一、SpringSecurity 过滤器链:
1、SecurityContextPersistenceFilter 会在请求开始时从配置好的SecurityContextRepository中获取SecurityContext,然后把它设置给SecurityContextHolder。
在请求完成后将SecurityContextHolder持有的SecurityContext再保存到配置好的SecurityContextRepository,同时清除SecurityContextHolder所持有的SecurityContext。
2、UsernamePasswordAuthenticationFilter用于处理来自表单提交的认证,认证成功由AuthenticationSuccessHandler处理,反之由AuthenticationFailureHandler处理。
3、FilterSecurityInterceptor用于保护Http资源(授权),它需要引用AccessDecisionManager(决策管理器)、AuthenticationManager(认证管理器)、 SecurityMetadataSource(资源与权限的对应关系)。
4、ExceptionTranslationFilter 只会处理 AuthenticationException、AccessDeniedException异常,其他的异常会抛出。
二、基于用户名、密码认证、授权流程:
1、AbstractAuthenticationProcessingFilter.attemptAuthentication()开始用户认证流程,在这里会处理认证的成功(AuthenticationSuccessHandler)或失败(AuthenticationFailureHandler);
2、重写UsernamePasswordAuthenticationFilter.attemptAuthentication()调用retrieveUser()方法,自定义用户名、密码、验证码校验、认证逻辑,返回Authentication对象实例存入SessionAuthenticationStrategy;
3、继承AbstractUserDetailsAuthenticationProvider重写retrieveUser方法,开始处理用户认证,调用DetailsServiceImpl.loadUserByUsername()返回UserDetails对象实例;
4、实现UserDetailsService重写loadUserByUsername,自定义用户名密码校验流程,成功返回UserDetails对象实例,否则抛出AuthenticationException类异常;用户认证结束;
5、FilterSecurityInterceptor.beforeInvocation()过滤器开始授权流程,实例化AccessDecisionManager(授权管理器)、AuthenticationManager(认证管理器)、FilterInvocationSecurityMetadataSource(处理url、权限关系的接口);
6、进入AbstractSecurityInterceptor.beforeInvocation(Object object)进行授权,分为三步开始处理。
6.1.Collection<ConfigAttribute> attributes = this.obtainSecurityMetadataSource().getAttributes(object);//获取当前url的权限
6.2.Authentication authenticated = authenticateIfRequired();//获取Authenticatio实例,拿到当前用户信息
6.3.this.accessDecisionManager.decide(authenticated, object, attributes);//没有权限抛出AccessDeniedException类异常 ExceptionTranslationFilter处理异常
三、“记住我”功能实现原理:
1、用户第一次登陆,AbstractAuthenticationProcessingFilter 开始用户认证,成功后 RememberMeServices 实现类 AbstractRememberMeServices作业务处理。
PersistentTokenBasedRememberMeServices 继承了 AbstractRememberMeServices,重写了 onLoginSucce(),存储 PersistentTokenRepository 对象到DB。
public class PersistentTokenBasedRememberMeServices extends AbstractRememberMeServices { private PersistentTokenRepository tokenRepository = new InMemoryTokenRepositoryImpl(); ...... protected void onLoginSuccess(HttpServletRequest request, HttpServletResponse response, Authentication successfulAuthentication) { String username = successfulAuthentication.getName(); this.logger.debug("Creating new persistent login for user " + username); PersistentRememberMeToken persistentToken = new PersistentRememberMeToken(username, this.generateSeriesData(), this.generateTokenData(), new Date()); try { this.tokenRepository.createNewToken(persistentToken); this.addCookie(persistentToken, request, response); } catch (Exception var7) { this.logger.error("Failed to save persistent token ", var7); } } ...... }
2、第二次登陆 RememberMeAuthenticationFilter 处理
public class RememberMeAuthenticationFilter extends GenericFilterBean implements ApplicationEventPublisherAware { ...... public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain) throws IOException, ServletException { HttpServletRequest request = (HttpServletRequest)req; HttpServletResponse response = (HttpServletResponse)res; if (SecurityContextHolder.getContext().getAuthentication() == null) { Authentication rememberMeAuth = this.rememberMeServices.autoLogin(request, response);// 解码cookie获取token,拿到UserDetails对象 if (rememberMeAuth != null) { try { rememberMeAuth = this.authenticationManager.authenticate(rememberMeAuth);//认证开始 SecurityContextHolder.getContext().setAuthentication(rememberMeAuth); this.onSuccessfulAuthentication(request, response, rememberMeAuth); if (this.logger.isDebugEnabled()) { this.logger.debug("SecurityContextHolder populated with remember-me token: '" + SecurityContextHolder.getContext().getAuthentication() + "'"); } if (this.eventPublisher != null) { this.eventPublisher.publishEvent(new InteractiveAuthenticationSuccessEvent(SecurityContextHolder.getContext().getAuthentication(), this.getClass())); } if (this.successHandler != null) { this.successHandler.onAuthenticationSuccess(request, response, rememberMeAuth); return; } } catch (AuthenticationException var8) { if (this.logger.isDebugEnabled()) { this.logger.debug("SecurityContextHolder not populated with remember-me token, as AuthenticationManager rejected Authentication returned by RememberMeServices: '" + rememberMeAuth + "'; invalidating remember-me token", var8); } this.rememberMeServices.loginFail(request, response);//失败跳转到登录页 this.onUnsuccessfulAuthentication(request, response, var8); } } chain.doFilter(request, response); } else { if (this.logger.isDebugEnabled()) { this.logger.debug("SecurityContextHolder not populated with remember-me token, as it already contained: '" + SecurityContextHolder.getContext().getAuthentication() + "'"); } chain.doFilter(request, response); } } }