1 Session management in Spring Security
Spring Security's session handling for a newly created authentication lives in the onAuthentication method of the SessionAuthenticationStrategy interface. Let us first look at this interface and its implementing classes.
1.1 The SessionAuthenticationStrategy interface
public interface SessionAuthenticationStrategy {
    /**
     * Handles the session logic once an authentication has been produced
     * (e.g. session fixation protection, concurrent-session control).
     */
    void onAuthentication(Authentication authentication, HttpServletRequest request,
            HttpServletResponse response) throws SessionAuthenticationException;
}
SessionAuthenticationStrategy is only an interface, and it has many implementing classes, but by default Spring Security uses CompositeSessionAuthenticationStrategy, as shown in the figure below:
1.2 CompositeSessionAuthenticationStrategy
Go straight to the onAuthentication implementation in CompositeSessionAuthenticationStrategy:
private final List<SessionAuthenticationStrategy> delegateStrategies;

public void onAuthentication(Authentication authentication,
        HttpServletRequest request, HttpServletResponse response)
        throws SessionAuthenticationException {
    for (SessionAuthenticationStrategy delegate : this.delegateStrategies) {
        if (this.logger.isDebugEnabled()) {
            this.logger.debug("Delegating to " + delegate);
        }
        delegate.onAuthentication(authentication, request, response);
    }
}
Looks familiar, doesn't it? CompositeSessionAuthenticationStrategy holds a list of classes that implement SessionAuthenticationStrategy, iterates over that list, and lets each of them perform the real session logic in turn. The question now is: which implementing classes are actually stored in delegateStrategies? As shown in the figure:
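As an added example (not code from the original post or from Spring Security itself), this is how the delegate list of a CompositeSessionAuthenticationStrategy can be assembled explicitly in Java config, in the same order the composite's loop above will call them, with a small custom strategy appended at the end. The configuration class, the AuditSessionStrategy class and the bean names are my own; the javax servlet package assumes a pre-Jakarta Spring Security version, matching the post.

```java
import java.util.List;
import javax.servlet.http.HttpServletRequest;   // assumption: javax-era Spring Security
import javax.servlet.http.HttpServletResponse;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.session.SessionRegistry;
import org.springframework.security.core.session.SessionRegistryImpl;
import org.springframework.security.web.authentication.session.*;

@Configuration
public class SessionStrategyConfig {

    // Hypothetical custom delegate: runs after the built-in strategies and records
    // which session id the freshly authenticated principal is now bound to.
    static class AuditSessionStrategy implements SessionAuthenticationStrategy {
        @Override
        public void onAuthentication(Authentication authentication,
                HttpServletRequest request, HttpServletResponse response)
                throws SessionAuthenticationException {
            String sessionId = request.getSession(false) != null
                    ? request.getSession(false).getId() : "<no session>";
            System.out.printf("login by %s bound to session %s%n",
                    authentication.getName(), sessionId);
        }
    }

    @Bean
    public SessionRegistry sessionRegistry() { return new SessionRegistryImpl(); }

    @Bean
    public SessionAuthenticationStrategy sessionAuthenticationStrategy(SessionRegistry registry) {
        // 1. Refuse a second concurrent login for the same principal; the delegate
        //    throws SessionAuthenticationException, which aborts the whole composite.
        ConcurrentSessionControlAuthenticationStrategy concurrency =
                new ConcurrentSessionControlAuthenticationStrategy(registry);
        concurrency.setMaximumSessions(1);
        concurrency.setExceptionIfMaximumExceeded(true);
        // 2. Rotate the session id on login (session fixation protection).
        ChangeSessionIdAuthenticationStrategy fixation = new ChangeSessionIdAuthenticationStrategy();
        // 3. Register the (new) session so concurrency control can see it on the next login.
        RegisterSessionAuthenticationStrategy register = new RegisterSessionAuthenticationStrategy(registry);
        // The composite invokes each delegate in list order, exactly as in the loop shown above.
        return new CompositeSessionAuthenticationStrategy(
                List.of(concurrency, fixation, register, new AuditSessionStrategy()));
    }
}
```

The bean is handed to the filter chain with http.sessionManagement().sessionAuthenticationStrategy(...), which is what ends up in the sessionStrategy field of AbstractAuthenticationProcessingFilter.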
1.3 Where onAuthentication is called
As said earlier, Spring Security's authentication flow starts in AbstractAuthenticationProcessingFilter, while the authentication itself is implemented by its subclass UsernamePasswordAuthenticationFilter. Once attemptAuthentication in AbstractAuthenticationProcessingFilter succeeds, it calls onAuthentication on the SessionAuthenticationStrategy to handle the session-related logic. Here is the code:
// session strategy; the default implementation class is CompositeSessionAuthenticationStrategy
private SessionAuthenticationStrategy sessionStrategy = new NullAuthenticatedSessionStrategy();
public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
        throws IOException, ServletException {
    HttpServletRequest request = (HttpServletRequest) req;
    HttpServletResponse response = (HttpServletResponse) res;
    if (!requiresAuthentication(request, response)) {
        chain.doFilter(request, response);
        return;
    }
    Authentication authResult;
    try {
        authResult = a