`
c04s31602
  • 浏览: 46339 次
  • 性别: Icon_minigender_1
  • 来自: 北京
社区版块
存档分类
最新评论

Spring Security3学习-Form认证过滤器

 
阅读更多

Spring Security3可以处理来自form的登录,也可以处理来自外部提供的认证比如和CAS做集成。处理认证的流程是相同的,找了一张图贴出来

 这张图标出了涉及到认证的主要接口:由AbstractAuthenticationProcessingFilter过滤器处理过滤认证请求,生成一个Authentication对象,交给AuthenticationManager,再交给AuthenticationProvider的provider获取认证结果,最终由AbstractAuthenticationProcessingFilter做认证成功或失败的后续工作。

本篇主要学习基于form的认证,详细的认证流程再上一张图:



 我们根据这张图开始分析

过滤form登录的请求

UsernamePasswordAuthenticationFilter继承了AbstractAuthenticationProcessingFilter,没有重写doFilter方法,看AbstractAuthenticationProcessingFilter的doFilter

 

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {

        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;
        //检测是否是登录的url,在UsernamePasswordAuthenticationFilter中定义其为j_spring_security_check
        if (!requiresAuthentication(request, response)) {
            chain.doFilter(request, response);
            return;
        }
        ......
        Authentication authResult;
        try {
            //在此进行认证的,调用了子类UsernamePasswordAuthenticationFilter 
            authResult = attemptAuthentication(request, response);
            if (authResult == null) {
                // return immediately as subclass has indicated that it hasn't completed authentication
                return;
            }
            //处理session策略中的认证信息
            //当我们没有在http节点配置session-management时sessionStrategy是一个ConcurrentSessionControlStrategy实例,具体见HttpConfigurationBuilder.createSessionManagementFilters方法
            sessionStrategy.onAuthentication(authResult, request, response);
        }
        catch (AuthenticationException failed) {
            // Authentication failed
            //使用failureHandler处理认证失败信息
            unsuccessfulAuthentication(request, response, failed);

            return;
        }

        // Authentication success
        //使用successHandler处理认证成功信息
        if (continueChainBeforeSuccessfulAuthentication) {
            chain.doFilter(request, response);
        }

        successfulAuthentication(request, response, authResult);
    }

 生成UsernamePasswordAuthenticationToken:UsernamePasswordAuthenticationFilter的attemptAuthentication

    public Authentication attemptAuthentication(HttpServletRequest request, HttpServletResponse response) throws AuthenticationException {
        if (postOnly && !request.getMethod().equals("POST")) {
            throw new AuthenticationServiceException("Authentication method not supported: " + request.getMethod());
        }
        //获取用户名参数j_username的值
        String username = obtainUsername(request);
        //获取密码参数j_password的值
        String password = obtainPassword(request);

        if (username == null) {
            username = "";
        }

        if (password == null) {
            password = "";
        }

        username = username.trim();
        //封装一个authenticationToken对象
        UsernamePasswordAuthenticationToken authRequest = new UsernamePasswordAuthenticationToken(username, password);

        // Place the last username attempted into HttpSession for views
        HttpSession session = request.getSession(false);

        if (session != null || getAllowSessionCreation()) {
//用户名放入session            
request.getSession().setAttribute(SPRING_SECURITY_LAST_USERNAME_KEY, TextEscapeUtils.escapeEntities(username));
        }

        // Allow subclasses to set the "details" property
        setDetails(request, authRequest);
        //调用authenticationManager进行认证
        return this.getAuthenticationManager().authenticate(authRequest);
    }

 认证过程

 

最终的认证流程在org.springframework.security.authentication.ProviderManager的doAuthentication方法进行

    public Authentication doAuthentication(Authentication authentication) throws AuthenticationException {
        Class<? extends Authentication> toTest = authentication.getClass();
        AuthenticationException lastException = null;
        Authentication result = null;
        //provider在http>authentication-manager>authentication-provider节点配置,可以用ref自定义,默认是org.springframework.security.authentication.dao.DaoAuthenticationProvider
        for (AuthenticationProvider provider : getProviders()) {
            //去除不是它的子类的对象
            if (!provider.supports(toTest)) {
                continue;
            }

            logger.debug("Authentication attempt using " + provider.getClass().getName());

            try {
                //终于要认证了
                result = provider.authenticate(authentication);

                if (result != null) {
                    //将authentication对象的details赋给result
                    copyDetails(authentication, result);
                    break;
                }
            } catch (AccountStatusException e) {
                // SEC-546: Avoid polling additional providers if auth failure is due to invalid account status
                //增加监听事件
                eventPublisher.publishAuthenticationFailure(e, authentication);
                throw e;
            } catch (AuthenticationException e) {
                lastException = e;
            }
        }

        if (result == null && parent != null) {
            // Allow the parent to try.
            try {
                result = parent.authenticate(authentication);
            } catch (ProviderNotFoundException e) {
                // ignore as we will throw below if no other exception occurred prior to calling parent and the parent
                // may throw ProviderNotFound even though a provider in the child already handled the request
            } catch (AuthenticationException e) {
                lastException = e;
            }
        }

        if (result != null) {
            if (eraseCredentialsAfterAuthentication && (result instanceof CredentialsContainer)) {
                // Authentication is complete. Remove credentials and other secret data from authentication
                //从认证对象中移除密码等敏感信息
                ((CredentialsContainer)result).eraseCredentials();
            }
            //认证成功事件
            eventPublisher.publishAuthenticationSuccess(result);
            return result;
        }

        // Parent was null, or didn't authenticate (or throw an exception).

        if (lastException == null) {
            lastException = new ProviderNotFoundException(messages.getMessage("ProviderManager.providerNotFound",
                        new Object[] {toTest.getName()}, "No AuthenticationProvider found for {0}"));
        }
        //认证失败事件
        eventPublisher.publishAuthenticationFailure(lastException, authentication);
       //如果认证不通过,抛出异常
        throw lastException;
    }

 Provicder认证

 

基于form的provider是DaoAuthenticationProvider,继承了AbstractUserDetailsAuthenticationProvider,看authenticate方法

    public Authentication authenticate(Authentication authentication) throws AuthenticationException {
        Assert.isInstanceOf(UsernamePasswordAuthenticationToken.class, authentication,
            messages.getMessage("AbstractUserDetailsAuthenticationProvider.onlySupports",
                "Only UsernamePasswordAuthenticationToken is supported"));

        // Determine username
        String username = (authentication.getPrincipal() == null) ? "NONE_PROVIDED" : authentication.getName();

        boolean cacheWasUsed = true;
        UserDetails user = this.userCache.getUserFromCache(username);

        if (user == null) {
            cacheWasUsed = false;

            try {
                //获取用户信息
                user = retrieveUser(username, (UsernamePasswordAuthenticationToken) authentication);
            } catch (UsernameNotFoundException notFound) {
                logger.debug("User '" + username + "' not found");

                if (hideUserNotFoundExceptions) {
                    throw new BadCredentialsException(messages.getMessage(
                            "AbstractUserDetailsAuthenticationProvider.badCredentials", "Bad credentials"));
                } else {
                    throw notFound;
                }
            }

            Assert.notNull(user, "retrieveUser returned null - a violation of the interface contract");
        }

        try {
            //检测用户状态-是否锁定、是否可用、是否过期、密码是否过期
            preAuthenticationChecks.check(user);
            //密码校验,根据指定的加密算法、是否有base64,盐值等进行校验
            additionalAuthenticationChecks(user, (UsernamePasswordAuthenticationToken) authentication);
        } catch (AuthenticationException exception) {
            if (cacheWasUsed) {
                // There was a problem, so try again after checking
                // we're using latest data (i.e. not from the cache)
                cacheWasUsed = false;
                user = retrieveUser(username, (UsernamePasswordAuthenticationToken) authentication);
                preAuthenticationChecks.check(user);
                additionalAuthenticationChecks(user, (UsernamePasswordAuthenticationToken) authentication);
            } else {
                throw exception;
            }
        }

        postAuthenticationChecks.check(user);

        if (!cacheWasUsed) {
            this.userCache.putUserInCache(user);
        }

        Object principalToReturn = user;

        if (forcePrincipalAsString) {//如果要求principal是String类型的,那么将其赋值为用户名
            principalToReturn = user.getUsername();
        }
        //返回认证成功的Authentication对象
        return createSuccessAuthentication(principalToReturn, authentication, user);
    }

 有几个地方再详细说下

 

1.retrieveUser方法

    protected final UserDetails retrieveUser(String username, UsernamePasswordAuthenticationToken authentication)
            throws AuthenticationException {
        UserDetails loadedUser;

        try {
            //获取用户信息
            loadedUser = this.getUserDetailsService().loadUserByUsername(username);
        }
        catch (DataAccessException repositoryProblem) {
            throw new AuthenticationServiceException(repositoryProblem.getMessage(), repositoryProblem);
        }

        if (loadedUser == null) {
            throw new AuthenticationServiceException(
                    "UserDetailsService returned null, which is an interface contract violation");
        }
        return loadedUser;
    }

 这里面getUserDetailsService()就是获取我们在spring-security.xml自定义的userDetailService:http>authentication-manager>authentication-provider>user-service-ref,根据实现的loadUserByUsername方法获取UserDetails对象

2.createSuccessAuthentication方法:

    protected Authentication createSuccessAuthentication(Object principal, Authentication authentication,
            UserDetails user) {
        // Ensure we return the original credentials the user supplied,
        // so subsequent attempts are successful even with encoded passwords.
        // Also ensure we return the original getDetails(), so that future
        // authentication events after cache expiry contain the details
        //new了一个新的authentication对象
        UsernamePasswordAuthenticationToken result = new UsernamePasswordAuthenticationToken(principal,
                authentication.getCredentials(), user.getAuthorities());
        result.setDetails(authentication.getDetails());

        return result;
    }

 new一个新的authentication对象还是挺有意义的,UsernamePasswordAuthenticationToken的构造方法:

    public UsernamePasswordAuthenticationToken(Object principal, Object credentials, Collection<? extends GrantedAuthority> authorities) {
        super(authorities);
        this.principal = principal;
        this.credentials = credentials;
        //将其设置为true,在其他地方要用到,比如在进行权限校验的时候会检查这个属性,如果不为true会再次校验,详细内容后面再说。
        super.setAuthenticated(true); // must use super, as we override
    }

 

  • 大小: 82.5 KB
  • 大小: 80.1 KB
分享到:
评论

相关推荐

    spring-security-login-form-database-xml.zip_java security

    在XML配置中,我们可以定义访问控制规则、认证提供者、以及定制的安全过滤器链。 5. **用户认证**: 认证过程是验证用户的身份,Spring Security提供了多种认证方式,如内存中的用户信息、数据库查询、甚至是外部...

    SpringSecurity笔记2-SpringSecurity命名空间

    在"SpringSecurity笔记2-SpringSecurity命名空间"的学习中,还会涉及到如何自定义过滤器链,以及如何通过`&lt;custom-filter&gt;`元素插入自定义的SpringSecurity过滤器。同时,理解`&lt;access-denied-handler&gt;`和`...

    spring security3 中文版本

    - **配置 web.xml**:在 web.xml 文件中配置 Spring Security 的过滤器链。 - **最小 `&lt;http&gt;` 配置**:使用 `&lt;http&gt;` 元素可以轻松地配置 HTTP 认证和授权规则。 - **自动配置**:`auto-config` 属性可以自动配置...

    Spring-Security-3中文官方文档.pdf

    这份《Spring-Security-3中文官方文档》是学习这个框架的宝贵资源,尤其对于中文阅读者来说,它消除了语言障碍,使理解更加便捷。 首先,Spring Security 的核心概念包括Security Context(安全上下文)、...

    SpringSecurity学习总结源代码

    1. **Filter Security Interceptor**:这是SpringSecurity的主要过滤器,负责检查请求并决定是否允许访问。它会根据预定义的访问控制规则进行判断。 2. **Authentication Manager**:处理用户认证的组件,可以使用...

    初识 Spring Security - v1.1.pdf

    **Spring Security**是一种广泛应用于Java企业级项目中的安全框架,它基于Spring AOP(面向切面编程)和Servlet过滤器来提供全面的安全解决方案。该框架能够在Web请求级别以及方法调用级别处理身份验证...

    spring-security3 配置和使用

    在 web.xml 文件中添加 Spring Security 3 的配置,以便激活安全过滤器。下面是一个基本的 web.xml 配置示例: ```xml &lt;!-- spring security --&gt; &lt;context-param&gt; &lt;param-name&gt;contextConfigLocation&lt;/param-name&gt;...

    SpringSecurity2.0.5

    1. **Filter Chain**: Spring Security 的核心在于其过滤器链。它通过一系列的Servlet过滤器来处理HTTP请求,执行身份验证、授权等安全操作。在2.0.5版本中,这些过滤器包括了如`DelegatingFilterProxy`,`...

    spring-security-4.2.0.RELEASE-dist

    3. **过滤器链(Filter Chain)**:Spring Security的核心是过滤器链,它拦截HTTP请求并应用安全策略。4.2.0版本中的过滤器链包括了如`DelegatingFilterProxy`、`ChannelProcessingFilter`、`...

    springSecurity3例子

    - **Filter Chain**: Spring Security的核心在于其过滤器链,它处理HTTP请求,执行认证和授权过程。这些过滤器包括`DelegatingFilterProxy`、`ChannelProcessingFilter`、`SecurityContextPersistenceFilter`、`...

    spring-security4.0.zip

    - `thymeleaf-extras-springsecurity4-3.0.0.RELEASE.jar`: 使得Thymeleaf模板引擎能够与Spring Security无缝协作,方便地在页面上展示权限相关的控制。 10. **消息安全** - `spring-security-messaging-4.0.0....

    Spring Security 学习总结1_3

    例如,`AbstractAuthenticationProcessingFilter`是处理用户提交的认证信息的过滤器,而`AuthenticationManager`负责处理认证请求。`AuthorizationManager`和`AccessDecisionManager`则涉及授权逻辑。通过阅读源码,...

    spring security 3.1学习资料 及 附件下载

    4. 弹性安全策略:Spring Security的Filter Chain机制允许开发者自定义过滤器链,实现复杂的安全策略。 四、学习资源与实践 提供的"Spring Security 3.1.pdf"文档是英文版的学习资料,对于深入理解Spring Security...

    SpringSecurity 3配置文件

    - Spring Security 3支持多种认证方式,如Basic认证、Form认证等。在`http`元素内,通过`form-login`或`http-basic`子元素来配置这些认证方式。 - `password-encoder`: 用于加密和比较用户输入的密码。Spring ...

    spring-security-3.1.0.RELEASE.zip

    - **Filter Chain**: Spring Security的核心是基于过滤器的HTTP请求处理链。它拦截每个HTTP请求,并根据预定义的安全策略进行处理,如身份验证、授权等。 - **AuthenticationManager**: 负责处理用户身份验证,...

    SpringSecurity学习

    SpringSecurity的核心是其过滤器链,其中包含了多个预定义的安全过滤器,如HTTP Basic Authentication Filter、Form Login Filter和Remember Me Filter等。这些过滤器处理HTTP请求,进行身份验证和授权,确保只有...

    spring-security-login-form:本文中使用的源代码-Form source code

    1. **web.xml**:这是Servlet配置文件,通常用于配置Spring Security的过滤器链。在这里,会看到`&lt;filter&gt;`和`&lt;filter-mapping&gt;`元素,它们指定了Spring Security的DispatcherServlet拦截器。 2. **spring-security...

    spring security3配置

    为了使Spring Security能够在Web环境中正常工作,需要在`web.xml`中配置一个名为`springSecurityFilterChain`的过滤器,该过滤器是Spring Security的核心组件之一,用于处理所有的HTTP请求。 ```xml &lt;filter-name...

    spring security3笔记

    - **Filter Security Interceptor**:基于HTTP请求过滤器的安全拦截器,检查每个请求是否允许访问。 3. **配置** - **XML配置**:Spring Security可以通过XML配置文件来定制安全规则,如定义访问控制列表(ACLs)...

Global site tag (gtag.js) - Google Analytics