概述
介绍
作为一个配置 HttpSecurity 的 SecurityConfigurer，AnonymousConfigurer 的配置任务如下：
- 配置如下安全过滤器（Filter）：AnonymousAuthenticationFilter
- 增加一个 AnonymousAuthenticationProvider，实际上是把它添加到目标 HttpSecurity 的共享对象 AuthenticationManagerBuilder 上，专门用于匿名认证。
缺省情况下，AnonymousConfigurer 是启用的。也就是说，即使用户未登录就访问某个页面，SecurityContextHolder 中也会持有一个 Authentication，只不过这个 Authentication 是一个 AnonymousAuthenticationToken。这么做的目的主要是为了方便使用者：即使用户未登录，使用者从 SecurityContextHolder 获得的 Authentication 也不会是 null。而在概念和语义上，"匿名认证用户"和"未认证的用户"这二者并无区别。
继承关系
使用
// HttpSecurity 代码片段
public AnonymousConfigurer<HttpSecurity> anonymous() throws Exception {
    // getOrApply is defined outside this snippet; presumably it returns the configurer
    // already registered on this builder, or registers this fresh one — verify in HttpSecurity.
    AnonymousConfigurer<HttpSecurity> configurer = new AnonymousConfigurer<>();
    return getOrApply(configurer);
}
源代码
源代码版本 Spring Security Config 5.1.4.RELEASE
package org.springframework.security.config.annotation.web.configurers;
// 省略 imports
public final class AnonymousConfigurer<H extends HttpSecurityBuilder<H>> extends
        AbstractHttpConfigurer<AnonymousConfigurer<H>, H> {

    /** Principal placed in the anonymous {@code Authentication} unless {@link #principal(Object)} is called. */
    private static final String DEFAULT_PRINCIPAL = "anonymousUser";

    /** Sole authority granted to anonymous users unless one of the {@code authorities(...)} setters is called. */
    private static final String DEFAULT_AUTHORITY = "ROLE_ANONYMOUS";

    // Shared secret handed to both the provider and the filter built in init(H).
    // Stays null until resolveKey() is first needed, unless supplied via key(String).
    private String key;

    // Either supplied by the user or created in init(H); never both.
    private AuthenticationProvider authenticationProvider;
    private AnonymousAuthenticationFilter authenticationFilter;

    private Object principal = DEFAULT_PRINCIPAL;
    private List<GrantedAuthority> authorities = AuthorityUtils.createAuthorityList(DEFAULT_AUTHORITY);

    /**
     * Creates a configurer with the default principal, the default authority list and a
     * key that is generated lazily on first use.
     *
     * @see HttpSecurity#anonymous()
     */
    public AnonymousConfigurer() {
    }

    /**
     * Sets the key that identifies tokens created for anonymous authentication. The same
     * value is passed to both the {@code AnonymousAuthenticationProvider} and the
     * {@code AnonymousAuthenticationFilter} created in {@code init(H)}, so it should be
     * treated as a secret rather than a fixed, guessable string. When not set, a
     * random UUID is generated on first use.
     *
     * @param key the key to identify tokens created for anonymous authentication
     * @return this configurer for further customization of anonymous authentication
     */
    public AnonymousConfigurer<H> key(String key) {
        this.key = key;
        return this;
    }

    /**
     * Sets the principal used for the {@code Authentication} of anonymous users.
     *
     * @param principal the principal of anonymous users (default {@code "anonymousUser"})
     * @return this configurer for further customization of anonymous authentication
     */
    public AnonymousConfigurer<H> principal(Object principal) {
        this.principal = principal;
        return this;
    }

    /**
     * Sets the authorities ({@code Authentication#getAuthorities()}) granted to anonymous
     * users. The list is stored as given, not copied, so later changes by the caller are
     * visible to the filter built in {@code init(H)}.
     *
     * @param authorities the authorities of anonymous users (default {@code ROLE_ANONYMOUS})
     * @return this configurer for further customization of anonymous authentication
     */
    public AnonymousConfigurer<H> authorities(List<GrantedAuthority> authorities) {
        this.authorities = authorities;
        return this;
    }

    /**
     * Sets the authorities granted to anonymous users from their string names.
     *
     * @param authorities authority names such as {@code "ROLE_ANONYMOUS"}
     * @return this configurer for further customization of anonymous authentication
     */
    public AnonymousConfigurer<H> authorities(String... authorities) {
        this.authorities = AuthorityUtils.createAuthorityList(authorities);
        return this;
    }

    /**
     * Supplies the {@code AuthenticationProvider} used to validate an anonymous user.
     * When set, {@code init(H)} uses it as-is: the key configured here is not applied to it.
     *
     * @param authenticationProvider the provider to use (default {@code AnonymousAuthenticationProvider})
     * @return this configurer for further customization of anonymous authentication
     */
    public AnonymousConfigurer<H> authenticationProvider(
            AuthenticationProvider authenticationProvider) {
        this.authenticationProvider = authenticationProvider;
        return this;
    }

    /**
     * Supplies the {@code AnonymousAuthenticationFilter} used to populate an anonymous user.
     * When set, {@code init(H)} uses it as-is: key, principal and authorities configured
     * here are not applied to it.
     *
     * @param authenticationFilter the filter to use
     * @return this configurer for further customization of anonymous authentication
     */
    public AnonymousConfigurer<H> authenticationFilter(
            AnonymousAuthenticationFilter authenticationFilter) {
        this.authenticationFilter = authenticationFilter;
        return this;
    }

    /**
     * Builds whichever of the provider and filter was not supplied, then registers the
     * (post-processed) provider with the builder. Both default components receive the
     * same key from {@link #resolveKey()}.
     *
     * @param http the builder being configured
     * @throws Exception propagated from {@code postProcess}/{@code authenticationProvider}
     */
    @Override
    public void init(H http) throws Exception {
        AuthenticationProvider provider = this.authenticationProvider;
        if (provider == null) {
            provider = new AnonymousAuthenticationProvider(resolveKey());
        }
        if (this.authenticationFilter == null) {
            this.authenticationFilter = new AnonymousAuthenticationFilter(
                    resolveKey(), this.principal, this.authorities);
        }
        this.authenticationProvider = postProcess(provider);
        http.authenticationProvider(this.authenticationProvider);
    }

    /**
     * Finalizes the filter and adds it to the builder. Expects {@link #init(HttpSecurityBuilder)}
     * to have run first, since the filter is created there when none was supplied.
     *
     * @param http the builder being configured
     * @throws Exception propagated from {@code afterPropertiesSet}
     */
    @Override
    public void configure(H http) throws Exception {
        this.authenticationFilter.afterPropertiesSet();
        http.addFilter(this.authenticationFilter);
    }

    /**
     * Returns the configured key, generating a random UUID on first call when none was set.
     * {@code UUID.randomUUID()} draws from a {@code SecureRandom}, which is what makes the
     * default key unpredictable.
     */
    private String resolveKey() {
        if (this.key == null) {
            this.key = UUID.randomUUID().toString();
        }
        return this.key;
    }
}