原文出自  https://spring.io/guides/topicals/spring-security-architecture

Spring Security Architecture

　　This guide is a primer for Spring Security, offering insight into the design and basic building blocks of the framework. We only cover the very basics of application security but in doing so we can clear up some of the confusion experienced by developers using Spring Security. To do this we take a look at the way security is applied in web applications using filters and more generally using method annotations. Use this guide when you need to understand at a high level how a secure application works, and how it can be customized, or if you just need to learn how to think about application security.

本指南是Spring Security的入门读物，提供对框架设计和基本构建块的深入了解。我们只介绍应用程序安全性的基础知识，但这样做可以清除开发人员使用Spring Security时遇到的一些困惑。为此，我们将介绍使用过滤器在Web应用程序中应用安全性的方式，更常见的是使用方法注释。当您需要从高层次了解安全应用程序如何工作，如何自定义，或者您只需要学习如何考虑应用程序安全性时，请使用本指南。

This guide is not intended as a manual or recipe for solving more than the most basic problems (there are other sources for those), but it could be useful for beginners and experts alike. Spring Boot is also referred to a lot because it provides some default behaviour for a secure application and it can be useful to understand how that fits in with the overall architecture. All of the principles apply equally well to applications that do not use Spring Boot.

本指南不是作为解决超过最基本问题的手册或配方（还有其他来源），但它对初学者和专家都很有用。 Spring Boot也引用了很多，因为它为安全应用程序提供了一些默认行为，了解它如何适应整体架构非常有用。所有原则同样适用于不使用Spring Boot的应用程序。

Authentication and Access Control

Application security boils down to two more or less independent problems: authentication (who are you?) and authorization (what are you allowed to do?). Sometimes people say "access control" instead of "authorization" which can get confusing, but it can be helpful to think of it that way because "authorization" is overloaded in other places. Spring Security has an architecture that is designed to separate authentication from authorization, and has strategies and extension points for both.　　

应用程序安全性可归结为两个或多或少独立的问题：身份验证（您是谁？）和授权（您可以做什么？）。有时候人们会说“访问控制”而不是“授权”，这会让人感到困惑，但是因为“授权”在其他地方过载会有所帮助。 Spring Security的架构旨在将身份验证与授权分开，并为两者提供策略和扩展点。

Authentication

The main strategy interface for authentication is AuthenticationManager which only has one method:

身份验证的主要策略接口是 AuthenticationManager ，它只有一个方法：

public interface AuthenticationManager {
  Authentication authenticate(Authentication authentication)
    throws AuthenticationException;
}

An AuthenticationManager can do one of 3 things in its authenticate()method:

AuthenticationManager可以在authenticate（）方法中执行以下三种操作之一：

1、return an Authentication (normally with authenticated=true) if it can verify that the input represents a valid principal.

1、如果它可以验证输入是否代表有效的主体，则返回身份验证（通常使用authenticated = true）。

2、throw an AuthenticationException if it believes that the input represents an invalid principal.

2、如果它认为输入表示无效的主体，则抛出AuthenticationException。

3、return  null  if it can’t decide.

3、如果无法决定，则返回null。

AuthenticationException is a runtime exception. It is usually handled by an application in a generic way, depending on the style or purpose of the application. In other words user code is not normally expected to catch and handle it. For example, a web UI will render a page that says that the authentication failed, and a backend HTTP service will send a 401 response, with or without a WWW-Authenticate header depending on the context.

AuthenticationException是运行时异常。它通常由应用程序以通用方式处理，具体取决于应用程序的样式或目的。换句话说，通常不希望用户代码捕获并处理它。例如，Web UI将呈现一个页面，表明身份验证失败，后端HTTP服务将发送401响应，具有或不具有WWW-Authenticate标头，具体取决于上下文。

The most commonly used implementation of AuthenticationManager is ProviderManager, which delegates to a chain of AuthenticationProvider instances. An AuthenticationProvider is a bit like an AuthenticationManager but it has an extra method to allow the caller to query if it supports a given Authentication type:

AuthenticationManager最常用的实现是ProviderManager，它委托一系列AuthenticationProvider实例。 AuthenticationProvider有点像AuthenticationManager，但它有一个额外的方法允许调用者查询它是否支持给定的身份验证类型：

public interface AuthenticationProvider {

	Authentication authenticate(Authentication authentication)
			throws AuthenticationException;

	boolean supports(Class<?> authentication);

}

The Class<?> argument in the supports() method is really Class<? extends Authentication> (it will only ever be asked if it supports something that will be passed into the authenticate() method). A ProviderManager can support multiple different authentication mechanisms in the same application by delegating to a chain of AuthenticationProviders. If a ProviderManager doesn’t recognise a particular Authentication instance type it will be skipped.

supports（）方法中的Class <？>参数实际上是Class <？扩展身份验证>（只会询问它是否支持将传递给authenticate（）方法的内容）。通过委派给AuthenticationProviders链，ProviderManager可以在同一个应用程序中支持多种不同的身份验证机制。如果ProviderManager无法识别特定的身份验证实例类型，则会跳过它。

A ProviderManager has an optional parent, which it can consult if all providers return null. If the parent is not available then a null Authentication results in an AuthenticationException.

ProviderManager有一个可选的父级，如果所有提供者都返回null，它可以查询。如果父级不可用，则null验证会导致AuthenticationException。

Sometimes an application has logical groups of protected resources (e.g. all web resources that match a path pattern /api/**), and each group can have its own dedicated AuthenticationManager. Often, each of those is a ProviderManager, and they share a parent. The parent is then a kind of "global" resource, acting as a fallback for all providers.

有时，应用程序具有受保护资源的逻辑组（例如，与路径模式/ api / **匹配的所有Web资源），并且每个组可以具有其自己的专用AuthenticationManager。通常，每个都是ProviderManager，并且它们共享父级。然后，父母就是一种“全球”资源，充当所有提供者的后备资源。

Figure 1. An AuthenticationManager hierarchy using ProviderManager

图1.使用ProviderManager的AuthenticationManager层次结构

Customizing Authentication Managers（自定义身份验证管理器）

Spring Security provides some configuration helpers to quickly get common authentication manager features set up in your application. The most commonly used helper is the AuthenticationManagerBuilder which is great for setting up in-memory, JDBC or LDAP user details, or for adding a custom UserDetailsService. Here’s an example of an application configuring the global (parent)

Spring Security提供了一些配置帮助程序，可以快速获取应用程序中设置的常见身份验证管理器功能。最常用的帮助程序是AuthenticationManagerBuilder，它非常适合设置内存，JDBC或LDAP用户详细信息，或者用于添加自定义UserDetailsS??ervice。这是配置全局（父）的应用程序的示例

@Configuration
public class ApplicationSecurity extends WebSecurityConfigurerAdapter {

   ... // web stuff here

  @Autowired
  public initialize(AuthenticationManagerBuilder builder, DataSource dataSource) {
    builder.jdbcAuthentication().dataSource(dataSource).withUser("dave")
      .password("secret").roles("USER");
  }

}

This example relates to a web application, but the usage of AuthenticationManagerBuilder is more widely applicable (see below for more detail on how web application security is implemented). Note that the AuthenticationManagerBuilder is @Autowired into a method in a @Bean - that is what makes it build the global (parent) AuthenticationManager. In contrast if we had done it this way:

此示例涉及Web应用程序，但AuthenticationManagerBuilder的使用范围更广泛（有关如何实现Web应用程序安全性的更多详细信息，请参阅下文）。请注意，AuthenticationManagerBuilder是@Autowired到@Bean中的方法 - 这使得它构建全局（父）AuthenticationManager。相反，如果我们这样做：

@Configuration
public class ApplicationSecurity extends WebSecurityConfigurerAdapter {

  @Autowired
  DataSource dataSource;

   ... // web stuff here

  @Override
  public configure(AuthenticationManagerBuilder builder) {
    builder.jdbcAuthentication().dataSource(dataSource).withUser("dave")
      .password("secret").roles("USER");
  }

}

(using an @Override of a method in the configurer) then the AuthenticationManagerBuilder is only used to build a "local" AuthenticationManager, which is a child of the global one. In a Spring Boot application you can @Autowired the global one into another bean, but you can’t do that with the local one unless you explicitly expose it yourself.

（使用配置程序中的方法的@Override），然后AuthenticationManagerBuilder仅用于构建“本地”AuthenticationManager，它是全局的AuthenticationManager。在Spring Boot应用程序中，你可以@Autowired全局的bean到另一个bean，但除非你自己明确地公开它，否则你不能用本地bean。

Spring Boot provides a default global AuthenticationManager (with just one user) unless you pre-empt it by providing your own bean of type AuthenticationManager. The default is secure enough on its own for you not to have to worry about it much, unless you actively need a custom global AuthenticationManager. If you do any configuration that builds an AuthenticationManager you can often do it locally to the resources that you are protecting and not worry about the global default.

Spring Boot提供了一个默认的全局AuthenticationManager（只有一个用户），除非您通过提供自己的AuthenticationManager类型的bean来抢占它。除非您主动需要自定义全局AuthenticationManager，否则默认设置足够安全，您不必担心它。如果您执行构建AuthenticationManager的任何配置，您通常可以在本地执行您正在保护的资源，而不必担心全局默认值。

Authorization or Access Control（授权或访问控制）

原文地址：https://www.cnblogs.com/shuaiandjun/p/10116662.html