Spring Security 源码解析(一)
上篇 Spring Security基本配置已讲述了Spring Security最简单的配置,本篇将开始分析其基本原理html
在上篇中能够看到,在访问 http://localhost:18081/user 时,直接跳转到登陆页。那Security是怎么作的呢?本篇主要讲述跳转到登陆页前的处理spring
首先来看一张时序图:缓存
经过上图能够看到,请求顺序为AbstractAuthenticationProcessingFilter -> AnonymousAuthenticationFilter -> ExceptionTranslationFilter -> FilterSecurityInterceptorsession
AbstractAuthenticationProcessingFilterapp
请求先进入 AbstractAuthenticationProcessingFilter 的doFilter()方法。判断当前filter是否能够处理当前请求(也就是是否包含用户名密码信息),若是是,则调用其子类 UsernamePasswordAuthenticationFilter.attemptAuthentication() 方法进行验证(第一次请求时,没有用户名密码,是不会调用子类的)ide
public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain) throws IOException, ServletException { HttpServletRequest request = (HttpServletRequest) req; HttpServletResponse response = (HttpServletResponse) res; //判断当前的filter是否能够处理当前请求,不能够的话则交给下一个filter处理 if (!requiresAuthentication(request, response)) { chain.doFilter(request, response); return; } if (logger.isDebugEnabled()) { logger.debug("Request is to process authentication"); } Authentication authResult; try { //抽象方法由子类UsernamePasswordAuthenticationFilter实现 authResult = attemptAuthentication(request, response); if (authResult == null) { // return immediately as subclass has indicated that it hasn't completed // authentication return; } //认证成功后,处理一些与session相关的方法 sessionStrategy.onAuthentication(authResult, request, response); } catch (InternalAuthenticationServiceException failed) { logger.error( "An internal error occurred while trying to authenticate the user.", failed); //认证失败后的的一些操做 unsuccessfulAuthentication(request, response, failed); return; } catch (AuthenticationException failed) { // Authentication failed unsuccessfulAuthentication(request, response, failed); return; } // Authentication success if (continueChainBeforeSuccessfulAuthentication) { chain.doFilter(request, response); } //认证成功后的相关回调方法,主要将当前的认证放到SecurityContextHolder中 successfulAuthentication(request, response, chain, authResult); }
认证成功后的回调方法:post
protected void successfulAuthentication(HttpServletRequest request, HttpServletResponse response, FilterChain chain, Authentication authResult) throws IOException, ServletException { if (logger.isDebugEnabled()) { logger.debug("Authentication success. Updating SecurityContextHolder to contain: " + authResult); } //将认证结果保存到SecurityContextHolder中 SecurityContextHolder.getContext().setAuthentication(authResult); rememberMeServices.loginSuccess(request, response, authResult); // Fire event if (this.eventPublisher != null) { eventPublisher.publishEvent(new InteractiveAuthenticationSuccessEvent( authResult, this.getClass())); } //调用其它可扩展的 handlers 继续处理该认证成功之后的回调事件 //实现AuthenticationSuccessHandler接口便可 successHandler.onAuthenticationSuccess(request, response, authResult); }
认证失败后的回调方法:性能
protected void unsuccessfulAuthentication(HttpServletRequest request, HttpServletResponse response, AuthenticationException failed) throws IOException, ServletException { //清除SecurityContextHolder的中数据 SecurityContextHolder.clearContext(); if (logger.isDebugEnabled()) { logger.debug("Authentication request failed: " + failed.toString(), failed); logger.debug("Updated SecurityContextHolder to contain null Authentication"); logger.debug("Delegating to authentication failure handler " + failureHandler); } rememberMeServices.loginFail(request, response); //调用其它可扩展的 handlers 处理该认证失败之后的回调事件 //实现 AuthenticationFailureHandler 接口便可 failureHandler.onAuthenticationFailure(request, response, failed);
关于自定义 handlers ,可参考 Spring Security认证配置(三)ui
UsernamePasswordAuthenticationFilterthis
UsernamePasswordAuthenticationFilter自己不是过滤器,而是继承了AbstractAuthenticationProcessingFilter才拥有过滤器的性能,其主要是验证用户名密码。
public Authentication attemptAuthentication(HttpServletRequest request, HttpServletResponse response) throws AuthenticationException { //认证请求的方法必须为POST if (postOnly && !request.getMethod().equals("POST")) { throw new AuthenticationServiceException( "Authentication method not supported: " + request.getMethod()); } //从request中获取 username 和 password String username = obtainUsername(request); String password = obtainPassword(request); if (username == null) { username = ""; } if (password == null) { password = ""; } username = username.trim(); //封装Authenticaiton的实现类UsernamePasswordAuthenticationToken //传入用户名和密码,并将是否已经认证设为false UsernamePasswordAuthenticationToken authRequest = new UsernamePasswordAuthenticationToken( username, password); //设置UsernamePasswordAuthenticationToken中的详细信息。如remoteAddress、sessionId // Allow subclasses to set the "details" property setDetails(request, authRequest); //调用 AuthenticationManager 的实现类 ProviderManager 进行验证 return this.getAuthenticationManager().authenticate(authRequest); }
验证的过程,能够参考AuthenticationManager、ProviderManager
ExceptionTranslationFilter
ExceptionTranslationFilter是异常处理过滤器,该过滤器用来处理在系统认证受权过程当中抛出的异常(也就是FilterSecurityInterceptor抛出来的),主要是处理
AccessDeniedException、AuthenticationException
public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain) throws IOException, ServletException { HttpServletRequest request = (HttpServletRequest) req; HttpServletResponse response = (HttpServletResponse) res; try { chain.doFilter(request, response); logger.debug("Chain processed normally"); } catch (IOException ex) { throw ex; } catch (Exception ex) { //判断是否是AuthenticationException // Try to extract a SpringSecurityException from the stacktrace Throwable[] causeChain = throwableAnalyzer.determineCauseChain(ex); RuntimeException ase = (AuthenticationException) throwableAnalyzer .getFirstThrowableOfType(AuthenticationException.class, causeChain); if (ase == null) { //判断是否是AccessDeniedException ase = (AccessDeniedException) throwableAnalyzer.getFirstThrowableOfType( AccessDeniedException.class, causeChain); } if (ase != null) { //异常处理。包括缓存当前请求,跳转到登陆页 handleSpringSecurityException(request, response, chain, ase); } else { // Rethrow ServletExceptions and RuntimeExceptions as-is if (ex instanceof ServletException) { throw (ServletException) ex; } else if (ex instanceof RuntimeException) { throw (RuntimeException) ex; } // Wrap other Exceptions. This shouldn't actually happen // as we've already covered all the possibilities for doFilter throw new RuntimeException(ex); } } }
在 handleSpringSecurityException 方法中,有一段:
Authentication authentication = SecurityContextHolder.getContext().getAuthentication(); //判断当前authentication是否是AnonymousAuthenticationToken(RememberMeAuthenticationToken)或者其子类 if (authenticationTrustResolver.isAnonymous(authentication) || authenticationTrustResolver.isRememberMe(authentication)) { logger.debug( "Access is denied (user is " + (authenticationTrustResolver.isAnonymous(authentication) ? "anonymous" : "not fully authenticated") + "); redirecting to authentication entry point", exception); sendStartAuthentication( request, response, chain, new InsufficientAuthenticationException( "Full authentication is required to access this resource")); }
其中sendStartAuthentication方法:
protected void sendStartAuthentication(HttpServletRequest request, HttpServletResponse response, FilterChain chain, AuthenticationException reason) throws ServletException, IOException {
//清空SecurityContext SecurityContextHolder.getContext().setAuthentication(null); //缓存当前请求 requestCache.saveRequest(request, response); logger.debug("Calling Authentication entry point."); //调用AuthenticationEntryPoint的实现类LoginUrlAuthenticationEntryPoint(可扩展,实现AuthenticationEntryPoint便可) //跳转到可配置的登陆页(若是不配置,则跳转到spring security默认的登陆页) authenticationEntryPoint.commence(request, response, reason); }
FilterSecurityInterceptor
此过滤器为认证受权过滤器链中最后一个过滤器,该过滤器经过以后就是真正的 /user 服务
public void invoke(FilterInvocation fi) throws IOException, ServletException { ......
else { // first time this request being called, so perform security checking if (fi.getRequest() != null) { fi.getRequest().setAttribute(FILTER_APPLIED, Boolean.TRUE); } //调用父类AbstractSecurityInterceptor.beforeInvocation方法,进行最后一次过滤 InterceptorStatusToken token = super.beforeInvocation(fi); try { //请求真正的 /user 服务 fi.getChain().doFilter(fi.getRequest(), fi.getResponse()); } finally { super.finallyInvocation(token); } super.afterInvocation(token, null); } }
在beforeInvocation方法中,会调用AccessDecisionManager.decide方法来验证当前认证成功的用户是否有权限访问该资源
protected InterceptorStatusToken beforeInvocation(Object object) { ...... Collection<ConfigAttribute> attributes = this.obtainSecurityMetadataSource() .getAttributes(object); ...... Authentication authenticated = authenticateIfRequired(); // Attempt authorization try { //受权认证 this.accessDecisionManager.decide(authenticated, object, attributes); } catch (AccessDeniedException accessDeniedException) { publishEvent(new AuthorizationFailureEvent(object, attributes, authenticated, accessDeniedException)); throw accessDeniedException; } }
上面的object和attributes是什么?调试一下:
object为当前请求 URL:/user
requestMap的值有两个,以下图:
能够看到,这两个值对应SecurityConfig中的配置。第一个为antMatchs返回permitAll即不须要认证,第二个为anyRequest返回authenticated即其它请求须要认证
因此 getAttributes 就是使用当前请求路径去匹配咱们自定义的规则,attributes为匹配后的结果
咱们继续来看最核心的受权认证:
this.accessDecisionManager.decide(authenticated, object, attributes)
此时,authenticated为匿名AnonymousAuthenticationToken,attributes为authenticated
AccessDecisionManager是如何受权的呢?
Spring Security默认使用AccessDecisionManager的子类 AffirmativeBased,经过实现decide方法来鉴定用户是否有访问对应资源(方法或URL)的权限
public void decide(Authentication authentication, Object object, Collection<ConfigAttribute> configAttributes) throws AccessDeniedException { int deny = 0; //调用AccessDecisionVoter进行vote(投票) for (AccessDecisionVoter voter : getDecisionVoters()) { int result = voter.vote(authentication, object, configAttributes); if (logger.isDebugEnabled()) { logger.debug("Voter: " + voter + ", returned: " + result); } switch (result) { //voter投票为ACCESS_GRANTED,表示赞成,直接返回 case AccessDecisionVoter.ACCESS_GRANTED: return; //voter投票为ACCESS_DENIED,表示反对,则记录一下 case AccessDecisionVoter.ACCESS_DENIED: deny++; break; //voter投票为其它值,则表示弃权。都弃权也会经过 default: break; } } //只要有一个voter投票为ACCESS_DENIED,则直接就不经过了 if (deny > 0) { throw new AccessDeniedException(messages.getMessage( "AbstractAccessDecisionManager.accessDenied", "Access is denied")); } // To get this far, every AccessDecisionVoter abstained checkAllowIfAllAbstainDecisions(); }
第一次请求,这里将抛出AccessDeniedException。而后被ExceptionTranslationFilter捕获,跳转到受权登陆认证页面
相关文章
- 1. Spring Security源码解析
- 2. Spring Security 源码解析(一)AbstractAuthenticationProcessingFilter
- 3. spring security------过滤器源码解析(一)
- 4. Spring Security 解析(七) —— Spring Security Oauth2 源码解析
- 5. spring security 源码分析(1)
- 6. Spring Security OAuth2 源码分析
- 7. 【Spring-Security源码分析】AuthenticationManagerBuilder
- 8. spring security源码分析之一springSecurityFilterChain
- 9. Spring Security 登陆校验 源码解析
- 10. Spring Security Web 5.1.2 源码解析 -- WebAsyncManagerIntegrationFilter
- 更多相关文章...
- • XML DOM 解析器 - XML DOM 教程
- • TCP报文格式解析 - TCP/IP教程
- • Scala 中文乱码解决
- • 互联网组织的未来:剖析GitHub员工的任性之源
相关标签/搜索
每日一句
-
每一个你不满意的现在,都有一个你没有努力的曾经。
最新文章
- 1. python的安装和Hello,World编写
- 2. 重磅解读:K8s Cluster Autoscaler模块及对应华为云插件Deep Dive
- 3. 鸿蒙学习笔记2(永不断更)
- 4. static关键字 和构造代码块
- 5. JVM笔记
- 6. 无法启动 C/C++ 语言服务器。IntelliSense 功能将被禁用。错误: Missing binary at c:\Users\MSI-NB\.vscode\extensions\ms-vsc
- 7. 【Hive】Hive返回码状态含义
- 8. Java树形结构递归(以时间换空间)和非递归(以空间换时间)
- 9. 数据预处理---缺失值
- 10. 都要2021年了,现代C++有什么值得我们学习的?
欢迎关注本站公众号,获取更多信息
相关文章
- 1. Spring Security源码解析
- 2. Spring Security 源码解析(一)AbstractAuthenticationProcessingFilter
- 3. spring security------过滤器源码解析(一)
- 4. Spring Security 解析(七) —— Spring Security Oauth2 源码解析
- 5. spring security 源码分析(1)
- 6. Spring Security OAuth2 源码分析
- 7. 【Spring-Security源码分析】AuthenticationManagerBuilder
- 8. spring security源码分析之一springSecurityFilterChain
- 9. Spring Security 登陆校验 源码解析
- 10. Spring Security Web 5.1.2 源码解析 -- WebAsyncManagerIntegrationFilter