登录请求被FormAuthenticationFilter拦截
FormAuthenticationFilter会执行其父类AdviceFilter的doFilterInternal方法
其代码如下:
boolean continueChain = preHandle(request, response);//判断是否执行后面的操作 if (continueChain) { executeChain(request, response, chain);//放行 } postHandle(request, response);//执行完操作后的操作
而preHandle调用PathMatchingFilter.preHandle -> isFilterChainContinued,再调用AccessControlFilter.onPreHandle
onPreHandle(request, response, pathConfig){ return isAccessAllowed(request, response, mappedValue)/*判断是否允许通过,如果不允许则执行onAccessDenied*/ || onAccessDenied(request, response, mappedValue); }
//AuthenticatingFilter.isAccessAllowed(request, response, mappedValue)的代码如下 protected boolean isAccessAllowed(ServletRequest request, ServletResponse response, Object mappedValue) { return super.isAccessAllowed(request, response, mappedValue)/*返回是已经否登录 return subject.isAuthenticated*/ ||(!isLoginRequest(request, response) && isPermissive(mappedValue)); /*不是loginUrl请求,并且是permissive的Url请求;PathMatchingFilter的appliedPaths将filterChainDefinitions中的值转为map,permissive就是从这里取得*/ }
//FormAuthenticationFilter.onAccessDenied(request, response)的代码如下 if (isLoginRequest(request, response)) { if (isLoginSubmission(request, response)) {//如果是loginUrl并且是post请求,执行登录请求 return executeLogin(request, response); } else {//如果是loginUrl并且是get请求,则运行放行,否则调到get的loginUrl return ture; } } else { saveRequestAndRedirectToLogin(request, response); //如果不是loginUrl,跳转到get的loginUrl return false; }
//当点击post请求的loginUrl后,执行executeLogin,代码如下 AuthenticationToken token = createToken(request, response);//抽象方法,待实现。可通过request,设置AuthenticationToken的username,password if (token == null) { throw new IllegalStateException(msg); } try { Subject subject = getSubject(request, response); subject.login(token);//此时调用realm的doGetAuthenticationInfo,在这里判断登录账号密码是否匹配,成功,则return AuthenticationInfo,失败,则返回异常(同时此处可设置session等) return onLoginSuccess(token, subject, request, response);//如果subject.login成功,则执行onLoginSuccess,否则,进入catch } catch (AuthenticationException e) { return onLoginFailure(token, e, request, response); }