前言

Spring Security介绍中,我们分析到了根据请求获取匹配的SecurityFilterChain,这个类中包含了一组Filter

接下来我们从这些Filter开始探究之旅

Spring Security Filter简介

AuthenticationFilter中的attemptAuthentication方法调用AuthenticationManager(interface)的authenticate方法,AuthenticationManager的实际是现实ProvideManager

ProviderManager 有一个配置好的认证提供者列表(AuthenticationProvider), ProviderManager 会把收到的 UsernamePasswordAuthenticationToken 对象传递给列表中的每一个 AuthenticationProvider 进行认证.

认证过程

AuthenticationProvider接口

public interface AuthenticationProvider {

	// ~ Methods

	// ========================================================================================================

	/**

	 * Performs authentication with the same contract as

	 * {@link org.springframework.security.authentication.AuthenticationManager#authenticate(Authentication)}

	 * .

	 *

	 * @param authentication the authentication request object.

	 *

	 * @return a fully authenticated object including credentials. May return

	 * <code>null</code> if the <code>AuthenticationProvider</code> is unable to support

	 * authentication of the passed <code>Authentication</code> object. In such a case,

	 * the next <code>AuthenticationProvider</code> that supports the presented

	 * <code>Authentication</code> class will be tried.

	 *

	 * @throws AuthenticationException if authentication fails.

	 */

	Authentication authenticate(Authentication authentication)

			throws AuthenticationException;

	/**

	 * Returns <code>true</code> if this <Code>AuthenticationProvider</code> supports the

	 * indicated <Code>Authentication</code> object.

	 * <p>

	 * Returning <code>true</code> does not guarantee an

	 * <code>AuthenticationProvider</code> will be able to authenticate the presented

	 * instance of the <code>Authentication</code> class. It simply indicates it can

	 * support closer evaluation of it. An <code>AuthenticationProvider</code> can still

	 * return <code>null</code> from the {@link #authenticate(Authentication)} method to

	 * indicate another <code>AuthenticationProvider</code> should be tried.

	 * </p>

	 * <p>

	 * Selection of an <code>AuthenticationProvider</code> capable of performing

	 * authentication is conducted at runtime the <code>ProviderManager</code>.

	 * </p>

	 *

	 * @param authentication

	 *

	 * @return <code>true</code> if the implementation can more closely evaluate the

	 * <code>Authentication</code> class presented

	 */

    // 支持的Authentication(interface)

    /**

    |-Authentication

      |--UsernamePassowrdAuthentication

      |--CasAuthentication

      |-- ...........

    **/

	boolean supports(Class<?> authentication);

}

ProviderManager的authencate方法:

// 依次调用AuthencationProvider

public Authentication authenticate(Authentication authentication)

			throws AuthenticationException {

		Class<? extends Authentication> toTest = authentication.getClass();

		AuthenticationException lastException = null;

		Authentication result = null;

		boolean debug = logger.isDebugEnabled();

    	// 遍历 AuthenticationProvider

		for (AuthenticationProvider provider : getProviders()) {

            // 当前的AuthenticationProvider是否支持Authentication

			if (!provider.supports(toTest)) {

				continue;

			}

			if (debug) {

				logger.debug("Authentication attempt using "

						+ provider.getClass().getName());

			}

			try {

				result = provider.authenticate(authentication);

                // 认证结果中如果不为null(验证成功),则遍历结束,拷贝认证后的结果到authentication对象

				if (result != null) {

					copyDetails(authentication, result);

					break;

				}

			}

			catch (AccountStatusException e) {

				prepareException(e, authentication);

				// SEC-546: Avoid polling additional providers if auth failure is due to

				// invalid account status

				throw e;

			}

			catch (InternalAuthenticationServiceException e) {

				prepareException(e, authentication);

				throw e;

			}

			catch (AuthenticationException e) {

				lastException = e;

			}

		}

		if (result == null && parent != null) {

			// Allow the parent to try.

			try {

				result = parent.authenticate(authentication);

			}

			catch (ProviderNotFoundException e) {

				// ignore as we will throw below if no other exception occurred prior to

				// calling parent and the parent

				// may throw ProviderNotFound even though a provider in the child already

				// handled the request

			}

			catch (AuthenticationException e) {

				lastException = e;

			}

		}

		if (result != null) {

			if (eraseCredentialsAfterAuthentication

					&& (result instanceof CredentialsContainer)) {

				// Authentication is complete. Remove credentials and other secret data

				// from authentication

				((CredentialsContainer) result).eraseCredentials();

			}

			eventPublisher.publishAuthenticationSuccess(result);

			return result;

		}

		// Parent was null, or didn't authenticate (or throw an exception).

		if (lastException == null) {

			lastException = new ProviderNotFoundException(messages.getMessage(

					"ProviderManager.providerNotFound",

					new Object[] { toTest.getName() },

					"No AuthenticationProvider found for {0}"));

		}

		prepareException(lastException, authentication);

		throw lastException;

	}

授权

前面有filter处理了登录问题,接下来是否可访问指定资源的问题就由FilterSecurityInterceptor来处理了。而FilterSecurityInterceptor是用了AccessDecisionManager来进行鉴权。

来看看他干了什么

/**

	 * Method that is actually called by the filter chain. Simply delegates to the

	 * {@link #invoke(FilterInvocation)} method.

	 *

	 * @param request the servlet request

	 * @param response the servlet response

	 * @param chain the filter chain

	 *

	 * @throws IOException if the filter chain fails

	 * @throws ServletException if the filter chain fails

	 */

public void doFilter(ServletRequest request, ServletResponse response,

                     FilterChain chain) throws IOException, ServletException {

    FilterInvocation fi = new FilterInvocation(request, response, chain);

    invoke(fi);

}

public void invoke(FilterInvocation fi) throws IOException, ServletException {

    if ((fi.getRequest() != null)

        && (fi.getRequest().getAttribute(FILTER_APPLIED) != null)

        && observeOncePerRequest) {

        // filter already applied to this request and user wants us to observe

        // once-per-request handling, so don't re-do security checking

        fi.getChain().doFilter(fi.getRequest(), fi.getResponse());

    }

    else {

        // first time this request being called, so perform security checking

        if (fi.getRequest() != null && observeOncePerRequest) {

            fi.getRequest().setAttribute(FILTER_APPLIED, Boolean.TRUE);

        }

        // 调用前

        // 该过程中会调用 AccessDecisionManager 来验证当前已认证成功的用户是否有权限访问该资源

        InterceptorStatusToken token = super.beforeInvocation(fi);

        try {

            fi.getChain().doFilter(fi.getRequest(), fi.getResponse());

        }

        finally {

            super.finallyInvocation(token);

        }

        // 调用后

        super.afterInvocation(token, null);

    }

}

Spring Security探究之路之开始的更多相关文章

  1. spring security 关于 http.sessionManagement().maximumSessions(1);的探究

    1.前言 spring security 支持对session的管理 , http.sessionManagement().maximumSessions(1);的意思的开启session管理,ses ...

  2. spring security 4 filter 顺序及作用

    Spring Security 有两个作用:认证和授权 一.Srping security 4 filter 别名及顺序 spring security 4 标准filter别名和顺序,因为经常要用就 ...

  3. 从源码看Spring Security之采坑笔记(Spring Boot篇)

    一:唠嗑 鼓捣了两天的Spring Security,踩了不少坑.如果你在学Spring Security,恰好又是使用的Spring Boot,那么给我点个赞吧!这篇博客将会让你了解Spring S ...

  4. Spring Security OAuth2实现单点登录

    1.概述 在本教程中,我们将讨论如何使用 Spring Security OAuth 和 Spring Boot 实现 SSO(单点登录). 本示例将使用到三个独立应用 一个授权服务器(中央认证机制) ...

  5. Spring Security +Oauth2 +Spring boot 动态定义权限

    Oauth2介绍:Oauth2是为用户资源的授权定义了一个安全.开放及简单的标准,第三方无需知道用户的账号及密码,就可获取到用户的授权信息,并且这是安全的. 简单的来说,当用户登陆网站的时候,需要账号 ...

  6. Spring Security 入门原理及实战

    目录 从一个Spring Security的例子开始 创建不受保护的应用 加入spring security 保护应用 关闭security.basic ,使用form表单页面登录 角色-资源 访问控 ...

  7. Ajax登陆,使用Spring Security缓存跳转到登陆前的链接

    Spring Security缓存的应用之登陆后跳转到登录前源地址 什么意思? 用户访问网站,打开了一个链接:(origin url)起源链接 请求发送给服务器,服务器判断用户请求了受保护的资源. 由 ...

  8. 笔记43 Spring Security简介

    基于Spittr应用 一.Spring Security简介 Spring Security是为基于Spring的应用程序提供声明式安全保护的安全 性框架.Spring Security提供了完整的安 ...

  9. Spring Security原理篇(一) 启动原理

    1.概述 spring security有参考的中文翻译文档https://springcloud.cc/spring-security-zhcn.html 在学习spring security的时候 ...

随机推荐

  1. Nginx_配置文件nginx.conf配置详解

    user nginx nginx ; # Nginx用户及组:用户 组.window下不指定 worker_processes 8; # 工作进程:数目.根据硬件调整,通常等于CPU数量或者2倍于CP ...

  2. docker部署logstash

    1.下载镜像 [root@vanje-dev01 ~]# docker pull logstash:7.0.1 2.安装部署 2.1  创建宿主映射目录 # mkdir /etc/logstash/ ...

  3. mongodb用户权限管理的CRUD

    https://blog.csdn.net/weixin_34332905/article/details/88759759?utm_medium=distribute.pc_relevant.non ...

  4. Java 递归 常见24道题目 总结

    1.N个台阶的走法递归[这里设为10个台阶] /** * N个台阶的走法递归 * <p> * 有个楼梯,台阶有10个,每次可以跳上1阶 或者 2阶 ,那么台阶的走法一共有多少种 */ @T ...

  5. 第10组 Alpha冲刺 (2/6)

    1.1基本情况 ·队名:今晚不睡觉 ·组长博客:https://www.cnblogs.com/cpandbb/ ·作业博客:https://edu.cnblogs.com/campus/fzu/FZ ...

  6. Word2010邮件合并制作成绩单

    原文链接: https://www.toutiao.com/i6488941003494392333/ 准备数据源: 选择"邮件"选项卡,"开始邮件合并"功能组 ...

  7. Servlet中分发器和重定向两兄弟

    注:图片如果损坏,点击文章链接:https://www.toutiao.com/i6513702111698485767/ 弄清这个两兄弟,我们还是从练习中去理解 先创建一个数据提交页面,注意路径 编 ...

  8. hyperf 如何对AMQP消息进行手动消费?

    转发自白狼栈:查看原文 在使用 hyperf 官方自带的 AMQP 队列时你会发现,不需要我们再额外启动进程对消息进行消费.这是因为默认情况下,使用 @Consumer 注解时,hyperf 会为我们 ...

  9. 5.12-jsp分页功能学习

    1.分页功能相关资料查询 分页须知知识点: (1)JDBC2.0的可滚动结果集. (2)HTTP GET请求. 一.可滚动结果集   Connection con  = DriverManager.g ...

  10. unity3d inputfield标签控制台打印object

    inputfield标签控制台打印object 这说明没有字符串给入 这是因为 inputfield下的text不能人为写入值,只能在game界面输入. 所以这个标签里的text做个默认值不好搞.