项目场景:
延续上篇文章,在我们APP的应用场景仅依赖于是spring security是不够的,我们还需要扩展相关功能才能够满足我们的需求.
技术详解:
这里就插播一段技术讲解吧,主要是对于spring security的相关实现源码,这里借鉴了https://blog.csdn.net/qq_22172133/article/details/86503223的一些图片.
校验流程图:
spring security的拦截器,用户名和密码校验的流程简化如下AbstractAuthenticationProcessingFilter ->
UsernamePasswordAuthenticationFilter -> ProviderManager(根据UsernamePasswordAuthenticationToken找到provider) -> AbstractUserDetailsAuthenticationProvider -> DaoAuthenticationProvider.
源码分析:
AbstractAuthenticationProcessingFilter.java
public abstract class AbstractAuthenticationProcessingFilter extends GenericFilterBean
implements ApplicationEventPublisherAware, MessageSourceAware {
public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
throws IOException, ServletException {
HttpServletRequest request = (HttpServletRequest) req;
HttpServletResponse response = (HttpServletResponse) res;
// 判断是否是认证的请求
if (!requiresAuthentication(request, response)) {
chain.doFilter(request, response);
return;
}
if (logger.isDebugEnabled()) {
logger.debug("Request is to process authentication");
}
Authentication authResult;
try {
// 具体的认证逻辑,实现类是UsernamePasswordAuthenticationFilter
authResult = attemptAuthentication(request, response);
if (authResult == null) {
// return immediately as subclass has indicated that it hasn't completed
// authentication
return;
}
sessionStrategy.onAuthentication(authResult, request, response);
}
catch (InternalAuthenticationServiceException failed) {
logger.error(
"An internal error occurred while trying to authenticate the user.",
failed);
unsuccessfulAuthentication(request, response, failed);
return;
}
catch (AuthenticationException failed) {
// Authentication failed
unsuccessfulAuthentication(request, response, failed);
return;
}
// Authentication success
if (continueChainBeforeSuccessfulAuthentication) {
chain.doFilter(request, response);
}
successfulAuthentication(request, response, chain, authResult);
}
}
AbstractAuthenticationProcessingFilter本身是一个抽象类,具体的实现类是UsernamePasswordAuthenticationFilter(spring security oauth2 后续新增了三个实现类,留到后面再慢慢讲解).而AbstractAuthenticationProcessingFilter拦截器里面实现的内容:地址是否是拦截请求,调用真正的认证方法attemptAuthentication.具体实现的逻辑如下:
UsernamePasswordAuthenticationFilter.java
public class UsernamePasswordAuthenticationFilter extends
AbstractAuthenticationProcessingFilter {
// ~ Static fields/initializers
// =====================================================================================
public static final String SPRING_SECURITY_FORM_USERNAME_KEY = "username";
public static final String SPRING_SECURITY_FORM_PASSWORD_KEY = "password";
private String usernameParameter = SPRING_SECURITY_FORM_USERNAME_KEY;
private String passwordParameter = SPRING_SECURITY_FORM_PASSWORD_KEY;
private boolean postOnly = true;
public UsernamePasswordAuthenticationFilter() {
// 默认拦截/login,可以通过配置变更登录拦截的匹配规则
super(new AntPathRequestMatcher("/login", "POST"));
}
public Authentication attemptAuthentication(HttpServletRequest request,
HttpServletResponse response) throws AuthenticationException {
if (postOnly && !request.getMethod().equals("POST")) {
throw new AuthenticationServiceException(
"Authentication method not supported: " + request.getMethod());
}
String username = obtainUsername(request);
String password = obtainPassword(request);
if (username == null) {
username = "";
}
if (password == null) {
password = "";
}
username = username.trim();
UsernamePasswordAuthenticationToken authRequest = new UsernamePasswordAuthenticationToken(
username, password);
// Allow subclasses to set the "details" property
setDetails(request, authRequest);
return this.getAuthenticationManager().authenticate(authRequest);
}
}
代码很简单,就是从request获取到用户名和密码信息,然后再构建成UsernamePasswordAuthenticationToken,将请求委托给ProviderManager进行认证,哪么ProviderManager具体做了哪些事情呢?我们先上源码.
public class ProviderManager implements AuthenticationManager, MessageSourceAware,
InitializingBean {
public Authentication authenticate(Authentication authentication)
throws AuthenticationException {
Class<? extends Authentication> toTest = authentication.getClass();
AuthenticationException lastException = null;
Authentication result = null;
boolean debug = logger.isDebugEnabled();
for (AuthenticationProvider provider : getProviders()) {
if (!provider.supports(toTest)) {
continue;
}
if (debug) {
logger.debug("Authentication attempt using "
+ provider.getClass().getName());
}
try {
result = provider.authenticate(authentication);
if (result != null) {
copyDetails(authentication, result);
break;
}
}
catch (AccountStatusException e) {
prepareException(e, authentication);
// SEC-546: Avoid polling additional providers if auth failure is due to
// invalid account status
throw e;
}
catch (InternalAuthenticationServiceException e) {
prepareException(e, authentication);
throw e;
}
catch (AuthenticationException e) {
lastException = e;
}
}
<!-- 后续代码省略,自己去看源码吧.主要是认证通过之后的事件通知 -->
}
通过阅读源码,就可以很容易看出.providerManager里面做的事情是轮询所有的provider,然后通过supports判断出是否需要处理这个Token,跟着源码走下去我们发现处理UsernamePasswordAuthenticationToken的Provider是AbstractUserDetailsAuthenticationProvider,而AbstractUserDetailsAuthenticationProvider的实现类是DaoAuthenticationProvider,哪么我们看看他们具体是做了哪些事情.
AbstractUserDetailsAuthenticationProvider.java
public abstract class AbstractUserDetailsAuthenticationProvider implements
AuthenticationProvider, InitializingBean, MessageSourceAware {
public Authentication authenticate(Authentication authentication)
throws AuthenticationException {
Assert.isInstanceOf(UsernamePasswordAuthenticationToken.class, authentication,
messages.getMessage(
"AbstractUserDetailsAuthenticationProvider.onlySupports",
"Only UsernamePasswordAuthenticationToken is supported"));
// Determine username
String username = (authentication.getPrincipal() == null) ? "NONE_PROVIDED"
: authentication.getName();
boolean cacheWasUsed = true;
UserDetails user = this.userCache.getUserFromCache(username);
if (user == null) {
cacheWasUsed = false;
try {
user = retrieveUser(username,
(UsernamePasswordAuthenticationToken) authentication);
}
catch (UsernameNotFoundException notFound) {
logger.debug("User '" + username + "' not found");
if (hideUserNotFoundExceptions) {
throw new BadCredentialsException(messages.getMessage(
"AbstractUserDetailsAuthenticationProvider.badCredentials",
"Bad credentials"));
}
else {
throw notFound;
}
}
Assert.notNull(user,
"retrieveUser returned null - a violation of the interface contract");
}
try {
preAuthenticationChecks.check(user);
additionalAuthenticationChecks(user,
(UsernamePasswordAuthenticationToken) authentication);
}
catch (AuthenticationException exception) {
if (cacheWasUsed) {
// There was a problem, so try again after checking
// we're using latest data (i.e. not from the cache)
cacheWasUsed = false;
user = retrieveUser(username,
(UsernamePasswordAuthenticationToken) authentication);
preAuthenticationChecks.check(user);
additionalAuthenticationChecks(user,
(UsernamePasswordAuthenticationToken) authentication);
}
else {
throw exception;
}
}
postAuthenticationChecks.check(user);
if (!cacheWasUsed) {
this.userCache.putUserInCache(user);
}
Object principalToReturn = user;
if (forcePrincipalAsString) {
principalToReturn = user.getUsername();
}
return createSuccessAuthentication(principalToReturn, authentication, user);
}
}
逻辑也很简单,先判断缓存里面是否有对应的用户信息,如果没有再调用UserDetailService进行查询。最后返回UserDetail.这里可以发现,没有校验密码的逻辑。其实这块逻辑的代码是在DaoAuthenticationProvider.additionalAuthenticationChecks里面。我们上代码吧
DaoAuthenticationProvider.java
public class DaoAuthenticationProvider extends AbstractUserDetailsAuthenticationProvider {
protected void additionalAuthenticationChecks(UserDetails userDetails,
UsernamePasswordAuthenticationToken authentication)
throws AuthenticationException {
if (authentication.getCredentials() == null) {
logger.debug("Authentication failed: no credentials provided");
throw new BadCredentialsException(messages.getMessage(
"AbstractUserDetailsAuthenticationProvider.badCredentials",
"Bad credentials"));
}
String presentedPassword = authentication.getCredentials().toString();
// 校验密码的逻辑在这里
if (!passwordEncoder.matches(presentedPassword, userDetails.getPassword())) {
logger.debug("Authentication failed: password does not match stored value");
throw new BadCredentialsException(messages.getMessage(
"AbstractUserDetailsAuthenticationProvider.badCredentials",
"Bad credentials"));
}
}
}
从源码里面就可以看出来,校验密码的方法是 !passwordEncoder.matches(presentedPassword, userDetails.getPassword())。如果校验通过的话,哪么就正常执行;如果校验失败的话,哪么就抛出异常。
好了,spring security的用户名和密码登录的校验逻辑就已经结束了.看到这里我当时就有一个疑问,用户检验完了密码和账号,当时后续又是如何知道这个用户已经登录了,并且获取到当前登录的用户信息呢?这一块就放到下一篇文章来讲解吧.