SpringSecurity: 默认添加的15个Filter是怎么添加进去的?

总的流程分为两部分，一是先用Map把configurer收集起来，然后再把maper中所有的configurer应用到HttpSecurity对象。

其中的map位于AbstractConfiguredSecurityBuilder这个类。

    private final LinkedHashMap<Class<? extends SecurityConfigurer<O, B>>, List<SecurityConfigurer<O, B>>> configurers;

configurer添加分为两部分，都通过WebSecurityConfigurerAdapter的init方法来实现，

    public void init(WebSecurity web) throws Exception {HttpSecurity http = this.getHttp();web.addSecurityFilterChainBuilder(http).postBuildAction(() -> {FilterSecurityInterceptor securityInterceptor = (FilterSecurityInterceptor)http.getSharedObject(FilterSecurityInterceptor.class);web.securityInterceptor(securityInterceptor);});}

其中init方法会调用的 protected final HttpSecurity getHttp() throws Exception方法：

    protected final HttpSecurity getHttp() throws Exception {if (this.http != null) {return this.http;} else {AuthenticationEventPublisher eventPublisher = this.getAuthenticationEventPublisher();this.localConfigureAuthenticationBldr.authenticationEventPublisher(eventPublisher);AuthenticationManager authenticationManager = this.authenticationManager();this.authenticationBuilder.parentAuthenticationManager(authenticationManager);Map<Class<?>, Object> sharedObjects = this.createSharedObjects();this.http = new HttpSecurity(this.objectPostProcessor, this.authenticationBuilder, sharedObjects);if (!this.disableDefaults) {//添加第一部分configurerthis.applyDefaultConfiguration(this.http);ClassLoader classLoader = this.context.getClassLoader();List<AbstractHttpConfigurer> defaultHttpConfigurers = SpringFactoriesLoader.loadFactories(AbstractHttpConfigurer.class, classLoader);Iterator var6 = defaultHttpConfigurers.iterator();while(var6.hasNext()) {AbstractHttpConfigurer configurer = (AbstractHttpConfigurer)var6.next();this.http.apply(configurer);}}//这句代码调用本类中的configure方法继续添加configurerthis.configure(this.http);return this.http;}}

该方法中执行了this.applyDefaultConfiguration(this.http)，其代码为：

   private void applyDefaultConfiguration(HttpSecurity http) throws Exception {http.csrf();http.addFilter(new WebAsyncManagerIntegrationFilter());http.exceptionHandling();http.headers();http.sessionManagement();http.securityContext();http.requestCache();http.anonymous();http.servletApi();http.apply(new DefaultLoginPageConfigurer());http.logout();}

另一部分是通过WebSecurityConfigurerAdapter的config方法添加的configurer

    protected void configure(HttpSecurity http) throws Exception {this.logger.debug("Using default configure(HttpSecurity). If subclassed this will potentially override subclass configure(HttpSecurity).");http.authorizeRequests((requests) -> {((AuthorizedUrl)requests.anyRequest()).authenticated();});http.formLogin();http.httpBasic();}

至此，configurers填充完毕。

AbstractConfigedSecurityBuilder的private void configure() throws Exception
这个方法会遍历之前填充好的configurer,将其应用到HttpSecurity对象，也就是添加了Fliter

   private void configure() throws Exception {Collection<SecurityConfigurer<O, B>> configurers = this.getConfigurers();Iterator var2 = configurers.iterator();while(var2.hasNext()) {SecurityConfigurer<O, B> configurer = (SecurityConfigurer)var2.next();configurer.configure(this);}}

该方法的循环体执行完成后HttpSecurity对象就包含了15个过滤器。

以上是使用Spring Security5进行的分析。
Spring Security 6使用AuthorizationFilter取代了FilterSecurityInterceptor