exception error) {
				this.logger.error(error);
			}
		}
	}

}

WebSecurity构建

public final class WebSecurity extends
		AbstractConfiguredSecurityBuilder<Filter, WebSecurity> implements
		SecurityBuilder<Filter>, ApplicationContextAware {
主要是把可以让一个对象经过生命周期的帮助器传进去

public WebSecurity(ObjectPostProcessor<Object> objectPostProcessor) {
		super(objectPostProcessor);
	}


    
    @SuppressWarnings({ "rawtypes", "unchecked" })
	public List<SecurityConfigurer<Filter, WebSecurity>> getWebSecurityConfigurers() {
		List<SecurityConfigurer<Filter, WebSecurity>> webSecurityConfigurers = new ArrayList<>();
		Map<String, WebSecurityConfigurer> beansOfType = beanFactory
				.getBeansOfType(WebSecurityConfigurer.class);
		for (Entry<String, WebSecurityConfigurer> entry : beansOfType.entrySet()) {
			webSecurityConfigurers.add(entry.getValue());
		}
		return webSecurityConfigurers;
	}
    
    对所有的webSecurityConfigurers进行排序操作
    webSecurityConfigurers.sort(AnnotationAwareOrderComparator.INSTANCE);

    
    去应用这些SecurityConfigurer
    	public <C extends SecurityConfigurer<O, B>> C apply(C configurer) throws Exception {
		add(configurer);
		return configurer;
	}
    
    
    开始构建监听器
    	public final O build() throws Exception {
		if (this.building.compareAndSet(false, true)) {
			this.object = doBuild();
			return this.object;
		}
		throw new AlreadyBuiltException("This object has already been built");
	}    
        
    
    @Override
	protected final O doBuild() throws Exception {
		synchronized (configurers) {
			buildState = BuildState.INITIALIZING;

			beforeInit();
			init();//如果默认使用WebSecurityConfigurerAdapter
            /*
            webSecurity只是一个规范，一层包装，具体的安全校验再Http中
            发现这里
            	public void init(final WebSecurity web) throws Exception {
		final HttpSecurity http = getHttp();
		web.addSecurityFilterChainBuilder(http).postBuildAction(() -> {
			FilterSecurityInterceptor securityInterceptor = http
					.getSharedObject(FilterSecurityInterceptor.class);
			web.securityInterceptor(securityInterceptor);
		});
	}
            */

			buildState = BuildState.CONFIGURING;

			beforeConfigure();
			configure();

			buildState = BuildState.BUILDING;

			O result = performBuild();

			buildState = BuildState.BUILT;

			return result;
		}
	}

performBuild

protected Filter performBuild() throws Exception {
		Assert.state(
				!securityFilterChainBuilders.isEmpty(),
				() -> "At least one SecurityBuilder<? extends SecurityFilterChain> needs to be specified. "
						+ "Typically this done by adding a @Configuration that extends WebSecurityConfigurerAdapter. "
						+ "More advanced users can invoke "
						+ WebSecurity.class.getSimpleName()
						+ ".addSecurityFilterChainBuilder directly");
		int chainSize = ignoredRequests.size() + securityFilterChainBuilders.size();
		List<SecurityFilterChain> securityFilterChains = new ArrayList<>(
				chainSize);
		for (RequestMatcher ignoredRequest : ignoredRequests) {
			securityFilterChains.add(new DefaultSecurityFilterChain(ignoredRequest));
		}
		for (SecurityBuilder<? extends SecurityFilterChain> securityFilterChainBuilder : securityFilterChainBuilders) {
			securityFilterChains.add(securityFilterChainBuilder.build());
		}
		FilterChainProxy filterChainProxy = new FilterChainProxy(securityFilterChains);
		if (httpFirewall != null) {
			filterChainProxy.setFirewall(httpFirewall);
		}
		filterChainProxy.afterPropertiesSet();

		Filter result = filterChainProxy;
		if (debugEnabled) {
			logger.warn("\n\n"
					+ "********************************************************************\n"
					+ "**********        Security debugging is enabled.       *************\n"
					+ "**********    This may include sensitive information.  *************\n"
					+ "**********      Do not use in a production system!     *************\n"
					+ "********************************************************************\n\n");
			result = new DebugFilter(filterChainProxy);
		}
		postBuildAction.run();
		return result;
	}

会发现使用了一层代理FilterChainProxy

@Override
	public void doFilter(ServletRequest request, ServletResponse response,
			FilterChain chain) throws IOException, ServletException {
		boolean clearContext = request.getAttribute(FILTER_APPLIED) == null;
		if (clearContext) {
			try {
				request.setAttribute(FILTER_APPLIED, Boolean.TRUE);
				doFilterInternal(request, response, chain);
			}
			finally {
				SecurityContextHolder.clearContext();
				request.removeAttribute(FILTER_APPLIED);
			}
		}
		else {
			doFilterInternal(request, response, chain);
		}
	}

	private void doFilterInternal(ServletRequest request, ServletResponse response,
			FilterChain chain) throws IOException, ServletException {

        //经历网关包装
		FirewalledRequest fwRequest = firewall
				.getFirewalledRequest((HttpServletRequest) request);
		HttpServletResponse fwResponse = firewall
				.getFirewalledResponse((HttpServletResponse) response);

		List<Filter> filters = getFilters(fwRequest);

		if (filters == null || filters.size() == 0) {
			if (logger.isDebugEnabled()) {
				logger.debug(UrlUtils.buildRequestUrl(fwRequest)
						+ (filters == null ? " has no matching filters"
								: " has an empty filter list"));
			}

			fwRequest.reset();

			chain.doFilter(fwRequest, fwResponse);

			return;
		}
		//获取实际的过滤链路
		VirtualFilterChain vfc = new VirtualFilterChain(fwRequest, chain, filters);
		vfc.doFilter(fwRequest, fwResponse);
	}


//获取过滤链
private List<Filter> getFilters(HttpServletRequest request) {
		for (SecurityFilterChain chain : filterChains) {
			if (chain.matches(request)) {
				return chain.getFilters();
			}
		}

		return null;
	}

HttpSecurity构建


@SuppressWarnings({ "rawtypes", "unchecked" })
	protected final HttpSecurity getHttp() throws Exception {
		if (http != null) {
			return http;
		}
        //获取身份认证的一个事件发布器

		AuthenticationEventPublisher eventPublisher = getAuthenticationEventPublisher();
        //本地身份认证管理生成器设置指定发布器
		localConfigureAuthenticationBldr.authenticationEventPublisher(eventPublisher);
//认证管理器
		AuthenticationManager authenticationManager = authenticationManager();
		authenticationBuilder.parentAuthenticationManager(authenticationManager);
		Map<Class<?>, Object> sharedObjects = createSharedObjects();

		http = new HttpSecurity(objectPostProcessor, authenticationBuilder,
				sharedObjects);
		if (!disableDefaults) {
			// @formatter:off
			http
				.csrf().and()
				.addFilter(new WebAsyncManagerIntegrationFilter())
				.exceptionHandling().and()
				.headers().and()
				.sessionManagement().and()
				.securityContext().and()
				.requestCache().and()
				.anonymous().and()
				.servletApi().and()
				.apply(new DefaultLoginPageConfigurer<>()).and()
				.logout();
			// @formatter:on
			ClassLoader classLoader = this.context.getClassLoader();
			List<AbstractHttpConfigurer> defaultHttpConfigurers =
					SpringFactoriesLoader.loadFactories(AbstractHttpConfigurer.class, classLoader);

			for (AbstractHttpConfigurer configurer : defaultHttpConfigurers) {
				http.apply(configurer);
			}
		}
		configure(http);
		return http;
        
	}

然后httpSecurity又会添加很多的Configuer，这些configuer又可以init和config

展开全文 >>

framework/SpringSecurity/SpringSecurity基础

2020-09-04

SpringSecurity基础

Jwt Java web token

SSO

单点登录 Single sign on

Session共享

Oauth

OAuth 再客户端与服务器提供商之间，设置了一个授权层（authorization layer），客户端不能直接登录服务提供商，只能登录授权层，已此将用户与客户端区分开来，客户端登录授权所用令牌（token），与用户密码不同，用户可以再登录的时候，指定授权层令牌范围和有效期

Spring Social

Spring Session

JWT

OpenID

别人系统鉴权时使用

CAS

权限认证

CSRF

伪装请求

token，权限认证

XSS

就是普通用户式的流量攻击

跨站点脚本攻击

攻击安全与防御

使用

<dependency>
    <groupId>org.springframework.boot</groupId>
    <artifactId>spring-boot-starter-security</artifactId>
</dependency>


@Configuration
@EnableWebSecurity
public class SecurityConfig extends WebSecurityConfigurerAdapter {

    @Override
    protected void configure(HttpSecurity http) throws Exception {

        // xml形式的配置
        //父标签
        http
                //开启一个子标签
                .authorizeRequests()
                //配置子标签属性
                .antMatchers().denyAll()
                //子标签闭合
                .and()
                // 新的子标签
                .csrf()
                //属性配置
                .ignoringAntMatchers("ss")
                //闭合
                .and();

    }
}


防止csrf   post ，禁止外联（token）token不能写到cookie，写到页面

密码安全

MD5，cpu太快可以暴力破解

MD5（明文+加盐）

MD5（明文+随机盐）

MD5 （MD5+真随机数）

DDOS攻击就是占用资源式的攻击

有几种情况：

第一次握手，但是不响应服务端，资源占用

三次握手完成，但是不想服务端发送任何数据，使得连接保持

防：连接占用后，指定时间内没收到信息，取消连接

tcp协议，判断客户端发出第一次握手后，指定时间没有收到客户端第二次响应，于是断开

展开全文 >>

framework/shiro/Shiro

2020-09-04

Shiro

Shiro是java的一个安全框架，目前，使用Apache Shiro的人越来越多，因为他相当简单，对比Spring Security，可能没有Spring Security强大，但是实际工作中不需要那么复杂的东西，所以使用小而简单的Shiro就足够了

Authentication ，Authorization

Session Manager ， Cryptography

Web Support，caching

concurrency ，testing，run as ，Remenber me

Realm ：域，Shiro从Realm获取安全数据（用户，角色，权限），就是说SecurityManager要验证用户身份，那么需要从realm获取对应的用户进行比较，可以把realm看成DataSource，安全数据源

展开全文 >>