• SecurityAutoConfiguration是SpringSecurity最重要的一个自动配置类
• 像以前版本的教程说要在启动类上配@EnableWebSecurity，现在也是由这个自动配置类负责引入
• 分析一 已经介绍了DefaultAuthenticationEventPublisher，所以说重点就只有使用@Import导入的三个类 , SpringBootWebSecurityConfiguration, WebSecurityEnablerConfiguration, SecurityDataConfiguration

@Configuration(proxyBeanMethods = false)
@ConditionalOnClass(DefaultAuthenticationEventPublisher.class)
@EnableConfigurationProperties(SecurityProperties.class)
@Import({ SpringBootWebSecurityConfiguration.class, WebSecurityEnablerConfiguration.class,
      SecurityDataConfiguration.class })
public class SecurityAutoConfiguration {

   /**
    * 注册一个 {@link DefaultAuthenticationEventPublisher}
    * <li>是为了在认证成功或者失败的时候能够发布对于的事件</li>
    * @param publisher
    * @return
    */
   @Bean
   @ConditionalOnMissingBean(AuthenticationEventPublisher.class)
   public DefaultAuthenticationEventPublisher authenticationEventPublisher(ApplicationEventPublisher publisher) {
      return new DefaultAuthenticationEventPublisher(publisher);
   }

}

1、SpringBootWebSecurityConfiguration

• 从源码能看出当容器中没有类型为WebSecurityConfigurerAdapter的Bean的时候并且当前环境为Serviet的情况下，会往容器中注册一个DefaultConfigurerAdapter
• 这个类就是对于SpringSecurity的过滤器链做一个默认配置，比如说开启CSRF、Session管理、默认登录登出页等等

@Configuration(proxyBeanMethods = false)
@ConditionalOnClass(WebSecurityConfigurerAdapter.class)
@ConditionalOnMissingBean(WebSecurityConfigurerAdapter.class)
@ConditionalOnWebApplication(type = Type.SERVLET)
public class SpringBootWebSecurityConfiguration {

   @Configuration(proxyBeanMethods = false)
   @Order(SecurityProperties.BASIC_AUTH_ORDER)
   static class DefaultConfigurerAdapter extends WebSecurityConfigurerAdapter {

   }

}

2、WebSecurityEnablerConfiguration

• 此类的核心就是导入了@EnableWebSecurity

@Configuration(proxyBeanMethods = false)
@ConditionalOnBean(WebSecurityConfigurerAdapter.class)
@ConditionalOnMissingBean(name = BeanIds.SPRING_SECURITY_FILTER_CHAIN)
@ConditionalOnWebApplication(type = ConditionalOnWebApplication.Type.SERVLET)
@EnableWebSecurity
public class WebSecurityEnablerConfiguration {

}

• @EnableWebSecurity先是导入了三个类
  • WebSecurityConfiguration：使用WebSecurity创建FilterChainProxy，这是注册到Tomcat容器中的过滤器链
  • SpringWebMvcImportSelector：有关于一些SpringSecurity的参数可以借助SrpingMVC的参数解析功能进行获取的，正是因为这里注册了某些参数解析器
  • OAuth2ImportSelector：注册一些OAuth2的类

@Retention(value = java.lang.annotation.RetentionPolicy.RUNTIME)
@Target(value = { java.lang.annotation.ElementType.TYPE })
@Documented
@Import({ WebSecurityConfiguration.class,
      SpringWebMvcImportSelector.class,
      OAuth2ImportSelector.class })
@EnableGlobalAuthentication
@Configuration
public @interface EnableWebSecurity {

   /**
    * Controls debugging support for Spring Security. Default is false.
    * @return if true, enables debug support with Spring Security
    */
   boolean debug() default false;
}

• 后又标记了一个@EnableGlobalAuthentication，紧接着导入了AuthenticationConfiguration
• 而这个AuthenticationConfiguration是全局认证管理器的配置类，而认证管理器也就是整个认证的入口

@Retention(RetentionPolicy.RUNTIME)
@Target(ElementType.TYPE)
@Documented
@Import(AuthenticationConfiguration.class)
@Configuration
public @interface EnableGlobalAuthentication {

}

3、SecurityDataConfiguration

• 自动添加Spring Security与Spring Data的集成

@Configuration(proxyBeanMethods = false)
@ConditionalOnClass(SecurityEvaluationContextExtension.class)
public class SecurityDataConfiguration {

   @Bean
   @ConditionalOnMissingBean
   public SecurityEvaluationContextExtension securityEvaluationContextExtension() {
      return new SecurityEvaluationContextExtension();
   }

}