I. The abstract class org.springframework.security.ui.AbstractProcessingFilter
It holds an AuthenticationManager, an exceptionMappings table and a few other parameters (the URLs it processes and redirects to).
It defines these methods:
1. abstract Authentication attemptAuthentication(HttpServletRequest request) throws AuthenticationException;
2. doFilterHttp(HttpServletRequest request, HttpServletResponse response, FilterChain chain) throws IOException, ServletException
Method 2 drives the whole login. It first calls hook 3, then attemptAuthentication(); the subclass's implementation of that method is what hands the submitted credentials to the AuthenticationManager. If an Authentication comes back, the filter takes its success path, which calls hook 4; if either step throws an AuthenticationException, it takes its failure path, which calls hook 5. Hooks 3, 4 and 5 are empty in the base class, which leaves them for subclasses to override.
3. protected void onPreAuthentication(HttpServletRequest request, HttpServletResponse response) throws AuthenticationException, IOException (empty)
4. protected void onSuccessfulAuthentication(HttpServletRequest request, HttpServletResponse response, Authentication authResult) throws IOException (empty)
5. protected void onUnsuccessfulAuthentication(HttpServletRequest request, HttpServletResponse response, AuthenticationException failed) throws IOException (empty)
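As an added example (not code from the page or from Spring Security itself), here is what the three hooks are typically used for: a login filter that throttles brute-force attempts per client address. It extends AuthenticationProcessingFilter, the concrete form-login subclass, so attemptAuthentication() is inherited and only the hooks are overridden. The class name, the threshold and the lockout window are assumptions; the package names follow the 2.0 API used on this page.

```java
import java.io.IOException;
import java.util.concurrent.ConcurrentHashMap;

import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
import org.springframework.security.Authentication;
import org.springframework.security.AuthenticationException;
import org.springframework.security.AuthenticationServiceException;
import org.springframework.security.ui.webapp.AuthenticationProcessingFilter;

/**
 * Example filter (assumed name): uses the onPreAuthentication /
 * onSuccessfulAuthentication / onUnsuccessfulAuthentication hooks of
 * AbstractProcessingFilter to lock out a client address after repeated failures.
 */
public class ThrottlingLoginFilter extends AuthenticationProcessingFilter {

    private static final Log log = LogFactory.getLog(ThrottlingLoginFilter.class);

    // Assumed policy: five failures from one address lock it out for 15 minutes.
    private static final int MAX_FAILURES = 5;
    private static final long LOCKOUT_MILLIS = 15L * 60L * 1000L;

    /** Per-address failure state; guarded by synchronizing on the instance. */
    private static final class Failures {
        int count;
        long lockedUntil;
    }

    private final ConcurrentHashMap<String, Failures> failuresByAddress =
            new ConcurrentHashMap<String, Failures>();

    /** Hook 3: runs before attemptAuthentication(); throwing here takes the failure path. */
    protected void onPreAuthentication(HttpServletRequest request, HttpServletResponse response)
            throws AuthenticationException, IOException {
        Failures f = failuresByAddress.get(request.getRemoteAddr());
        if (f != null) {
            synchronized (f) {
                if (f.lockedUntil > System.currentTimeMillis()) {
                    // Refuse without consulting the AuthenticationManager at all.
                    throw new AuthenticationServiceException(
                            "Too many failed logins from this address; try again later");
                }
            }
        }
    }

    /** Hook 4: a successful login clears the counter for that address. */
    protected void onSuccessfulAuthentication(HttpServletRequest request, HttpServletResponse response,
            Authentication authResult) throws IOException {
        failuresByAddress.remove(request.getRemoteAddr());
    }

    /** Hook 5: count the failure and start a lockout once the threshold is reached. */
    protected void onUnsuccessfulAuthentication(HttpServletRequest request, HttpServletResponse response,
            AuthenticationException failed) throws IOException {
        String addr = request.getRemoteAddr();
        Failures fresh = new Failures();
        Failures f = failuresByAddress.putIfAbsent(addr, fresh);
        if (f == null) {
            f = fresh;
        }
        synchronized (f) {
            f.count++;
            if (f.count >= MAX_FAILURES) {
                f.lockedUntil = System.currentTimeMillis() + LOCKOUT_MILLIS;
                f.count = 0;
            }
        }
        // Record who failed and why; the submitted password is deliberately never logged.
        log.warn("Login failed for '" + obtainUsername(request) + "' from " + addr
                + ": " + failed.getMessage());
    }
}
```

Two caveats a practitioner would weigh before deploying this. Keying the lockout on getRemoteAddr() is only meaningful if the filter sees real client addresses (behind a reverse proxy it sees the proxy), and a per-address lockout lets an attacker who shares an address with legitimate users deny them service, so a per-username counter or a delay is often preferable. In the 2.0 namespace the bean needs the authenticationManager property set and a <custom-filter position="AUTHENTICATION_PROCESSING_FILTER"/> element so that it replaces the default form-login filter.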
II. org.springframework.security.AuthenticationManager
An interface with a single method: Authentication authenticate(Authentication authentication) throws AuthenticationException;
Its abstract base implementation is org.springframework.security.AbstractAuthenticationManager,
and the concrete implementation is org.springframework.security.providers.ProviderManager.
ProviderManager initialises private static final Properties DEFAULT_EXCEPTION_MAPPINGS = new Properties(); which maps the name of an exception class to the event class that should be published when that exception occurs, for example:
DEFAULT_EXCEPTION_MAPPINGS.put(BadCredentialsException.class.getName(), AuthenticationFailureBadCredentialsEvent.class.getName());
It implements public Authentication doAuthentication(Authentication authentication) throws AuthenticationException, which obtains Iterator iter = getProviders().iterator(); and walks every configured provider, calling provider.authenticate(authentication) on each one that supports the token type. The first provider to return a non-null result wins, so the order in which providers are listed matters. org.springframework.security.providers.AuthenticationProvider is an interface; in the configuration file <authentication-provider user-service-ref="userDetailsService"/> wires up a provider backed by your own UserDetailsService bean.
On success it publishes an event with publishEvent(new AuthenticationSuccessEvent(result)); on failure it looks the exception up in the mappings above, publishes the matching failure event and rethrows the exception.
***** Configuring an AuthenticationProvider
The types involved are the interface org.springframework.security.providers.AuthenticationProvider
and the abstract class org.springframework.security.providers.dao.AbstractUserDetailsAuthenticationProvider (its concrete subclass DaoAuthenticationProvider is what the <authentication-provider> element below creates).
1) Simplest form: user names and passwords listed directly in the configuration
<authentication-provider>
  <user-service>
    <user name="admin" password="admin" authorities="ROLE_USER, ROLE_ADMIN" />
    <user name="user" password="user" authorities="ROLE_USER" />
  </user-service>
</authentication-provider>
The passwords here sit in clear text in the configuration file, which is acceptable only for a demo. For anything else add a <password-encoder hash="sha"/> element inside <authentication-provider> and store digests rather than passwords.
2) Backed by a database through a data source
<beans:bean id="dataSource" class="org.springframework.jdbc.datasource.DriverManagerDataSource">
  <beans:property name="driverClassName" value="org.hsqldb.jdbcDriver"/>
  <beans:property name="url" value="jdbc:hsqldb:res:/hsqldb/test"/>
  <beans:property name="username" value="sa"/>
  <beans:property name="password" value=""/>
</beans:bean>
<authentication-provider>
  <jdbc-user-service data-source-ref="dataSource"/>
</authentication-provider>
By default Spring Security expects two tables, a users table and an authorities table. The HSQLDB DDL for them:
create table users(
  username varchar_ignorecase(50) not null primary key,
  password varchar_ignorecase(50) not null,
  enabled boolean not null
);
create table authorities (
  username varchar_ignorecase(50) not null,
  authority varchar_ignorecase(50) not null,
  constraint fk_authorities_users foreign key(username) references users(username)
);
create unique index ix_auth_username on authorities (username,authority);
3) Custom table structure
<authentication-provider>
  <jdbc-user-service data-source-ref="dataSource"
    users-by-username-query="select username,password,status as enabled from user where username=?"
    authorities-by-username-query="select u.username,r.name as authority from user u join user_role ur on u.id=ur.user_id join role r on r.id=ur.role_id where u.username=?"/>
</authentication-provider>
users-by-username-query looks the user up by name: given the submitted user name it must return the login name, the password (or its digest) and the enabled flag, in that column order.
authorities-by-username-query looks the authorities up by name: given the submitted user name it must return every authority granted to that user, with the user name as the first column and the authority as the second.
4) Your own UserDetailsService (recommended): <authentication-provider user-service-ref="userDetailsService"/>
Here userDetailsService is a bean implementing org.springframework.security.userdetails.UserDetailsService. The provider calls its loadUserByUsername() and then performs the password comparison and the enabled/locked/expired checks itself, so the service only has to load the record.
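As an added example (not code from the page or from Spring Security), the following UserDetailsService loads users from the user / user_role / role layout that the custom queries in 3) assume. The class name is an assumption, and the two in-memory maps are constructed sample data standing in for the database tables; a real implementation would run the same two queries through JDBC. The package names follow the 2.0 API used on this page.

```java
import java.util.Arrays;
import java.util.HashMap;
import java.util.List;
import java.util.Map;

import org.springframework.dao.DataAccessException;
import org.springframework.security.GrantedAuthority;
import org.springframework.security.GrantedAuthorityImpl;
import org.springframework.security.userdetails.User;
import org.springframework.security.userdetails.UserDetails;
import org.springframework.security.userdetails.UserDetailsService;
import org.springframework.security.userdetails.UsernameNotFoundException;

/**
 * Example (assumed name): builds a UserDetails from the "user" row and the
 * roles joined through "user_role", mirroring the two queries in section 3).
 */
public class RoleTableUserDetailsService implements UserDetailsService {

    /** One row of the assumed user table: password digest plus status (enabled) flag. */
    private static final class UserRow {
        final String passwordHash;
        final boolean enabled;
        UserRow(String passwordHash, boolean enabled) {
            this.passwordHash = passwordHash;
            this.enabled = enabled;
        }
    }

    // Constructed sample data standing in for the database tables.
    private final Map<String, UserRow> userTable = new HashMap<String, UserRow>();
    private final Map<String, List<String>> roleTable = new HashMap<String, List<String>>();

    public RoleTableUserDetailsService() {
        // SHA-1 hex digest of the string "password"; pairs with <password-encoder hash="sha"/>.
        String digest = "5baa61e4c9b93f3f0682250b6cf8331b7ee68fd8";
        userTable.put("admin", new UserRow(digest, true));
        roleTable.put("admin", Arrays.asList("ROLE_USER", "ROLE_ADMIN"));
        userTable.put("alice", new UserRow(digest, true));
        roleTable.put("alice", Arrays.asList("ROLE_USER"));
        userTable.put("mallory", new UserRow(digest, false));   // status = 0: disabled
        roleTable.put("mallory", Arrays.asList("ROLE_USER"));
        userTable.put("nobody", new UserRow(digest, true));     // no user_role rows at all
    }

    public UserDetails loadUserByUsername(String username)
            throws UsernameNotFoundException, DataAccessException {
        // users-by-username-query equivalent.
        UserRow row = userTable.get(username);
        if (row == null) {
            throw new UsernameNotFoundException("User not found: " + username);
        }
        // authorities-by-username-query equivalent. A user with no authorities is
        // rejected here, which is also what the built-in jdbc-user-service does.
        List<String> roles = roleTable.get(username);
        if (roles == null || roles.isEmpty()) {
            throw new UsernameNotFoundException("User " + username + " has no granted authority");
        }
        GrantedAuthority[] authorities = new GrantedAuthority[roles.size()];
        for (int i = 0; i < roles.size(); i++) {
            authorities[i] = new GrantedAuthorityImpl(roles.get(i));
        }
        // enabled comes from the status column; the three remaining flags are
        // accountNonExpired, credentialsNonExpired and accountNonLocked.
        return new User(username, row.passwordHash, row.enabled, true, true, true, authorities);
    }
}
```

Register it with <beans:bean id="userDetailsService" class="RoleTableUserDetailsService"/> (fully qualified in a real project) and point user-service-ref at it. Two behaviours worth knowing: the provider rejects the disabled "mallory" with a DisabledException before it even compares passwords, and by default it converts the UsernameNotFoundException thrown above into a BadCredentialsException (hideUserNotFoundExceptions is true), so a caller cannot tell a wrong user name from a wrong password and enumerate accounts.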