Spring Security3可以处理来自form的登录,也可以处理来自外部提供的认证比如和CAS做集成。处理认证的流程是相同的,找了一张图贴出来
这张图标出了涉及到认证的主要接口:由AbstractAuthenticationProcessingFilter过滤器处理过滤认证请求,生成一个Authentication对象,交给AuthenticationManager,再交给AuthenticationProvider的provider获取认证结果,最终由AbstractAuthenticationProcessingFilter做认证成功或失败的后续工作。
本篇主要学习基于form的认证,详细的认证流程再上一张图:
我们根据这张图开始分析
过滤form登录的请求:
UsernamePasswordAuthenticationFilter继承了AbstractAuthenticationProcessingFilter,没有重写doFilter方法,看AbstractAuthenticationProcessingFilter的doFilter
public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
throws IOException, ServletException {
HttpServletRequest request = (HttpServletRequest) req;
HttpServletResponse response = (HttpServletResponse) res;
//检测是否是登录的url,在UsernamePasswordAuthenticationFilter中定义其为j_spring_security_check
if (!requiresAuthentication(request, response)) {
chain.doFilter(request, response);
return;
}
......
Authentication authResult;
try {
//在此进行认证的,调用了子类UsernamePasswordAuthenticationFilter
authResult = attemptAuthentication(request, response);
if (authResult == null) {
// return immediately as subclass has indicated that it hasn't completed authentication
return;
}
//处理session策略中的认证信息
//当我们没有在http节点配置session-management时sessionStrategy是一个ConcurrentSessionControlStrategy实例,具体见HttpConfigurationBuilder.createSessionManagementFilters方法
sessionStrategy.onAuthentication(authResult, request, response);
}
catch (AuthenticationException failed) {
// Authentication failed
//使用failureHandler处理认证失败信息
unsuccessfulAuthentication(request, response, failed);
return;
}
// Authentication success
//使用successHandler处理认证成功信息
if (continueChainBeforeSuccessfulAuthentication) {
chain.doFilter(request, response);
}
successfulAuthentication(request, response, authResult);
}
生成UsernamePasswordAuthenticationToken:UsernamePasswordAuthenticationFilter的attemptAuthentication
public Authentication attemptAuthentication(HttpServletRequest request, HttpServletResponse response) throws AuthenticationException {
if (postOnly && !request.getMethod().equals("POST")) {
throw new AuthenticationServiceException("Authentication method not supported: " + request.getMethod());
}
//获取用户名参数j_username的值
String username = obtainUsername(request);
//获取密码参数j_password的值
String password = obtainPassword(request);
if (username == null) {
username = "";
}
if (password == null) {
password = "";
}
username = username.trim();
//封装一个authenticationToken对象
UsernamePasswordAuthenticationToken authRequest = new UsernamePasswordAuthenticationToken(username, password);
// Place the last username attempted into HttpSession for views
HttpSession session = request.getSession(false);
if (session != null || getAllowSessionCreation()) {
//用户名放入session
request.getSession().setAttribute(SPRING_SECURITY_LAST_USERNAME_KEY, TextEscapeUtils.escapeEntities(username));
}
// Allow subclasses to set the "details" property
setDetails(request, authRequest);
//调用authenticationManager进行认证
return this.getAuthenticationManager().authenticate(authRequest);
}
认证过程:
最终的认证流程在org.springframework.security.authentication.ProviderManager的doAuthentication方法进行
public Authentication doAuthentication(Authentication authentication) throws AuthenticationException {
Class<? extends Authentication> toTest = authentication.getClass();
AuthenticationException lastException = null;
Authentication result = null;
//provider在http>authentication-manager>authentication-provider节点配置,可以用ref自定义,默认是org.springframework.security.authentication.dao.DaoAuthenticationProvider
for (AuthenticationProvider provider : getProviders()) {
//去除不是它的子类的对象
if (!provider.supports(toTest)) {
continue;
}
logger.debug("Authentication attempt using " + provider.getClass().getName());
try {
//终于要认证了
result = provider.authenticate(authentication);
if (result != null) {
//将authentication对象的details赋给result
copyDetails(authentication, result);
break;
}
} catch (AccountStatusException e) {
// SEC-546: Avoid polling additional providers if auth failure is due to invalid account status
//增加监听事件
eventPublisher.publishAuthenticationFailure(e, authentication);
throw e;
} catch (AuthenticationException e) {
lastException = e;
}
}
if (result == null && parent != null) {
// Allow the parent to try.
try {
result = parent.authenticate(authentication);
} catch (ProviderNotFoundException e) {
// ignore as we will throw below if no other exception occurred prior to calling parent and the parent
// may throw ProviderNotFound even though a provider in the child already handled the request
} catch (AuthenticationException e) {
lastException = e;
}
}
if (result != null) {
if (eraseCredentialsAfterAuthentication && (result instanceof CredentialsContainer)) {
// Authentication is complete. Remove credentials and other secret data from authentication
//从认证对象中移除密码等敏感信息
((CredentialsContainer)result).eraseCredentials();
}
//认证成功事件
eventPublisher.publishAuthenticationSuccess(result);
return result;
}
// Parent was null, or didn't authenticate (or throw an exception).
if (lastException == null) {
lastException = new ProviderNotFoundException(messages.getMessage("ProviderManager.providerNotFound",
new Object[] {toTest.getName()}, "No AuthenticationProvider found for {0}"));
}
//认证失败事件
eventPublisher.publishAuthenticationFailure(lastException, authentication);
//如果认证不通过,抛出异常
throw lastException;
}
Provicder认证:
基于form的provider是DaoAuthenticationProvider,继承了AbstractUserDetailsAuthenticationProvider,看authenticate方法
public Authentication authenticate(Authentication authentication) throws AuthenticationException {
Assert.isInstanceOf(UsernamePasswordAuthenticationToken.class, authentication,
messages.getMessage("AbstractUserDetailsAuthenticationProvider.onlySupports",
"Only UsernamePasswordAuthenticationToken is supported"));
// Determine username
String username = (authentication.getPrincipal() == null) ? "NONE_PROVIDED" : authentication.getName();
boolean cacheWasUsed = true;
UserDetails user = this.userCache.getUserFromCache(username);
if (user == null) {
cacheWasUsed = false;
try {
//获取用户信息
user = retrieveUser(username, (UsernamePasswordAuthenticationToken) authentication);
} catch (UsernameNotFoundException notFound) {
logger.debug("User '" + username + "' not found");
if (hideUserNotFoundExceptions) {
throw new BadCredentialsException(messages.getMessage(
"AbstractUserDetailsAuthenticationProvider.badCredentials", "Bad credentials"));
} else {
throw notFound;
}
}
Assert.notNull(user, "retrieveUser returned null - a violation of the interface contract");
}
try {
//检测用户状态-是否锁定、是否可用、是否过期、密码是否过期
preAuthenticationChecks.check(user);
//密码校验,根据指定的加密算法、是否有base64,盐值等进行校验
additionalAuthenticationChecks(user, (UsernamePasswordAuthenticationToken) authentication);
} catch (AuthenticationException exception) {
if (cacheWasUsed) {
// There was a problem, so try again after checking
// we're using latest data (i.e. not from the cache)
cacheWasUsed = false;
user = retrieveUser(username, (UsernamePasswordAuthenticationToken) authentication);
preAuthenticationChecks.check(user);
additionalAuthenticationChecks(user, (UsernamePasswordAuthenticationToken) authentication);
} else {
throw exception;
}
}
postAuthenticationChecks.check(user);
if (!cacheWasUsed) {
this.userCache.putUserInCache(user);
}
Object principalToReturn = user;
if (forcePrincipalAsString) {//如果要求principal是String类型的,那么将其赋值为用户名
principalToReturn = user.getUsername();
}
//返回认证成功的Authentication对象
return createSuccessAuthentication(principalToReturn, authentication, user);
}
有几个地方再详细说下
1.retrieveUser方法
protected final UserDetails retrieveUser(String username, UsernamePasswordAuthenticationToken authentication)
throws AuthenticationException {
UserDetails loadedUser;
try {
//获取用户信息
loadedUser = this.getUserDetailsService().loadUserByUsername(username);
}
catch (DataAccessException repositoryProblem) {
throw new AuthenticationServiceException(repositoryProblem.getMessage(), repositoryProblem);
}
if (loadedUser == null) {
throw new AuthenticationServiceException(
"UserDetailsService returned null, which is an interface contract violation");
}
return loadedUser;
}
这里面getUserDetailsService()就是获取我们在spring-security.xml自定义的userDetailService:http>authentication-manager>authentication-provider>user-service-ref,根据实现的loadUserByUsername方法获取UserDetails对象
2.createSuccessAuthentication方法:
protected Authentication createSuccessAuthentication(Object principal, Authentication authentication,
UserDetails user) {
// Ensure we return the original credentials the user supplied,
// so subsequent attempts are successful even with encoded passwords.
// Also ensure we return the original getDetails(), so that future
// authentication events after cache expiry contain the details
//new了一个新的authentication对象
UsernamePasswordAuthenticationToken result = new UsernamePasswordAuthenticationToken(principal,
authentication.getCredentials(), user.getAuthorities());
result.setDetails(authentication.getDetails());
return result;
}
new一个新的authentication对象还是挺有意义的,UsernamePasswordAuthenticationToken的构造方法:
public UsernamePasswordAuthenticationToken(Object principal, Object credentials, Collection<? extends GrantedAuthority> authorities) {
super(authorities);
this.principal = principal;
this.credentials = credentials;
//将其设置为true,在其他地方要用到,比如在进行权限校验的时候会检查这个属性,如果不为true会再次校验,详细内容后面再说。
super.setAuthenticated(true); // must use super, as we override
}
相关推荐
在XML配置中,我们可以定义访问控制规则、认证提供者、以及定制的安全过滤器链。 5. **用户认证**: 认证过程是验证用户的身份,Spring Security提供了多种认证方式,如内存中的用户信息、数据库查询、甚至是外部...
在"SpringSecurity笔记2-SpringSecurity命名空间"的学习中,还会涉及到如何自定义过滤器链,以及如何通过`<custom-filter>`元素插入自定义的SpringSecurity过滤器。同时,理解`<access-denied-handler>`和`...
- **配置 web.xml**:在 web.xml 文件中配置 Spring Security 的过滤器链。 - **最小 `<http>` 配置**:使用 `<http>` 元素可以轻松地配置 HTTP 认证和授权规则。 - **自动配置**:`auto-config` 属性可以自动配置...
这份《Spring-Security-3中文官方文档》是学习这个框架的宝贵资源,尤其对于中文阅读者来说,它消除了语言障碍,使理解更加便捷。 首先,Spring Security 的核心概念包括Security Context(安全上下文)、...
1. **Filter Security Interceptor**:这是SpringSecurity的主要过滤器,负责检查请求并决定是否允许访问。它会根据预定义的访问控制规则进行判断。 2. **Authentication Manager**:处理用户认证的组件,可以使用...
**Spring Security**是一种广泛应用于Java企业级项目中的安全框架,它基于Spring AOP(面向切面编程)和Servlet过滤器来提供全面的安全解决方案。该框架能够在Web请求级别以及方法调用级别处理身份验证...
在 web.xml 文件中添加 Spring Security 3 的配置,以便激活安全过滤器。下面是一个基本的 web.xml 配置示例: ```xml <!-- spring security --> <context-param> <param-name>contextConfigLocation</param-name>...
1. **Filter Chain**: Spring Security 的核心在于其过滤器链。它通过一系列的Servlet过滤器来处理HTTP请求,执行身份验证、授权等安全操作。在2.0.5版本中,这些过滤器包括了如`DelegatingFilterProxy`,`...
3. **过滤器链(Filter Chain)**:Spring Security的核心是过滤器链,它拦截HTTP请求并应用安全策略。4.2.0版本中的过滤器链包括了如`DelegatingFilterProxy`、`ChannelProcessingFilter`、`...
- **Filter Chain**: Spring Security的核心在于其过滤器链,它处理HTTP请求,执行认证和授权过程。这些过滤器包括`DelegatingFilterProxy`、`ChannelProcessingFilter`、`SecurityContextPersistenceFilter`、`...
- `thymeleaf-extras-springsecurity4-3.0.0.RELEASE.jar`: 使得Thymeleaf模板引擎能够与Spring Security无缝协作,方便地在页面上展示权限相关的控制。 10. **消息安全** - `spring-security-messaging-4.0.0....
例如,`AbstractAuthenticationProcessingFilter`是处理用户提交的认证信息的过滤器,而`AuthenticationManager`负责处理认证请求。`AuthorizationManager`和`AccessDecisionManager`则涉及授权逻辑。通过阅读源码,...
4. 弹性安全策略:Spring Security的Filter Chain机制允许开发者自定义过滤器链,实现复杂的安全策略。 四、学习资源与实践 提供的"Spring Security 3.1.pdf"文档是英文版的学习资料,对于深入理解Spring Security...
- Spring Security 3支持多种认证方式,如Basic认证、Form认证等。在`http`元素内,通过`form-login`或`http-basic`子元素来配置这些认证方式。 - `password-encoder`: 用于加密和比较用户输入的密码。Spring ...
- **Filter Chain**: Spring Security的核心是基于过滤器的HTTP请求处理链。它拦截每个HTTP请求,并根据预定义的安全策略进行处理,如身份验证、授权等。 - **AuthenticationManager**: 负责处理用户身份验证,...
SpringSecurity的核心是其过滤器链,其中包含了多个预定义的安全过滤器,如HTTP Basic Authentication Filter、Form Login Filter和Remember Me Filter等。这些过滤器处理HTTP请求,进行身份验证和授权,确保只有...
1. **web.xml**:这是Servlet配置文件,通常用于配置Spring Security的过滤器链。在这里,会看到`<filter>`和`<filter-mapping>`元素,它们指定了Spring Security的DispatcherServlet拦截器。 2. **spring-security...
为了使Spring Security能够在Web环境中正常工作,需要在`web.xml`中配置一个名为`springSecurityFilterChain`的过滤器,该过滤器是Spring Security的核心组件之一,用于处理所有的HTTP请求。 ```xml <filter-name...
- **Filter Security Interceptor**:基于HTTP请求过滤器的安全拦截器,检查每个请求是否允许访问。 3. **配置** - **XML配置**:Spring Security可以通过XML配置文件来定制安全规则,如定义访问控制列表(ACLs)...