一、基本流程

rest_framework框架是基于CBV基础开发的(VPIView(View)),所以基本流程与CBV流程相似

当我们的请求发来后,会走as_views,执行view里面的方法,最开始都要执行dispatch方法

urls.py
url(r'^books/$', views.BookViews.as_view())
views.py
class BookViews(APIView):

    def get(self,request,*args,**kwargs):
    passdef post(self,request,*args,**kwargs):
    pass

当请求进来时首先进入as_view()

APIView类中的as_view(),

class APIView(View):

    @classmethod
    def as_view(cls, **initkwargs):
        """
        Store the original class on the view function.

        This allows us to discover information about the view when we do URL
        reverse lookups.  Used for breadcrumb generation.
        """
        if isinstance(getattr(cls, 'queryset', None), models.query.QuerySet):
            def force_evaluation():
                raise RuntimeError(
                    'Do not evaluate the `.queryset` attribute directly, '
                    'as the result will be cached and reused between requests. '
                    'Use `.all()` or call `.get_queryset()` instead.'
                )
            cls.queryset._fetch_all = force_evaluation

        view = super(APIView, cls).as_view(**initkwargs)    #执行父类(view)的as_view()
        view.cls = cls
        view.initkwargs = initkwargs

        # Note: session based authentication is explicitly CSRF validated,
        # all other authentication is CSRF exempt.
        return csrf_exempt(view)

进入原生View类中

class View(object):

    http_method_names = ['get', 'post', 'put', 'patch', 'delete', 'head', 'options', 'trace']

    def __init__(self, **kwargs):
        for key, value in six.iteritems(kwargs):
            setattr(self, key, value)

    @classonlymethod
    def as_view(cls, **initkwargs):
        def view(request, *args, **kwargs):
            self = cls(**initkwargs)
            if hasattr(self, 'get') and not hasattr(self, 'head'):
                self.head = self.get
            self.request = request
            self.args = args
            self.kwargs = kwargs
            return self.dispatch(request, *args, **kwargs)  #执行dispatch()(走APIView中的dispatch())
        view.view_class = cls
        view.view_initkwargs = initkwargs

        # take name and docstring from class
        update_wrapper(view, cls, updated=())

        # and possible attributes set by decorators
        # like csrf_exempt from dispatch
        update_wrapper(view, cls.dispatch, assigned=())
        return view

所以访问views中的类是先执行dispatch方法(如果自己定义了则走自己的dispatch()),然后再用调用 其他方法

APIView中的dispatch():

def dispatch(self, request, *args, **kwargs):
    """
    `.dispatch()` is pretty much the same as Django's regular dispatch,
    but with extra hooks for startup, finalize, and exception handling.
    """
    self.args = args
    self.kwargs = kwargs
  1.#执行此方法
    request = self.initialize_request(request, *args, **kwargs)   
    def initialize_request(self, request, *args, **kwargs):

        """

        Returns the initial request object.

        """

        parser_context = self.get_parser_context(request)

     #对request进行二次封装,增加了一些功能,放入到rest_framerwork中Request中
        # 原来request对象,django.core.handlers.wsgi.WSGIRequest
         # 现在的request对象,rest_framework.request.Request

        return Request(

            request,

            parsers=self.get_parsers(),

            authenticators=self.get_authenticators(),#用于用户认证,为一个列表
    negotiator=self.get_content_negotiator(), parser_context=parser_context )

将这些东西前部都封装在rest_framework的Resquest中,并返回她的对象request,从这以后我们调用的request对象不再是Django提供的request对象了,而是APIView的Resquest的对象,
    self.request = request
    self.headers = self.default_response_headers  # deprecate?

    try:
     #2.处理版本信息 处理认证信息 处理权限信息 对用户的访问频率进行限制
        self.initial(request, *args, **kwargs)
    def initial(self, request, *args, **kwargs):

        """

        Runs anything that needs to occur prior to calling the method handler.

        """

        self.format_kwarg = self.get_format_suffix(**kwargs)

        # Perform content negotiation and store the accepted info on the request

        neg = self.perform_content_negotiation(request)

        request.accepted_renderer, request.accepted_media_type = neg

        # Determine the API version, if versioning is in use.
     #版本

        version, scheme = self.determine_version(request, *args, **kwargs)

        request.version, request.versioning_scheme = version, scheme

        # Ensure that the incoming request is permitted

    #认证        
    self.perform_authentication(request)
    #权限

        self.check_permissions(request)
    #访问频率

        self.check_throttles(request)
        # Get the appropriate handler method
    #3 根据用户提交的请求方法利用反射得到请求方式
        if request.method.lower() in self.http_method_names:
            handler = getattr(self, request.method.lower(),
                              self.http_method_not_allowed)
        else:
            handler = self.http_method_not_allowed
     #调用具体的方法做具体的操作
        response = handler(request, *args, **kwargs)

    except Exception as exc:
        response = self.handle_exception(exc)
  
  #4.将处理后的response包装
    self.response = self.finalize_response(request, response, *args, **kwargs)
    return self.response

二、处理认证的具体分析

当diapatch方法进行到第一步时,我们调用了initialize_request方法将request等封装在Request中顶返回其对象,

def dispatch(self, request, *args, **kwargs):
    """
    `.dispatch()` is pretty much the same as Django's regular dispatch,
    but with extra hooks for startup, finalize, and exception handling.
    """
    self.args = args
    self.kwargs = kwargs
    request = self.initialize_request(request, *args, **kwargs)
    self.request = request
    self.headers = self.default_response_headers  # deprecate?

    try:
        self.initial(request, *args, **kwargs)

        # Get the appropriate handler method
        if request.method.lower() in self.http_method_names:
            handler = getattr(self, request.method.lower(),
                              self.http_method_not_allowed)
        else:
            handler = self.http_method_not_allowed

        response = handler(request, *args, **kwargs)

    except Exception as exc:
        response = self.handle_exception(exc)

    self.response = self.finalize_response(request, response, *args, **kwargs)
    return self.response

authenticators=self.get_authenticators() #用于用户认证 是一个由authentication对象组成的列表

    def get_authenticators(self):

        """

        Instantiates and returns the list of authenticators that this view can use.

        """

        return [auth() for auth in self.authentication_classes]
authentication_classes为一个authentication类组成的列表,他默认是调用
authentication_classes = api_settings.DEFAULT_AUTHENTICATION_CLASSES

当然我们一般是自己定义或者配置到settings中,至此我们的得到authentication对象的列表,其封装在Request对象中,

接的执行第二步

#2.处理版本信息 处理认证信息 处理权限信息 对用户的访问频率进行限制

self.initial(request, *args, **kwargs)
 #2.2处理认证信息

        self.perform_authentication(request)

查看perform_authentication的源码如下

    def perform_authentication(self, request):

        """

        Perform authentication on the incoming request.

        Note that if you override this and simply 'pass', then authentication

        will instead be performed lazily, the first time either

        `request.user` or `request.auth` is accessed.

        """

        request.user

其调用了rest_framework中Request的user方法(这个方法肯定别@property装饰(静态方法),不然的话不可能直接不加括号的调用)

from rest_framework.request import Request

Request类中的user方法

 @property

    def user(self):

        """

        Returns the user associated with the current request, as authenticated

        by the authentication classes provided to the request.

        """

        #判断当前类中是否有已经认证过的user

        if not hasattr(self, '_user'):

            #没有认证则去认证

            self._authenticate()

        #认证过了直接返回

        return self._user

注意:user中的self代表的是request对象

没认证的话执行 调用Request类中的_authenticate()方法

 def _authenticate(self):

        """

        Attempt to authenticate the request using each authentication instance

        in turn.

        """

        #遍历request对象中封装的Authentication对象

        for authenticator in self.authenticators:

            try:

                #调用Authentication对象中的authenticate方法,必须要有这个方法不然抛出异常

                #当然Authentication类一般有我们自己定义,实现这个方法就可以了

                user_auth_tuple = authenticator.authenticate(self)

            except exceptions.APIException:

                self._not_authenticated()

                raise

            if user_auth_tuple is not None:

                self._authenticator = authenticator

                self.user, self.auth = user_auth_tuple

                return

        self._not_authenticated()

局部认证

auth.py

# 局部认证

from ..models import *

from rest_framework.authentication import BaseAuthentication

from rest_framework import exceptions

class MyAuthenticate(BaseAuthentication):

    def authenticate(self,request):

        token=request._request.GET.get("token")

        print("token",token)

        user_token_obj=UserToken.objects.filter(token=token).first()

        if user_token_obj:

            # 必须返回元祖request.user=user_token_obj, request.auth=token

            return user_token_obj,token

        else:

            raise exceptions.AuthenticationFailed("校验失败")

view.py

class BookViewsSet(viewsets.ModelViewSet):

    # 认证

    authentication_classes=[MyAuthenticate]

    queryset = Book.objects.all()

    serializer_class = BookModelSerializer(序列化)

全局认证

settings.py

REST_FRAMEWORK={

    "DEFAULT_AUTHENTICATION_CLASSES": ["api.servise.auth.MyAuthenticate"],

}

auth.py

# 局部认证

from ..models import *

from rest_framework.authentication import BaseAuthentication

from rest_framework import exceptions

class MyAuthenticate(BaseAuthentication):

    def authenticate(self,request):

        token=request._request.GET.get("token")

        print("token",token)

        user_token_obj=UserToken.objects.filter(token=token).first()

        if user_token_obj:

            # 必须返回元祖request.user=user_token_obj, request.auth=token

            return user_token_obj,token

        else:

            raise exceptions.AuthenticationFailed("校验失败")

待续

rest_framework 认证流程的更多相关文章

  1. 二、django rest_framework源码之认证流程剖析

    1 绪言 上一篇中讲了django rest_framework总体流程,整个流程中最关键的一步就是执行dispatch方法.在dispatch方法中,在调用了一个initial方法,所有的认证.权限 ...

  2. Django rest_framework 认证源码流程

    一.请求到来后,都要先执行dispatch方法 dispatch根据请求方式的不同触发get/post/put/delete等方法 注意,APIView中的dispatch方法有很多的功能 def d ...

  3. rest_framework 权限流程

    权限流程 权限流程与认证流程非常相似,只是后续操作稍有不同 当用户访问是 首先执行dispatch函数,当执行当第二部时: #2.处理版本信息 处理认证信息 处理权限信息 对用户的访问频率进行限制 s ...

  4. rest_framework 认证功能

    from django.views import View from rest_framework.views import APIView from rest_framework.authentic ...

  5. CWMP开源代码研究4——认证流程

    TR069 Http Digest 认证流程   一 流程及流程图 1.1盒端主动发起Http Digest认证流程  盒端CPE                                    ...

  6. Kerberos认证流程详解

    Kerberos是诞生于上个世纪90年代的计算机认证协议,被广泛应用于各大操作系统和Hadoop生态系统中.了解Kerberos认证的流程将有助于解决Hadoop集群中的安全配置过程中的问题.为此,本 ...

  7. Shiro第二篇【介绍Shiro、认证流程、自定义realm、自定义realm支持md5】

    什么是Shiro shiro是apache的一个开源框架,是一个权限管理的框架,实现 用户认证.用户授权. spring中有spring security (原名Acegi),是一个权限框架,它和sp ...

  8. 最简单易懂的Spring Security 身份认证流程讲解

    最简单易懂的Spring Security 身份认证流程讲解 导言 相信大伙对Spring Security这个框架又爱又恨,爱它的强大,恨它的繁琐,其实这是一个误区,Spring Security确 ...

  9. ASP.NET Forms 认证流程

    ASP.NET Forms 认证 Forms认证基础 HTTP是无状态的协议,也就是说用户的每次请求对服务器来说都是一次全新的请求,服务器不能识别这个请求是哪个用户发送的. 那服务器如何去判断一个用户 ...

随机推荐

  1. 牛客网(string::find()函数回忆一下)

    链接:https://www.nowcoder.com/acm/contest/109/B来源:牛客网 给出两个串s和x 定义s中的某一位i为好的位置,当且仅当存在s的子序列 满足y=x且存在j使得i ...

  2. 详细解析@Resource和@Autowired的区别 , 以及@Qualifier的作用

    (41)  (0) 首先 . @Resource是javax.annotation 包中的注解类 , 是jdk中封装的 . @AutoWired是spring的中注解,依赖于spring上下文. 相同 ...

  3. [POJ1784]Huffman's Greed

    题面在这里 题意 给出一棵\(n\)个节点的二叉查找树的中序遍历中每个节点的访问次数\(p[i]\),和相邻两节点\(i\)和\(i+1\)的访问次数\(q[i]\),构造一棵二叉查找树使得\(\su ...

  4. 导致SQL执行慢的原因

    索引对大数据的查询速度的提升是非常大的,Explain可以帮你分析SQL语句是否用到相关索引. 索引类似大学图书馆建书目索引,可以提高数据检索的效率,降低数据库的IO成本.MySQL在300万条记录左 ...

  5. [bzoj] 2694 Lcm || 莫比乌斯反演

    原题 定义整数a,b,求所有满足条件的lcm(a,b)的和: 1<=a<=A 1<=b<=B ∀n>1,n2†gcd(a,b)(即任意n>1,\(n^2\)不是gc ...

  6. java Collections.sort()实现List排序的默认方法和自定义方法【转】

    1.java提供的默认list排序方法 主要代码: List<String> list = new ArrayList();list.add("刘媛媛"); list. ...

  7. linux bash学习(一)

    1.请你以 read 指令的用途,撰写一个 script ,他可以让使用者输入:1. first name 与 2. last name, 最后并且在屏幕上显示:“Your full name is: ...

  8. JSOI2008 星球大战 [并查集]

    题目描述 很久以前,在一个遥远的星系,一个黑暗的帝国靠着它的超级武器统治者整个星系. 某一天,凭着一个偶然的机遇,一支反抗军摧毁了帝国的超级武器,并攻下了星系中几乎所有的星球.这些星球通过特殊的以太隧 ...

  9. JAX-WS 注解

    一.概述 “基于 XML 的 Web Service 的 Java API”(JAX-WS)通过使用注释来指定与 Web Service 实现相关联的元数据以及简化 Web Service 的开发.注 ...

  10. 批量添加公钥给server的bash

    Bash 脚本 #/bin/bash adduser vlmonitor mkdir -p /home/vlmonitor/.ssh chown -R vlmonitor.vlmonitor /hom ...