开发者

Spring Security账户与密码验证实现过程

开发 作者: T.Y.Bao
目录
  • Introduction
  • 前后端分离模式下配置
  • AbstractAuthenticationProcessingFilter
  • UsernamePasswordAuthenticationFilter

这里使用Spring Boot 2.7.4版本,对应Spring Security 5.7.3版本

本文样例代码地址: spring-security-oauth2.0-sample

关于Username/Password认证的基本流程和基本方法参见官网 Username/Password Authentication

Introduction

Username/Password认证主要就是Spring Security 在 HttpServletRequest中读取用户登录提交的信息的认证机制。

Spring Security提供了登录页面,是前后端不分离的形式,前后端分离时的配置需另加配置。本文基于前后端分离模式来叙述。

基本流程如下:

Spring Security账户与密码验证实现过程

Username/Password认证可分为两部分:

  • 从HttpServletRequest中获取用户登录信息
  • 从密码存储处获取密码并比较

关于获取获取用户登录信息,Spring Security支持三种方式(基本用的都是Form表单提交,即POST方式提交):

  • Form
  • Basic
  • Digest

关于密码的获取和比对,关注下面几个类和接口:

  • UsernamePasswordAuthenticationFilter: 过滤器,父类AbstractAuthenticationProcessingFilter中组合了AuthenticationManagerAuthenticationManager的默认实现ProviderManager中又组合了多个AuthenticationProvider,该接口实现类,有一个DaoAuthenticationProvider负责获取用户密码以及权限信息,DaoAuthenticationProvider又把责任推卸给了UserDetailService
  • PasswordEncoder : 密码加密方式
  • UserDetails : 代表用户,包括 用户名、密码、权限等信息
  • UserDetailsService : 最终实际调用获取 UserDetails的接口,通常用户实现。

整个流程的UML图如下:

Spring Security账户与密码验证实现过程

前后端分离模式下配置

先来看对SecurityFilterChain的配置:

@Configuration
@EnableMethodSecurity()
@RequiredArgsConsphptructor
public class SecurityConfig {
	// 自定义成功处理,主要存储登录信息并返回jwt
	private final LoginSuccessHandler loginSuccessHandler;
	// 自定义失败处理,返回json格式而非默认的html
    private final LoginFailureHandler loginFailureHandler;
    private final CustomSessionAuthenticationStrategy customSessionAuthenticationStrategy;
	...
	@Bean
    public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
    	// 设置登录成功后session处理, 认证成功后
        // SessionAuthenticationStrategy的最早执行,详见AbstractAuthenticationProcessingFilter
        // 执行顺序:
        // 1. SessionAuthenticationStrategy#onAuthentication
        // 2. SecurityContextHolder#setContext
        // 3. SecurityContextRepository#saveContext
        // 4. RememberMeServices#loginSuccess
        // 5. ApplicationEventPublisher#publishEvent
        // 6. AuthenticationSuccessHandler#onAuthenticationSuccess
        http.sessionManagement().sessionAuthenticationStrategy(customSessionAuthenticationStrategy);
		...
		// 前后端不分离,可指定html返回。该项未测试
        // http.formLogin().loginPage("login").loginProcessingUrl("/hello/login");
        // 前后端分离下username/password登录
        http.formLogin()
                .usernameParameter("userId")
                .passwordParameter("password")
                // 前端登陆页面对这个url提交username/password即可
                // 必须为Post请求,且Body格式为x-www-form-urlencoded,如果要接受application/json格式,需另加配置
                .loginProcessingUrl("/hello/login")
                .successHandler(loginSuccessHandler)
                .failureHandler(loginFailureHandler);
                //  .securityContextRepository(...)  // pass
       ...
       return http.build();
	}
	...
}

使用Postman测试:编程客栈

登录成功登陆失败

Spring Security账户与密码验证实现过程

Spring Security账户与密码验证实现过程

AbstractAuthenticationProcessingFilter

该类是UsernamePasswordAuthenticationFilterOAuth2LoginAuthenticationFilter的父类,使用模板模式构建。

UsernamePasswordAuthenticationFilter只负责从HttpServletRequest中获取用户提交的用户名密码,而真正去认证、事件发布、SessionAuthenticationStrategy、AuthenticationSuccessHandler、AuthenticationFailureHandler、SecurityContextRepository、RememberMeServices这些内容均组合在AbstractAuthenticationProcessingFilter中。

public abstract class AbstractAuthenticationProcessingFilter extends GenericFilterBean
		implements ApplicationEventPublisherAware, MessageSourceAware {
	...
	// 委托给子类ProviderManager执行认证,最终由DaoAuthenticationProvider认证
	// DaoAuthenticationProvider中会调用UserDetailsService#loadUserByUsername(username)接口方法
	// 我们只需实现该UserDetailsService接口注入Bean容器即可
	private AuthenticationManager authenticationManager;
	private SessionAuthenticationStrategy sessionStrategy;
	protected ApplicationEventPublisher eventPublisher;
	private RememberMeServices rememberMeServices;
	private AuthenticationSuccessHandler successHandler;
	private AuthenticationFailureHandler failureHandler;
	private SecurityContextRepository securityContextRepository;
	...
	private void doFilter(HttpServletRequest request, HttpServletResponse response, FilterChain chain)
			throws IOException, ServletException {
		...
		try {
			// 模板模式,该方法子类实现
			Authentication authenticationResult = attemptAuthentication(request, response);
			// 1. 	
			this.sessionStrategy.onAuthentication(authenticationResult, request, response);
			// Authentication success
			if (this.continueChainBeforeSuccessfulAuthentication) {
				chain.doFilter(request, response);
			}
			// 成功后续处理
			successfulAuthentication(request, response, chain, authenticationResult);
		}
		catch (InternalAuthenticationServiceException failed) {
			// 失败后续处理
			unsuccessfulAuthentication(request, response, failed);
		}
		catch (AuthenticationException ex) {
			// Authentication failed
			unsuccessfulAuthentication(request, response, ex);
		}
	}
	// 模板模式,由UsernamePasswordAuthenticationFilter完成
	public abstract Authentication attemptAuthentication(HttpServletRequest request, HttpServletResponse response)
			throws AuthenticationException, IOException, ServletException;}
    protected void successfulAuthentication(HttpServletRequest request, HttpServletResponse response, FilterChain chain,
			Authentication authResult) throws IOException, ServletException {
		SecurityContext context = SecurityContextHolder.createEmptyContext();
		context.setAuthentication(authResult);
		// 2. 
		SecurityContextHolder.setContext(context);
		// 3. 
		this.securityContextRepository.saveContext(context, request, response);
		// 4.
		this.rememberMeServices.loginSuccess(request, response, authResult);
		if (this.eventPublisher != null) {
			// 5.
			this.eventPublisher.publishEvent(new InteractiveAuthenticationSuccessEvent(authResult, this.getClass()));
		}
		// 6.
		this.successHandler.onAuthenticationSucchttp://www.devze.comess(requestoPPmXkO, response, authResult);
	}
}

UsernamePasswordAuthenticationFilterphp

public class UsernamePasswordAuthenticationFilter extends AbstractAuthenticationProcessingFilter {
	@Override
	public Authentication attemptAuthentication(HttpServletRequest request, HttpServletResponse response)
			throws AuthenticationException {
		if (this.postOnly && !request.getMethod().equals("POST")) {
			throw new AuthenticationServiceException("Authentication method not supported: " + request.getMethod());
		}
		String username = obtainUsername(request);
		username = (username != null) ? username.trim() : "";
		String password = obtainPassword(request);
		password = (password != null) ? password : "";
		UsernamePasswordAuthenticationToken authRequest = UsernamePasswordAuthenticationToken.unauthenticated(username,
				password);
		// Allow subclasses to set the "details" property
		setDetails(request, authRequest);
		// 调用父类中字段去认证,最终是 UserDetailService#loadUserByUsername(String username),该接口实现类由程序员根据业务定义。
		return this.getAuthenticationManager().authenticate(authRequest);
	}
	// ************** 重要 **************
	// 这里只能通过x-www-urlencoded方式获取,如果前端传过来application/json,是解析不到的
	// 非要用application/json,建议重写UsernamePasswordAuthenticationFilter方法,但由于body中内容默认只能读一次,又要做很多其他配置,比较麻烦,建议这里x-www-urlencoded
	// *******************开发者_JAVA**************
	@Nullable
	protected String obtainUsername(HttpServletRequest request) {
		return request.getParameter(this.usernameParameter);
	}
	@Nullable
	protected String obtainPassword(HttpServletRequest request) {
		return request.getParameter(this.passwordParameter);
	}
}

到此这篇关于Spring Security账户与密码验证实现过程的文章就介绍到这了,更多相关Spring Security内容请搜索我们以前的文章或继续浏览下面的相关文章希望大家以后多多支持我们!

继续阅读:Spring Security密码认证Spring Security账户验证

更多精彩内容

0

上一篇:

下一篇:

精彩评论

暂无评论...
登录 注册
Qedev.com
验证码 换一张
取 消

最新开发

开发排行榜

法律声明:本站内容均为网友上传,网站举办方负责审核和监督,

如存在版权或非法内容,欢迎举报,我们将尽快予以删除。

Copyright © 2018-2020 开发者. All rights reserved.

Powered by 开发者

ICP备案号: 京ICP备10032868号-9