1. Authentication
Several important classes:
UsernamePasswordAuthenticationFilter
As the name suggests, this is the filter that verifies the username and password. It receives the request through the filter chain, extracts the username and password from it, and wraps them in a UsernamePasswordAuthenticationToken. That class is an Authentication implementation holding the user's login information, which is then handed on for the actual verification.
Authentication
public interface Authentication extends Principal, Serializable {
    Collection<? extends GrantedAuthority> getAuthorities();
    Object getCredentials();
    Object getDetails();
    Object getPrincipal();
    boolean isAuthenticated();
    void setAuthenticated(boolean var1) throws IllegalArgumentException;
}
This interface represents the user's login information; after login, the result is wrapped in it.
AuthenticationManager
public interface AuthenticationManager {
    Authentication authenticate(Authentication var1) throws AuthenticationException;
}
This is the main management class for authentication. Its main implementation is ProviderManager, which only manages: the authentication itself is not performed by this class but delegated to several AuthenticationProviders. As soon as one of them authenticates successfully, the AuthenticationManager treats the authentication as successful.
AuthenticationProvider
public interface AuthenticationProvider {
    Authentication authenticate(Authentication var1) throws AuthenticationException;
    boolean supports(Class<?> var1);
}
The class that actually performs authentication. Its main implementation is DaoAuthenticationProvider, whose purpose is to authenticate by looking up stored data; it does not run the query itself but hands that task to a UserDetailsService. supports() reports whether this provider can handle a given Authentication type.
UserDetailsService
public interface UserDetailsService {
    UserDetails loadUserByUsername(String var1) throws UsernameNotFoundException;
}
Looks up the user's information by username, including authorities and password, in preparation for the later verification, and returns a UserDetails.
UserDetails
public interface UserDetails extends Serializable {
    Collection<? extends GrantedAuthority> getAuthorities();
    String getPassword();
    String getUsername();
    boolean isAccountNonExpired();
    boolean isAccountNonLocked();
    boolean isCredentialsNonExpired();
    boolean isEnabled();
}
The user's concrete details: the raw, unwrapped user information as loaded at login.
After the lookup, the password is compared inside the AuthenticationProvider:
protected void additionalAuthenticationChecks(UserDetails userDetails, UsernamePasswordAuthenticationToken authentication) throws AuthenticationException {
    if (authentication.getCredentials() == null) {
        this.logger.debug("Authentication failed: no credentials provided");
        throw new BadCredentialsException(this.messages.getMessage("AbstractUserDetailsAuthenticationProvider.badCredentials", "Bad credentials"));
    } else {
        // The submitted password is checked against the stored (encoded) one via the PasswordEncoder.
        String presentedPassword = authentication.getCredentials().toString();
        if (!this.passwordEncoder.matches(presentedPassword, userDetails.getPassword())) {
            this.logger.debug("Authentication failed: password does not match stored value");
            throw new BadCredentialsException(this.messages.getMessage("AbstractUserDetailsAuthenticationProvider.badCredentials", "Bad credentials"));
        }
    }
}
Some helper classes follow:
GrantedAuthority
public interface GrantedAuthority extends Serializable {
    String getAuthority();
}
The authority entity. getAuthority() returns the authority identifier, which is compared against the required authority; this is generally used in the voters and is covered later under authorization.
PasswordEncoder
public interface PasswordEncoder {
    String encode(CharSequence var1);
    boolean matches(CharSequence var1, String var2);
}
The password encoder: it encodes passwords and can be replaced with your own implementation or used off the shelf; not covered here.
AuthenticationFailureHandler
public interface AuthenticationFailureHandler {
    void onAuthenticationFailure(HttpServletRequest var1, HttpServletResponse var2, AuthenticationException var3) throws IOException, ServletException;
}
Handler for authentication failure. It receives the request, the response and the AuthenticationException; you define it yourself, and it is invoked by UsernamePasswordAuthenticationFilter.
AuthenticationSuccessHandler
public interface AuthenticationSuccessHandler {
    void onAuthenticationSuccess(HttpServletRequest var1, HttpServletResponse var2, Authentication var3) throws IOException, ServletException;
}
Handler for authentication success; define your own or use an existing one. Not much more to say.
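As an added example (not code from the original post), here is the flow described above wired together by hand, from UserDetailsService through DaoAuthenticationProvider and ProviderManager to the AuthenticationManager call, with a BCryptPasswordEncoder performing the matches() check from additionalAuthenticationChecks. The class name AuthFlowDemo and the in-memory user map are constructed for this example; it assumes Spring Security 5.x on the classpath.

```java
import java.util.List;
import java.util.Map;
import org.springframework.security.authentication.*;
import org.springframework.security.authentication.dao.DaoAuthenticationProvider;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.userdetails.*;
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
import org.springframework.security.crypto.password.PasswordEncoder;

public class AuthFlowDemo {
    // Constructed in-memory "user table" (username -> BCrypt hash); stands in for the database
    // query a real UserDetailsService would run. Only the hash is stored, never the password.
    static UserDetailsService userDetailsService(PasswordEncoder encoder) {
        Map<String, UserDetails> users = Map.of("alice", User.withUsername("alice")
                .password(encoder.encode("correct horse"))
                .roles("USER")
                .build());
        return username -> {
            UserDetails u = users.get(username);
            if (u == null) {
                throw new UsernameNotFoundException("No user " + username);
            }
            return u;
        };
    }

    public static void main(String[] args) {
        PasswordEncoder encoder = new BCryptPasswordEncoder();
        DaoAuthenticationProvider provider = new DaoAuthenticationProvider();
        provider.setUserDetailsService(userDetailsService(encoder));
        provider.setPasswordEncoder(encoder); // used by additionalAuthenticationChecks()
        List<AuthenticationProvider> providers = List.of(provider);
        AuthenticationManager manager = new ProviderManager(providers);

        // Good credentials: the returned Authentication is authenticated and carries the authorities.
        Authentication ok = manager.authenticate(
                new UsernamePasswordAuthenticationToken("alice", "correct horse"));
        System.out.println(ok.isAuthenticated() + " " + ok.getAuthorities());

        // Wrong password and unknown user both surface as BadCredentialsException: DaoAuthenticationProvider
        // hides UsernameNotFoundException by default, so the response does not reveal which usernames exist.
        for (String[] attempt : new String[][] {{"alice", "wrong"}, {"mallory", "x"}}) {
            try {
                manager.authenticate(new UsernamePasswordAuthenticationToken(attempt[0], attempt[1]));
            } catch (BadCredentialsException e) {
                System.out.println(attempt[0] + " -> " + e.getMessage());
            }
        }
    }
}
```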