Sring Security3登录权限认证解析

来源：互联网发布：新手淘宝卖家论坛社区编辑：程序博客网时间：2024/06/06 09:51

1、UsernamePasswordAuthenticationFilter过滤器对应的类路径为
org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter
实际上这个Filter类的doFilter是父类AbstractAuthenticationProcessingFilter的

public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)

throws IOException, ServletException {
HttpServletRequest request = (HttpServletRequest) req;
HttpServletResponse response = (HttpServletResponse) res;
//判断form-login标签是否包含login-processing-url属性
//如果没有采用默认的url：j_spring_security_check
//如果拦截的url不需要认证，直接跳过
if (!requiresAuthentication(request, response)) {
chain.doFilter(request, response);

return;
}

if (logger.isDebugEnabled()) {
logger.debug("Request is to process authentication");
}

Authentication authResult;

try {
//由子类完成认证
authResult = attemptAuthentication(request, response);
if (authResult == null) {
// return immediately as subclass has indicated that it hasn't completed authentication
return;
}
//session策略处理认证信息
//sessionStrategy是通过session-management标签中定义的
//session管理策略构造的SessionAuthenticationStrategy
//具体的session管理比较复杂，部分后面单个篇幅讲解
sessionStrategy.onAuthentication(authResult, request, response);
}
catch (AuthenticationException failed) {
// Authentication failed
//认证失败处理
unsuccessfulAuthentication(request, response, failed);

return;
}

// Authentication success
if (continueChainBeforeSuccessfulAuthentication) {
chain.doFilter(request, response);
}
//认证成功处理
//1.向SecurityContext中设置Authentication认证信息
//2.如果有remember me服务，则查找请求参数中是否包含_spring_security_remember_me，如果该参数值为true、yes、on、1则执行remember me功能:添加cookie、入库。为下次请求时自动登录做准备
//3.发布认证成功事件
//4.执行跳转
successfulAuthentication(request, response, authResult);

}

2、子类UsernamePasswordAuthenticationFilter的认证方法attemptAuthentication

public Authentication attemptAuthentication(HttpServletRequest request, HttpServletResponse response) throws AuthenticationException {
//只处理post提交的请求
if (postOnly && !request.getMethod().equals("POST")) {
throw new AuthenticationServiceException("Authentication method not supported: " + request.getMethod());
}
//获取用户名、密码数据
String username = obtainUsername(request);
String password = obtainPassword(request);

if (username == null) {
username = "";
}
if (password == null) {
password = "";
}
username = username.trim();
//构造未认证的UsernamePasswordAuthenticationToken
UsernamePasswordAuthenticationToken authRequest = new UsernamePasswordAuthenticationToken(username, password);

// Place the last username attempted into HttpSession for views
HttpSession session = request.getSession(false);
//如果session不为空，添加username到session中
if (session != null || getAllowSessionCreation()) {
request.getSession().setAttribute(SPRING_SECURITY_LAST_USERNAME_KEY, TextEscapeUtils.escapeEntities(username));
}

// Allow subclasses to set the "details" property
//设置details，这里就是设置org.springframework.security.web.
//authentication.WebAuthenticationDetails实例到details中
setDetails(request, authRequest);
//通过AuthenticationManager:ProviderManager完成认证任务
return this.getAuthenticationManager().authenticate(authRequest);
}

3、这里的authenticationManager变量也是通过解析form-login标签，Spring安全配置文件为applicationContext-security.xml，构造bean时注入的，具体解析类为：org.springframework.security.config.http.AuthenticationConfigBuilder
代码片段为：

void createFormLoginFilter(BeanReference sessionStrategy, BeanReference authManager) {
Element formLoginElt = DomUtils.getChildElementByTagName(httpElt, Elements.FORM_LOGIN);
if (formLoginElt != null || autoConfig) {
FormLoginBeanDefinitionParser parser = new FormLoginBeanDefinitionParser("/j_spring_security_check",
AUTHENTICATION_PROCESSING_FILTER_CLASS, requestCache, sessionStrategy);
parser.parse(formLoginElt, pc);
formFilter = parser.getFilterBean();
formEntryPoint = parser.getEntryPointBean();
}
if (formFilter != null) {
formFilter.getPropertyValues().addPropertyValue("allowSessionCreation", new Boolean(allowSessionCreation));
//设置authenticationManager的bean依赖
formFilter.getPropertyValues().addPropertyValue("authenticationManager", authManager);

// Id is required by login page filter
formFilterId = pc.getReaderContext().generateBeanName(formFilter);
pc.registerBeanComponent(new BeanComponentDefinition(formFilter, formFilterId));
injectRememberMeServicesRef(formFilter, rememberMeServicesId);
}
}

4、继续看ProviderManager代码。实际上authenticate方法由ProviderManager的父类定义，并且authenticate方法内调用子类的doAuthentication方法，记得这是设计模式中的模板模式

public Authentication doAuthentication(Authentication authentication) throws AuthenticationException {
Class<? extends Authentication> toTest = authentication.getClass();
AuthenticationException lastException = null;
Authentication result = null;
//循环ProviderManager中的providers，由具体的provider执行认证操作
for (AuthenticationProvider provider : getProviders()) {
System.out.println("AuthenticationProvider: " + provider.getClass().getName());
if (!provider.supports(toTest)) {
continue;
}
logger.debug("Authentication attempt using " + provider.getClass().getName());
try {
result = provider.authenticate(authentication);
if (result != null) {
//复制details
copyDetails(authentication, result);
break;
}
} catch (AccountStatusException e) {
// SEC-546: Avoid polling additional providers if auth failure is due to invalid account status
eventPublisher.publishAuthenticationFailure(e, authentication);
throw e;
} catch (AuthenticationException e) {
lastException = e;
}
}
if (result == null && parent != null) {
// Allow the parent to try.
try {
result = parent.authenticate(authentication);
} catch (ProviderNotFoundException e) {
// ignore as we will throw below if no other exception occurred prior to calling parent and the parent
// may throw ProviderNotFound even though a provider in the child already handled the request
} catch (AuthenticationException e) {
lastException = e;
}
}
if (result != null) {
eventPublisher.publishAuthenticationSuccess(result);
return result;
}

// Parent was null, or didn't authenticate (or throw an exception).
if (lastException == null) {
lastException = new ProviderNotFoundException(messages.getMessage("ProviderManager.providerNotFound",
new Object[] {toTest.getName()}, "No AuthenticationProvider found for {0}"));
}
//由注入进来的org.springframework.security.authentication.DefaultAuthenticationEventPublisher完成事件发布任务
eventPublisher.publishAuthenticationFailure(lastException, authentication);
throw lastException;
}

ProviderManager类中的providers由哪些provider呢？如果看完authentication-manager标签解析的讲解，应该知道注入到providers中的provider分别为：
org.springframework.security.authentication.dao.DaoAuthenticationProvider
org.springframework.security.authentication.AnonymousAuthenticationProvider
其他的provider根据特殊情况，再添加到providers中的，如remember me功能的provider
org.springframework.security.authentication.RememberMeAuthenticationProvider
可以看出来，ProviderManager仅仅是管理provider的，具体的authenticate认证任务由各自provider来完成。

5、现在来看DaoAuthenticationProvider的认证处理，实际上authenticate由父类AbstractUserDetailsAuthenticationProvider完成：

public Authentication authenticate(Authentication authentication) throws AuthenticationException {
…………
//获取登录的用户名
String username = (authentication.getPrincipal() == null) ? "NONE_PROVIDED" : authentication.getName();
boolean cacheWasUsed = true;
//如果配置了缓存，从缓存中获取UserDetails实例
UserDetails user = this.userCache.getUserFromCache(username);
if (user == null) {
cacheWasUsed = false;
try {
//如果UserDetails为空，则由具体子类DaoAuthenticationProvider
//根据用户名、authentication获取UserDetails
user = retrieveUser(username, (UsernamePasswordAuthenticationToken) authentication);
} catch (UsernameNotFoundException notFound) {
if (hideUserNotFoundExceptions) {
throw new BadCredentialsException(messages.getMessage(
"AbstractUserDetailsAuthenticationProvider.badCredentials", "Bad credentials"));
} else {
throw notFound;
}
}
Assert.notNull(user, "retrieveUser returned null - a violation of the interface contract");
}

try {
//一些认证检查（账号是否可用、是否过期、是否被锁定）
preAuthenticationChecks.check(user);
//额外的密码检查（salt、passwordEncoder）
additionalAuthenticationChecks(user, (UsernamePasswordAuthenticationToken) authentication);
} catch (AuthenticationException exception) {
if (cacheWasUsed) {
// There was a problem, so try again after checking
// we're using latest data (i.e. not from the cache)
cacheWasUsed = false;
user = retrieveUser(username, (UsernamePasswordAuthenticationToken) authentication);
preAuthenticationChecks.check(user);
additionalAuthenticationChecks(user, (UsernamePasswordAuthenticationToken) authentication);
} else {
throw exception;
}
}
//检查账号是否过期
postAuthenticationChecks.check(user);
//添加UserDetails到缓存中
if (!cacheWasUsed) {
this.userCache.putUserInCache(user);
}
Object principalToReturn = user;
if (forcePrincipalAsString) {
principalToReturn = user.getUsername();
}
//返回成功认证后的Authentication
return createSuccessAuthentication(principalToReturn, authentication, user);
}

6、之前看代码，我首先看到的就是父类AbstractUserDetailsAuthenticationProvider，因为根据我们自己的代码顺藤摸瓜，首先找到的是父类，走到retrieveUser方法时，不知道是哪个子类来实现它的，最后在网上看到是DaoAuthenticationProvider进行了实现，这个方法的作用就是如果缓存中没有用户信息，通过数据库查询方法，检索用户信息。

protected final UserDetails retrieveUser(String username, UsernamePasswordAuthenticationToken authentication)
throws AuthenticationException {
UserDetails loadedUser;
try {
//最关键的部分登场了
//UserDetailService就是authentication-provider标签中定义的

//<authentication-manager alias="xxxAuthenticationManager">
// <authentication-provider user-service-ref="xxxUserDetailService">
// <password-encoder ref="boPasswordEncoder" />
// </authentication-provider>
//</authentication-manager>
//属性user-service-ref可以用来定义UserDetailsService的接口实现类，来实现loadUserByUsername方法。

loadedUser = this.getUserDetailsService().loadUserByUsername(username);
}
catch (DataAccessException repositoryProblem) {
throw new AuthenticationServiceException(repositoryProblem.getMessage(), repositoryProblem);
}

if (loadedUser == null) {
throw new AuthenticationServiceException(
"UserDetailsService returned null, which is an interface contract violation");
}
return loadedUser;
}

7、UserDetailsService的接口实现类，来实现loadUserByUsername方法：

public UserDetails loadUserByUsername(String username) throws UsernameNotFoundException, DataAccessException {
//根据username从数据库中查询User数据
List<UserDetails> users = loadUsersByUsername(username);

if (users.size() == 0) {
throw new UsernameNotFoundException(
messages.getMessage("JdbcDaoImpl.notFound", new Object[]{username}, "Username {0} not found"), username);
}

UserDetails user = users.get(0); // contains no GrantedAuthority[]
Set<GrantedAuthority> dbAuthsSet = new HashSet<GrantedAuthority>();
//添加授权信息
if (enableAuthorities) {
dbAuthsSet.addAll(loadUserAuthorities(user.getUsername()));
}
//是否使用了Group
if (enableGroups) {
dbAuthsSet.addAll(loadGroupAuthorities(user.getUsername()));
}
List<GrantedAuthority> dbAuths = new ArrayList<GrantedAuthority>(dbAuthsSet);
addCustomAuthorities(user.getUsername(), dbAuths);
if (dbAuths.size() == 0) {
throw new UsernameNotFoundException(
messages.getMessage("JdbcDaoImpl.noAuthority",
new Object[] {username}, "User {0} has no GrantedAuthority"), username);
}
return createUserDetails(username, user, dbAuths);
}

//usersByUsernameQuery查询语句可配置
//直接从数据库中查询该username对应的数据，并构造User对象
protected List<UserDetails> loadUsersByUsername(String username) {
return getJdbcTemplate().query(usersByUsernameQuery, new String[] {username}, new RowMapper<UserDetails>() {
public UserDetails mapRow(ResultSet rs, int rowNum) throws SQLException {
String username = rs.getString(1);
String password = rs.getString(2);
boolean enabled = rs.getBoolean(3);
return new User(username, password, enabled, true, true, true, AuthorityUtils.NO_AUTHORITIES);
}

});
}

……
protected UserDetails createUserDetails(String username, UserDetails userFromUserQuery,
List<GrantedAuthority> combinedAuthorities) {
String returnUsername = userFromUserQuery.getUsername();

if (!usernameBasedPrimaryKey) {
returnUsername = username;
}
//根据用户名、密码、enabled、授权列表构造UserDetails实例User
return new User(returnUsername, userFromUserQuery.getPassword(), userFromUserQuery.isEnabled(),
true, true, true, combinedAuthorities);
}

实现UserDetailsService接口的loadUserByUsername方法，就完成了登录认证的工作。

0 0