Spring Security3源码分析（11）-BasicAuthenticationFilter分析

BasicAuthenticationFilter过滤器对应的类路径为 
org.springframework.security.web.authentication.www.BasicAuthenticationFilter 

Basic验证方式相比较而言用的不是太多。spring security也支持basic的方式，配置如下 

 <security:http auto-config="true">

     <security:http-basic/>
     <security:logout logout-success-url="/login.jsp" invalidate-session="true"/>
     <security:intercept-url pattern="/login.jsp*" filters="none"/>
     <security:intercept-url pattern="/admin.jsp*" access="ROLE_ADMIN"/>
     <security:intercept-url pattern="/index.jsp*" access="ROLE_USER,ROLE_ADMIN"/>
     <security:intercept-url pattern="/**" access="ROLE_USER,ROLE_ADMIN"/>
 security:http>

如果选择basic方式，需要把form-login标签的定义给注释掉。 

接下来看BasicAuthenticationFilter的执行过程 

 public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
         throws IOException, ServletException {
     final boolean debug = logger.isDebugEnabled();
     final HttpServletRequest request = (HttpServletRequest) req;
     final HttpServletResponse response = (HttpServletResponse) res;
     //basic登录时，会产生Authorization的header信息
      //Authorization的值是Basic eXVxaW5nc29uZzox
     //eXVxaW5nc29uZzox是经过base编码的一串字符
     String header = request.getHeader("Authorization");
     if ((header != null) && header.startsWith("Basic ")) {
         byte[] base64Token = header.substring(6).getBytes("UTF-8");
         //经过base解码后，token值为username:password这种方式
         String token = new String(Base64.decode(base64Token), getCredentialsCharset(request));
         String username = "";
         String password = "";
         int delim = token.indexOf(":");

         if (delim != -1) {
             username = token.substring(0, delim);
             password = token.substring(delim + 1);
         }

         if (debug) {
             logger.debug("Basic Authentication Authorization header found for user '" + username + "'");
         }
         //下面的执行过程基本和login方式一样，认证、授权等过程
         if (authenticationIsRequired(username)) {
             UsernamePasswordAuthenticationToken authRequest =
                     new UsernamePasswordAuthenticationToken(username, password);
             authRequest.setDetails(authenticationDetailsSource.buildDetails(request));

             Authentication authResult;

             try {
                 authResult = authenticationManager.authenticate(authRequest);
             } catch (AuthenticationException failed) {
                 // Authentication failed
                 if (debug) {
                     logger.debug("Authentication request for user: " + username + " failed: " + failed.toString());
                 }

                 SecurityContextHolder.getContext().setAuthentication(null);

                 rememberMeServices.loginFail(request, response);

                 onUnsuccessfulAuthentication(request, response, failed);

                 if (ignoreFailure) {
                     chain.doFilter(request, response);
                 } else {
                     authenticationEntryPoint.commence(request, response, failed);
                 }

                 return;
             }

             // Authentication success
             if (debug) {
                 logger.debug("Authentication success: " + authResult.toString());
             }

             SecurityContextHolder.getContext().setAuthentication(authResult);

             rememberMeServices.loginSuccess(request, response, authResult);

             onSuccessfulAuthentication(request, response, authResult);
         }
     }

     chain.doFilter(request, response);
 }