流程简单梳理

- 入口

from django.contrib.auth import authenticate

user = authenticate(username=cd['username'], password=cd['password'])

# If the given credentials are valid, return a User object.

	- 获取全部用于认证的backend

	settings.AUTHENTICATION_BACKENDS

	Default: ['django.contrib.auth.backends.ModelBackend']

	# https://docs.djangoproject.com/en/1.11/ref/settings/#auth

	- 遍历全部backend并执行认证操作

	user = _authenticate_with_backend(backend, backend_path, request, credentials)

	# credentials: { 'username':'xxx', 'password':'xxx' }

	默认只有ModelBackend这个backend,认证是通过调用这个类里的authenticate函数

		- 通过username查找出user对象

		- user.check_password(password)

		    # django.contrib.auth.base_user.AbstractBaseUser

			- AbstractBaseUser.check_password(self, raw_password)

				- django.contrib.auth.hashers.check_password(raw_password, self.password, setter)

					- 获取settings.PASSWORD_HASHERS里的第一个hash算法

					  默认是 django.contrib.auth.hashers.PBKDF2PasswordHasher

					- 根据self.password来找到当前用户的密码采用的hash算法

					- 判断用户密码采用的hash算法和当前默认的第一hash算法是否相同 (暂且只考虑相同的情况)

					- 把用户密码拆分成:algorithm, iterations, salt, hash,用iterations和hash算法的iterations做对比是否一致

					- 验证:hasher.verify(password, encoded)

						- 把用户输入的密码进行加密:先用hashlib.sha256,然后在用base64.b64encode最终计算出一个hash值

						- 然后把 self.algorithm, iterations, salt, hash 组合成一个字符串,记作encoded_2

						- 把用户真实密码和encoded_2作比较,看看是否相同

		- user_can_authenticate(user)

			- 判断当前用户的 is_active

from django.contrib.auth import authenticate

# 默认的第一个加密算法

class PBKDF2PasswordHasher(BasePasswordHasher):

    """

    Secure password hashing using the PBKDF2 algorithm (recommended)

    Configured to use PBKDF2 + HMAC + SHA256.

    The result is a 64 byte binary string.  Iterations may be changed

    safely but you must rename the algorithm if you change SHA256.

    """

    algorithm = "pbkdf2_sha256"

    iterations = 36000

    digest = hashlib.sha256

    def encode(self, password, salt, iterations=None):

        assert password is not None

        assert salt and '$' not in salt

        if not iterations:

            iterations = self.iterations

        hash = pbkdf2(password, salt, iterations, digest=self.digest)

        hash = base64.b64encode(hash).decode('ascii').strip()

        return "%s$%d$%s$%s" % (self.algorithm, iterations, salt, hash)

    def verify(self, password, encoded):

        algorithm, iterations, salt, hash = encoded.split('$', 3)

        assert algorithm == self.algorithm

        encoded_2 = self.encode(password, salt, int(iterations))

        return constant_time_compare(encoded, encoded_2)

    def safe_summary(self, encoded):

        algorithm, iterations, salt, hash = encoded.split('$', 3)

        assert algorithm == self.algorithm

        return OrderedDict([

            (_('algorithm'), algorithm),

            (_('iterations'), iterations),

            (_('salt'), mask_hash(salt)),

            (_('hash'), mask_hash(hash)),

        ])

    def must_update(self, encoded):

        algorithm, iterations, salt, hash = encoded.split('$', 3)

        return int(iterations) != self.iterations

    def harden_runtime(self, password, encoded):

        algorithm, iterations, salt, hash = encoded.split('$', 3)

        extra_iterations = self.iterations - int(iterations)

        if extra_iterations > 0:

            self.encode(password, salt, extra_iterations)

from django.contrib.auth.hashers import make_password

def make_password(password, salt=None, hasher='default'):

    """

    Turn a plain-text password into a hash for database storage

    Same as encode() but generates a new random salt.

    If password is None then a concatenation of

    UNUSABLE_PASSWORD_PREFIX and a random string will be returned

    which disallows logins. Additional random string reduces chances

    of gaining access to staff or superuser accounts.

    See ticket #20079 for more info.

    """

    if password is None:

        return UNUSABLE_PASSWORD_PREFIX + get_random_string(UNUSABLE_PASSWORD_SUFFIX_LENGTH)

    hasher = get_hasher(hasher)

    if not salt:

        salt = hasher.salt()

    return hasher.encode(password, salt)

from django.contrib.auth.hashers import check_password

def check_password(password, encoded, setter=None, preferred='default'):

    """

    Returns a boolean of whether the raw password matches the three

    part encoded digest.

    If setter is specified, it'll be called when you need to

    regenerate the password.

    """

    if password is None or not is_password_usable(encoded):

        return False

    preferred = get_hasher(preferred)

    hasher = identify_hasher(encoded)

    hasher_changed = hasher.algorithm != preferred.algorithm

    must_update = hasher_changed or preferred.must_update(encoded)

    is_correct = hasher.verify(password, encoded)

    # If the hasher didn't change (we don't protect against enumeration if it

    # does) and the password should get updated, try to close the timing gap

    # between the work factor of the current encoded password and the default

    # work factor.

    if not is_correct and not hasher_changed and must_update:

        hasher.harden_runtime(password, encoded)

    if setter and is_correct and must_update:

        setter(password)

    return is_correct

authenticate在处理用户登录验证时候的过程

import os

os.environ.setdefault('DJANGO_SETTINGS_MODULE','django_auth.settings')

from django.contrib.auth.hashers import (

    check_password, is_password_usable, make_password,

)

if __name__ == '__main__':

    raw_password = 'Qr3!JQc9bU@hrs2qjdqaE'

    password = make_password(raw_password)

    print(password)

    from django.conf import settings

    # print(settings.AUTHENTICATION_BACKENDS) # django.contrib.auth.backends.ModelBackend

    from django.utils.module_loading import import_string

    # for backend_path in settings.AUTHENTICATION_BACKENDS:

    #     backend = import_string(backend_path)()

    #     print(backend_path,backend)

    hashers_lst = settings.PASSWORD_HASHERS

    '''

    [

        'django.contrib.auth.hashers.PBKDF2PasswordHasher',

        'django.contrib.auth.hashers.PBKDF2SHA1PasswordHasher',

        'django.contrib.auth.hashers.Argon2PasswordHasher',

        'django.contrib.auth.hashers.BCryptSHA256PasswordHasher',

        'django.contrib.auth.hashers.BCryptPasswordHasher']

    '''

    preferred = import_string(hashers_lst[0])()

    # <django.contrib.auth.hashers.PBKDF2PasswordHasher object at 0x0000000000B3BAC8>

    print(preferred.algorithm)

    from django.contrib.auth import hashers

    encoded = 'pbkdf2_sha256$36000$0EDgzLtVVT7o$nWQ4t3+iWKzv9p6MUfNIQPazaasadhYUtKt2ubLRCTA='

    hasher = hashers.identify_hasher(encoded)

    # <django.contrib.auth.hashers.PBKDF2PasswordHasher object at 0x0000000000BB8978>

    print(hasher.algorithm)  # pbkdf2_sha256

    hasher_changed = hasher.algorithm != preferred.algorithm

    print(hasher_changed) # False

    is_correct = hasher.verify(raw_password, encoded)

    print(is_correct)

    algorithm, iterations, salt, hash = encoded.split('$', 3)

    print(algorithm, iterations, salt, hash)

    encoded2 = hasher.encode(raw_password, salt, int(iterations))

    print(encoded2)

看源码,打印输出,是接近真相最便捷的途径。  

authenticate验证的流程的更多相关文章

  1. https申请证书并部署到网站流程,浏览器验证证书流程

    https申请证书并部署到网站流程: 1.生成一对秘钥,设公钥为pubk1,私钥为prik12.假设发布的网站地址为https://www.example.com3.生成一个CSR文件(Cerific ...

  2. Token验证的流程及如何准确的判断一个数据的类型

    Token验证的流程: 1,客户端使用用户名跟密码请求登录:2,服务端收到请求,去验证用户名与密码:3,验证成功后,服务端会签发一个 Token,再把这个 Token 发送给客户端:4,客户端收到 T ...

  3. authenticate的执行流程与重写

    流程 1.authenticate调用的是_get_backends函数 def authenticate(request=None, **credentials): for backend, bac ...

  4. springcloud +spring security多种验证方式之第三方token生成自己的token通过校验和自己的表单验证大体流程

    步骤: 1.继承 WebSecurityConfigurerAdapter.class,其中使用两个过滤器,一个spring scurity自带的UsernamePasswordAuthenticat ...

  5. Shiro -- (二) 身份验证基本流程

    简介: 在 shiro 中,用户需要提供 principals (身份)和 credentials(证明)给 shiro,从而应用能验证用户身份: principals:身份,即主体的标识属性,可以是 ...

  6. Apache shiro之身份验证(登陆)流程

    从张开涛blog学习后整理:http://jinnianshilongnian.iteye.com/blog/2018398 上图中的类和接口都可以继承和实现来个性化自己的实现. 其中重点看一下Mod ...

  7. SharePoint2010 Form验证配置流程

    1.修改管理中心的Web.config文件,位置:C:\inetpub\wwwroot\wss\VirtualDirectories\42903 2.修改应用程序的Web.config文件,位置:C: ...

  8. 【ASP.NET】编程点滴 :ASP.NET身份验证

    ASP.NET实际开发中身份验证 是一个不可回避的问题.在相当一段长的时间内,由于不求甚解,我对这个话题似懂非懂.今天就对它做个简单的小结. Authentication and Authorizat ...

  9. ASP.NET Forms身份验证概述

    表单身份验证允许您使用自己的代码对用户进行身份验证,然后在cookie或页面URL中维护身份验证令牌.表单身份验证通过FormsAuthenticationModule类参与ASP.NET页面生命周期 ...

随机推荐

  1. Centos7 Install Kubernetes

    环境搭建配置官方 k8s yum 源: cat <<EOF > /etc/yum.repos.d/virt7-docker-common-release.repo [virt7-do ...

  2. 用Python爬取"王者农药"英雄皮肤 原

    padding: 10px; border-bottom: 1px solid #d3d3d3; background-color: #2e8b57; } .second-menu-item { pa ...

  3. 转----------数据库常见笔试面试题 - Hectorhua的专栏 - CSDN博客

    数据库基础(面试常见题) 一.数据库基础 1. 数据抽象:物理抽象.概念抽象.视图级抽象,内模式.模式.外模式 2. SQL语言包括数据定义.数据操纵(Data Manipulation),数据控制( ...

  4. cf1088E Ehab and a component choosing problem (树形dp)

    题意(考试时看错了对着样例wa了好久..):从树上选k个连通块,使得权值的平均值最大的基础上,选的块数最多 如果不考虑块数最多的限制,肯定是只选一个权值最大的块是最好的 然后只要看这个权值最大的块有多 ...

  5. luogu4159 迷路 (矩阵加速)

    考虑如果只有距离为1的边,那我用在时间i到达某个点的状态数矩阵 乘上转移矩阵(就是边的邻接矩阵),就能得到i+1时间的 然后又考虑到边权只有1~9,那可以把边拆成只有距离为1的 具体做法是一个点拆成9 ...

  6. Baker Vai LightOJ - 1071 (MCMF)

    在个给出的矩阵从,从左上角走到右下角,然后再从右下角走到左上角,两次不能经过想同的点,每个点都有一个价值,问最大的价值是多少. 可以把原来的问题化简成从左上角走两条路到右下角,然后把价值加起来,然是这 ...

  7. [WC2008]游览计划(状压dp)

    题面太鬼畜不粘了. 题意就是给一张n*m的网格图,每个点有点权,有k个关键点,让你把这k个关键点连成一个联通快的最小代价. 题解 这题nmk都非常小,解法肯定是状压,比较一般的解法插头dp,但不太好写 ...

  8. Typescript学习笔记(四)class 类

    typescript的类,与c#,java等语言的类类似.也是包含了一大部分的es6的实现.我会用最通俗的语言讲一下对coding有用的地方. class Greeter { greeting: st ...

  9. The 2018 ACM-ICPC Asia Qingdao Regional Contest

    The 2018 ACM-ICPC Asia Qingdao Regional Contest 青岛总体来说只会3题 C #include<bits/stdc++.h> using nam ...

  10. ssh整合hibernate 使用spring管理hibernate二级缓存,配置hibernate4.0以上二级缓存

    ssh整合hibernate 使用spring管理hibernate二级缓存,配置hibernate4.0以上二级缓存 hibernate  : Hibernate是一个持久层框架,经常访问物理数据库 ...