UsernamePasswordAuthenticationFilter过滤器对应的类路径为 org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter 实际上这个Filter类的doFilter是父类AbstractAuthenticationProcessingFilter的
- public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
- throws IOException, ServletException {
-
- HttpServletRequest request = (HttpServletRequest) req;
- HttpServletResponse response = (HttpServletResponse) res;
-
-
-
- if (!requiresAuthentication(request, response)) {
- chain.doFilter(request, response);
-
- return;
- }
-
- if (logger.isDebugEnabled()) {
- logger.debug("Request is to process authentication");
- }
-
- Authentication authResult;
-
- try {
-
- authResult = attemptAuthentication(request, response);
- if (authResult == null) {
-
- return;
- }
-
-
-
-
- sessionStrategy.onAuthentication(authResult, request, response);
- }
- catch (AuthenticationException failed) {
-
-
- unsuccessfulAuthentication(request, response, failed);
-
- return;
- }
-
-
- if (continueChainBeforeSuccessfulAuthentication) {
- chain.doFilter(request, response);
- }
-
-
-
-
-
- successfulAuthentication(request, response, authResult);
- }
子类UsernamePasswordAuthenticationFilter的认证方法attemptAuthentication
- public Authentication attemptAuthentication(HttpServletRequest request, HttpServletResponse response) throws AuthenticationException {
-
- if (postOnly && !request.getMethod().equals("POST")) {
- throw new AuthenticationServiceException("Authentication method not supported: " + request.getMethod());
- }
-
- String username = obtainUsername(request);
- String password = obtainPassword(request);
-
- if (username == null) {
- username = "";
- }
-
- if (password == null) {
- password = "";
- }
-
- username = username.trim();
-
- UsernamePasswordAuthenticationToken authRequest = new UsernamePasswordAuthenticationToken(username, password);
-
-
- HttpSession session = request.getSession(false);
-
- if (session != null || getAllowSessionCreation()) {
- request.getSession().setAttribute(SPRING_SECURITY_LAST_USERNAME_KEY, TextEscapeUtils.escapeEntities(username));
- }
-
-
-
-
- setDetails(request, authRequest);
-
- return this.getAuthenticationManager().authenticate(authRequest);
- }
这里的authenticationManager变量也是通过解析form-login标签,构造bean时注入的,具体解析类为:org.springframework.security.config.http.AuthenticationConfigBuilder 代码片段为:
- void createFormLoginFilter(BeanReference sessionStrategy, BeanReference authManager) {
-
- Element formLoginElt = DomUtils.getChildElementByTagName(httpElt, Elements.FORM_LOGIN);
-
- if (formLoginElt != null || autoConfig) {
- FormLoginBeanDefinitionParser parser = new FormLoginBeanDefinitionParser("/j_spring_security_check",
- AUTHENTICATION_PROCESSING_FILTER_CLASS, requestCache, sessionStrategy);
-
- parser.parse(formLoginElt, pc);
- formFilter = parser.getFilterBean();
- formEntryPoint = parser.getEntryPointBean();
- }
-
- if (formFilter != null) {
- formFilter.getPropertyValues().addPropertyValue("allowSessionCreation", new Boolean(allowSessionCreation));
-
- formFilter.getPropertyValues().addPropertyValue("authenticationManager", authManager);
-
-
-
- formFilterId = pc.getReaderContext().generateBeanName(formFilter);
- pc.registerBeanComponent(new BeanComponentDefinition(formFilter, formFilterId));
- injectRememberMeServicesRef(formFilter, rememberMeServicesId);
- }
- }
继续看ProviderManager代码。实际上authenticate方法由ProviderManager的父类定义,并且authenticate方法内调用子类的doAuthentication方法,记得这是设计模式中的模板模式
- public Authentication doAuthentication(Authentication authentication) throws AuthenticationException {
- Class<? extends Authentication> toTest = authentication.getClass();
- AuthenticationException lastException = null;
- Authentication result = null;
-
- for (AuthenticationProvider provider : getProviders()) {
- System.out.println("AuthenticationProvider: " + provider.getClass().getName());
- if (!provider.supports(toTest)) {
- continue;
- }
-
- logger.debug("Authentication attempt using " + provider.getClass().getName());
-
- try {
- result = provider.authenticate(authentication);
-
- if (result != null) {
-
- copyDetails(authentication, result);
- break;
- }
- } catch (AccountStatusException e) {
-
- eventPublisher.publishAuthenticationFailure(e, authentication);
- throw e;
- } catch (AuthenticationException e) {
- lastException = e;
- }
- }
-
- if (result == null && parent != null) {
-
- try {
- result = parent.authenticate(authentication);
- } catch (ProviderNotFoundException e) {
-
-
- } catch (AuthenticationException e) {
- lastException = e;
- }
- }
-
- if (result != null) {
- eventPublisher.publishAuthenticationSuccess(result);
- return result;
- }
-
-
-
- if (lastException == null) {
- lastException = new ProviderNotFoundException(messages.getMessage("ProviderManager.providerNotFound",
- new Object[] {toTest.getName()}, "No AuthenticationProvider found for {0}"));
- }
-
- eventPublisher.publishAuthenticationFailure(lastException, authentication);
-
- throw lastException;
- }
ProviderManager类中的providers由哪些provider呢?如果看完authentication-manager标签解析的讲解,应该知道注入到providers中的provider分别为: org.springframework.security.authentication.dao.DaoAuthenticationProvider org.springframework.security.authentication.AnonymousAuthenticationProvider 其他的provider根据特殊情况,再添加到providers中的,如remember me功能的provider org.springframework.security.authentication.RememberMeAuthenticationProvider
可以看出来,ProviderManager仅仅是管理provider的,具体的authenticate认证任务由各自provider来完成。
现在来看DaoAuthenticationProvider的认证处理,实际上authenticate由父类AbstractUserDetailsAuthenticationProvider完成。代码如下
- public Authentication authenticate(Authentication authentication) throws AuthenticationException {
- …………
-
- String username = (authentication.getPrincipal() == null) ? "NONE_PROVIDED" : authentication.getName();
-
- boolean cacheWasUsed = true;
-
- UserDetails user = this.userCache.getUserFromCache(username);
-
- if (user == null) {
- cacheWasUsed = false;
-
- try {
-
-
- user = retrieveUser(username, (UsernamePasswordAuthenticationToken) authentication);
- } catch (UsernameNotFoundException notFound) {
- if (hideUserNotFoundExceptions) {
- throw new BadCredentialsException(messages.getMessage(
- "AbstractUserDetailsAuthenticationProvider.badCredentials", "Bad credentials"));
- } else {
- throw notFound;
- }
- }
-
- Assert.notNull(user, "retrieveUser returned null - a violation of the interface contract");
- }
-
- try {
-
- preAuthenticationChecks.check(user);
-
- additionalAuthenticationChecks(user, (UsernamePasswordAuthenticationToken) authentication);
- } catch (AuthenticationException exception) {
- if (cacheWasUsed) {
-
-
- cacheWasUsed = false;
- user = retrieveUser(username, (UsernamePasswordAuthenticationToken) authentication);
- preAuthenticationChecks.check(user);
- additionalAuthenticationChecks(user, (UsernamePasswordAuthenticationToken) authentication);
- } else {
- throw exception;
- }
- }
-
- postAuthenticationChecks.check(user);
-
- if (!cacheWasUsed) {
- this.userCache.putUserInCache(user);
- }
-
- Object principalToReturn = user;
-
- if (forcePrincipalAsString) {
- principalToReturn = user.getUsername();
- }
-
- return createSuccessAuthentication(principalToReturn, authentication, user);
- }
继续看DaoAuthenticationProvider的retrieveUser方法
- protected final UserDetails retrieveUser(String username, UsernamePasswordAuthenticationToken authentication)
- throws AuthenticationException {
- UserDetails loadedUser;
-
- try {
-
-
-
- loadedUser = this.getUserDetailsService().loadUserByUsername(username);
- }
- catch (DataAccessException repositoryProblem) {
- throw new AuthenticationServiceException(repositoryProblem.getMessage(), repositoryProblem);
- }
-
- if (loadedUser == null) {
- throw new AuthenticationServiceException(
- "UserDetailsService returned null, which is an interface contract violation");
- }
- return loadedUser;
- }
实际上,只要实现UserDetailsService接口的loadUserByUsername方法,就完成了登录认证的工作
- <authentication-manager alias="authenticationManager">
- <authentication-provider user-service-ref="userDetailsManager"/>
- </authentication-manager>
很多教程上说配置JdbcUserDetailsManager这个UserDetailsService,实际上该类的父类 JdbcDaoImpl方法loadUserByUsername代码如下:
- public UserDetails loadUserByUsername(String username) throws UsernameNotFoundException, DataAccessException {
-
- List<UserDetails> users = loadUsersByUsername(username);
-
- if (users.size() == 0) {
- throw new UsernameNotFoundException(
- messages.getMessage("JdbcDaoImpl.notFound", new Object[]{username}, "Username {0} not found"), username);
- }
-
- UserDetails user = users.get(0);
-
- Set<GrantedAuthority> dbAuthsSet = new HashSet<GrantedAuthority>();
-
- if (enableAuthorities) {
- dbAuthsSet.addAll(loadUserAuthorities(user.getUsername()));
- }
-
- if (enableGroups) {
- dbAuthsSet.addAll(loadGroupAuthorities(user.getUsername()));
- }
-
- List<GrantedAuthority> dbAuths = new ArrayList<GrantedAuthority>(dbAuthsSet);
-
- addCustomAuthorities(user.getUsername(), dbAuths);
-
- if (dbAuths.size() == 0) {
- throw new UsernameNotFoundException(
- messages.getMessage("JdbcDaoImpl.noAuthority",
- new Object[] {username}, "User {0} has no GrantedAuthority"), username);
- }
-
- return createUserDetails(username, user, dbAuths);
- }
-
-
-
- protected List<UserDetails> loadUsersByUsername(String username) {
- return getJdbcTemplate().query(usersByUsernameQuery, new String[] {username}, new RowMapper<UserDetails>() {
- public UserDetails mapRow(ResultSet rs, int rowNum) throws SQLException {
- String username = rs.getString(1);
- String password = rs.getString(2);
- boolean enabled = rs.getBoolean(3);
- return new User(username, password, enabled, true, true, true, AuthorityUtils.NO_AUTHORITIES);
- }
-
- });
- }
-
- ……
- protected UserDetails createUserDetails(String username, UserDetails userFromUserQuery,
- List<GrantedAuthority> combinedAuthorities) {
- String returnUsername = userFromUserQuery.getUsername();
-
- if (!usernameBasedPrimaryKey) {
- returnUsername = username;
- }
-
- return new User(returnUsername, userFromUserQuery.getPassword(), userFromUserQuery.isEnabled(),
- true, true, true, combinedAuthorities);
- }
其他的provider,如 RememberMeAuthenticationProvider、AnonymousAuthenticationProvider的认证处理都很简单,首先判断是否支持Authentication,不支持直接返回null,支持也不处理直接返回该Authentication
这里需要强调一下,DaoAuthenticationProvider只支持UsernamePasswordAuthenticationToken这个Authentication。如果对其他的Authentication,DaoAuthenticationProvider是不做处理的
|