前言

Spring Security介绍中,我们分析到了根据请求获取匹配的SecurityFilterChain,这个类中包含了一组Filter

接下来我们从这些Filter开始探究之旅

Spring Security Filter简介

AuthenticationFilter中的attemptAuthentication方法调用AuthenticationManager(interface)的authenticate方法,AuthenticationManager的实际是现实ProvideManager

ProviderManager 有一个配置好的认证提供者列表(AuthenticationProvider), ProviderManager 会把收到的 UsernamePasswordAuthenticationToken 对象传递给列表中的每一个 AuthenticationProvider 进行认证.

认证过程

AuthenticationProvider接口

public interface AuthenticationProvider {

	// ~ Methods

	// ========================================================================================================

	/**

	 * Performs authentication with the same contract as

	 * {@link org.springframework.security.authentication.AuthenticationManager#authenticate(Authentication)}

	 * .

	 *

	 * @param authentication the authentication request object.

	 *

	 * @return a fully authenticated object including credentials. May return

	 * <code>null</code> if the <code>AuthenticationProvider</code> is unable to support

	 * authentication of the passed <code>Authentication</code> object. In such a case,

	 * the next <code>AuthenticationProvider</code> that supports the presented

	 * <code>Authentication</code> class will be tried.

	 *

	 * @throws AuthenticationException if authentication fails.

	 */

	Authentication authenticate(Authentication authentication)

			throws AuthenticationException;

	/**

	 * Returns <code>true</code> if this <Code>AuthenticationProvider</code> supports the

	 * indicated <Code>Authentication</code> object.

	 * <p>

	 * Returning <code>true</code> does not guarantee an

	 * <code>AuthenticationProvider</code> will be able to authenticate the presented

	 * instance of the <code>Authentication</code> class. It simply indicates it can

	 * support closer evaluation of it. An <code>AuthenticationProvider</code> can still

	 * return <code>null</code> from the {@link #authenticate(Authentication)} method to

	 * indicate another <code>AuthenticationProvider</code> should be tried.

	 * </p>

	 * <p>

	 * Selection of an <code>AuthenticationProvider</code> capable of performing

	 * authentication is conducted at runtime the <code>ProviderManager</code>.

	 * </p>

	 *

	 * @param authentication

	 *

	 * @return <code>true</code> if the implementation can more closely evaluate the

	 * <code>Authentication</code> class presented

	 */

    // 支持的Authentication(interface)

    /**

    |-Authentication

      |--UsernamePassowrdAuthentication

      |--CasAuthentication

      |-- ...........

    **/

	boolean supports(Class<?> authentication);

}

ProviderManager的authencate方法:

// 依次调用AuthencationProvider

public Authentication authenticate(Authentication authentication)

			throws AuthenticationException {

		Class<? extends Authentication> toTest = authentication.getClass();

		AuthenticationException lastException = null;

		Authentication result = null;

		boolean debug = logger.isDebugEnabled();

    	// 遍历 AuthenticationProvider

		for (AuthenticationProvider provider : getProviders()) {

            // 当前的AuthenticationProvider是否支持Authentication

			if (!provider.supports(toTest)) {

				continue;

			}

			if (debug) {

				logger.debug("Authentication attempt using "

						+ provider.getClass().getName());

			}

			try {

				result = provider.authenticate(authentication);

                // 认证结果中如果不为null(验证成功),则遍历结束,拷贝认证后的结果到authentication对象

				if (result != null) {

					copyDetails(authentication, result);

					break;

				}

			}

			catch (AccountStatusException e) {

				prepareException(e, authentication);

				// SEC-546: Avoid polling additional providers if auth failure is due to

				// invalid account status

				throw e;

			}

			catch (InternalAuthenticationServiceException e) {

				prepareException(e, authentication);

				throw e;

			}

			catch (AuthenticationException e) {

				lastException = e;

			}

		}

		if (result == null && parent != null) {

			// Allow the parent to try.

			try {

				result = parent.authenticate(authentication);

			}

			catch (ProviderNotFoundException e) {

				// ignore as we will throw below if no other exception occurred prior to

				// calling parent and the parent

				// may throw ProviderNotFound even though a provider in the child already

				// handled the request

			}

			catch (AuthenticationException e) {

				lastException = e;

			}

		}

		if (result != null) {

			if (eraseCredentialsAfterAuthentication

					&& (result instanceof CredentialsContainer)) {

				// Authentication is complete. Remove credentials and other secret data

				// from authentication

				((CredentialsContainer) result).eraseCredentials();

			}

			eventPublisher.publishAuthenticationSuccess(result);

			return result;

		}

		// Parent was null, or didn't authenticate (or throw an exception).

		if (lastException == null) {

			lastException = new ProviderNotFoundException(messages.getMessage(

					"ProviderManager.providerNotFound",

					new Object[] { toTest.getName() },

					"No AuthenticationProvider found for {0}"));

		}

		prepareException(lastException, authentication);

		throw lastException;

	}

授权

前面有filter处理了登录问题,接下来是否可访问指定资源的问题就由FilterSecurityInterceptor来处理了。而FilterSecurityInterceptor是用了AccessDecisionManager来进行鉴权。

来看看他干了什么

/**

	 * Method that is actually called by the filter chain. Simply delegates to the

	 * {@link #invoke(FilterInvocation)} method.

	 *

	 * @param request the servlet request

	 * @param response the servlet response

	 * @param chain the filter chain

	 *

	 * @throws IOException if the filter chain fails

	 * @throws ServletException if the filter chain fails

	 */

public void doFilter(ServletRequest request, ServletResponse response,

                     FilterChain chain) throws IOException, ServletException {

    FilterInvocation fi = new FilterInvocation(request, response, chain);

    invoke(fi);

}

public void invoke(FilterInvocation fi) throws IOException, ServletException {

    if ((fi.getRequest() != null)

        && (fi.getRequest().getAttribute(FILTER_APPLIED) != null)

        && observeOncePerRequest) {

        // filter already applied to this request and user wants us to observe

        // once-per-request handling, so don't re-do security checking

        fi.getChain().doFilter(fi.getRequest(), fi.getResponse());

    }

    else {

        // first time this request being called, so perform security checking

        if (fi.getRequest() != null && observeOncePerRequest) {

            fi.getRequest().setAttribute(FILTER_APPLIED, Boolean.TRUE);

        }

        // 调用前

        // 该过程中会调用 AccessDecisionManager 来验证当前已认证成功的用户是否有权限访问该资源

        InterceptorStatusToken token = super.beforeInvocation(fi);

        try {

            fi.getChain().doFilter(fi.getRequest(), fi.getResponse());

        }

        finally {

            super.finallyInvocation(token);

        }

        // 调用后

        super.afterInvocation(token, null);

    }

}

Spring Security探究之路之开始的更多相关文章

  1. spring security 关于 http.sessionManagement().maximumSessions(1);的探究

    1.前言 spring security 支持对session的管理 , http.sessionManagement().maximumSessions(1);的意思的开启session管理,ses ...

  2. spring security 4 filter 顺序及作用

    Spring Security 有两个作用:认证和授权 一.Srping security 4 filter 别名及顺序 spring security 4 标准filter别名和顺序,因为经常要用就 ...

  3. 从源码看Spring Security之采坑笔记(Spring Boot篇)

    一:唠嗑 鼓捣了两天的Spring Security,踩了不少坑.如果你在学Spring Security,恰好又是使用的Spring Boot,那么给我点个赞吧!这篇博客将会让你了解Spring S ...

  4. Spring Security OAuth2实现单点登录

    1.概述 在本教程中,我们将讨论如何使用 Spring Security OAuth 和 Spring Boot 实现 SSO(单点登录). 本示例将使用到三个独立应用 一个授权服务器(中央认证机制) ...

  5. Spring Security +Oauth2 +Spring boot 动态定义权限

    Oauth2介绍:Oauth2是为用户资源的授权定义了一个安全.开放及简单的标准,第三方无需知道用户的账号及密码,就可获取到用户的授权信息,并且这是安全的. 简单的来说,当用户登陆网站的时候,需要账号 ...

  6. Spring Security 入门原理及实战

    目录 从一个Spring Security的例子开始 创建不受保护的应用 加入spring security 保护应用 关闭security.basic ,使用form表单页面登录 角色-资源 访问控 ...

  7. Ajax登陆,使用Spring Security缓存跳转到登陆前的链接

    Spring Security缓存的应用之登陆后跳转到登录前源地址 什么意思? 用户访问网站,打开了一个链接:(origin url)起源链接 请求发送给服务器,服务器判断用户请求了受保护的资源. 由 ...

  8. 笔记43 Spring Security简介

    基于Spittr应用 一.Spring Security简介 Spring Security是为基于Spring的应用程序提供声明式安全保护的安全 性框架.Spring Security提供了完整的安 ...

  9. Spring Security原理篇(一) 启动原理

    1.概述 spring security有参考的中文翻译文档https://springcloud.cc/spring-security-zhcn.html 在学习spring security的时候 ...

随机推荐

  1. Python_闭包

    闭包并不只是一个python中的概念,在函数式编程语言中应用较为广泛.理解python中的闭包一方面是能够正确的使用闭包,另一方面可以好好体会和思考闭包的设计思想. 1.概念介绍 首先看一下维基上对闭 ...

  2. Ubuntu 18.04 server安装+搭建Seacms v10.1网站

    0x00 写在前面 以前我天真的认为,ubuntu Desktop会安装了,server就无所谓了,其实完全不然,server还是有一些坑点的. 之所以选择Seacms搭建网站,是因为这个SeaCMS ...

  3. Selenium2+python自动化65-js定位几种方法总结

    Selenium2+python自动化65-js定位几种方法总结   前言 本篇总结了几种js常用的定位元素方法,并用js点击按钮,对input输入框输入文本 一.以下总结了5种js定位的方法 除了i ...

  4. vue2如何根据不同的环境配置不同的baseUrl

    在正常的开发中,通常我们需要在线上的测试环境中运行代码来检查是否有些线上才会出现的bug或者是问题.每次去特意的修改我们的baseUrl显然是不现实的,而且说不定哪天忘记了估计会被大佬喷死 首先,这是 ...

  5. rocketmq之延迟队列(按照18个等级来发送)

    1 启动消费者等待传入的订阅消息 import org.apache.rocketmq.client.consumer.DefaultMQPushConsumer; import org.apache ...

  6. 【vps】教你写一个属于自己的随机图API

    [vps]教你写一个自己的随机图API 前言 刚刚开始使用halo博客的时候,我就发现halo博客系统是可以使用随机图当背景的,所以也是使用了网上一些比较火的随机图API. 在上次发现了各种图片API ...

  7. Java打印空心菱形

    使用Java打印空心菱形 public static void main(String[] args) { int n = 5; //这里输出菱形的上半部分 for (int i = 1; i < ...

  8. TextBox,RichTextBox设置行高

    /// <summary> /// 设置行距 /// </summary> /// <param name="ctl">控件</param ...

  9. golang中为何在同一个goroutine中使用无缓冲通道会导致死锁

    package main import "fmt" func main() { /* 以下程序会导致死锁 c := make(chan int) c <- 10 n1 := ...

  10. hashmap 实现 相同的key值时,value值叠加效果。

    一,了解一些基础 package com.ohs.demo; /** * * 一.需求是:停止相同的key值,覆盖效果,将重复的value值,叠加起来. * * 二.hash? 什么是hash? * ...