Spring Security3可以处理来自form的登录,也可以处理来自外部提供的认证比如和CAS做集成。处理认证的流程是相同的,找了一张图贴出来
这张图标出了涉及到认证的主要接口:由AbstractAuthenticationProcessingFilter过滤器处理过滤认证请求,生成一个Authentication对象,交给AuthenticationManager,再交给AuthenticationProvider的provider获取认证结果,最终由AbstractAuthenticationProcessingFilter做认证成功或失败的后续工作。
本篇主要学习基于form的认证,详细的认证流程再上一张图:
我们根据这张图开始分析
过滤form登录的请求:
UsernamePasswordAuthenticationFilter继承了AbstractAuthenticationProcessingFilter,没有重写doFilter方法,看AbstractAuthenticationProcessingFilter的doFilter
public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
throws IOException, ServletException {
HttpServletRequest request = (HttpServletRequest) req;
HttpServletResponse response = (HttpServletResponse) res;
//检测是否是登录的url,在UsernamePasswordAuthenticationFilter中定义其为j_spring_security_check
if (!requiresAuthentication(request, response)) {
chain.doFilter(request, response);
return;
}
......
Authentication authResult;
try {
//在此进行认证的,调用了子类UsernamePasswordAuthenticationFilter
authResult = attemptAuthentication(request, response);
if (authResult == null) {
// return immediately as subclass has indicated that it hasn't completed authentication
return;
}
//处理session策略中的认证信息
//当我们没有在http节点配置session-management时sessionStrategy是一个ConcurrentSessionControlStrategy实例,具体见HttpConfigurationBuilder.createSessionManagementFilters方法
sessionStrategy.onAuthentication(authResult, request, response);
}
catch (AuthenticationException failed) {
// Authentication failed
//使用failureHandler处理认证失败信息
unsuccessfulAuthentication(request, response, failed);
return;
}
// Authentication success
//使用successHandler处理认证成功信息
if (continueChainBeforeSuccessfulAuthentication) {
chain.doFilter(request, response);
}
successfulAuthentication(request, response, authResult);
}
生成UsernamePasswordAuthenticationToken:UsernamePasswordAuthenticationFilter的attemptAuthentication
public Authentication attemptAuthentication(HttpServletRequest request, HttpServletResponse response) throws AuthenticationException {
if (postOnly && !request.getMethod().equals("POST")) {
throw new AuthenticationServiceException("Authentication method not supported: " + request.getMethod());
}
//获取用户名参数j_username的值
String username = obtainUsername(request);
//获取密码参数j_password的值
String password = obtainPassword(request);
if (username == null) {
username = "";
}
if (password == null) {
password = "";
}
username = username.trim();
//封装一个authenticationToken对象
UsernamePasswordAuthenticationToken authRequest = new UsernamePasswordAuthenticationToken(username, password);
// Place the last username attempted into HttpSession for views
HttpSession session = request.getSession(false);
if (session != null || getAllowSessionCreation()) {
//用户名放入session
request.getSession().setAttribute(SPRING_SECURITY_LAST_USERNAME_KEY, TextEscapeUtils.escapeEntities(username));
}
// Allow subclasses to set the "details" property
setDetails(request, authRequest);
//调用authenticationManager进行认证
return this.getAuthenticationManager().authenticate(authRequest);
}
认证过程:
最终的认证流程在org.springframework.security.authentication.ProviderManager的doAuthentication方法进行
public Authentication doAuthentication(Authentication authentication) throws AuthenticationException {
Class<? extends Authentication> toTest = authentication.getClass();
AuthenticationException lastException = null;
Authentication result = null;
//provider在http>authentication-manager>authentication-provider节点配置,可以用ref自定义,默认是org.springframework.security.authentication.dao.DaoAuthenticationProvider
for (AuthenticationProvider provider : getProviders()) {
//去除不是它的子类的对象
if (!provider.supports(toTest)) {
continue;
}
logger.debug("Authentication attempt using " + provider.getClass().getName());
try {
//终于要认证了
result = provider.authenticate(authentication);
if (result != null) {
//将authentication对象的details赋给result
copyDetails(authentication, result);
break;
}
} catch (AccountStatusException e) {
// SEC-546: Avoid polling additional providers if auth failure is due to invalid account status
//增加监听事件
eventPublisher.publishAuthenticationFailure(e, authentication);
throw e;
} catch (AuthenticationException e) {
lastException = e;
}
}
if (result == null && parent != null) {
// Allow the parent to try.
try {
result = parent.authenticate(authentication);
} catch (ProviderNotFoundException e) {
// ignore as we will throw below if no other exception occurred prior to calling parent and the parent
// may throw ProviderNotFound even though a provider in the child already handled the request
} catch (AuthenticationException e) {
lastException = e;
}
}
if (result != null) {
if (eraseCredentialsAfterAuthentication && (result instanceof CredentialsContainer)) {
// Authentication is complete. Remove credentials and other secret data from authentication
//从认证对象中移除密码等敏感信息
((CredentialsContainer)result).eraseCredentials();
}
//认证成功事件
eventPublisher.publishAuthenticationSuccess(result);
return result;
}
// Parent was null, or didn't authenticate (or throw an exception).
if (lastException == null) {
lastException = new ProviderNotFoundException(messages.getMessage("ProviderManager.providerNotFound",
new Object[] {toTest.getName()}, "No AuthenticationProvider found for {0}"));
}
//认证失败事件
eventPublisher.publishAuthenticationFailure(lastException, authentication);
//如果认证不通过,抛出异常
throw lastException;
}
Provicder认证:
基于form的provider是DaoAuthenticationProvider,继承了AbstractUserDetailsAuthenticationProvider,看authenticate方法
public Authentication authenticate(Authentication authentication) throws AuthenticationException {
Assert.isInstanceOf(UsernamePasswordAuthenticationToken.class, authentication,
messages.getMessage("AbstractUserDetailsAuthenticationProvider.onlySupports",
"Only UsernamePasswordAuthenticationToken is supported"));
// Determine username
String username = (authentication.getPrincipal() == null) ? "NONE_PROVIDED" : authentication.getName();
boolean cacheWasUsed = true;
UserDetails user = this.userCache.getUserFromCache(username);
if (user == null) {
cacheWasUsed = false;
try {
//获取用户信息
user = retrieveUser(username, (UsernamePasswordAuthenticationToken) authentication);
} catch (UsernameNotFoundException notFound) {
logger.debug("User '" + username + "' not found");
if (hideUserNotFoundExceptions) {
throw new BadCredentialsException(messages.getMessage(
"AbstractUserDetailsAuthenticationProvider.badCredentials", "Bad credentials"));
} else {
throw notFound;
}
}
Assert.notNull(user, "retrieveUser returned null - a violation of the interface contract");
}
try {
//检测用户状态-是否锁定、是否可用、是否过期、密码是否过期
preAuthenticationChecks.check(user);
//密码校验,根据指定的加密算法、是否有base64,盐值等进行校验
additionalAuthenticationChecks(user, (UsernamePasswordAuthenticationToken) authentication);
} catch (AuthenticationException exception) {
if (cacheWasUsed) {
// There was a problem, so try again after checking
// we're using latest data (i.e. not from the cache)
cacheWasUsed = false;
user = retrieveUser(username, (UsernamePasswordAuthenticationToken) authentication);
preAuthenticationChecks.check(user);
additionalAuthenticationChecks(user, (UsernamePasswordAuthenticationToken) authentication);
} else {
throw exception;
}
}
postAuthenticationChecks.check(user);
if (!cacheWasUsed) {
this.userCache.putUserInCache(user);
}
Object principalToReturn = user;
if (forcePrincipalAsString) {//如果要求principal是String类型的,那么将其赋值为用户名
principalToReturn = user.getUsername();
}
//返回认证成功的Authentication对象
return createSuccessAuthentication(principalToReturn, authentication, user);
}
有几个地方再详细说下
1.retrieveUser方法
protected final UserDetails retrieveUser(String username, UsernamePasswordAuthenticationToken authentication)
throws AuthenticationException {
UserDetails loadedUser;
try {
//获取用户信息
loadedUser = this.getUserDetailsService().loadUserByUsername(username);
}
catch (DataAccessException repositoryProblem) {
throw new AuthenticationServiceException(repositoryProblem.getMessage(), repositoryProblem);
}
if (loadedUser == null) {
throw new AuthenticationServiceException(
"UserDetailsService returned null, which is an interface contract violation");
}
return loadedUser;
}
这里面getUserDetailsService()就是获取我们在spring-security.xml自定义的userDetailService:http>authentication-manager>authentication-provider>user-service-ref,根据实现的loadUserByUsername方法获取UserDetails对象
2.createSuccessAuthentication方法:
protected Authentication createSuccessAuthentication(Object principal, Authentication authentication,
UserDetails user) {
// Ensure we return the original credentials the user supplied,
// so subsequent attempts are successful even with encoded passwords.
// Also ensure we return the original getDetails(), so that future
// authentication events after cache expiry contain the details
//new了一个新的authentication对象
UsernamePasswordAuthenticationToken result = new UsernamePasswordAuthenticationToken(principal,
authentication.getCredentials(), user.getAuthorities());
result.setDetails(authentication.getDetails());
return result;
}
new一个新的authentication对象还是挺有意义的,UsernamePasswordAuthenticationToken的构造方法:
public UsernamePasswordAuthenticationToken(Object principal, Object credentials, Collection<? extends GrantedAuthority> authorities) {
super(authorities);
this.principal = principal;
this.credentials = credentials;
//将其设置为true,在其他地方要用到,比如在进行权限校验的时候会检查这个属性,如果不为true会再次校验,详细内容后面再说。
super.setAuthenticated(true); // must use super, as we override
}