AbstractAuthenticationProcessingFilter
1、doFilter->attemptAuthentication
UsernamePasswordAuthenticationFilter extends AbstractAuthenticationProcessingFilter
2、attemptAuthentication-> authenticate
ProviderManager implements AuthenticationManager
3.authenticate->authenticate
AbstractUserDetailsAuthenticationProvider implements AuthenticationProvider
4。authenticate->retrieveUser
DaoAuthenticationProvider extends AbstractUserDetailsAuthenticationProvider
5。retrieveUser->UserDetailsServiceImp
UserDetailsServiceImp implements UserDetailsServiceder
public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
throws IOException, ServletException {
HttpServletRequest request = (HttpServletRequest) req;
HttpServletResponse response = (HttpServletResponse) res;
//判断form-login标签是否包含login-processing-url属性
//如果没有采用默认的url:j_spring_security_check
//如果拦截的url不需要认证,直接跳过
if (!requiresAuthentication(request, response)) {
chain.doFilter(request, response);
return;
}
if (logger.isDebugEnabled()) {
logger.debug("Request is to process authentication");
}
Authentication authResult;
try {
//由子类完成认证
authResult = attemptAuthentication(request, response);
if (authResult == null) {
// return immediately as subclass has indicated that it hasn't completed authentication
return;
}
//session策略处理认证信息
//sessionStrategy是通过session-management标签中定义的
//session管理策略构造的SessionAuthenticationStrategy
//具体的session管理比较复杂,部分后面单个篇幅讲解
sessionStrategy.onAuthentication(authResult, request, response);
}
catch (AuthenticationException failed) {
// Authentication failed
//认证失败处理
unsuccessfulAuthentication(request, response, failed);
return;
}
// Authentication success
if (continueChainBeforeSuccessfulAuthentication) {
chain.doFilter(request, response);
}
//认证成功处理
//1.向SecurityContext中设置Authentication认证信息
//2.如果有remember me服务,则查找请求参数中是否包含_spring_security_remember_me,如果该参数值为true、yes、on、1则执行remember me功能:添加cookie、入库。为下次请求时自动登录做准备
//3.发布认证成功事件
//4.执行跳转
successfulAuthentication(request, response, authResult);
}
这里的authenticationManager变量也是通过解析form-login标签,构造bean时注入的,具体解析类为:org.springframework.security.config.http.AuthenticationConfigBuilder
代码片段为
void createFormLoginFilter(BeanReference sessionStrategy, BeanReference authManager) {
Element formLoginElt = DomUtils.getChildElementByTagName(httpElt, Elements.FORM_LOGIN);
if (formLoginElt != null || autoConfig) {
FormLoginBeanDefinitionParser parser = new FormLoginBeanDefinitionParser("/j_spring_security_check",
AUTHENTICATION_PROCESSING_FILTER_CLASS, requestCache, sessionStrategy);
parser.parse(formLoginElt, pc);
formFilter = parser.getFilterBean();
formEntryPoint = parser.getEntryPointBean();
}
if (formFilter != null) {
formFilter.getPropertyValues().addPropertyValue("allowSessionCreation", new Boolean(allowSessionCreation));
//设置authenticationManager的bean依赖
formFilter.getPropertyValues().addPropertyValue("authenticationManager", authManager);
// Id is required by login page filter
formFilterId = pc.getReaderContext().generateBeanName(formFilter);
pc.registerBeanComponent(new BeanComponentDefinition(formFilter, formFilterId));
injectRememberMeServicesRef(formFilter, rememberMeServicesId);
}
}
ProviderManager继承于AuthenticationManager。实际上authenticate方法由ProviderManager的定义,代码如下
public Authentication authenticate(Authentication authentication) throws AuthenticationException {
Class<? extends Authentication> toTest = authentication.getClass();
AuthenticationException lastException = null;
Authentication result = null;
boolean debug = logger.isDebugEnabled();
for (AuthenticationProvider provider : getProviders()) {
if (!provider.supports(toTest)) {
continue;
}
if (debug) {
logger.debug("Authentication attempt using " + provider.getClass().getName());
}
try {
result = provider.authenticate(authentication);
if (result != null) {
copyDetails(authentication, result);
break;
}
} catch (AccountStatusException e) {
prepareException(e, authentication);
// SEC-546: Avoid polling additional providers if auth failure is due to invalid account status
throw e;
} catch (AuthenticationException e) {
lastException = e;
}
}
if (result == null && parent != null) {
// Allow the parent to try.
try {
result = parent.authenticate(authentication);
} catch (ProviderNotFoundException e) {
// ignore as we will throw below if no other exception occurred prior to calling parent and the parent
// may throw ProviderNotFound even though a provider in the child already handled the request
} catch (AuthenticationException e) {
lastException = e;
}
}
if (result != null) {
if (eraseCredentialsAfterAuthentication && (result instanceof CredentialsContainer)) {
// Authentication is complete. Remove credentials and other secret data from authentication
((CredentialsContainer)result).eraseCredentials();
}
eventPublisher.publishAuthenticationSuccess(result);
return result;
}
// Parent was null, or didn't authenticate (or throw an exception).
if (lastException == null) {
lastException = new ProviderNotFoundException(messages.getMessage("ProviderManager.providerNotFound",
new Object[] {toTest.getName()}, "No AuthenticationProvider found for {0}"));
}
prepareException(lastException, authentication);
throw lastException;
}
ProviderManager类中的providers由哪些provider呢?如果看完authentication-manager标签解析的讲解,应该知道注入到providers中的provider分别为:
org.springframework.security.authentication.dao.DaoAuthenticationProvider
org.springframework.security.authentication.AnonymousAuthenticationProvider
其他的provider根据特殊情况,再添加到providers中的,如remember me功能的provider
org.springframework.security.authentication.RememberMeAuthenticationProvider
可以看出来,ProviderManager仅仅是管理provider的,具体的authenticate认证任务由各自provider来完成。
现在来看DaoAuthenticationProvider的认证处理,实际上authenticate由父类AbstractUserDetailsAuthenticationProvider完成。代码如下
public Authentication authenticate(Authentication authentication) throws AuthenticationException {
…………
//获取登录的用户名
String username = (authentication.getPrincipal() == null) ? "NONE_PROVIDED" : authentication.getName();
boolean cacheWasUsed = true;
//如果配置了缓存,从缓存中获取UserDetails实例
UserDetails user = this.userCache.getUserFromCache(username);
if (user == null) {
cacheWasUsed = false;
try {
//如果UserDetails为空,则由具体子类DaoAuthenticationProvider
//根据用户名、authentication获取UserDetails
user = retrieveUser(username, (UsernamePasswordAuthenticationToken) authentication);
} catch (UsernameNotFoundException notFound) {
if (hideUserNotFoundExceptions) {
throw new BadCredentialsException(messages.getMessage(
"AbstractUserDetailsAuthenticationProvider.badCredentials", "Bad credentials"));
} else {
throw notFound;
}
}
Assert.notNull(user, "retrieveUser returned null - a violation of the interface contract");
}
try {
//一些认证检查(账号是否可用、是否过期、是否被锁定)
preAuthenticationChecks.check(user);
//额外的密码检查(salt、passwordEncoder)
additionalAuthenticationChecks(user, (UsernamePasswordAuthenticationToken) authentication);
} catch (AuthenticationException exception) {
if (cacheWasUsed) {
// There was a problem, so try again after checking
// we're using latest data (i.e. not from the cache)
cacheWasUsed = false;
user = retrieveUser(username, (UsernamePasswordAuthenticationToken) authentication);
preAuthenticationChecks.check(user);
additionalAuthenticationChecks(user, (UsernamePasswordAuthenticationToken) authentication);
} else {
throw exception;
}
}
//检查账号是否过期
postAuthenticationChecks.check(user);
//添加UserDetails到缓存中
if (!cacheWasUsed) {
this.userCache.putUserInCache(user);
}
Object principalToReturn = user;
if (forcePrincipalAsString) {
principalToReturn = user.getUsername();
}
//返回成功认证后的Authentication
return createSuccessAuthentication(principalToReturn, authentication, user);
}
继续看DaoAuthenticationProvider的retrieveUser方法
public UserDetails loadUserByUsername(String username) throws UsernameNotFoundException, DataAccessException {
//根据username从数据库中查询User数据
List<UserDetails> users = loadUsersByUsername(username);
if (users.size() == 0) {
throw new UsernameNotFoundException(
messages.getMessage("JdbcDaoImpl.notFound", new Object[]{username}, "Username {0} not found"), username);
}
UserDetails user = users.get(0); // contains no GrantedAuthority[]
Set<GrantedAuthority> dbAuthsSet = new HashSet<GrantedAuthority>();
//添加授权信息
if (enableAuthorities) {
dbAuthsSet.addAll(loadUserAuthorities(user.getUsername()));
}
//是否使用了Group
if (enableGroups) {
dbAuthsSet.addAll(loadGroupAuthorities(user.getUsername()));
}
List<GrantedAuthority> dbAuths = new ArrayList<GrantedAuthority>(dbAuthsSet);
addCustomAuthorities(user.getUsername(), dbAuths);
if (dbAuths.size() == 0) {
throw new UsernameNotFoundException(
messages.getMessage("JdbcDaoImpl.noAuthority",
new Object[] {username}, "User {0} has no GrantedAuthority"), username);
}
return createUserDetails(username, user, dbAuths);
}
//usersByUsernameQuery查询语句可配置
//直接从数据库中查询该username对应的数据,并构造User对象
protected List<UserDetails> loadUsersByUsername(String username) {
return getJdbcTemplate().query(usersByUsernameQuery, new String[] {username}, new RowMapper<UserDetails>() {
public UserDetails mapRow(ResultSet rs, int rowNum) throws SQLException {
String username = rs.getString(1);
String password = rs.getString(2);
boolean enabled = rs.getBoolean(3);
return new User(username, password, enabled, true, true, true, AuthorityUtils.NO_AUTHORITIES);
}
});
}
……
protected UserDetails createUserDetails(String username, UserDetails userFromUserQuery,
List<GrantedAuthority> combinedAuthorities) {
String returnUsername = userFromUserQuery.getUsername();
if (!usernameBasedPrimaryKey) {
returnUsername = username;
}
//根据用户名、密码、enabled、授权列表构造UserDetails实例User
return new User(returnUsername, userFromUserQuery.getPassword(), userFromUserQuery.isEnabled(),
true, true, true, combinedAuthorities);
}
protected final UserDetails retrieveUser(String username, UsernamePasswordAuthenticationToken authentication)
throws AuthenticationException {
UserDetails loadedUser;
try {
//最关键的部分登场了
//UserDetailService就是authentication-provider标签中定义的
//属性user-service-ref
loadedUser = this.getUserDetailsService().loadUserByUsername(username);
}
catch (DataAccessException repositoryProblem) {
throw new AuthenticationServiceException(repositoryProblem.getMessage(), repositoryProblem);
}
if (loadedUser == null) {
throw new AuthenticationServiceException(
"UserDetailsService returned null, which is an interface contract violation");
}
return loadedUser;
}
实际上,只要实现UserDetailsService接口的loadUserByUsername方法,就完成了登录认证的工作
<authentication-manager alias="authenticationManager">
<authentication-provider user-service-ref="userDetailsManager"/>
</authentication-manager>
很多教程上说配置JdbcUserDetailsManager这个UserDetailsService,实际上该类的父类
JdbcDaoImpl方法loadUserByUsername代码如下:
public UserDetails loadUserByUsername(String username) throws UsernameNotFoundException, DataAccessException {
//根据username从数据库中查询User数据
List<UserDetails> users = loadUsersByUsername(username);
if (users.size() == 0) {
throw new UsernameNotFoundException(
messages.getMessage("JdbcDaoImpl.notFound", new Object[]{username}, "Username {0} not found"), username);
}
UserDetails user = users.get(0); // contains no GrantedAuthority[]
Set<GrantedAuthority> dbAuthsSet = new HashSet<GrantedAuthority>();
//添加授权信息
if (enableAuthorities) {
dbAuthsSet.addAll(loadUserAuthorities(user.getUsername()));
}
//是否使用了Group
if (enableGroups) {
dbAuthsSet.addAll(loadGroupAuthorities(user.getUsername()));
}
List<GrantedAuthority> dbAuths = new ArrayList<GrantedAuthority>(dbAuthsSet);
addCustomAuthorities(user.getUsername(), dbAuths);
if (dbAuths.size() == 0) {
throw new UsernameNotFoundException(
messages.getMessage("JdbcDaoImpl.noAuthority",
new Object[] {username}, "User {0} has no GrantedAuthority"), username);
}
return createUserDetails(username, user, dbAuths);
}
//usersByUsernameQuery查询语句可配置
//直接从数据库中查询该username对应的数据,并构造User对象
protected List<UserDetails> loadUsersByUsername(String username) {
return getJdbcTemplate().query(usersByUsernameQuery, new String[] {username}, new RowMapper<UserDetails>() {
public UserDetails mapRow(ResultSet rs, int rowNum) throws SQLException {
String username = rs.getString(1);
String password = rs.getString(2);
boolean enabled = rs.getBoolean(3);
return new User(username, password, enabled, true, true, true, AuthorityUtils.NO_AUTHORITIES);
}
});
}
……
protected UserDetails createUserDetails(String username, UserDetails userFromUserQuery,
List<GrantedAuthority> combinedAuthorities) {
String returnUsername = userFromUserQuery.getUsername();
if (!usernameBasedPrimaryKey) {
returnUsername = username;
}
//根据用户名、密码、enabled、授权列表构造UserDetails实例User
return new User(returnUsername, userFromUserQuery.getPassword(), userFromUserQuery.isEnabled(),
true, true, true, combinedAuthorities);
}
其他的provider,如
RememberMeAuthenticationProvider、AnonymousAuthenticationProvider的认证处理都很简单,首先判断是否支持Authentication,不支持直接返回null,支持也不处理直接返回该Authentication
这里需要强调一下,DaoAuthenticationProvider只支持UsernamePasswordAuthenticationToken这个Authentication。如果对其他的Authentication,DaoAuthenticationProvider是不做处理的
分享到:
相关推荐
### Spring Security 源码分析知识点 #### 一、Spring Security 概述 Spring Security 是一个强大且可高度定制的身份验证和访问控制框架。它提供了许多功能,包括登录表单、记住密码、CSRF 保护等。为了更好地理解...
Spring Security 是一个强大的Java安全框架,用于...总的来说,Spring Security 3的学习笔记和源码分析对提升安全开发技能大有裨益,不仅可以加深理论理解,还能在实际项目中灵活运用,构建更加健壮、安全的应用系统。
在源码分析中,你可能会看到SpringSecurity如何利用过滤器链来处理HTTP请求,如`UsernamePasswordAuthenticationFilter`用于处理登录请求,`AnonymousAuthenticationFilter`确保未认证用户默认有一个匿名角色,还有`...
本篇文章将深入探讨Spring Security的核心概念和源码分析。 1. **核心组件** - `SecurityContextHolder`: 它是Spring Security的核心,存储当前请求的安全上下文,包含认证信息和权限。 - `Authentication`: 表示...
源码分析可以帮助我们更好地理解框架内部的工作流程: 1. **AuthenticationManager**:这是Spring Security的核心组件,负责处理认证请求。它通常由多个`AuthenticationProvider`组成,每个`AuthenticationProvider...
**Spring Security 源码分析** Spring Security 是一个强大的、高度可定制的访问控制和身份认证框架,广泛应用于Java EE应用程序的安全管理。它为开发者提供了丰富的功能,包括身份验证、授权、会话管理以及CSRF...
综上,Spring Security 3.1.3源码的分析和学习,可以帮助开发者深入理解Web安全原理,掌握如何利用这个强大的框架来保护应用程序免受攻击。通过对源码的研究,可以更清晰地了解其内部工作方式,从而更好地进行定制化...
1. **源码结构分析**:了解主要组件的类结构和它们之间的关系,如`Authentication`、`Authorization`、`FilterChainProxy`等。 2. **关键类的实现**:深入研究`AbstractAuthenticationProcessingFilter`、`...
源码分析可以帮助我们深入理解Spring Security的工作原理,包括它如何处理认证、授权、过滤请求、会话管理等。通过对源码的学习,开发者可以更有效地定制和优化Spring Security以满足特定的应用场景需求。例如,你...
Spring Security 是一个强大的安全框架,主要用于Java应用的安全管理,包括Web应用和...通过学习和分析这套源码,开发者可以深入理解Spring Security如何保护REST服务,从而在实际项目中更有效地应用和扩展这个框架。
在源码中,你可能会看到`UsernamePasswordAuthenticationFilter`的使用,这是处理表单登录的标准过滤器。用户提交的用户名和密码被验证,如果匹配,Spring Security将创建一个`Authentication`对象,表示用户已成功...
Spring Security 是一个强大的和高度可定制的身份验证和访问控制框架,用于Java应用...通过分析源码,我们可以学习如何实现自定义的身份验证提供者、授权策略,甚至构建自己的安全过滤器,以提高应用的安全性和可靠性。
**源码分析** 深入理解Spring Security的源码有助于定制和优化你的安全解决方案。你可以从以下几个方面入手: - 认证流程:研究`AuthenticationProvider`和`UserDetailsService`的实现。 - 权限控制:查看`...
源码分析对于深入理解Spring Security的工作原理至关重要。通过阅读源码,开发者可以了解每个组件如何协同工作,以及如何根据特定需求定制框架。例如,你可以研究`FilterSecurityInterceptor`如何调用`...
**源码分析**: 在`AuthenticationProcessingFilter`的实现中,可以关注以下几个关键方法: - `attemptAuthentication`: 这是执行身份验证的核心方法,它从请求中提取出用户名和密码,创建`Authentication`对象,...
在分析`spring-security 5.0`的源码时,我们可以深入理解其核心机制,帮助我们更好地使用和扩展该框架。 1. **模块结构**: Spring Security 5.0 的源码包含多个模块,如`core`、`config`、`web`等。`core`模块...
本篇文章将深入探讨Spring Security的核心概念、架构及其源码分析。 1. **核心组件** - **Filter Chain**: Spring Security 的核心是过滤器链,它处理HTTP请求,执行安全相关的操作,如认证和授权。 - **...