前言

Spring Security介绍中,我们分析到了根据请求获取匹配的SecurityFilterChain,这个类中包含了一组Filter

接下来我们从这些Filter开始探究之旅

Spring Security Filter简介

AuthenticationFilter中的attemptAuthentication方法调用AuthenticationManager(interface)的authenticate方法,AuthenticationManager的实际是现实ProvideManager

ProviderManager 有一个配置好的认证提供者列表(AuthenticationProvider), ProviderManager 会把收到的 UsernamePasswordAuthenticationToken 对象传递给列表中的每一个 AuthenticationProvider 进行认证.

认证过程

AuthenticationProvider接口

public interface AuthenticationProvider {

	// ~ Methods

	// ========================================================================================================

	/**

	 * Performs authentication with the same contract as

	 * {@link org.springframework.security.authentication.AuthenticationManager#authenticate(Authentication)}

	 * .

	 *

	 * @param authentication the authentication request object.

	 *

	 * @return a fully authenticated object including credentials. May return

	 * <code>null</code> if the <code>AuthenticationProvider</code> is unable to support

	 * authentication of the passed <code>Authentication</code> object. In such a case,

	 * the next <code>AuthenticationProvider</code> that supports the presented

	 * <code>Authentication</code> class will be tried.

	 *

	 * @throws AuthenticationException if authentication fails.

	 */

	Authentication authenticate(Authentication authentication)

			throws AuthenticationException;

	/**

	 * Returns <code>true</code> if this <Code>AuthenticationProvider</code> supports the

	 * indicated <Code>Authentication</code> object.

	 * <p>

	 * Returning <code>true</code> does not guarantee an

	 * <code>AuthenticationProvider</code> will be able to authenticate the presented

	 * instance of the <code>Authentication</code> class. It simply indicates it can

	 * support closer evaluation of it. An <code>AuthenticationProvider</code> can still

	 * return <code>null</code> from the {@link #authenticate(Authentication)} method to

	 * indicate another <code>AuthenticationProvider</code> should be tried.

	 * </p>

	 * <p>

	 * Selection of an <code>AuthenticationProvider</code> capable of performing

	 * authentication is conducted at runtime the <code>ProviderManager</code>.

	 * </p>

	 *

	 * @param authentication

	 *

	 * @return <code>true</code> if the implementation can more closely evaluate the

	 * <code>Authentication</code> class presented

	 */

    // 支持的Authentication(interface)

    /**

    |-Authentication

      |--UsernamePassowrdAuthentication

      |--CasAuthentication

      |-- ...........

    **/

	boolean supports(Class<?> authentication);

}

ProviderManager的authencate方法:

// 依次调用AuthencationProvider

public Authentication authenticate(Authentication authentication)

			throws AuthenticationException {

		Class<? extends Authentication> toTest = authentication.getClass();

		AuthenticationException lastException = null;

		Authentication result = null;

		boolean debug = logger.isDebugEnabled();

    	// 遍历 AuthenticationProvider

		for (AuthenticationProvider provider : getProviders()) {

            // 当前的AuthenticationProvider是否支持Authentication

			if (!provider.supports(toTest)) {

				continue;

			}

			if (debug) {

				logger.debug("Authentication attempt using "

						+ provider.getClass().getName());

			}

			try {

				result = provider.authenticate(authentication);

                // 认证结果中如果不为null(验证成功),则遍历结束,拷贝认证后的结果到authentication对象

				if (result != null) {

					copyDetails(authentication, result);

					break;

				}

			}

			catch (AccountStatusException e) {

				prepareException(e, authentication);

				// SEC-546: Avoid polling additional providers if auth failure is due to

				// invalid account status

				throw e;

			}

			catch (InternalAuthenticationServiceException e) {

				prepareException(e, authentication);

				throw e;

			}

			catch (AuthenticationException e) {

				lastException = e;

			}

		}

		if (result == null && parent != null) {

			// Allow the parent to try.

			try {

				result = parent.authenticate(authentication);

			}

			catch (ProviderNotFoundException e) {

				// ignore as we will throw below if no other exception occurred prior to

				// calling parent and the parent

				// may throw ProviderNotFound even though a provider in the child already

				// handled the request

			}

			catch (AuthenticationException e) {

				lastException = e;

			}

		}

		if (result != null) {

			if (eraseCredentialsAfterAuthentication

					&& (result instanceof CredentialsContainer)) {

				// Authentication is complete. Remove credentials and other secret data

				// from authentication

				((CredentialsContainer) result).eraseCredentials();

			}

			eventPublisher.publishAuthenticationSuccess(result);

			return result;

		}

		// Parent was null, or didn't authenticate (or throw an exception).

		if (lastException == null) {

			lastException = new ProviderNotFoundException(messages.getMessage(

					"ProviderManager.providerNotFound",

					new Object[] { toTest.getName() },

					"No AuthenticationProvider found for {0}"));

		}

		prepareException(lastException, authentication);

		throw lastException;

	}

授权

前面有filter处理了登录问题,接下来是否可访问指定资源的问题就由FilterSecurityInterceptor来处理了。而FilterSecurityInterceptor是用了AccessDecisionManager来进行鉴权。

来看看他干了什么

/**

	 * Method that is actually called by the filter chain. Simply delegates to the

	 * {@link #invoke(FilterInvocation)} method.

	 *

	 * @param request the servlet request

	 * @param response the servlet response

	 * @param chain the filter chain

	 *

	 * @throws IOException if the filter chain fails

	 * @throws ServletException if the filter chain fails

	 */

public void doFilter(ServletRequest request, ServletResponse response,

                     FilterChain chain) throws IOException, ServletException {

    FilterInvocation fi = new FilterInvocation(request, response, chain);

    invoke(fi);

}

public void invoke(FilterInvocation fi) throws IOException, ServletException {

    if ((fi.getRequest() != null)

        && (fi.getRequest().getAttribute(FILTER_APPLIED) != null)

        && observeOncePerRequest) {

        // filter already applied to this request and user wants us to observe

        // once-per-request handling, so don't re-do security checking

        fi.getChain().doFilter(fi.getRequest(), fi.getResponse());

    }

    else {

        // first time this request being called, so perform security checking

        if (fi.getRequest() != null && observeOncePerRequest) {

            fi.getRequest().setAttribute(FILTER_APPLIED, Boolean.TRUE);

        }

        // 调用前

        // 该过程中会调用 AccessDecisionManager 来验证当前已认证成功的用户是否有权限访问该资源

        InterceptorStatusToken token = super.beforeInvocation(fi);

        try {

            fi.getChain().doFilter(fi.getRequest(), fi.getResponse());

        }

        finally {

            super.finallyInvocation(token);

        }

        // 调用后

        super.afterInvocation(token, null);

    }

}

Spring Security探究之路之开始的更多相关文章

  1. spring security 关于 http.sessionManagement().maximumSessions(1);的探究

    1.前言 spring security 支持对session的管理 , http.sessionManagement().maximumSessions(1);的意思的开启session管理,ses ...

  2. spring security 4 filter 顺序及作用

    Spring Security 有两个作用:认证和授权 一.Srping security 4 filter 别名及顺序 spring security 4 标准filter别名和顺序,因为经常要用就 ...

  3. 从源码看Spring Security之采坑笔记(Spring Boot篇)

    一:唠嗑 鼓捣了两天的Spring Security,踩了不少坑.如果你在学Spring Security,恰好又是使用的Spring Boot,那么给我点个赞吧!这篇博客将会让你了解Spring S ...

  4. Spring Security OAuth2实现单点登录

    1.概述 在本教程中,我们将讨论如何使用 Spring Security OAuth 和 Spring Boot 实现 SSO(单点登录). 本示例将使用到三个独立应用 一个授权服务器(中央认证机制) ...

  5. Spring Security +Oauth2 +Spring boot 动态定义权限

    Oauth2介绍:Oauth2是为用户资源的授权定义了一个安全.开放及简单的标准,第三方无需知道用户的账号及密码,就可获取到用户的授权信息,并且这是安全的. 简单的来说,当用户登陆网站的时候,需要账号 ...

  6. Spring Security 入门原理及实战

    目录 从一个Spring Security的例子开始 创建不受保护的应用 加入spring security 保护应用 关闭security.basic ,使用form表单页面登录 角色-资源 访问控 ...

  7. Ajax登陆,使用Spring Security缓存跳转到登陆前的链接

    Spring Security缓存的应用之登陆后跳转到登录前源地址 什么意思? 用户访问网站,打开了一个链接:(origin url)起源链接 请求发送给服务器,服务器判断用户请求了受保护的资源. 由 ...

  8. 笔记43 Spring Security简介

    基于Spittr应用 一.Spring Security简介 Spring Security是为基于Spring的应用程序提供声明式安全保护的安全 性框架.Spring Security提供了完整的安 ...

  9. Spring Security原理篇(一) 启动原理

    1.概述 spring security有参考的中文翻译文档https://springcloud.cc/spring-security-zhcn.html 在学习spring security的时候 ...

随机推荐

  1. Nginx_全局命令设置

    刚安装好的Nginx, 命令需要去sbin目录执行,比较麻烦,设置下全局命令,就无需进入nginx的sbin目录执行nginx命令了 1.创建文件 vim /etc/init.d/nginx 把下面代 ...

  2. Spark案例练习-PV的统计

    关注公众号:分享电脑学习回复"百度云盘" 可以免费获取所有学习文档的代码(不定期更新) 云盘目录说明: tools目录是安装包res   目录是每一个课件对应的代码和资源等doc  ...

  3. vue3.0+vite项目搭建

    npm init vite-app <project-name> cd <project-name> 根据控制台的提示执行: npm install / yarn npm ru ...

  4. vue中另一种路由写法

    一个项目中一级菜单是固定的,二级及其以下的菜单是动态的,直接根据文件夹结构写路由 import Vue from 'vue' import Router from 'vue-router' impor ...

  5. HDU-2032.杨辉三角(C语言描述)

    Problem Description 还记得中学时候学过的杨辉三角吗?具体的定义这里不再描述,你可以参考以下的图形: 1 1 1 1 2 1 1 3 3 1 1 4 6 4 1 1 5 10 10 ...

  6. 【代码优化】Bean映射之MapStruct

    [代码优化]Bean映射之MapStruct 一.背景 领域模型相互转换就只能靠手工的 get()/set()? 普遍的做法有以下几种: 手工 get()/set(): 构造器: BeanUtils ...

  7. 使用jadx反编译 调试“XX值得买”APP获取接口签名key(一)

    闲来无事,想抓取一下"XX值得买"上排行榜的即时数据,按照通用方法 安装夜神模拟器 新增android 5.0版模拟器 安装xposed框架 安装JustTrustMe.apk 打 ...

  8. jQuery ajax get与post后台交互中的奥秘

    这两天在做关注功能模块(类似于Instagram).多处页面都需要通过一个"关注"按钮进行关注或者取消该好友的操作.一个页面对应的放一个按钮,进行操作.效率低维护性差.因此想通过j ...

  9. AOP-底层原理(JDK动态代理实现)

    AOP(JDK动态代理) 1,使用JDK动态代理,使用Proxy类里面的方法创建代理对象 (1)调用 newProxyInstance 方法 方法有三个参数 第一参数,类加载器 第二参数,增强方法所在 ...

  10. (3)puppet清单定义资源的语法

    1.先看两个例子: a.创建一个文件 file{"/tmp/12567.txt": content => aaaaababbau, ensure => present ...