springboot reactive servle 安全

最新推荐文章于 2025-03-25 15:13:18 发布

原创最新推荐文章于 2025-03-25 15:13:18 发布 · 635 阅读

0 ·

CC 4.0 BY-SA版权

文章标签：

#spring boot #java #后端

spring boot 专栏收录该内容

74 篇文章

订阅专栏

SpringSecurity，shiro 技术的是支持对应的安全架构分析模式:如下：
源码如下：

public abstract class ApplicationContextServerWebExchangeMatcher<C> implements ServerWebExchangeMatcher {

	private final Class<? extends C> contextClass;

	private volatile Supplier<C> context;

	private final Object contextLock = new Object();

	public ApplicationContextServerWebExchangeMatcher(Class<? extends C> contextClass) {
		Assert.notNull(contextClass, "Context class must not be null");
		this.contextClass = contextClass;
	}

	@Override
	public final Mono<MatchResult> matches(ServerWebExchange exchange) {
		if (ignoreApplicationContext(exchange.getApplicationContext())) {
			return MatchResult.notMatch();
		}
		return matches(exchange, getContext(exchange));
	}

	/**
	 * Decides whether the rule implemented by the strategy matches the supplied exchange.
	 * @param exchange the source exchange
	 * @param context a supplier for the initialized context (may throw an exception)
	 * @return if the exchange matches
	 */
	protected abstract Mono<MatchResult> matches(ServerWebExchange exchange, Supplier<C> context);

	/**
	 * Returns if the {@link ApplicationContext} should be ignored and not used for
	 * matching. If this method returns {@code true} then the context will not be used and
	 * the {@link #matches(ServerWebExchange) matches} method will return {@code false}.
	 * @param applicationContext the candidate application context
	 * @return if the application context should be ignored
	 * @since 2.2.5
	 */
	protected boolean ignoreApplicationContext(ApplicationContext applicationContext) {
		return false;
	}

	protected Supplier<C> getContext(ServerWebExchange exchange) {
		if (this.context == null) {
			synchronized (this.contextLock) {
				if (this.context == null) {
					Supplier<C> createdContext = createContext(exchange);
					initialized(createdContext);
					this.context = createdContext;
				}
			}
		}
		return this.context;
	}

	/**
	 * Called once the context has been initialized.
	 * @param context a supplier for the initialized context (may throw an exception)
	 */
	protected void initialized(Supplier<C> context) {
	}

	@SuppressWarnings("unchecked")
	private Supplier<C> createContext(ServerWebExchange exchange) {
		ApplicationContext context = exchange.getApplicationContext();
		Assert.state(context != null, "No ApplicationContext found on ServerWebExchange.");
		if (this.contextClass.isInstance(context)) {
			return () -> (C) context;
		}
		return () -> context.getBean(this.contextClass);
	}

}

这里实现了2个工具类：

public abstract class ApplicationContextRequestMatcher<C> implements RequestMatcher {

	private final Class<? extends C> contextClass;

	private volatile boolean initialized;

	private final Object initializeLock = new Object();

	public ApplicationContextRequestMatcher(Class<? extends C> contextClass) {
		Assert.notNull(contextClass, "Context class must not be null");
		this.contextClass = contextClass;
	}

	@Override
	public final boolean matches(HttpServletRequest request) {
		WebApplicationContext webApplicationContext = WebApplicationContextUtils
				.getRequiredWebApplicationContext(request.getServletContext());
		if (ignoreApplicationContext(webApplicationContext)) {
			return false;
		}
		Supplier<C> context = () -> getContext(webApplicationContext);
		if (!this.initialized) {
			synchronized (this.initializeLock) {
				if (!this.initialized) {
					initialized(context);
					this.initialized = true;
				}
			}
		}
		return matches(request, context);
	}

	@SuppressWarnings("unchecked")
	private C getContext(WebApplicationContext webApplicationContext) {
		if (this.contextClass.isInstance(webApplicationContext)) {
			return (C) webApplicationContext;
		}
		return webApplicationContext.getBean(this.contextClass);
	}

	/**
	 * Returns if the {@link WebApplicationContext} should be ignored and not used for
	 * matching. If this method returns {@code true} then the context will not be used and
	 * the {@link #matches(HttpServletRequest) matches} method will return {@code false}.
	 * @param webApplicationContext the candidate web application context
	 * @return if the application context should be ignored
	 * @since 2.1.8
	 */
	protected boolean ignoreApplicationContext(WebApplicationContext webApplicationContext) {
		return false;
	}

	/**
	 * Method that can be implemented by subclasses that wish to initialize items the
	 * first time that the matcher is called. This method will be called only once and
	 * only if {@link #ignoreApplicationContext(WebApplicationContext)} returns
	 * {@code false}. Note that the supplied context will be based on the
	 * <strong>first</strong> request sent to the matcher.
	 * @param context a supplier for the initialized context (may throw an exception)
	 * @see #ignoreApplicationContext(WebApplicationContext)
	 */
	protected void initialized(Supplier<C> context) {
	}

	/**
	 * Decides whether the rule implemented by the strategy matches the supplied request.
	 * @param request the source request
	 * @param context a supplier for the initialized context (may throw an exception)
	 * @return if the request matches
	 */
	protected abstract boolean matches(HttpServletRequest request, Supplier<C> context);

}