spring-security认证过程的分析及自定义登录

首先spring-security配置认证过滤器，它是spring-security处理业务的入口。用户如果不重写过滤器，使用默认的过滤器UsernamePasswordAuthenticationFilter。它继承了抽象类AbstractAuthenticationProcessingFilter，该类注入了authenticationManager属性，配置security的认证管理器。

<beans:bean id="myLoginFilter" class="com.yinhai.modules.security.spring.app.filter.Ta3AuthenticationFilter">          <!--认证管理器-->    <beans:property name="authenticationManager" ref="myAuthenticationManager" />      <!-- 验证成功后执行扩展的处理 -->    <beans:property name="authenticationSuccessHandler" ref="taOnAuthenticationSuccessHandler" />    <!-- 验证失败后执行扩展的处理 -->    <beans:property name="authenticationFailureHandler" ref="taAuthenticationFailureHandler" />    <beans:property name="filterProcessesUrl" value="/j_spring_security_check" />    <beans:property name="userBpo" ref="userBpo" />    <beans:property name="sessionAuthenticationStrategy" ref="sas"></beans:property></beans:bean>

过滤器UsernamePasswordAuthenticationFilter拿到用户名密码创建一个UsernamePasswordAuthenticationToken，通过认证管理器进行认证代码如下

public Authentication attemptAuthentication(HttpServletRequest request, HttpServletResponse response) throws AuthenticationException {    if (this.postOnly && !request.getMethod().equals("POST")) {        throw new AuthenticationServiceException("Authentication method not supported: " + request.getMethod());    } else {        String username = this.obtainUsername(request);        String password = this.obtainPassword(request);        if (username == null) {            username = "";        }        if (password == null) {            password = "";        }        username = username.trim();        UsernamePasswordAuthenticationToken authRequest = new UsernamePasswordAuthenticationToken(username, password);        this.setDetails(request, authRequest);        return this.getAuthenticationManager().authenticate(authRequest);    }}

认证管理器配置如下

<authentication-manager alias="myAuthenticationManager">      <authentication-provider user-service-ref="taUserDetailsService">          <password-encoder ref="md5Encoder">           <salt-source ref="saltSource"/>            </password-encoder>      </authentication-provider>  </authentication-manager>

认证管理器是通过接口AuthenticationManager处理的

public interface AuthenticationManager {    Authentication authenticate(Authentication var1) throws AuthenticationException;}

ProviderManager类实现了这个接口，它的认证代码如下

public Authentication authenticate(Authentication authentication) throws AuthenticationException {        Class<? extends Authentication> toTest = authentication.getClass();        AuthenticationException lastException = null;        Authentication result = null;        boolean debug = logger.isDebugEnabled();        Iterator var6 = this.getProviders().iterator();        while(var6.hasNext()) {            AuthenticationProvider provider = (AuthenticationProvider)var6.next();            if (provider.supports(toTest)) {                if (debug) {                    logger.debug("Authentication attempt using " + provider.getClass().getName());                }                try {                    result = provider.authenticate(authentication);                    if (result != null) {                        this.copyDetails(authentication, result);                        break;                    }                } catch (AccountStatusException var11) {                    this.prepareException(var11, authentication);                    throw var11;                } catch (InternalAuthenticationServiceException var12) {                    this.prepareException(var12, authentication);                    throw var12;                } catch (AuthenticationException var13) {                    lastException = var13;                }            }        }        if (result == null && this.parent != null) {            try {                result = this.parent.authenticate(authentication);            } catch (ProviderNotFoundException var9) {                ;            } catch (AuthenticationException var10) {                lastException = var10;            }        }        if (result != null) {            if (this.eraseCredentialsAfterAuthentication && result instanceof CredentialsContainer) {                ((CredentialsContainer)result).eraseCredentials();            }            this.eventPublisher.publishAuthenticationSuccess(result);            return result;        } else {            if (lastException == null) {                lastException = new ProviderNotFoundException(this.messages.getMessage("ProviderManager.providerNotFound", new Object[]{toTest.getName()}, "No AuthenticationProvider found for {0}"));            }            this.prepareException((AuthenticationException)lastException, authentication);            throw lastException;        }    }

AuthenticationProvider provider = (AuthenticationProvider)var6.next();result = provider.authenticate(authentication);

看以上代码，认证过程继续调用AuthenticationProvider，它是一个接口，调用抽象类AbstractUserDetailsAuthenticationProvider进行认证。

user = this.retrieveUser(username, (UsernamePasswordAuthenticationToken)authentication);

DaoAuthenticationProvider类继承了抽象类AbstractUserDetailsAuthenticationProvider，重写了获取用户的方法，通过配置中的user-service-ref，调用获取UserDetails的方法。

loadedUser = this.getUserDetailsService().loadUserByUsername(username);

接下来对用户进行验证如果没有配置password-encoder，默认调用PlaintextPasswordEncoder进行密码的对比。否则调用用户配置的密码加密类进行密码比对。

protected void additionalAuthenticationChecks(UserDetails userDetails, UsernamePasswordAuthenticationToken authentication) throws AuthenticationException {        Object salt = null;        if (this.saltSource != null) {            salt = this.saltSource.getSalt(userDetails);        }        if (authentication.getCredentials() == null) {            this.logger.debug("Authentication failed: no credentials provided");            throw new BadCredentialsException(this.messages.getMessage("AbstractUserDetailsAuthenticationProvider.badCredentials", "Bad credentials"));        } else {            String presentedPassword = authentication.getCredentials().toString();            if (!this.passwordEncoder.isPasswordValid(userDetails.getPassword(), presentedPassword, salt)) {                this.logger.debug("Authentication failed: password does not match stored value");                throw new BadCredentialsException(this.messages.getMessage("AbstractUserDetailsAuthenticationProvider.badCredentials", "Bad credentials"));            }        }    }

基于上述分析，现我们有如下业务需求，通过qq等第三方登录，绑定系统的账号，通过绑定账号直接进行security的登录，那么我们该怎么做呢？主要代码如下

String userName = request.getParameter("userName");String pwd = request.getParameter("pwd");userName = userName.trim();UsernamePasswordAuthenticationToken authRequest = new UsernamePasswordAuthenticationToken(userName, pwd);Authentication authentication = authenticationManager.authenticate(authRequest);             //调用loadUserByUsername  SecurityContextHolder.getContext().setAuthentication(authentication);HttpSession session = request.getSession();session.setAttribute("SPRING_SECURITY_CONTEXT", SecurityContextHolder.getContext());// 这个非常重要，否则验证后将无法登陆

通过绑定用户查询数据库，获取用户密码，手动创建一个UsernamePasswordAuthenticationToken，调用配置的认证管理器，返回一个认证令牌，注册到security容器中。即可。

这里有一个问题，如果user-service-ref配置了密码加密方式，那么数据库中存入的用户密码为加密后的密码，调用认证管理器会把数据库查询的密码再使用加密方式加密一次,这样密码比对就会失败。

解决这个问题，重写认证管理器。

public Authentication authenticate(Authentication auth)                throws AuthenticationException {            String username = auth.getName();            UserDetails userDetails = taUserDetailsService.loadUserByUsername(username);            Object principal = userDetails;            UsernamePasswordAuthenticationToken result = new UsernamePasswordAuthenticationToken(principal, auth.getCredentials(), this.authoritiesMapper.mapAuthorities(userDetails.getAuthorities()));            result.setDetails(auth.getDetails());            return result;        }

UsernamePasswordAuthenticationToken authRequest = new UsernamePasswordAuthenticationToken(loginId, password);        Authentication authentication = simpleAuthenticationManager.authenticate(authRequest);        SecurityContextHolder.getContext().setAuthentication(authentication);

这样，就不会使用配置的认证管理器，进行加密验证了。