1. AbstractAuthenticationProcessingFilter creates an Authentication from the HttpServletRequest. The type of Authentication depends on the subclass of AbstractAuthenticationProcessingFilter, for example:
1) UsernamePasswordAuthenticationFilter creates a UsernamePasswordAuthenticationToken
So if a Token that cannot be authenticated is encountered, an exception is thrown.
2. The Authentication is passed to the AuthenticationManager to be authenticated.
3. If authentication fails:
1) The context is cleared
2) RememberMeServices.loginFail is invoked
3) AuthenticationFailureHandler is invoked
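4. If authentication succeeds:
1) SessionAuthenticationStrategy is notified of the new login
2) The Authentication is saved in SecurityContextHolder; afterwards it is also saved to the HttpSession
3) RememberMeServices.loginSuccess is invoked
4) ApplicationEventPublisher is invoked
5) AuthenticationSuccessHandler is invoked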
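
The same flow seen from the subclass side, as an added example that is not part of the original notes or of Spring Security's own code. The class name JsonLoginFilter, the /api/login path, the JSON field names and the use of Jackson are assumptions; the API calls are those of Spring Security 5.4.x.

```java
import java.io.IOException;
import java.util.Map;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import com.fasterxml.jackson.databind.ObjectMapper;
import org.springframework.security.authentication.AuthenticationManager;
import org.springframework.security.authentication.AuthenticationServiceException;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.core.Authentication;
import org.springframework.security.web.authentication.AbstractAuthenticationProcessingFilter;
import org.springframework.security.web.util.matcher.AntPathRequestMatcher;

// Hypothetical subclass (assumption): JSON login on POST /api/login.
public class JsonLoginFilter extends AbstractAuthenticationProcessingFilter {
    private final ObjectMapper mapper = new ObjectMapper();

    public JsonLoginFilter(AuthenticationManager authenticationManager) {
        super(new AntPathRequestMatcher("/api/login", "POST"));
        setAuthenticationManager(authenticationManager);
        // Failure path (step 3): answer 401 with a generic message, no hint about which field was wrong.
        setAuthenticationFailureHandler((req, res, ex) ->
                res.sendError(HttpServletResponse.SC_UNAUTHORIZED, "Authentication failed"));
        // Success path (step 4): answer 204 instead of the default redirect.
        setAuthenticationSuccessHandler((req, res, auth) ->
                res.setStatus(HttpServletResponse.SC_NO_CONTENT));
    }

    // Step 1: build the Authentication from the HttpServletRequest.
    @Override
    public Authentication attemptAuthentication(HttpServletRequest request, HttpServletResponse response) {
        Map<?, ?> body;
        try {
            body = mapper.readValue(request.getInputStream(), Map.class);
        } catch (IOException e) {
            // Surface parse errors as an AuthenticationException so the failure path (step 3) runs.
            throw new AuthenticationServiceException("Unreadable login request", e);
        }
        UsernamePasswordAuthenticationToken token = new UsernamePasswordAuthenticationToken(
                field(body, "username"), field(body, "password"));
        token.setDetails(authenticationDetailsSource.buildDetails(request));
        // Step 2: hand the unauthenticated token to the AuthenticationManager.
        return getAuthenticationManager().authenticate(token);
    }

    // Missing or non-string fields become "" so they fail authentication instead of causing an NPE.
    private static String field(Map<?, ?> body, String name) {
        Object value = (body == null) ? null : body.get(name);
        return (value instanceof String) ? (String) value : "";
    }
}
```

The subclass only supplies steps 1 and 2; clearing the context, the RememberMeServices calls, the session strategy and the handler invocations are carried out by the parent filter. It can be registered with `http.addFilterAt(filter, UsernamePasswordAuthenticationFilter.class)`.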
Reference:
https://docs.spring.io/spring-security/site/docs/5.4.5/reference/html5/#servlet-authentication-abstractprocessingfilter