Spring Security登陆流程讲解

Shun

本文主要介绍了Spring Security登陆流程讲解，文中通过示例代码介绍的非常详细，具有一定的参考价值，感兴趣的小伙伴们可以参考一下
在Spring Security中，认证授权都是通过过滤器来实现的。
当开始登陆的时候，有一个关键的过滤器UsernamePasswordAuthenticationFilter，该类继承抽象类AbstractAuthenticationProcessingFilter，在AbstractAuthenticationProcessingFilter里有一个doFilter方法，一切先从这里说起。

3. private void doFilter(HttpServletRequest request, HttpServletResponse response, FilterChain chain)
4.       throws IOException, ServletException {
5.    if (!requiresAuthentication(request, response)) {
6.       chain.doFilter(request, response);
7.       return;
8.    }
9.    try {
10.       Authentication authenticationResult = attemptAuthentication(request, response);
11.       if (authenticationResult == null) {
12.          // return immediately as subclass has indicated that it hasn't completed
13.          return;
14.       }
15.       this.sessionStrategy.onAuthentication(authenticationResult, request, response);
16.       // Authentication success
17.       if (this.continueChainBeforeSuccessfulAuthentication) {
18.          chain.doFilter(request, response);
19.       }
20.       successfulAuthentication(request, response, chain, authenticationResult);
21.    }
22.    catch (InternalAuthenticationServiceException failed) {
23.       this.logger.error("An internal error occurred while trying to authenticate the user.", failed);
24.       unsuccessfulAuthentication(request, response, failed);
25.    }
26.    catch (AuthenticationException ex) {
27.       // Authentication failed
28.       unsuccessfulAuthentication(request, response, ex);
29.    }
30. }

复制代码

首先requiresAuthentication先判断是否尝试校验，通过后调用attemptAuthentication方法，这个方法也就是UsernamePasswordAuthenticationFilter 中的attemptAuthentication方法。

3. public Authentication attemptAuthentication(HttpServletRequest request, HttpServletResponse response)
4.       throws AuthenticationException {
5.    if (this.postOnly && !request.getMethod().equals("POST")) {
6.       throw new AuthenticationServiceException("Authentication method not supported: " + request.getMethod());
7.    }
8.    String username = obtainUsername(request);
9.    username = (username != null) ? username : "";
10.    username = username.trim();
11.    String password = obtainPassword(request);
12.    password = (password != null) ? password : "";
13.    UsernamePasswordAuthenticationToken authRequest = new UsernamePasswordAuthenticationToken(username, password);
14.    // Allow subclasses to set the "details" property
15.    setDetails(request, authRequest);
16.    return this.getAuthenticationManager().authenticate(authRequest);
17. }

复制代码

1.在UsernamePasswordAuthenticationFilter 的attemptAuthentication方法中，先是验证请求的类型，是否是POST请求，如果不是的话，抛出异常。(PS：登陆肯定要用POST方法了)
2.然后拿到username和password。这里使用的是obtainUsername方法，也就是get方法。

3. @Nullable
4. protected String obtainPassword(HttpServletRequest request) {
5.    return request.getParameter(this.passwordParameter);
6. }
8. @Nullable
9. protected String obtainUsername(HttpServletRequest request) {
10.    return request.getParameter(this.usernameParameter);
11. }

复制代码

由此我们知道了Spring Security中是通过get方法来拿到参数，所以在进行前后端分离的时候是无法接受JSON数据，处理方法就是自定义一个Filter来继承UsernamePasswordAuthenticationFilter，重写attemptAuthentication方法，然后创建一个Filter实例写好登陆成功和失败的逻辑处理，在HttpSecurity参数的configure中通过addFilterAt来替换Spring Security官方提供的过滤器。
3.创建一个UsernamePasswordAuthenticationToken 实例。
4.设置Details，在这里关键的是在WebAuthenticationDetails类中记录了用户的remoteAddress和sessionId。

3. public WebAuthenticationDetails(HttpServletRequest request) {
4.    this.remoteAddress = request.getRemoteAddr();
5.    HttpSession session = request.getSession(false);
6.    this.sessionId = (session != null) ? session.getId() : null;
7. }

复制代码

5.拿到一个AuthenticationManager通过authenticate方法进行校验，这里以实现类ProviderManager为例。

3. @Override
4. public Authentication authenticate(Authentication authentication) throws AuthenticationException {
5.    //获取Authentication的运行时类
6.    Class<? extends Authentication> toTest = authentication.getClass();
7.    AuthenticationException lastException = null;
8.    AuthenticationException parentException = null;
9.    Authentication result = null;
10.    Authentication parentResult = null;
11.    int currentPosition = 0;
12.    int size = this.providers.size();
13.    
14.    for (AuthenticationProvider provider : getProviders()) {
15.        //判断是否支持处理该类别的provider
16.       if (!provider.supports(toTest)) {
17.          continue;
18.       }
19.       if (logger.isTraceEnabled()) {
20.          logger.trace(LogMessage.format("Authenticating request with %s (%d/%d)",
21.                provider.getClass().getSimpleName(), ++currentPosition, size));
22.       }
23.       try {
24.           //获取用户的信息
25.          result = provider.authenticate(authentication);
26.          if (result != null) {
27.             copyDetails(authentication, result);
28.             break;
29.          }
30.       }
31.       catch (AccountStatusException | InternalAuthenticationServiceException ex) {
32.          prepareException(ex, authentication);
33.          // SEC-546: Avoid polling additional providers if auth failure is due to
34.          // invalid account status
35.          throw ex;
36.       }
37.       catch (AuthenticationException ex) {
38.          lastException = ex;
39.       }
40.    }
41.    //不支持的话跳出循环再次执行
42.    if (result == null && this.parent != null) {
43.       // Allow the parent to try.
44.       try {
45.          parentResult = this.parent.authenticate(authentication);
46.          result = parentResult;
47.       }
48.       catch (ProviderNotFoundException ex) {
49.          // ignore as we will throw below if no other exception occurred prior to
50.          // calling parent and the parent
51.          // may throw ProviderNotFound even though a provider in the child already
52.          // handled the request
53.       }
54.       catch (AuthenticationException ex) {
55.          parentException = ex;
56.          lastException = ex;
57.       }
58.    }
59.    if (result != null) {
60.        //擦除用户的凭证 也就是密码
61.       if (this.eraseCredentialsAfterAuthentication && (result instanceof CredentialsContainer)) {
62.          // Authentication is complete. Remove credentials and other secret data
63.          // from authentication
64.          ((CredentialsContainer) result).eraseCredentials();
65.       }
66.       // If the parent AuthenticationManager was attempted and successful then it
67.       // will publish an AuthenticationSuccessEvent
68.       // This check prevents a duplicate AuthenticationSuccessEvent if the parent
69.       // AuthenticationManager already published it
70.       if (parentResult == null) {
71.           //公示登陆成功
72.          this.eventPublisher.publishAuthenticationSuccess(result);
73.       }
75.       return result;
76.    }
78.    // Parent was null, or didn't authenticate (or throw an exception).
79.    if (lastException == null) {
80.       lastException = new ProviderNotFoundException(this.messages.getMessage("ProviderManager.providerNotFound",
81.             new Object[] { toTest.getName() }, "No AuthenticationProvider found for {0}"));
82.    }
83.    // If the parent AuthenticationManager was attempted and failed then it will
84.    // publish an AbstractAuthenticationFailureEvent
85.    // This check prevents a duplicate AbstractAuthenticationFailureEvent if the
86.    // parent AuthenticationManager already published it
87.    if (parentException == null) {
88.       prepareException(lastException, authentication);
89.    }
90.    throw lastException;
91. }

复制代码

6.经过一系列校验，此时登陆校验基本完成，当验证通过后会执行doFilter中的successfulAuthentication方法，跳转到我们设置的登陆成功界面，验证失败会执行unsuccessfulAuthentication方法，跳转到我们设置的登陆失败界面。
到此这篇关于Spring Security登陆流程讲解的文章就介绍到这了,更多相关Spring Security登陆内容请搜索OPEN开发家园以前的文章或继续浏览下面的相关文章希望大家以后多多支持OPEN开发家园！
原文链接：https://blog.csdn.net/MAKEJAVAMAN/article/details/121021287

[occ]文档来源：网络转载 http://www.zzvips.com/article/231024.html[/occ]