Spring Security系列-Spring Security运行机制分析(四)

前言

前面三篇写的关于Spring Security是如何进行用户认证,本篇来看看我们输入的用户名和密码是如何传给AuthenticationManager的。

Filter

Spring Security有一个FilterChain,它包含由多个Filter组成的集合。当用户输入用户密码,并提交HttpRequest后,Spring Security通过一系列的Filter对HttpRequest进行处理和筛选。下面的图可以看出,Spring Security Filter Chain 作为Servlet Filter中的一个,但它包含了多个Filter。
Spring Security系列-Spring Security运行机制分析(四)_第1张图片

Configurer

在org.springframework.security.config.annotation.web.configurers包下有许多configurer类。这些configurer类,都实现了configurer方法。当Spring Security初始化时,会根据代码中定义的Configurer配置或者properties文件中的配置,得到一个Configurer集合。集合中的每个Configurer类中的configurer方法被调用时,就可往SecurityFilterChain中添加相应的Filter。

之前在Spring Security系列-Spring Security简单身份认证配置(二)中配置了的身份认证,它所使用的Configure以及生成的Filter如下:

Filters Configurers
org.springframework.security.web.context.request.async.WebAsyncManagerIntegrationFilter WebSecurityConfigurerAdapter直接添加
org.springframework.security.web.context.SecurityContextPersistenceFilter SecurityContextConfigurer
org.springframework.security.web.header.HeaderWriterFilter HeadersConfigurer
org.springframework.security.web.csrf.CsrfFilter CsrfConfigurer
org.springframework.security.web.authentication.logout.LogoutFilter LogoutConfigurer
org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter FormLoginConfigurer
org.springframework.security.web.savedrequest.RequestCacheAwareFilter RequestCacheConfigurer
org.springframework.security.web.servletapi.SecurityContextHolderAwareRequestFilter ServletApiConfigurer
org.springframework.security.web.authentication.AnonymousAuthenticationFilter AnonymousConfigurer
org.springframework.security.web.session.SessionManagementFilter CsrfCoSessionManagementConfigurerfigurer
org.springframework.security.web.access.ExceptionTranslationFilter ExceptionHandlingConfigurer
org.springframework.security.web.access.intercept.FilterSecurityInterceptor ExpressionUrlAuthorizationConfigurer

Configurer中添加Filter

下面是调用每个Configurer中的configure方法

public abstract class AbstractConfiguredSecurityBuilder<O, B extends SecurityBuilder<O>>
		extends AbstractSecurityBuilder<O> {
	private void configure() throws Exception {
		Collection<SecurityConfigurer<O, B>> configurers = getConfigurers();

		for (SecurityConfigurer<O, B> configurer : configurers) {
			configurer.configure((B) this);
		}
	}
}

下面是类WebSecurityConfigurerAdapter中,加载默认的配置

http = new HttpSecurity(objectPostProcessor, authenticationBuilder,
		sharedObjects);
if (!disableDefaults) {
	// @formatter:off
	http
		.csrf().and()
		.addFilter(new WebAsyncManagerIntegrationFilter())
		.exceptionHandling().and()
		.headers().and()
		.sessionManagement().and()
		.securityContext().and()
		.requestCache().and()
		.anonymous().and()
		.servletApi().and()
		.apply(new DefaultLoginPageConfigurer<>()).and()
		.logout();
	// @formatter:on
	ClassLoader classLoader = this.context.getClassLoader();
	List<AbstractHttpConfigurer> defaultHttpConfigurers =
			SpringFactoriesLoader.loadFactories(AbstractHttpConfigurer.class, classLoader);

	for (AbstractHttpConfigurer configurer : defaultHttpConfigurers) {
		http.apply(configurer);
	}
}

UsernamePasswordAuthenticationFilter

从UsernamePasswordAuthenticationFilter类中的,attemptAuthentication方法可以看到使用了AuthenticationManager的authenticate方法来验证HttpRequest中的username和password。看过上篇的读者应该记得,上篇我们的通过控制台输入的用户密码,然后进行验证,也是通过这种方式运行的。

public Authentication attemptAuthentication(HttpServletRequest request,
		HttpServletResponse response) throws AuthenticationException {
	if (postOnly && !request.getMethod().equals("POST")) {
		throw new AuthenticationServiceException(
				"Authentication method not supported: " + request.getMethod());
	}

	String username = obtainUsername(request);
	String password = obtainPassword(request);

	if (username == null) {
		username = "";
	}

	if (password == null) {
		password = "";
	}

	username = username.trim();

	UsernamePasswordAuthenticationToken authRequest = new UsernamePasswordAuthenticationToken(
			username, password);

	// Allow subclasses to set the "details" property
	setDetails(request, authRequest);

	return this.getAuthenticationManager().authenticate(authRequest);
}

你可能感兴趣的:(java,spring,security,Spring,Security,java)