Spring Security3学习-Form认证过滤器

c04s31602

浏览: 44859 次
性别:
来自: 北京

最近访客更多访客>>

alanliurong

xiaofeng525

231864163

subenkun

博主相关

博客

微博

相册

留言

关于我

文章分类

社区版块

存档分类

博客分类：

Spring Security3

Spring Security3可以处理来自form的登录，也可以处理来自外部提供的认证比如和CAS做集成。处理认证的流程是相同的，找了一张图贴出来

这张图标出了涉及到认证的主要接口：由AbstractAuthenticationProcessingFilter过滤器处理过滤认证请求，生成一个Authentication对象，交给AuthenticationManager，再交给AuthenticationProvider的provider获取认证结果，最终由AbstractAuthenticationProcessingFilter做认证成功或失败的后续工作。

本篇主要学习基于form的认证，详细的认证流程再上一张图：

我们根据这张图开始分析

过滤form登录的请求：

UsernamePasswordAuthenticationFilter继承了AbstractAuthenticationProcessingFilter，没有重写doFilter方法，看AbstractAuthenticationProcessingFilter的doFilter

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {

        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;
        //检测是否是登录的url，在UsernamePasswordAuthenticationFilter中定义其为j_spring_security_check
        if (!requiresAuthentication(request, response)) {
            chain.doFilter(request, response);
            return;
        }
        ......
        Authentication authResult;
        try {
            //在此进行认证的，调用了子类UsernamePasswordAuthenticationFilter 
            authResult = attemptAuthentication(request, response);
            if (authResult == null) {
                // return immediately as subclass has indicated that it hasn't completed authentication
                return;
            }
            //处理session策略中的认证信息
            //当我们没有在http节点配置session-management时sessionStrategy是一个ConcurrentSessionControlStrategy实例，具体见HttpConfigurationBuilder.createSessionManagementFilters方法
            sessionStrategy.onAuthentication(authResult, request, response);
        }
        catch (AuthenticationException failed) {
            // Authentication failed
            //使用failureHandler处理认证失败信息
            unsuccessfulAuthentication(request, response, failed);

            return;
        }

        // Authentication success
        //使用successHandler处理认证成功信息
        if (continueChainBeforeSuccessfulAuthentication) {
            chain.doFilter(request, response);
        }

        successfulAuthentication(request, response, authResult);
    }

生成UsernamePasswordAuthenticationToken：UsernamePasswordAuthenticationFilter的attemptAuthentication

    public Authentication attemptAuthentication(HttpServletRequest request, HttpServletResponse response) throws AuthenticationException {
        if (postOnly && !request.getMethod().equals("POST")) {
            throw new AuthenticationServiceException("Authentication method not supported: " + request.getMethod());
        }
        //获取用户名参数j_username的值
        String username = obtainUsername(request);
        //获取密码参数j_password的值
        String password = obtainPassword(request);

        if (username == null) {
            username = "";
        }

        if (password == null) {
            password = "";
        }

        username = username.trim();
        //封装一个authenticationToken对象
        UsernamePasswordAuthenticationToken authRequest = new UsernamePasswordAuthenticationToken(username, password);

        // Place the last username attempted into HttpSession for views
        HttpSession session = request.getSession(false);

        if (session != null || getAllowSessionCreation()) {
//用户名放入session            
request.getSession().setAttribute(SPRING_SECURITY_LAST_USERNAME_KEY, TextEscapeUtils.escapeEntities(username));
        }

        // Allow subclasses to set the "details" property
        setDetails(request, authRequest);
        //调用authenticationManager进行认证
        return this.getAuthenticationManager().authenticate(authRequest);
    }

认证过程：

最终的认证流程在org.springframework.security.authentication.ProviderManager的doAuthentication方法进行

    public Authentication doAuthentication(Authentication authentication) throws AuthenticationException {
        Class<? extends Authentication> toTest = authentication.getClass();
        AuthenticationException lastException = null;
        Authentication result = null;
        //provider在http>authentication-manager>authentication-provider节点配置，可以用ref自定义，默认是org.springframework.security.authentication.dao.DaoAuthenticationProvider
        for (AuthenticationProvider provider : getProviders()) {
            //去除不是它的子类的对象
            if (!provider.supports(toTest)) {
                continue;
            }

            logger.debug("Authentication attempt using " + provider.getClass().getName());

            try {
                //终于要认证了
                result = provider.authenticate(authentication);

                if (result != null) {
                    //将authentication对象的details赋给result
                    copyDetails(authentication, result);
                    break;
                }
            } catch (AccountStatusException e) {
                // SEC-546: Avoid polling additional providers if auth failure is due to invalid account status
                //增加监听事件
                eventPublisher.publishAuthenticationFailure(e, authentication);
                throw e;
            } catch (AuthenticationException e) {
                lastException = e;
            }
        }

        if (result == null && parent != null) {
            // Allow the parent to try.
            try {
                result = parent.authenticate(authentication);
            } catch (ProviderNotFoundException e) {
                // ignore as we will throw below if no other exception occurred prior to calling parent and the parent
                // may throw ProviderNotFound even though a provider in the child already handled the request
            } catch (AuthenticationException e) {
                lastException = e;
            }
        }

        if (result != null) {
            if (eraseCredentialsAfterAuthentication && (result instanceof CredentialsContainer)) {
                // Authentication is complete. Remove credentials and other secret data from authentication
                //从认证对象中移除密码等敏感信息
                ((CredentialsContainer)result).eraseCredentials();
            }
            //认证成功事件
            eventPublisher.publishAuthenticationSuccess(result);
            return result;
        }

        // Parent was null, or didn't authenticate (or throw an exception).

        if (lastException == null) {
            lastException = new ProviderNotFoundException(messages.getMessage("ProviderManager.providerNotFound",
                        new Object[] {toTest.getName()}, "No AuthenticationProvider found for {0}"));
        }
        //认证失败事件
        eventPublisher.publishAuthenticationFailure(lastException, authentication);
       //如果认证不通过，抛出异常
        throw lastException;
    }

Provicder认证：

基于form的provider是DaoAuthenticationProvider，继承了AbstractUserDetailsAuthenticationProvider，看authenticate方法

    public Authentication authenticate(Authentication authentication) throws AuthenticationException {
        Assert.isInstanceOf(UsernamePasswordAuthenticationToken.class, authentication,
            messages.getMessage("AbstractUserDetailsAuthenticationProvider.onlySupports",
                "Only UsernamePasswordAuthenticationToken is supported"));

        // Determine username
        String username = (authentication.getPrincipal() == null) ? "NONE_PROVIDED" : authentication.getName();

        boolean cacheWasUsed = true;
        UserDetails user = this.userCache.getUserFromCache(username);

        if (user == null) {
            cacheWasUsed = false;

            try {
                //获取用户信息
                user = retrieveUser(username, (UsernamePasswordAuthenticationToken) authentication);
            } catch (UsernameNotFoundException notFound) {
                logger.debug("User '" + username + "' not found");

                if (hideUserNotFoundExceptions) {
                    throw new BadCredentialsException(messages.getMessage(
                            "AbstractUserDetailsAuthenticationProvider.badCredentials", "Bad credentials"));
                } else {
                    throw notFound;
                }
            }

            Assert.notNull(user, "retrieveUser returned null - a violation of the interface contract");
        }

        try {
            //检测用户状态-是否锁定、是否可用、是否过期、密码是否过期
            preAuthenticationChecks.check(user);
            //密码校验，根据指定的加密算法、是否有base64，盐值等进行校验
            additionalAuthenticationChecks(user, (UsernamePasswordAuthenticationToken) authentication);
        } catch (AuthenticationException exception) {
            if (cacheWasUsed) {
                // There was a problem, so try again after checking
                // we're using latest data (i.e. not from the cache)
                cacheWasUsed = false;
                user = retrieveUser(username, (UsernamePasswordAuthenticationToken) authentication);
                preAuthenticationChecks.check(user);
                additionalAuthenticationChecks(user, (UsernamePasswordAuthenticationToken) authentication);
            } else {
                throw exception;
            }
        }

        postAuthenticationChecks.check(user);

        if (!cacheWasUsed) {
            this.userCache.putUserInCache(user);
        }

        Object principalToReturn = user;

        if (forcePrincipalAsString) {//如果要求principal是String类型的，那么将其赋值为用户名
            principalToReturn = user.getUsername();
        }
        //返回认证成功的Authentication对象
        return createSuccessAuthentication(principalToReturn, authentication, user);
    }

有几个地方再详细说下

1.retrieveUser方法

    protected final UserDetails retrieveUser(String username, UsernamePasswordAuthenticationToken authentication)
            throws AuthenticationException {
        UserDetails loadedUser;

        try {
            //获取用户信息
            loadedUser = this.getUserDetailsService().loadUserByUsername(username);
        }
        catch (DataAccessException repositoryProblem) {
            throw new AuthenticationServiceException(repositoryProblem.getMessage(), repositoryProblem);
        }

        if (loadedUser == null) {
            throw new AuthenticationServiceException(
                    "UserDetailsService returned null, which is an interface contract violation");
        }
        return loadedUser;
    }

这里面getUserDetailsService()就是获取我们在spring-security.xml自定义的userDetailService：http>authentication-manager>authentication-provider>user-service-ref，根据实现的loadUserByUsername方法获取UserDetails对象

2.createSuccessAuthentication方法：

    protected Authentication createSuccessAuthentication(Object principal, Authentication authentication,
            UserDetails user) {
        // Ensure we return the original credentials the user supplied,
        // so subsequent attempts are successful even with encoded passwords.
        // Also ensure we return the original getDetails(), so that future
        // authentication events after cache expiry contain the details
        //new了一个新的authentication对象
        UsernamePasswordAuthenticationToken result = new UsernamePasswordAuthenticationToken(principal,
                authentication.getCredentials(), user.getAuthorities());
        result.setDetails(authentication.getDetails());

        return result;
    }

new一个新的authentication对象还是挺有意义的，UsernamePasswordAuthenticationToken的构造方法：

    public UsernamePasswordAuthenticationToken(Object principal, Object credentials, Collection<? extends GrantedAuthority> authorities) {
        super(authorities);
        this.principal = principal;
        this.credentials = credentials;
        //将其设置为true，在其他地方要用到，比如在进行权限校验的时候会检查这个属性，如果不为true会再次校验，详细内容后面再说。
        super.setAuthenticated(true); // must use super, as we override
    }