2019獨(dú)角獸企業(yè)重金招聘Python工程師標(biāo)準(zhǔn)>>>

UsernamePasswordAuthenticationFilter過(guò)濾器對(duì)應(yīng)的類路徑為
org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter
實(shí)際上這個(gè)Filter類的doFilter是父類AbstractAuthenticationProcessingFilter的
public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)throws IOException, ServletException {HttpServletRequest request = (HttpServletRequest) req;HttpServletResponse response = (HttpServletResponse) res;//判斷form-login標(biāo)簽是否包含login-processing-url屬性//如果沒(méi)有采用默認(rèn)的url：j_spring_security_check//如果攔截的url不需要認(rèn)證，直接跳過(guò)if (!requiresAuthentication(request, response)) {chain.doFilter(request, response);return;}if (logger.isDebugEnabled()) {logger.debug("Request is to process authentication");}Authentication authResult;try {//由子類完成認(rèn)證authResult = attemptAuthentication(request, response);if (authResult == null) {// return immediately as subclass has indicated that it hasn't completed authenticationreturn;}//session策略處理認(rèn)證信息//sessionStrategy是通過(guò)session-management標(biāo)簽中定義的//session管理策略構(gòu)造的SessionAuthenticationStrategy//具體的session管理比較復(fù)雜，部分后面單個(gè)篇幅講解sessionStrategy.onAuthentication(authResult, request, response);}catch (AuthenticationException failed) {// Authentication failed//認(rèn)證失敗處理unsuccessfulAuthentication(request, response, failed);return;}// Authentication successif (continueChainBeforeSuccessfulAuthentication) {chain.doFilter(request, response);}//認(rèn)證成功處理//1.向SecurityContext中設(shè)置Authentication認(rèn)證信息//2.如果有remember me服務(wù)，則查找請(qǐng)求參數(shù)中是否包含_spring_security_remember_me，如果該參數(shù)值為true、yes、on、1則執(zhí)行remember me功能:添加cookie、入庫(kù)。為下次請(qǐng)求時(shí)自動(dòng)登錄做準(zhǔn)備//3.發(fā)布認(rèn)證成功事件//4.執(zhí)行跳轉(zhuǎn)successfulAuthentication(request, response, authResult);}
子類UsernamePasswordAuthenticationFilter的認(rèn)證方法attemptAuthentication
public Authentication attemptAuthentication(HttpServletRequest request, HttpServletResponse response) throws AuthenticationException {//只處理post提交的請(qǐng)求if (postOnly && !request.getMethod().equals("POST")) {throw new AuthenticationServiceException("Authentication method not supported: " + request.getMethod());}//獲取用戶名、密碼數(shù)據(jù)String username = obtainUsername(request);String password = obtainPassword(request);if (username == null) {username = "";}if (password == null) {password = "";}username = username.trim();//構(gòu)造未認(rèn)證的UsernamePasswordAuthenticationTokenUsernamePasswordAuthenticationToken authRequest = new UsernamePasswordAuthenticationToken(username, password);// Place the last username attempted into HttpSession for viewsHttpSession session = request.getSession(false);//如果session不為空，添加username到session中if (session != null || getAllowSessionCreation()) {request.getSession().setAttribute(SPRING_SECURITY_LAST_USERNAME_KEY, TextEscapeUtils.escapeEntities(username));}// Allow subclasses to set the "details" property//設(shè)置details，這里就是設(shè)置org.springframework.security.web.//authentication.WebAuthenticationDetails實(shí)例到details中setDetails(request, authRequest);//通過(guò)AuthenticationManager:ProviderManager完成認(rèn)證任務(wù)return this.getAuthenticationManager().authenticate(authRequest);}
這里的authenticationManager變量也是通過(guò)解析form-login標(biāo)簽，構(gòu)造bean時(shí)注入的，具體解析類為：org.springframework.security.config.http.AuthenticationConfigBuilder
代碼片段為：
void createFormLoginFilter(BeanReference sessionStrategy, BeanReference authManager) {Element formLoginElt = DomUtils.getChildElementByTagName(httpElt, Elements.FORM_LOGIN);if (formLoginElt != null || autoConfig) {FormLoginBeanDefinitionParser parser = new FormLoginBeanDefinitionParser("/j_spring_security_check",AUTHENTICATION_PROCESSING_FILTER_CLASS, requestCache, sessionStrategy);parser.parse(formLoginElt, pc);formFilter = parser.getFilterBean();formEntryPoint = parser.getEntryPointBean();}if (formFilter != null) {formFilter.getPropertyValues().addPropertyValue("allowSessionCreation", new Boolean(allowSessionCreation));//設(shè)置authenticationManager的bean依賴formFilter.getPropertyValues().addPropertyValue("authenticationManager", authManager);// Id is required by login page filterformFilterId = pc.getReaderContext().generateBeanName(formFilter);pc.registerBeanComponent(new BeanComponentDefinition(formFilter, formFilterId));injectRememberMeServicesRef(formFilter, rememberMeServicesId);}}

繼續(xù)看ProviderManager代碼。實(shí)際上authenticate方法由ProviderManager的父類定義，并且authenticate方法內(nèi)調(diào)用子類的doAuthentication方法，記得這是設(shè)計(jì)模式中的模板模式
public Authentication doAuthentication(Authentication authentication) throws AuthenticationException {Class<? extends Authentication> toTest = authentication.getClass();AuthenticationException lastException = null;Authentication result = null;//循環(huán)ProviderManager中的providers，由具體的provider執(zhí)行認(rèn)證操作for (AuthenticationProvider provider : getProviders()) {System.out.println("AuthenticationProvider: " + provider.getClass().getName());if (!provider.supports(toTest)) {continue;}logger.debug("Authentication attempt using " + provider.getClass().getName());try {result = provider.authenticate(authentication);if (result != null) {//復(fù)制detailscopyDetails(authentication, result);break;}} catch (AccountStatusException e) {// SEC-546: Avoid polling additional providers if auth failure is due to invalid account statuseventPublisher.publishAuthenticationFailure(e, authentication);throw e;} catch (AuthenticationException e) {lastException = e;}}if (result == null && parent != null) {// Allow the parent to try.try {result = parent.authenticate(authentication);} catch (ProviderNotFoundException e) {// ignore as we will throw below if no other exception occurred prior to calling parent and the parent// may throw ProviderNotFound even though a provider in the child already handled the request} catch (AuthenticationException e) {lastException = e;}}if (result != null) {eventPublisher.publishAuthenticationSuccess(result);return result;}// Parent was null, or didn't authenticate (or throw an exception).if (lastException == null) {lastException = new ProviderNotFoundException(messages.getMessage("ProviderManager.providerNotFound",new Object[] {toTest.getName()}, "No AuthenticationProvider found for {0}"));}//由注入進(jìn)來(lái)的org.springframework.security.authentication.DefaultAuthenticationEventPublisher完成事件發(fā)布任務(wù)eventPublisher.publishAuthenticationFailure(lastException, authentication);throw lastException;}

ProviderManager類中的providers由哪些provider呢？如果看完authentication-manager標(biāo)簽解析的講解，應(yīng)該知道注入到providers中的provider分別為：
org.springframework.security.authentication.dao.DaoAuthenticationProvider
org.springframework.security.authentication.AnonymousAuthenticationProvider
其他的provider根據(jù)特殊情況，再添加到providers中的，如remember me功能的provider
org.springframework.security.authentication.RememberMeAuthenticationProvider

可以看出來(lái)，ProviderManager僅僅是管理provider的，具體的authenticate認(rèn)證任務(wù)由各自provider來(lái)完成。

現(xiàn)在來(lái)看DaoAuthenticationProvider的認(rèn)證處理，實(shí)際上authenticate由父類AbstractUserDetailsAuthenticationProvider完成。代碼如下
public Authentication authenticate(Authentication authentication) throws AuthenticationException {…………//獲取登錄的用戶名String username = (authentication.getPrincipal() == null) ? "NONE_PROVIDED" : authentication.getName();boolean cacheWasUsed = true;//如果配置了緩存，從緩存中獲取UserDetails實(shí)例UserDetails user = this.userCache.getUserFromCache(username);if (user == null) {cacheWasUsed = false;try {//如果UserDetails為空，則由具體子類DaoAuthenticationProvider//根據(jù)用戶名、authentication獲取UserDetailsuser = retrieveUser(username, (UsernamePasswordAuthenticationToken) authentication);} catch (UsernameNotFoundException notFound) {if (hideUserNotFoundExceptions) {throw new BadCredentialsException(messages.getMessage("AbstractUserDetailsAuthenticationProvider.badCredentials", "Bad credentials"));} else {throw notFound;}}Assert.notNull(user, "retrieveUser returned null - a violation of the interface contract");}try {//一些認(rèn)證檢查（賬號(hào)是否可用、是否過(guò)期、是否被鎖定）preAuthenticationChecks.check(user);//額外的密碼檢查（salt、passwordEncoder）additionalAuthenticationChecks(user, (UsernamePasswordAuthenticationToken) authentication);} catch (AuthenticationException exception) {if (cacheWasUsed) {// There was a problem, so try again after checking// we're using latest data (i.e. not from the cache)cacheWasUsed = false;user = retrieveUser(username, (UsernamePasswordAuthenticationToken) authentication);preAuthenticationChecks.check(user);additionalAuthenticationChecks(user, (UsernamePasswordAuthenticationToken) authentication);} else {throw exception;}}//檢查賬號(hào)是否過(guò)期postAuthenticationChecks.check(user);//添加UserDetails到緩存中if (!cacheWasUsed) {this.userCache.putUserInCache(user);}Object principalToReturn = user;if (forcePrincipalAsString) {principalToReturn = user.getUsername();}//返回成功認(rèn)證后的Authenticationreturn createSuccessAuthentication(principalToReturn, authentication, user);}

繼續(xù)看DaoAuthenticationProvider的retrieveUser方法
protected final UserDetails retrieveUser(String username, UsernamePasswordAuthenticationToken authentication)throws AuthenticationException {UserDetails loadedUser;try {//最關(guān)鍵的部分登場(chǎng)了//UserDetailService就是authentication-provider標(biāo)簽中定義的//屬性u(píng)ser-service-refloadedUser = this.getUserDetailsService().loadUserByUsername(username);}catch (DataAccessException repositoryProblem) {throw new AuthenticationServiceException(repositoryProblem.getMessage(), repositoryProblem);}if (loadedUser == null) {throw new AuthenticationServiceException("UserDetailsService returned null, which is an interface contract violation");}return loadedUser;}
實(shí)際上，只要實(shí)現(xiàn)UserDetailsService接口的loadUserByUsername方法，就完成了登錄認(rèn)證的工作
<authentication-manager alias="authenticationManager"><authentication-provider user-service-ref="userDetailsManager"/> </authentication-manager>
很多教程上說(shuō)配置JdbcUserDetailsManager這個(gè)UserDetailsService，實(shí)際上該類的父類
JdbcDaoImpl方法loadUserByUsername代碼如下：
public UserDetails loadUserByUsername(String username) throws UsernameNotFoundException, DataAccessException {//根據(jù)username從數(shù)據(jù)庫(kù)中查詢User數(shù)據(jù)List<UserDetails> users = loadUsersByUsername(username);if (users.size() == 0) {throw new UsernameNotFoundException(messages.getMessage("JdbcDaoImpl.notFound", new Object[]{username}, "Username {0} not found"), username);}UserDetails user = users.get(0); // contains no GrantedAuthority[]Set<GrantedAuthority> dbAuthsSet = new HashSet<GrantedAuthority>();//添加授權(quán)信息if (enableAuthorities) {dbAuthsSet.addAll(loadUserAuthorities(user.getUsername()));}//是否使用了Groupif (enableGroups) {dbAuthsSet.addAll(loadGroupAuthorities(user.getUsername()));}List<GrantedAuthority> dbAuths = new ArrayList<GrantedAuthority>(dbAuthsSet);addCustomAuthorities(user.getUsername(), dbAuths);if (dbAuths.size() == 0) {throw new UsernameNotFoundException(messages.getMessage("JdbcDaoImpl.noAuthority",new Object[] {username}, "User {0} has no GrantedAuthority"), username);}return createUserDetails(username, user, dbAuths);}//usersByUsernameQuery查詢語(yǔ)句可配置//直接從數(shù)據(jù)庫(kù)中查詢?cè)搖sername對(duì)應(yīng)的數(shù)據(jù)，并構(gòu)造User對(duì)象protected List<UserDetails> loadUsersByUsername(String username) {return getJdbcTemplate().query(usersByUsernameQuery, new String[] {username}, new RowMapper<UserDetails>() {public UserDetails mapRow(ResultSet rs, int rowNum) throws SQLException {String username = rs.getString(1);String password = rs.getString(2);boolean enabled = rs.getBoolean(3);return new User(username, password, enabled, true, true, true, AuthorityUtils.NO_AUTHORITIES);}});}……protected UserDetails createUserDetails(String username, UserDetails userFromUserQuery,List<GrantedAuthority> combinedAuthorities) {String returnUsername = userFromUserQuery.getUsername();if (!usernameBasedPrimaryKey) {returnUsername = username;}//根據(jù)用戶名、密碼、enabled、授權(quán)列表構(gòu)造UserDetails實(shí)例Userreturn new User(returnUsername, userFromUserQuery.getPassword(), userFromUserQuery.isEnabled(),true, true, true, combinedAuthorities);}
其他的provider，如
RememberMeAuthenticationProvider、AnonymousAuthenticationProvider的認(rèn)證處理都很簡(jiǎn)單，首先判斷是否支持Authentication，不支持直接返回null，支持也不處理直接返回該Authentication

這里需要強(qiáng)調(diào)一下，DaoAuthenticationProvider只支持UsernamePasswordAuthenticationToken這個(gè)Authentication。如果對(duì)其他的Authentication，DaoAuthenticationProvider是不做處理的

轉(zhuǎn)載于:https://my.oschina.net/snakerflow/blog/194515

總結(jié)

以上是生活随笔為你收集整理的Spring Security3源码分析-UsernamePasswordAuthenticationFilter分析的全部?jī)?nèi)容，希望文章能夠幫你解決所遇到的問(wèn)題。

如果覺(jué)得生活随笔網(wǎng)站內(nèi)容還不錯(cuò)，歡迎將生活随笔推薦給好友。