Core components:
SecurityContextHolder: provides access to the SecurityContext.
SecurityContext: holds the Authentication and possibly request-specific security information.
Authentication: represents the user's authentication information (principal, credentials, authorities).
GrantedAuthority: an authority held by the current user; obtained from Authentication.getAuthorities(), which returns a Collection<? extends GrantedAuthority> (not an array).
UserDetails: defines methods for reading authentication-related information such as the username, password and authorities; loaded by UserDetailsService.loadUserByUsername().
UserDetailsService: loads UserDetails from a database (e.g. org.springframework.security.core.userdetails.jdbc.JdbcDaoImpl) or from memory (e.g. InMemoryUserDetailsManager).

Relationships:
UserDetailsService -> UserDetails
UserDetailsService -> GrantedAuthority (role)
SecurityContextHolder -> SecurityContext -> Authentication (principal, credentials, authorities)

User-loading DAO classes:
UserDetailsService (interface): loadUserByUsername(String username). Subtypes:
UserDetailsManager (interface): changePassword(String oldPassword, String newPassword), createUser(UserDetails user), deleteUser(String username), etc.
CachingUserDetailsService
InMemoryUserDetailsManager
JdbcDaoImpl
JdbcUserDetailsManager
LdapUserDetailsManager
LdapUserDetailsService

User information:
UserDetails (interface): getAuthorities(), getPassword(), getUsername(), isAccountNonExpired(), etc.
InetOrgPerson
LdapUserDetailsImpl
Person: UserDetails implementation whose properties are based on the LDAP schema for Person.
User (class): the standard UserDetails implementation.

Authentication:
Principal (java.security): equals(Object another), getName()
Authentication (interface): once a request has been authenticated, the Authentication is placed in the thread-local SecurityContext managed by the SecurityContextHolder. SecurityContextHolder.getContext().setAuthentication(anAuthentication) sets it explicitly. Methods: Collection<? extends GrantedAuthority> getAuthorities(), getCredentials(), getDetails(), getPrincipal().
UsernamePasswordAuthenticationToken: for simple presentation of a username and password.
RememberMeAuthenticationToken
OpenIDAuthenticationToken
...
GrantedAuthority (interface): getAuthority() returns the authority as a String; if the authority cannot be represented as a String it should return null.
SimpleGrantedAuthority: stores a String that represents an authority granted to an Authentication.
...
Authentication manager and providers:
AuthenticationManager (interface): processes an Authentication request; Authentication authenticate(Authentication authentication).
ProviderManager: handles the request by trying a list of AuthenticationProviders in turn; List<AuthenticationProvider> getProviders(), authenticate(Authentication authentication).
AuthenticationProvider (interface)
DaoAuthenticationProvider: fetches the user from a UserDetailsService and checks the presented password against it; getUserDetailsService(), retrieveUser(String username, UsernamePasswordAuthenticationToken authentication).

Exceptions:
AuthenticationException
AuthenticationServiceException

Filters:
Filter (javax.servlet): void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
GenericFilterBean
DelegatingFilterProxy
OncePerRequestFilter
FilterChainProxy
AbstractAuthenticationProcessingFilter: attemptAuthentication(request, response), getFailureHandler(), getSuccessHandler(), successfulAuthentication(), unsuccessfulAuthentication()
CasAuthenticationFilter, OpenIDAuthenticationFilter
UsernamePasswordAuthenticationFilter: getPasswordParameter(), getUsernameParameter(), obtainPassword(request), setDetails()
ExceptionTranslationFilter: handles any AccessDeniedException and AuthenticationException thrown within the filter chain.
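The two sections above (SecurityContextHolder / UserDetailsService / GrantedAuthority, and AuthenticationManager / ProviderManager / DaoAuthenticationProvider) fit together in a few lines of code. The following is an added example, not code from the original notes or from Spring Security itself; it assumes spring-security-core and spring-security-crypto 5.x on the classpath, and the user "alice", her password and the map that stands in for JdbcDaoImpl are constructed sample data.

```java
import java.util.Collections;
import java.util.Map;

import org.springframework.security.authentication.AuthenticationManager;
import org.springframework.security.authentication.ProviderManager;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.authentication.dao.DaoAuthenticationProvider;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.AuthenticationException;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.security.core.userdetails.User;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.core.userdetails.UsernameNotFoundException;
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
import org.springframework.security.crypto.password.PasswordEncoder;

/** Added example: authenticates against a ProviderManager without a web container. */
public class ManualAuthenticationDemo {

    private static final PasswordEncoder ENCODER = new BCryptPasswordEncoder();

    /** UserDetailsService backed by a constructed in-memory map (stands in for JdbcDaoImpl). */
    static UserDetailsService userDetailsService() {
        Map<String, UserDetails> users = Collections.singletonMap("alice",
                User.withUsername("alice")
                    .password(ENCODER.encode("correct horse battery staple")) // store only the hash
                    .roles("USER")                                           // becomes GrantedAuthority "ROLE_USER"
                    .build());
        return username -> {
            UserDetails user = users.get(username);
            if (user == null) {
                // DaoAuthenticationProvider converts this to BadCredentialsException by default
                // (hideUserNotFoundExceptions), so callers cannot enumerate valid usernames.
                throw new UsernameNotFoundException("no user " + username);
            }
            return user;
        };
    }

    /** A ProviderManager that delegates to a single DaoAuthenticationProvider. */
    static AuthenticationManager authenticationManager() {
        DaoAuthenticationProvider provider = new DaoAuthenticationProvider();
        provider.setUserDetailsService(userDetailsService());
        provider.setPasswordEncoder(ENCODER); // never compare plaintext passwords
        return new ProviderManager(Collections.singletonList(provider));
    }

    /**
     * Authenticates and, on success, stores the result in the thread-local SecurityContext.
     * Returns null on any AuthenticationException; the failure reason is not passed to the caller.
     */
    static Authentication login(AuthenticationManager manager, String username, String password) {
        Authentication request = new UsernamePasswordAuthenticationToken(username, password);
        try {
            Authentication result = manager.authenticate(request);
            SecurityContextHolder.getContext().setAuthentication(result);
            return result;
        } catch (AuthenticationException ex) {
            SecurityContextHolder.clearContext();
            return null;
        }
    }

    public static void main(String[] args) {
        AuthenticationManager manager = authenticationManager();

        Authentication ok = login(manager, "alice", "correct horse battery staple");
        System.out.println("authenticated: " + ok.isAuthenticated());
        System.out.println("principal: " + ((UserDetails) ok.getPrincipal()).getUsername());
        for (GrantedAuthority a : ok.getAuthorities()) {
            System.out.println("authority: " + a.getAuthority());
        }
        // ProviderManager erases credentials from the returned token after authentication
        // (eraseCredentialsAfterAuthentication defaults to true), so the password is gone here.
        System.out.println("credentials retained: " + (ok.getCredentials() != null));

        System.out.println("wrong password -> " + login(manager, "alice", "nope"));
        System.out.println("unknown user   -> " + login(manager, "mallory", "nope"));
        SecurityContextHolder.clearContext();
    }
}
```

Both failing calls return null for the same reason: the provider reports a wrong password and an unknown user with the same BadCredentialsException, which is what keeps the login endpoint from leaking which usernames exist.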
ConcurrentSessionFilter: determineExpiredUrl(HttpServletRequest request, SessionInformation info)

Handlers:
AuthenticationSuccessHandler (interface): onAuthenticationSuccess(request, response, authentication)
ForwardAuthenticationSuccessHandler
SavedRequestAwareAuthenticationSuccessHandler
SimpleUrlAuthenticationSuccessHandler

Events:
InteractiveAuthenticationSuccessEvent

Entry points:
AuthenticationEntryPoint
LoginUrlAuthenticationEntryPoint: used by the ExceptionTranslationFilter to start a form login handled by UsernamePasswordAuthenticationFilter; commence(request, response, authException) performs the redirect to the login page; getLoginFormUrl().

Listeners:
javax.servlet.http.HttpSessionListener
HttpSessionEventPublisher: sessionCreated(javax.servlet.http.HttpSessionEvent event), sessionDestroyed(javax.servlet.http.HttpSessionEvent event)

Sessions:
SessionRegistry (interface): getAllPrincipals(), getAllSessions(), getSessionInformation(), registerNewSession()
SessionRegistryImpl
SessionAuthenticationStrategy (interface)
CompositeSessionAuthenticationStrategy: a SessionAuthenticationStrategy that accepts multiple SessionAuthenticationStrategy implementations to delegate to. Each SessionAuthenticationStrategy is invoked in turn. The invocations are short-circuited if any exception (i.e. SessionAuthenticationException) is thrown.
ConcurrentSessionControlAuthenticationStrategy: limits how many times a user may be logged in at once, i.e. how many sessions one user may hold concurrently.
SessionFixationProtectionStrategy: protects against session fixation attacks by replacing the pre-login session with a new session (new id) on successful authentication.
RegisterSessionAuthenticationStrategy: registers a user with the SessionRegistry after successful Authentication.
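The session strategies listed above are normally installed through the Java configuration DSL rather than instantiated by hand. The following is an added example, not from the original notes or from the Spring Security project; it assumes Spring Security 5.4+ (SecurityFilterChain bean) running in a servlet container, and the "/login?expired" path is an assumption.

```java
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.core.session.SessionRegistry;
import org.springframework.security.core.session.SessionRegistryImpl;
import org.springframework.security.web.SecurityFilterChain;
import org.springframework.security.web.session.HttpSessionEventPublisher;

/** Added example: concurrent-session control plus session fixation protection. */
@Configuration
@EnableWebSecurity
public class SessionSecurityConfig {

    /** Backing store for concurrent-session control; RegisterSessionAuthenticationStrategy writes to it. */
    @Bean
    public SessionRegistry sessionRegistry() {
        return new SessionRegistryImpl();
    }

    /**
     * Without this HttpSessionListener the registry never hears that a session was invalidated
     * or timed out, so stale entries would keep counting against the user's session limit.
     */
    @Bean
    public HttpSessionEventPublisher httpSessionEventPublisher() {
        return new HttpSessionEventPublisher();
    }

    @Bean
    public SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
        http
            .authorizeRequests()
                .anyRequest().authenticated()
                .and()
            .formLogin()
                .and()
            .sessionManagement()
                // SessionFixationProtectionStrategy: the session that existed before login is
                // discarded, so a JSESSIONID planted by an attacker is never promoted to an
                // authenticated session.
                .sessionFixation().migrateSession()
                // ConcurrentSessionControlAuthenticationStrategy with maximumSessions = 1.
                .maximumSessions(1)
                    // true: reject the new login; false (default): expire the oldest session,
                    // which ConcurrentSessionFilter then redirects to expiredUrl.
                    .maxSessionsPreventsLogin(false)
                    .expiredUrl("/login?expired")
                    .sessionRegistry(sessionRegistry());
        return http.build();
    }
}
```

Internally this DSL builds a CompositeSessionAuthenticationStrategy of exactly the three strategies in the notes, in the order concurrent-session check, fixation protection, registry registration, so an over-limit login is rejected before a new session is created or registered.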
Anonymous authentication:
AuthenticationProvider
AnonymousAuthenticationProvider: authenticate(Authentication authentication), getKey()
Authentication
AnonymousAuthenticationToken: represents an anonymous Authentication; getPrincipal()
GenericFilterBean
AnonymousAuthenticationFilter: createAuthentication(HttpServletRequest request)

Reading the current username from the SecurityContext (the original snippet, with its imports and a null check added for threads that have not passed through the filter chain, where getAuthentication() returns null):

    import java.security.Principal;
    import org.springframework.security.core.Authentication;
    import org.springframework.security.core.context.SecurityContextHolder;
    import org.springframework.security.core.userdetails.UserDetails;

    public String getCurrentUsername() {
        Authentication authentication = SecurityContextHolder.getContext().getAuthentication();
        if (authentication == null) {
            return null; // no Authentication in this thread's SecurityContext
        }
        Object principal = authentication.getPrincipal();
        if (principal instanceof UserDetails) {
            return ((UserDetails) principal).getUsername();
        }
        if (principal instanceof Principal) {
            return ((Principal) principal).getName();
        }
        // AnonymousAuthenticationToken carries a plain String principal ("anonymousUser" by default)
        return String.valueOf(principal);
    }
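A practitioner caveat that the notes above do not spell out: an AnonymousAuthenticationToken answers isAuthenticated() with true, so "is there an authenticated Authentication in the context" is not the same question as "is a real user logged in". The following is an added example, not from the original notes or from Spring Security itself; it assumes spring-security-core 5.x, and the key "filter-key" and both tokens are constructed here.

```java
import org.springframework.security.authentication.AnonymousAuthenticationProvider;
import org.springframework.security.authentication.AnonymousAuthenticationToken;
import org.springframework.security.authentication.AuthenticationTrustResolver;
import org.springframework.security.authentication.AuthenticationTrustResolverImpl;
import org.springframework.security.authentication.BadCredentialsException;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.authority.AuthorityUtils;
import org.springframework.security.core.context.SecurityContextHolder;

/** Added example: telling anonymous from logged-in, and what the provider key protects. */
public class AnonymousCheckDemo {

    private static final String KEY = "filter-key"; // assumed; shared by filter and provider
    private static final AuthenticationTrustResolver TRUST = new AuthenticationTrustResolverImpl();

    /** Builds the token AnonymousAuthenticationFilter.createAuthentication() would produce. */
    static AnonymousAuthenticationToken anonymous(String key) {
        return new AnonymousAuthenticationToken(key, "anonymousUser",
                AuthorityUtils.createAuthorityList("ROLE_ANONYMOUS"));
    }

    /**
     * The wrong check: isAuthenticated() is true for an anonymous token, because the filter
     * marks it authenticated so that downstream code always finds an Authentication.
     */
    static boolean isLoggedInNaive(Authentication auth) {
        return auth != null && auth.isAuthenticated();
    }

    /** The right check: exclude anonymous (and isRememberMe(), if a fresh login is required). */
    static boolean isLoggedIn(Authentication auth) {
        return auth != null && auth.isAuthenticated() && !TRUST.isAnonymous(auth);
    }

    /**
     * AnonymousAuthenticationProvider only accepts tokens created with its own key, so a
     * token injected or deserialized with a different key is rejected with BadCredentialsException.
     */
    static boolean providerAccepts(AnonymousAuthenticationToken token) {
        AnonymousAuthenticationProvider provider = new AnonymousAuthenticationProvider(KEY);
        try {
            return provider.authenticate(token) != null;
        } catch (BadCredentialsException ex) {
            return false;
        }
    }

    public static void main(String[] args) {
        SecurityContextHolder.getContext().setAuthentication(anonymous(KEY));
        Authentication current = SecurityContextHolder.getContext().getAuthentication();

        System.out.println("naive check says logged in: " + isLoggedInNaive(current));
        System.out.println("trust-resolver check says logged in: " + isLoggedIn(current));
        System.out.println("provider accepts token with matching key: " + providerAccepts(anonymous(KEY)));
        System.out.println("provider accepts token with other key: " + providerAccepts(anonymous("other-key")));

        SecurityContextHolder.clearContext();
    }
}
```

Use AuthenticationTrustResolver (or the ROLE_ANONYMOUS authority) rather than isAuthenticated() wherever code decides whether a principal may see user-specific data; the key check is why the anonymous filter and provider must be configured with the same key.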