总的流程分为两部分，一是先用Map把configurer收集起来，然后再把maper中所有的configurer应用到HttpSecurity对象。

其中的map位于AbstractConfiguredSecurityBuilder这个类。

    private final LinkedHashMap<Class<? extends SecurityConfigurer<O, B>>, List<SecurityConfigurer<O, B>>> configurers;

configurer添加分为两部分，都通过WebSecurityConfigurerAdapter的init方法来实现，

    public void init(WebSecurity web) throws Exception {
        HttpSecurity http = this.getHttp();
        web.addSecurityFilterChainBuilder(http).postBuildAction(() -> {
            FilterSecurityInterceptor securityInterceptor = (FilterSecurityInterceptor)http.getSharedObject(FilterSecurityInterceptor.class);
            web.securityInterceptor(securityInterceptor);
        });
    }

其中init方法会调用的 protected final HttpSecurity getHttp() throws Exception方法：

    protected final HttpSecurity getHttp() throws Exception {
        if (this.http != null) {
            return this.http;
        } else {
            AuthenticationEventPublisher eventPublisher = this.getAuthenticationEventPublisher();
            this.localConfigureAuthenticationBldr.authenticationEventPublisher(eventPublisher);
            AuthenticationManager authenticationManager = this.authenticationManager();
            this.authenticationBuilder.parentAuthenticationManager(authenticationManager);
            Map<Class<?>, Object> sharedObjects = this.createSharedObjects();
            this.http = new HttpSecurity(this.objectPostProcessor, this.authenticationBuilder, sharedObjects);
            if (!this.disableDefaults) {
                //添加第一部分configurer
                this.applyDefaultConfiguration(this.http);
                ClassLoader classLoader = this.context.getClassLoader();
                List<AbstractHttpConfigurer> defaultHttpConfigurers = SpringFactoriesLoader.loadFactories(AbstractHttpConfigurer.class, classLoader);
                Iterator var6 = defaultHttpConfigurers.iterator();

                while(var6.hasNext()) {
                    AbstractHttpConfigurer configurer = (AbstractHttpConfigurer)var6.next();
                    this.http.apply(configurer);
                }
            }

            //这句代码调用本类中的configure方法继续添加configurer
            this.configure(this.http);
            return this.http;
        }
    }

该方法中执行了this.applyDefaultConfiguration(this.http)，其代码为：

   private void applyDefaultConfiguration(HttpSecurity http) throws Exception {
        http.csrf();
        http.addFilter(new WebAsyncManagerIntegrationFilter());
        http.exceptionHandling();
        http.headers();
        http.sessionManagement();
        http.securityContext();
        http.requestCache();
        http.anonymous();
        http.servletApi();
        http.apply(new DefaultLoginPageConfigurer());
        http.logout();
    }

另一部分是通过WebSecurityConfigurerAdapter的config方法添加的configurer

    protected void configure(HttpSecurity http) throws Exception {
        this.logger.debug("Using default configure(HttpSecurity). If subclassed this will potentially override subclass configure(HttpSecurity).");
        http.authorizeRequests((requests) -> {
            ((AuthorizedUrl)requests.anyRequest()).authenticated();
        });
        http.formLogin();
        http.httpBasic();
    }

至此，configurers填充完毕。

AbstractConfigedSecurityBuilder的private void configure() throws Exception
这个方法会遍历之前填充好的configurer,将其应用到HttpSecurity对象，也就是添加了Fliter

   private void configure() throws Exception {
        Collection<SecurityConfigurer<O, B>> configurers = this.getConfigurers();
        Iterator var2 = configurers.iterator();

        while(var2.hasNext()) {
            SecurityConfigurer<O, B> configurer = (SecurityConfigurer)var2.next();
            configurer.configure(this);
        }

    }

该方法的循环体执行完成后HttpSecurity对象就包含了15个过滤器。

以上是使用Spring Security5进行的分析。
Spring Security 6使用AuthorizationFilter取代了FilterSecurityInterceptor