SecurityContextHolder, SecurityContext and Authentication objects: these three are the core components of Spring Security.
All of the notes below are taken from the official Spring Security documentation: https://docs.spring.io/spring-security/site/docs/5.2.1.BUILD-SNAPSHOT/reference/htmlsingle/#tech-userdetailsservice
1. SecurityContextHolder: The most fundamental object. This is where we store details of the present security context of the application, which includes details of the principal currently using the application.
-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
2. Authentication: Spring Security uses an Authentication object to represent this information, i.e. the principal described above. You do not create this Authentication object yourself; you obtain the principal through it:
Object principal = SecurityContextHolder.getContext().getAuthentication().getPrincipal();
String username = ((UserDetails) principal).getUsername();
Points to note about this code:
1. The object returned by the call to getContext() is an instance of the SecurityContext interface. This is the object that is kept in thread-local storage. As we'll see below, most authentication mechanisms within Spring Security return an instance of UserDetails as the principal.
2. From the Authentication object you can obtain a principal, and in most cases this principal can be cast to a UserDetails object.
-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
4. UserDetailsService: UserDetails is the adapter between your own database objects and Spring Security's SecurityContext. So when is a UserDetails supplied?
We use the loadUserByUsername method of the UserDetailsService interface to load the user information:
UserDetails loadUserByUsername(String username) throws UsernameNotFoundException;
Whenever user information is needed, you supply the username; Spring Security then verifies the password automatically and loads that user.
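An added example (not code from the Spring Security documentation) of implementing the loadUserByUsername method described above. It uses a constructed in-memory map in place of a real user table; the class name MapUserDetailsService, the StoredUser record and the two sample accounts are assumptions for illustration. The service only loads the user; the password comparison is done afterwards by Spring Security's DaoAuthenticationProvider, which is why the stored password must be an encoded hash rather than plaintext.

```java
import org.springframework.security.core.userdetails.User;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.core.userdetails.UsernameNotFoundException;
import org.springframework.security.crypto.factory.PasswordEncoderFactories;
import org.springframework.security.crypto.password.PasswordEncoder;

import java.util.HashMap;
import java.util.Map;

/** Hypothetical UserDetailsService backed by a constructed in-memory "table". */
public class MapUserDetailsService implements UserDetailsService {

    /** Constructed stand-in for a database row. */
    static final class StoredUser {
        final String passwordHash;   // encoded, never the plaintext password
        final boolean enabled;
        final String[] authorities;

        StoredUser(String passwordHash, boolean enabled, String... authorities) {
            this.passwordHash = passwordHash;
            this.enabled = enabled;
            this.authorities = authorities;
        }
    }

    // Delegating encoder stores hashes as "{bcrypt}..." so the algorithm can be rotated later.
    private final PasswordEncoder encoder = PasswordEncoderFactories.createDelegatingPasswordEncoder();
    private final Map<String, StoredUser> table = new HashMap<>();

    public MapUserDetailsService() {
        // Sample accounts (constructed data); in a real application these come from your DAO.
        table.put("alice", new StoredUser(encoder.encode("correct horse"), true, "ROLE_USER", "ROLE_ADMIN"));
        table.put("bob", new StoredUser(encoder.encode("hunter2"), false, "ROLE_USER"));
    }

    /**
     * Spring Security calls this with the username from the login request.
     * Throwing UsernameNotFoundException is expected for unknown users;
     * DaoAuthenticationProvider converts it to a generic BadCredentialsException
     * by default, so the response does not reveal which usernames exist.
     */
    @Override
    public UserDetails loadUserByUsername(String username) throws UsernameNotFoundException {
        StoredUser row = table.get(username);
        if (row == null) {
            throw new UsernameNotFoundException("No user named " + username);
        }
        return User.withUsername(username)
                .password(row.passwordHash)      // the hash; the provider compares it with the submitted password
                .authorities(row.authorities)    // becomes the GrantedAuthority collection
                .disabled(!row.enabled)          // disabled accounts fail authentication even with the right password
                .build();
    }

    /** Runs the same check DaoAuthenticationProvider performs, to show what "automatic verification" means. */
    public boolean passwordMatches(String username, String rawPassword) {
        UserDetails details = loadUserByUsername(username);
        return encoder.matches(rawPassword, details.getPassword());
    }

    public static void main(String[] args) {
        MapUserDetailsService service = new MapUserDetailsService();
        System.out.println("alice/correct horse -> " + service.passwordMatches("alice", "correct horse")); // true
        System.out.println("alice/wrong         -> " + service.passwordMatches("alice", "wrong"));         // false
        try {
            service.loadUserByUsername("mallory");
        } catch (UsernameNotFoundException e) {
            System.out.println("mallory -> " + e.getMessage());
        }
    }
}
```

Registering this class as a bean is enough for the default DaoAuthenticationProvider to use it; you never call loadUserByUsername from your own login code.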
-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
5. GrantedAuthority: authorization
The getAuthorities() method of Authentication returns the current user's roles and permissions as a Collection of GrantedAuthority objects.
GrantedAuthority objects are usually loaded by the UserDetailsService.
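An added example (not from the Spring Security documentation) that combines sections 2 and 5: it reads the principal out of the thread-local SecurityContext and checks its GrantedAuthority collection. The unchecked cast in the notes fails when nobody is logged in (getAuthentication() returns null) or when the request is anonymous (the principal is the String "anonymousUser", not a UserDetails), so both cases are handled here. The class name CurrentUser and the user "alice" in main are assumptions for illustration.

```java
import org.springframework.security.authentication.AnonymousAuthenticationToken;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.security.core.userdetails.User;
import org.springframework.security.core.userdetails.UserDetails;

import java.util.Optional;

/** Hypothetical helper around SecurityContextHolder (added example, not the library's API). */
public final class CurrentUser {

    private CurrentUser() {}

    /** Username of the authenticated user, or empty if the context holds no real authentication. */
    public static Optional<String> username() {
        Authentication auth = SecurityContextHolder.getContext().getAuthentication();
        // null: no filter has populated the context on this thread.
        // AnonymousAuthenticationToken: isAuthenticated() is true but the principal is a plain String.
        if (auth == null || !auth.isAuthenticated() || auth instanceof AnonymousAuthenticationToken) {
            return Optional.empty();
        }
        Object principal = auth.getPrincipal();
        if (principal instanceof UserDetails) {
            return Optional.of(((UserDetails) principal).getUsername());
        }
        // Some mechanisms store a String principal; getName() covers that case without a cast.
        return Optional.of(auth.getName());
    }

    /** True if the current Authentication carries the given authority, e.g. "ROLE_ADMIN". */
    public static boolean hasAuthority(String wanted) {
        Authentication auth = SecurityContextHolder.getContext().getAuthentication();
        if (auth == null) {
            return false;
        }
        for (GrantedAuthority granted : auth.getAuthorities()) {
            if (wanted.equals(granted.getAuthority())) {
                return true;
            }
        }
        return false;
    }

    public static void main(String[] args) {
        // Empty context: no user.
        System.out.println(username().isPresent());            // false
        System.out.println(hasAuthority("ROLE_ADMIN"));        // false

        // Constructed authentication standing in for what a login filter would put here.
        UserDetails alice = User.withUsername("alice").password("n/a").roles("ADMIN").build();
        Authentication token = new UsernamePasswordAuthenticationToken(alice, null, alice.getAuthorities());
        SecurityContextHolder.getContext().setAuthentication(token);

        System.out.println(username().orElse("?"));            // alice
        System.out.println(hasAuthority("ROLE_ADMIN"));        // true  (roles("ADMIN") adds the ROLE_ prefix)
        System.out.println(hasAuthority("ROLE_USER"));         // false

        // Clear the thread-local so the context does not leak to the next request on a pooled thread.
        SecurityContextHolder.clearContext();
    }
}
```

The three-argument UsernamePasswordAuthenticationToken constructor marks the token as authenticated, which is what the framework does after a successful login; clearing the context at the end mirrors what SecurityContextPersistenceFilter does at the end of each request.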
----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
6. Summary
SecurityContextHolder, to provide access to the SecurityContext.
SecurityContext, to hold the Authentication and possibly request-specific security information.
Authentication, to represent the principal in a Spring Security-specific manner.
GrantedAuthority, to reflect the application-wide permissions granted to a principal.
UserDetails, to provide the necessary information to build an Authentication object from your application's DAOs or other source of security data.
UserDetailsService, to create a UserDetails when passed in a String-based username (or certificate ID or the like).