Learning Spring Security from Scratch - Authentication with an HTTP Form

203 views / 0 comments | Author: kite

Link: http://kite.vsftp.cn:8089/article/4.index.html

Notice: please respect the original author's work; credit the source when reposting.


   To authenticate with an HTTP form, the only change needed is inside the configure method of SpringSecurityConfig: replace the original http.httpBasic() with http.formLogin().

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        AuthenticationProperties properties = securityProperties.getAuthentication();
        http.formLogin() // form-based login instead of http.httpBasic()
            .and()
            .authorizeRequests() // authorize requests
            .anyRequest().authenticated(); // every request must be authenticated
    }

   Spring Security implements authentication and authorization with a chain of filters.

    The Spring Security authentication flow is:

            UsernamePasswordAuthenticationFilter // in spring-security-web-5.2.0.RELEASE.jar: org.springframework.security.web.authentication
              [http.formLogin  form-login authentication filter]
              [if the request carries a username & password, authenticate; on success mark the request as authenticated, otherwise hand over to the next authentication filter]
                         |
                         |
            BasicAuthenticationFilter
              [http.httpBasic  HTTP Basic authentication filter]
              [if a request header value starts with "Basic", base64-decode it and authenticate; on success mark as authenticated, otherwise hand over to the next authentication handler]
                         |
                         |
                   other authentication handlers
                         |
                         |
            ExceptionTranslationFilter
              [catches exceptions and performs the follow-up handling]
                         |
                         |
            FilterSecurityInterceptor
              [after authentication, uses the resource access rules to decide whether the current request may reach the requested resource]
                         |
                         |
                     Controller

attemptAuthentication in UsernamePasswordAuthenticationFilter is the method that handles the authentication attempt.

    public Authentication attemptAuthentication(HttpServletRequest request,
            HttpServletResponse response) throws AuthenticationException {
        if (postOnly && !request.getMethod().equals("POST")) { // only POST requests are accepted
            throw new AuthenticationServiceException(
                    "Authentication method not supported: " + request.getMethod());
        }

        String username = obtainUsername(request); // username submitted with the login request
        String password = obtainPassword(request); // plaintext password submitted with the login request

        if (username == null) { // guard against a missing parameter
            username = "";
        }

        if (password == null) { // guard against a missing parameter
            password = "";
        }

        username = username.trim(); // strip surrounding whitespace

        UsernamePasswordAuthenticationToken authRequest = new UsernamePasswordAuthenticationToken(
                username, password); // build the user token; its initial state is unauthenticated

        // Allow subclasses to set the "details" property
        setDetails(request, authRequest);

        return this.getAuthenticationManager().authenticate(authRequest); // perform the authentication
    }
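As an added example (not code from the original post), the configure snippet above expanded into a complete form-login configuration for Spring Security 5.2 with WebSecurityConfigurerAdapter, wired to the POST handling of UsernamePasswordAuthenticationFilter shown above. The class name, the /login and /logout paths, and the in-memory demo user are assumptions.

```java
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
import org.springframework.security.crypto.password.PasswordEncoder;

@Configuration
@EnableWebSecurity
public class FormLoginSecurityConfig extends WebSecurityConfigurerAdapter { // hypothetical class name

    @Bean
    public PasswordEncoder passwordEncoder() {
        return new BCryptPasswordEncoder(); // passwords are stored and compared as bcrypt hashes, never plaintext
    }

    @Override
    protected void configure(AuthenticationManagerBuilder auth) throws Exception {
        // constructed demo user for local testing; real deployments load users from a store
        auth.inMemoryAuthentication()
            .passwordEncoder(passwordEncoder())
            .withUser("demo")
            .password(passwordEncoder().encode("demo-password"))
            .roles("USER");
    }

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            .formLogin()
                .loginPage("/login")          // GET: renders the login form (assumed path)
                .loginProcessingUrl("/login") // POST: intercepted by UsernamePasswordAuthenticationFilter
                .failureUrl("/login?error")
                .permitAll()                  // login page and failure URL must be reachable unauthenticated
                .and()
            .logout()
                .logoutUrl("/logout")
                .permitAll()
                .and()
            .authorizeRequests()
                .anyRequest().authenticated(); // everything else requires an authenticated session
        // CSRF protection stays at its default (enabled): the login form must post the _csrf token.
    }
}
```

Without permitAll() on the login page, the anyRequest().authenticated() rule would also protect /login and the unauthenticated user could never reach the form.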

    Once authentication passes, the request is handled by FilterSecurityInterceptor in org.springframework.security.web.access.intercept.

    public void invoke(FilterInvocation fi) throws IOException, ServletException {
        if ((fi.getRequest() != null)
                && (fi.getRequest().getAttribute(FILTER_APPLIED) != null)
                && observeOncePerRequest) {
            // filter already applied to this request and user wants us to observe
            // once-per-request handling, so don't re-do security checking
            fi.getChain().doFilter(fi.getRequest(), fi.getResponse());
        }
        else {
            // first time this request being called, so perform security checking
            if (fi.getRequest() != null && observeOncePerRequest) {
                fi.getRequest().setAttribute(FILTER_APPLIED, Boolean.TRUE);
            }

            InterceptorStatusToken token = super.beforeInvocation(fi); // access check for the request/resource

            try {
                fi.getChain().doFilter(fi.getRequest(), fi.getResponse());
            }
            finally {
                super.finallyInvocation(token);
            }

            super.afterInvocation(token, null);
        }
    }
