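Contents
First, enter AbstractAuthenticationProcessingFilter:
Next, call the authenticate method of AuthenticationManager to perform verification
The flow of calling the authenticate method of AuthenticationManager to perform verification
The flow of calling the authenticate method of DaoAuthenticationProvider to perform verification
What the login authentication process tells us about how Spring Security works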
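Framework principles
Spring Security is essentially built on Java's Filter mechanism: using the features of the Spring framework, its many filters are configured as beans in the Spring container. User information is obtained through the authentication manager, AuthenticationManager, which calls the corresponding authentication implementation class (a provider) to carry out the user authentication.
For details, see the article: http://www.blogjava.net/youxia/archive/2008/12/07/244883.html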
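The manager-to-provider delegation described above, as an added example that is not code from the original article or from Spring's source. It assumes Spring Security 5.x (spring-security-core) on the classpath; the class name ManagerProviderDemo and the sample user are constructed for illustration.

```java
import java.util.Collections;

import org.springframework.security.authentication.AuthenticationManager;
import org.springframework.security.authentication.BadCredentialsException;
import org.springframework.security.authentication.ProviderManager;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.authentication.dao.DaoAuthenticationProvider;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.userdetails.User;
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
import org.springframework.security.crypto.password.PasswordEncoder;
import org.springframework.security.provisioning.InMemoryUserDetailsManager;

// Hypothetical demo class (assumption: Spring Security 5.x on the classpath).
public class ManagerProviderDemo {
    public static void main(String[] args) {
        PasswordEncoder encoder = new BCryptPasswordEncoder();
        // Constructed sample user; a real application would load it from a user store.
        InMemoryUserDetailsManager users = new InMemoryUserDetailsManager(
                User.withUsername("alice")
                        .password(encoder.encode("correct-horse"))
                        .roles("USER")
                        .build());

        // The provider does the actual check: load the user, compare password hashes.
        DaoAuthenticationProvider provider = new DaoAuthenticationProvider();
        provider.setUserDetailsService(users);
        provider.setPasswordEncoder(encoder);

        // The manager only delegates to the providers that support the token type.
        AuthenticationManager manager =
                new ProviderManager(Collections.singletonList(provider));

        Authentication ok = manager.authenticate(
                new UsernamePasswordAuthenticationToken("alice", "correct-horse"));
        System.out.println("authenticated=" + ok.isAuthenticated()
                + " authorities=" + ok.getAuthorities());
        // ProviderManager erases the credentials from the returned token by default.
        System.out.println("credentials after auth: " + ok.getCredentials());

        // By default DaoAuthenticationProvider reports an unknown user with the same
        // BadCredentialsException as a wrong password, so callers cannot tell them apart.
        for (String[] attempt : new String[][] {{"alice", "wrong"}, {"mallory", "x"}}) {
            try {
                manager.authenticate(
                        new UsernamePasswordAuthenticationToken(attempt[0], attempt[1]));
            } catch (BadCredentialsException e) {
                System.out.println(attempt[0] + " -> " + e.getClass().getSimpleName());
            }
        }
    }
}
```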
Detailed execution flow of login authentication
The details are as follows:
First, enter AbstractAuthenticationProcessingFilter:
public abstract class AbstractAuthenticationProcessingFilter extends GenericFilterBean
        implements ApplicationEventPublisherAware, MessageSourceAware {

    // The filter's doFilter method
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        /*
         * Check whether this filter can handle the current request; if not,
         * hand the request to the next filter.
         */
        if (!requiresAuthentication(request, response)) {
            chain.doFilter(request, response);
            return;
        }

        if (logger.isDebugEnabled()) {
            logger.debug("Request is to process authentication");
        }

        Authentication authResult;
        try {
            // Key step: this calls the subclass (UsernamePasswordAuthenticationFilter) method
            authResult = attemptAuthentication(request, response);
            if (authResult == null) {
                // return immediately as subclass has indicated that it hasn't completed
                // authentication
                return;
            }
            // Once authentication succeeds, run the session-related handling
            // (for example, storing the authentication information in the session).
            sessionStrategy.onAuthentication(authResult, request, response);
        }
        catch (InternalAuthenticationServiceException failed) {
            logger.error(
                    "An internal error occurred while trying to authenticate the user.",
                    failed);
            // Handling after authentication fails.
            unsuccessfulAuthentication(request, response, failed);
            return;
        }
        catch (AuthenticationException failed) {
            // Authentication failed
            unsuccessfulAuthentication(request, response, failed);
            return;
        }

        // Authentication succeeded
        if (continueChainBeforeSuccessfulAuthentication) {
            chain.doFilter(request, response);
        }

        /*
         * Callback run after authentication finally succeeds: it mainly puts the current
         * authentication information into SecurityContextHolder and invokes the
         * success handler to do the corresponding work.
         */
        successfulAuthentication(request, response, chain, authResult);
    }
}
The call "authResult = attemptAuthentication(request, response)" in AbstractAuthenticationProcessingFilter
triggers UsernamePasswordAuthenticationFilter:
// Extends AbstractAuthenticationProcessingFilter