概述
介绍
作为一个配置HttpSecurity
的SecurityConfigurer
,ServletApiConfigurer
的配置任务如下 :
- 配置如下安全过滤器
Filter
SecurityContextHolderAwareRequestFilter
- 过滤器的属性
authenticationManager
来自共享对象AuthenticationManager
- 过滤器的属性
authenticationEntryPoint
来自配置器ExceptionHandlingConfigurer
的设置值,否则缺省为null
- 过滤器的属性
logoutHandlers
来自配置器LogoutConfigurer
的设置值,否则缺省为null
- 过滤器的属性
trustResolver
来自共享对象AuthenticationTrustResolver
,否则缺省为AuthenticationTrustResolverImpl
- 过滤器的属性
rolePrefix
来自类型为GrantedAuthorityDefaults
的bean
,仅当容器中恰好存在一个该类型的bean时才会使用(此时会覆盖通过rolePrefix(...)显式设置的值);否则使用rolePrefix(...)的设置值,缺省为ROLE_
- 过滤器的属性
继承关系
使用
// Excerpt from the HttpSecurity source
/**
 * Creates a new {@link ServletApiConfigurer} and passes it to {@code getOrApply},
 * returning whatever that call yields.
 *
 * @return the configurer returned by {@code getOrApply}
 * @throws Exception propagated from {@code getOrApply}
 */
public ServletApiConfigurer<HttpSecurity> servletApi() throws Exception {
    // NOTE(review): getOrApply is not shown in this excerpt; by its name it presumably
    // reuses an already-registered configurer of this type - confirm against HttpSecurity.
    ServletApiConfigurer<HttpSecurity> configurer = new ServletApiConfigurer<>();
    return getOrApply(configurer);
}
源代码
源代码版本 Spring Security Config 5.1.4.RELEASE
package org.springframework.security.config.annotation.web.configurers;
// 省略 imports
/**
 * Configurer that populates a {@link SecurityContextHolderAwareRequestFilter} and adds it
 * to the builder it is applied to.
 *
 * <p>The filter's collaborators are gathered in {@link #configure(HttpSecurityBuilder)}:
 * the {@link AuthenticationManager} and {@link AuthenticationTrustResolver} come from the
 * builder's shared objects, the {@link AuthenticationEntryPoint} from an
 * {@link ExceptionHandlingConfigurer}, the {@link LogoutHandler}s from a
 * {@link LogoutConfigurer}, and the role prefix from a {@link GrantedAuthorityDefaults}
 * bean when exactly one is defined.
 *
 * @param <H> the type of builder being configured
 */
public final class ServletApiConfigurer<H extends HttpSecurityBuilder<H>> extends
        AbstractHttpConfigurer<ServletApiConfigurer<H>, H> {

    // Not final: configure(H) replaces it with the instance returned by postProcess(...).
    private SecurityContextHolderAwareRequestFilter securityContextRequestFilter =
            new SecurityContextHolderAwareRequestFilter();

    /**
     * Creates a new instance
     * @see HttpSecurity#servletApi()
     */
    public ServletApiConfigurer() {
    }

    /**
     * Forwards the given role prefix to the underlying filter.
     *
     * <p>Security note: {@link #configure(HttpSecurityBuilder)} sets the prefix again when
     * the {@link ApplicationContext} holds exactly one {@link GrantedAuthorityDefaults}
     * bean, so a value supplied here is overwritten in that case. Keep the two in
     * agreement, otherwise role checks made through the wrapped request may use a
     * different prefix than the one configured here.
     *
     * @param rolePrefix the prefix to hand to the filter
     * @return this configurer, for chaining
     */
    public ServletApiConfigurer<H> rolePrefix(String rolePrefix) {
        securityContextRequestFilter.setRolePrefix(rolePrefix);
        return this;
    }

    /**
     * Wires the filter's collaborators from the builder and registers the filter.
     *
     * @param http the builder that supplies shared objects and sibling configurers
     * @throws Exception if looking up a collaborator or registering the filter fails
     */
    @Override
    @SuppressWarnings("unchecked")
    public void configure(H http) throws Exception {
        AuthenticationManager manager = http.getSharedObject(AuthenticationManager.class);
        securityContextRequestFilter.setAuthenticationManager(manager);

        // The entry point stays null when no ExceptionHandlingConfigurer is registered.
        // NOTE(review): what the filter does with a null entry point is not visible in
        // this file - confirm in SecurityContextHolderAwareRequestFilter.
        ExceptionHandlingConfigurer<H> exceptionHandling =
                http.getConfigurer(ExceptionHandlingConfigurer.class);
        AuthenticationEntryPoint entryPoint = null;
        if (exceptionHandling != null) {
            entryPoint = exceptionHandling.getAuthenticationEntryPoint(http);
        }
        securityContextRequestFilter.setAuthenticationEntryPoint(entryPoint);

        // Likewise, the handler list is null when no LogoutConfigurer is registered.
        LogoutConfigurer<H> logout = http.getConfigurer(LogoutConfigurer.class);
        List<LogoutHandler> handlers = null;
        if (logout != null) {
            handlers = logout.getLogoutHandlers();
        }
        securityContextRequestFilter.setLogoutHandlers(handlers);

        // Only override the trust resolver when one was shared; otherwise the filter
        // keeps whatever it was constructed with.
        AuthenticationTrustResolver sharedTrustResolver =
                http.getSharedObject(AuthenticationTrustResolver.class);
        if (sharedTrustResolver != null) {
            securityContextRequestFilter.setTrustResolver(sharedTrustResolver);
        }

        // A GrantedAuthorityDefaults bean is applied only when exactly one is defined;
        // with zero or several beans the prefix already held by the filter is left
        // untouched. When applied, it replaces any value set through rolePrefix(String).
        ApplicationContext context = http.getSharedObject(ApplicationContext.class);
        String[] defaultsBeanNames = context == null
                ? new String[0]
                : context.getBeanNamesForType(GrantedAuthorityDefaults.class);
        if (defaultsBeanNames.length == 1) {
            GrantedAuthorityDefaults defaults =
                    context.getBean(defaultsBeanNames[0], GrantedAuthorityDefaults.class);
            securityContextRequestFilter.setRolePrefix(defaults.getRolePrefix());
        }

        // postProcess may hand back a different instance, so register its result.
        securityContextRequestFilter = postProcess(securityContextRequestFilter);
        http.addFilter(securityContextRequestFilter);
    }
}