前言
前面三篇写的关于Spring Security是如何进行用户认证,本篇来看看我们输入的用户名和密码是如何传给AuthenticationManager的。
Filter
Spring Security有一个FilterChain,它包含由多个Filter组成的集合。当用户输入用户密码,并提交HttpRequest后,Spring Security通过一系列的Filter对HttpRequest进行处理和筛选。下面的图可以看出,Spring Security Filter Chain 作为Servlet Filter中的一个,但它包含了多个Filter。
Configurer
在org.springframework.security.config.annotation.web.configurers包下有许多configurer类。这些configurer类,都实现了configurer方法。当Spring Security初始化时,会根据代码中定义的Configurer配置或者properties文件中的配置,得到一个Configurer集合。集合中的每个Configurer类中的configurer方法被调用时,就可往SecurityFilterChain中添加相应的Filter。
之前在Spring Security系列-Spring Security简单身份认证配置(二)中配置了的身份认证,它所使用的Configure以及生成的Filter如下:
Filters | Configurers |
---|---|
org.springframework.security.web.context.request.async.WebAsyncManagerIntegrationFilter | WebSecurityConfigurerAdapter直接添加 |
org.springframework.security.web.context.SecurityContextPersistenceFilter | SecurityContextConfigurer |
org.springframework.security.web.header.HeaderWriterFilter | HeadersConfigurer |
org.springframework.security.web.csrf.CsrfFilter | CsrfConfigurer |
org.springframework.security.web.authentication.logout.LogoutFilter | LogoutConfigurer |
org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter | FormLoginConfigurer |
org.springframework.security.web.savedrequest.RequestCacheAwareFilter | RequestCacheConfigurer |
org.springframework.security.web.servletapi.SecurityContextHolderAwareRequestFilter | ServletApiConfigurer |
org.springframework.security.web.authentication.AnonymousAuthenticationFilter | AnonymousConfigurer |
org.springframework.security.web.session.SessionManagementFilter | CsrfCoSessionManagementConfigurerfigurer |
org.springframework.security.web.access.ExceptionTranslationFilter | ExceptionHandlingConfigurer |
org.springframework.security.web.access.intercept.FilterSecurityInterceptor | ExpressionUrlAuthorizationConfigurer |
Configurer中添加Filter
下面是调用每个Configurer中的configure方法
public abstract class AbstractConfiguredSecurityBuilder<O, B extends SecurityBuilder<O>>
extends AbstractSecurityBuilder<O> {
private void configure() throws Exception {
Collection<SecurityConfigurer<O, B>> configurers = getConfigurers();
for (SecurityConfigurer<O, B> configurer : configurers) {
configurer.configure((B) this);
}
}
}
下面是类WebSecurityConfigurerAdapter中,加载默认的配置
http = new HttpSecurity(objectPostProcessor, authenticationBuilder,
sharedObjects);
if (!disableDefaults) {
// @formatter:off
http
.csrf().and()
.addFilter(new WebAsyncManagerIntegrationFilter())
.exceptionHandling().and()
.headers().and()
.sessionManagement().and()
.securityContext().and()
.requestCache().and()
.anonymous().and()
.servletApi().and()
.apply(new DefaultLoginPageConfigurer<>()).and()
.logout();
// @formatter:on
ClassLoader classLoader = this.context.getClassLoader();
List<AbstractHttpConfigurer> defaultHttpConfigurers =
SpringFactoriesLoader.loadFactories(AbstractHttpConfigurer.class, classLoader);
for (AbstractHttpConfigurer configurer : defaultHttpConfigurers) {
http.apply(configurer);
}
}
UsernamePasswordAuthenticationFilter
从UsernamePasswordAuthenticationFilter类中的,attemptAuthentication方法可以看到使用了AuthenticationManager的authenticate方法来验证HttpRequest中的username和password。看过上篇的读者应该记得,上篇我们的通过控制台输入的用户密码,然后进行验证,也是通过这种方式运行的。
public Authentication attemptAuthentication(HttpServletRequest request,
HttpServletResponse response) throws AuthenticationException {
if (postOnly && !request.getMethod().equals("POST")) {
throw new AuthenticationServiceException(
"Authentication method not supported: " + request.getMethod());
}
String username = obtainUsername(request);
String password = obtainPassword(request);
if (username == null) {
username = "";
}
if (password == null) {
password = "";
}
username = username.trim();
UsernamePasswordAuthenticationToken authRequest = new UsernamePasswordAuthenticationToken(
username, password);
// Allow subclasses to set the "details" property
setDetails(request, authRequest);
return this.getAuthenticationManager().authenticate(authRequest);
}