Spring Security3可以处理来自form的登录,也可以处理来自外部提供的认证比如和CAS做集成。处理认证的流程是相同的,找了一张图贴出来
这张图标出了涉及到认证的主要接口:由AbstractAuthenticationProcessingFilter过滤器处理过滤认证请求,生成一个Authentication对象,交给AuthenticationManager,再交给AuthenticationProvider的provider获取认证结果,最终由AbstractAuthenticationProcessingFilter做认证成功或失败的后续工作。
本篇主要学习基于form的认证,详细的认证流程再上一张图:
我们根据这张图开始分析
过滤form登录的请求:
UsernamePasswordAuthenticationFilter继承了AbstractAuthenticationProcessingFilter,没有重写doFilter方法,看AbstractAuthenticationProcessingFilter的doFilter
public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
throws IOException, ServletException {
HttpServletRequest request = (HttpServletRequest) req;
HttpServletResponse response = (HttpServletResponse) res;
//检测是否是登录的url,在UsernamePasswordAuthenticationFilter中定义其为j_spring_security_check
if (!requiresAuthentication(request, response)) {
chain.doFilter(request, response);
return;
}
......
Authentication authResult;
try {
//在此进行认证的,调用了子类UsernamePasswordAuthenticationFilter
authResult = attemptAuthentication(request, response);
if (authResult == null) {
// return immediately as subclass has indicated that it hasn't completed authentication
return;
}
//处理session策略中的认证信息
//当我们没有在http节点配置session-management时sessionStrategy是一个ConcurrentSessionControlStrategy实例,具体见HttpConfigurationBuilder.createSessionManagementFilters方法
sessionStrategy.onAuthentication(authResult, request, response);
}
catch (AuthenticationException failed) {
// Authentication failed
//使用failureHandler处理认证失败信息
unsuccessfulAuthentication(request, response, failed);
return;
}
// Authentication success
//使用successHandler处理认证成功信息
if (continueChainBeforeSuccessfulAuthentication) {
chain.doFilter(request, response);
}
successfulAuthentication(request, response, authResult);
}
生成UsernamePasswordAuthenticationToken:UsernamePasswordAuthenticationFilter的attemptAuthentication
public Authentication attemptAuthentication(HttpServletRequest request, HttpServletResponse response) throws AuthenticationException { if (postOnly && !request.getMethod().equals("POST")) { throw new AuthenticationServiceException("Authentication method not supported: " + request.getMethod()); } //获取用户名参数j_username的值 String username = obtainUsername(request); //获取密码参数j_password的值 String password = obtainPassword(request); if (username == null) { username = ""; } if (password == null) { password = ""; } username = username.trim(); //封装一个authenticationToken对象 UsernamePasswordAuthenticationToken authRequest = new UsernamePasswordAuthenticationToken(username, password); // Place the last username attempted into HttpSession for views HttpSession session = request.getSession(false); if (session != null || getAllowSessionCreation()) { //用户名放入session request.getSession().setAttribute(SPRING_SECURITY_LAST_USERNAME_KEY, TextEscapeUtils.escapeEntities(username)); } // Allow subclasses to set the "details" property setDetails(request, authRequest); //调用authenticationManager进行认证 return this.getAuthenticationManager().authenticate(authRequest); }
认证过程:
最终的认证流程在org.springframework.security.authentication.ProviderManager的doAuthentication方法进行
public Authentication doAuthentication(Authentication authentication) throws AuthenticationException { Class<? extends Authentication> toTest = authentication.getClass(); AuthenticationException lastException = null; Authentication result = null; //provider在http>authentication-manager>authentication-provider节点配置,可以用ref自定义,默认是org.springframework.security.authentication.dao.DaoAuthenticationProvider for (AuthenticationProvider provider : getProviders()) { //去除不是它的子类的对象 if (!provider.supports(toTest)) { continue; } logger.debug("Authentication attempt using " + provider.getClass().getName()); try { //终于要认证了 result = provider.authenticate(authentication); if (result != null) { //将authentication对象的details赋给result copyDetails(authentication, result); break; } } catch (AccountStatusException e) { // SEC-546: Avoid polling additional providers if auth failure is due to invalid account status //增加监听事件 eventPublisher.publishAuthenticationFailure(e, authentication); throw e; } catch (AuthenticationException e) { lastException = e; } } if (result == null && parent != null) { // Allow the parent to try. try { result = parent.authenticate(authentication); } catch (ProviderNotFoundException e) { // ignore as we will throw below if no other exception occurred prior to calling parent and the parent // may throw ProviderNotFound even though a provider in the child already handled the request } catch (AuthenticationException e) { lastException = e; } } if (result != null) { if (eraseCredentialsAfterAuthentication && (result instanceof CredentialsContainer)) { // Authentication is complete. Remove credentials and other secret data from authentication //从认证对象中移除密码等敏感信息 ((CredentialsContainer)result).eraseCredentials(); } //认证成功事件 eventPublisher.publishAuthenticationSuccess(result); return result; } // Parent was null, or didn't authenticate (or throw an exception). if (lastException == null) { lastException = new ProviderNotFoundException(messages.getMessage("ProviderManager.providerNotFound", new Object[] {toTest.getName()}, "No AuthenticationProvider found for {0}")); } //认证失败事件 eventPublisher.publishAuthenticationFailure(lastException, authentication); //如果认证不通过,抛出异常 throw lastException; }
Provicder认证:
基于form的provider是DaoAuthenticationProvider,继承了AbstractUserDetailsAuthenticationProvider,看authenticate方法
public Authentication authenticate(Authentication authentication) throws AuthenticationException { Assert.isInstanceOf(UsernamePasswordAuthenticationToken.class, authentication, messages.getMessage("AbstractUserDetailsAuthenticationProvider.onlySupports", "Only UsernamePasswordAuthenticationToken is supported")); // Determine username String username = (authentication.getPrincipal() == null) ? "NONE_PROVIDED" : authentication.getName(); boolean cacheWasUsed = true; UserDetails user = this.userCache.getUserFromCache(username); if (user == null) { cacheWasUsed = false; try { //获取用户信息 user = retrieveUser(username, (UsernamePasswordAuthenticationToken) authentication); } catch (UsernameNotFoundException notFound) { logger.debug("User '" + username + "' not found"); if (hideUserNotFoundExceptions) { throw new BadCredentialsException(messages.getMessage( "AbstractUserDetailsAuthenticationProvider.badCredentials", "Bad credentials")); } else { throw notFound; } } Assert.notNull(user, "retrieveUser returned null - a violation of the interface contract"); } try { //检测用户状态-是否锁定、是否可用、是否过期、密码是否过期 preAuthenticationChecks.check(user); //密码校验,根据指定的加密算法、是否有base64,盐值等进行校验 additionalAuthenticationChecks(user, (UsernamePasswordAuthenticationToken) authentication); } catch (AuthenticationException exception) { if (cacheWasUsed) { // There was a problem, so try again after checking // we're using latest data (i.e. not from the cache) cacheWasUsed = false; user = retrieveUser(username, (UsernamePasswordAuthenticationToken) authentication); preAuthenticationChecks.check(user); additionalAuthenticationChecks(user, (UsernamePasswordAuthenticationToken) authentication); } else { throw exception; } } postAuthenticationChecks.check(user); if (!cacheWasUsed) { this.userCache.putUserInCache(user); } Object principalToReturn = user; if (forcePrincipalAsString) {//如果要求principal是String类型的,那么将其赋值为用户名 principalToReturn = user.getUsername(); } //返回认证成功的Authentication对象 return createSuccessAuthentication(principalToReturn, authentication, user); }
有几个地方再详细说下
1.retrieveUser方法
protected final UserDetails retrieveUser(String username, UsernamePasswordAuthenticationToken authentication) throws AuthenticationException { UserDetails loadedUser; try { //获取用户信息 loadedUser = this.getUserDetailsService().loadUserByUsername(username); } catch (DataAccessException repositoryProblem) { throw new AuthenticationServiceException(repositoryProblem.getMessage(), repositoryProblem); } if (loadedUser == null) { throw new AuthenticationServiceException( "UserDetailsService returned null, which is an interface contract violation"); } return loadedUser; }
这里面getUserDetailsService()就是获取我们在spring-security.xml自定义的userDetailService:http>authentication-manager>authentication-provider>user-service-ref,根据实现的loadUserByUsername方法获取UserDetails对象
2.createSuccessAuthentication方法:
protected Authentication createSuccessAuthentication(Object principal, Authentication authentication, UserDetails user) { // Ensure we return the original credentials the user supplied, // so subsequent attempts are successful even with encoded passwords. // Also ensure we return the original getDetails(), so that future // authentication events after cache expiry contain the details //new了一个新的authentication对象 UsernamePasswordAuthenticationToken result = new UsernamePasswordAuthenticationToken(principal, authentication.getCredentials(), user.getAuthorities()); result.setDetails(authentication.getDetails()); return result; }
new一个新的authentication对象还是挺有意义的,UsernamePasswordAuthenticationToken的构造方法:
public UsernamePasswordAuthenticationToken(Object principal, Object credentials, Collection<? extends GrantedAuthority> authorities) { super(authorities); this.principal = principal; this.credentials = credentials; //将其设置为true,在其他地方要用到,比如在进行权限校验的时候会检查这个属性,如果不为true会再次校验,详细内容后面再说。 super.setAuthenticated(true); // must use super, as we override }
相关推荐
在XML配置中,我们可以定义访问控制规则、认证提供者、以及定制的安全过滤器链。 5. **用户认证**: 认证过程是验证用户的身份,Spring Security提供了多种认证方式,如内存中的用户信息、数据库查询、甚至是外部...
在"SpringSecurity笔记2-SpringSecurity命名空间"的学习中,还会涉及到如何自定义过滤器链,以及如何通过`<custom-filter>`元素插入自定义的SpringSecurity过滤器。同时,理解`<access-denied-handler>`和`...
- **配置 web.xml**:在 web.xml 文件中配置 Spring Security 的过滤器链。 - **最小 `<http>` 配置**:使用 `<http>` 元素可以轻松地配置 HTTP 认证和授权规则。 - **自动配置**:`auto-config` 属性可以自动配置...
这份《Spring-Security-3中文官方文档》是学习这个框架的宝贵资源,尤其对于中文阅读者来说,它消除了语言障碍,使理解更加便捷。 首先,Spring Security 的核心概念包括Security Context(安全上下文)、...
1. **Filter Security Interceptor**:这是SpringSecurity的主要过滤器,负责检查请求并决定是否允许访问。它会根据预定义的访问控制规则进行判断。 2. **Authentication Manager**:处理用户认证的组件,可以使用...
**Spring Security**是一种广泛应用于Java企业级项目中的安全框架,它基于Spring AOP(面向切面编程)和Servlet过滤器来提供全面的安全解决方案。该框架能够在Web请求级别以及方法调用级别处理身份验证...
在 web.xml 文件中添加 Spring Security 3 的配置,以便激活安全过滤器。下面是一个基本的 web.xml 配置示例: ```xml <!-- spring security --> <context-param> <param-name>contextConfigLocation</param-name>...
1. **Filter Chain**: Spring Security 的核心在于其过滤器链。它通过一系列的Servlet过滤器来处理HTTP请求,执行身份验证、授权等安全操作。在2.0.5版本中,这些过滤器包括了如`DelegatingFilterProxy`,`...
3. **过滤器链(Filter Chain)**:Spring Security的核心是过滤器链,它拦截HTTP请求并应用安全策略。4.2.0版本中的过滤器链包括了如`DelegatingFilterProxy`、`ChannelProcessingFilter`、`...
- **Filter Chain**: Spring Security的核心在于其过滤器链,它处理HTTP请求,执行认证和授权过程。这些过滤器包括`DelegatingFilterProxy`、`ChannelProcessingFilter`、`SecurityContextPersistenceFilter`、`...
- `thymeleaf-extras-springsecurity4-3.0.0.RELEASE.jar`: 使得Thymeleaf模板引擎能够与Spring Security无缝协作,方便地在页面上展示权限相关的控制。 10. **消息安全** - `spring-security-messaging-4.0.0....
例如,`AbstractAuthenticationProcessingFilter`是处理用户提交的认证信息的过滤器,而`AuthenticationManager`负责处理认证请求。`AuthorizationManager`和`AccessDecisionManager`则涉及授权逻辑。通过阅读源码,...
4. 弹性安全策略:Spring Security的Filter Chain机制允许开发者自定义过滤器链,实现复杂的安全策略。 四、学习资源与实践 提供的"Spring Security 3.1.pdf"文档是英文版的学习资料,对于深入理解Spring Security...
- Spring Security 3支持多种认证方式,如Basic认证、Form认证等。在`http`元素内,通过`form-login`或`http-basic`子元素来配置这些认证方式。 - `password-encoder`: 用于加密和比较用户输入的密码。Spring ...
- **Filter Chain**: Spring Security的核心是基于过滤器的HTTP请求处理链。它拦截每个HTTP请求,并根据预定义的安全策略进行处理,如身份验证、授权等。 - **AuthenticationManager**: 负责处理用户身份验证,...
SpringSecurity的核心是其过滤器链,其中包含了多个预定义的安全过滤器,如HTTP Basic Authentication Filter、Form Login Filter和Remember Me Filter等。这些过滤器处理HTTP请求,进行身份验证和授权,确保只有...
1. **web.xml**:这是Servlet配置文件,通常用于配置Spring Security的过滤器链。在这里,会看到`<filter>`和`<filter-mapping>`元素,它们指定了Spring Security的DispatcherServlet拦截器。 2. **spring-security...
为了使Spring Security能够在Web环境中正常工作,需要在`web.xml`中配置一个名为`springSecurityFilterChain`的过滤器,该过滤器是Spring Security的核心组件之一,用于处理所有的HTTP请求。 ```xml <filter-name...
- **Filter Security Interceptor**:基于HTTP请求过滤器的安全拦截器,检查每个请求是否允许访问。 3. **配置** - **XML配置**:Spring Security可以通过XML配置文件来定制安全规则,如定义访问控制列表(ACLs)...