spring security原理图及其解释(二)

What does auto-config do behind the scenes?

In Spring Security 3, auto-config is used solely for automatic provisioning of following three authentication-related functions:

HTTP basic authentication
Form login authentication
Logout


[size=large]The important interfaces related to authentication interact as shown in the following high-level diagram:[/size]


[img]http://dl.iteye.com/upload/attachment/0063/1025/6cde93b6-e218-305c-b219-f3ff18984781.png[/img]

At a high level, you can see that there are three major components that are responsible for much of the heavy lifting:


[img]http://dl.iteye.com/upload/attachment/0063/1027/1c8f254d-501c-3c16-9ae0-dd2b70ec6d71.png[/img]

[img]http://dl.iteye.com/upload/attachment/0063/1029/c2ae201d-a690-38a8-87bf-a6c21a47c993.png[/img]

[color=red]o.s.s.core.Authentication is an interface with which you will interact with frequently, because it stores details of the user's identifier (for example, username), credentials (for example, password), and one or more authorities (o.s.s.core.GrantedAuthority) which the user has been given. A developer will commonly use the Authentication object to retrieve details about the authenticated user, or in a custom authentication implementation he/she will augment the Authentication object with additional application-dependent information.[/color]

The following methods are available on the Authentication interface:

[img]http://dl.iteye.com/upload/attachment/0063/1033/eb687696-9d21-38fa-87de-45e42d16a670.png[/img]

[color=red]Take note that AuthenticationProvider isn't directly used or referenced by the AuthenticationManager interface. However, Spring Security ships with only one concrete implementation (plus a subclass) of AuthenticationManager, o.s.s.authentication.ProviderManager, which uses one or more AuthenticationProvider implementations as described. As the use of AuthenticationProvider is so prevalent and well-integrated into the ProviderManager, it's important to review how it works in the most common scenarios with basic configuration.[/color]

Let's get into a little more detail and look specifically at the classes involved in the processing of a web-based username and password authentication request:

[img]http://dl.iteye.com/upload/attachment/0063/1039/220ade8d-55ff-3cc8-9f1c-158cce9ed665.png[/img]

[color=red]Let's take the abstract workflow seen in the high-level diagram and mentally bring it forward to work through this concrete implementation of form-based authentication. You can see that the UsernamePasswordAuthenticationFilter is responsible (through delegation from its abstract superclass) for creating the UsernamePasswordAuthenticationToken (an implementation of the Authentication interface), and partially populating it based on information in the HttpServletRequest. But where does it get the username and password from?[/color]
评论
添加红包

请填写红包祝福语或标题

红包个数最小为10个

红包金额最低5元

当前余额3.43前往充值 >
需支付:10.00
成就一亿技术人!
领取后你会自动成为博主和红包主的粉丝 规则
hope_wisdom
发出的红包
实付
使用余额支付
点击重新获取
扫码支付
钱包余额 0

抵扣说明:

1.余额是钱包充值的虚拟货币,按照1:1的比例进行支付金额的抵扣。
2.余额无法直接购买下载,可以购买VIP、付费专栏及课程。

余额充值