1. Preface
We previously analyzed the details of the initialization of AuthenticationManager
, and there was a piece of code in it that caught the attention of many people.
How does the above get the Spring application context object ApplicationContext
directly from the HttpSecurity
object? And what is the concept of SharedObject? Let’s figure this out today.
2. SharedObject
In Spring Security SharedObject is neither an object nor an interface, but a generic term for a class of “sharable” objects.
As the name implies, SharedObject means a shareable object. What it does is if there are objects that you want to share in different scope configurations, you turn those objects into SharedObject, which is a bit of a distributed object. To make it easier for you to understand, here is the architecture.
An implementation class of AbstractConfiguredSecurityBuilder
or HttpSecurityBuilder
has the ability to manipulate SharedObject. One is to register SharedObject and the other is to get SharedObject.
Registration of SharedObject
A SharedObject is stored in a HashMap<Class<? >,Object>
, see the HttpSecurity
source code for details. Its registration is divided into two parts, the first is HttpSecurity
initialization when assembled into. Let’s take a look.
The familiar AuthenticationManagerBuilder
is shared here.
There is also a part that is registered during the initialization of all HttpSecurityBuilder
objects. It is initialized and configured by the SecurityConfigurer
.
The above two methods are used to initialize and configure HttpSecurityBuilder
respectively. For example, the familiar WebSecurityConfigurerAdapter
is used to configure HttpSecurity
, and we can find the relevant code in its init
method.
|
|
This is the fundamental reason why I could get ApplicationContext
at the beginning of the article.
Getting and using SharedObject
What classes can we get that are marked as SharedObject? There are many implementations of SecurityConfigurer
that are used to configure specific authentication-related functions. For example, OAuth2ClientConfigurer
is used to configure the OAuth2 client, and it sets some common objects as SharedObject.
|
|
When you need to use ClientRegistrationRepository
elsewhere in the HttpSecurity
configuration, you can get it directly through getSharedObject
, just like at the beginning of the article, without having to write some methods to get it.
3. Summary
SharedObject is a very useful feature provided by Spring Security, if you need to reuse an object in different places you can register it as a SharedObject or even inject it directly into Spring IoC and get it like at the beginning. This feature simplifies configuration, improves code readability, and provides the foundation for Spring Security’s DSL feature.
Reference https://felord.cn/spring-security-shared-object.html