Spring Security 授权体系结构_authorizationmanager-CSDN博客

本文链接：https://blog.csdn.net/swadian2008/article/details/131914330

1、Authorities 授权（AuthorizationFilter 过滤器）

通过 Authentication.getAuthorities() 可获取已通过验证的用户授权信息（GrantedAuthority），GrantedAuthority 对象由 AuthenticationManager 插入到 Authentication 对象中，然后在做出授权决策时由 AuthorizationManager 实例读取。

AuthenticationManager 的常用实现为 ProviderManager，ProviderManager.authenticate 在进行身份验证完成后，会填充 Authentication 对象，其中就包括对象的授权信息（GrantedAuthority）。

//具体授权的Provider列表
private List<AuthenticationProvider> providers;

//授权方法
public Authentication authenticate(Authentication authentication) throws AuthenticationException {
        //省略...

        //1-定义身份验证对象
        Authentication result = null;
        Authentication parentResult = null;
        int currentPosition = 0;
        int size = this.providers.size();
        Iterator var9 = this.getProviders().iterator();

        while(var9.hasNext()) {
            AuthenticationProvider provider = (AuthenticationProvider)var9.next();
            if (provider.supports(toTest)) {
                //省略...

                try {

                    //2-通过用户验证后，在这里返回填充好的Authentication对象
                    result = provider.authenticate(authentication);

                    if (result != null) {
                        this.copyDetails(authentication, result);
                        break;
                    }
                } catch (InternalAuthenticationServiceException | AccountStatusException var14) {
                    this.prepareException(var14, authentication);
                    throw var14;
                } catch (AuthenticationException var15) {
                    lastException = var15;
                }
            }
        }

        //省略...

        if (result != null) {
            if (this.eraseCredentialsAfterAuthentication && result instanceof CredentialsContainer) {
                ((CredentialsContainer)result).eraseCredentials();
            }

            if (parentResult == null) {
                this.eventPublisher.publishAuthenticationSuccess(result);
            }
            //3-在这里将封装的对象返回
            return result;
        } else {
            if (lastException == null) {
                lastException = new ProviderNotFoundException(this.messages.getMessage("ProviderManager.providerNotFound", new Object[]{toTest.getName()}, "No AuthenticationProvider found for {0}"));
            }

            if (parentException == null) {
                this.prepareException((AuthenticationException)lastException, authentication);
            }
            throw lastException;
        }
    }

AuthenticationProvider 的实现有很多，这里使用常用的 AbstractUserDetailsAuthenticationProvider 来看一下用户权限的填充步骤。

    //AbstractUserDetailsAuthenticationProvi