springSecurity流程
认证流程
登录请求进入UsernamePasswordAuthenticationFilter,父类是AbstractAuthenticationProcessingFilter,执行AbstractAuthenticationProcessingFilter的doFilter方法
1
authResult = attemptAuthentication(request, response);
确认该请求是否需要认证,如果需要认证且此时还没有进行认证,则尝试进行认证,调用UsernamePasswordAuthenticationFilter的attemptAuthentication方法,将从请求中获取的用户名和密码封装成UsernamePasswordAuthenticationToken对象(认证状态为未认证)
1
2
3
4
5
6
7
8
9
10UsernamePasswordAuthenticationToken authRequest = new UsernamePasswordAuthenticationToken(
username, password);
public UsernamePasswordAuthenticationToken(Object principal, Object credentials) {
super(null);
this.principal = principal;
this.credentials = credentials;
// 设置为未认证
setAuthenticated(false);
}通过AuthenticationManager(实现类是ProviderManager)委托AuthenticationProvider(实现类是DaoAuthenticationProvider)关联UserDetailsService进行认证过程
1
2
3
4
5
6
7
8
9
10
11// UsernamePasswordAuthenticationFilter中通过AuthenticationManager进行认证
return this.getAuthenticationManager().authenticate(authRequest);
// ProviderManager中通过AuthenticationProvider进行认证,使用的是DaoAuthenticationProvider对象,DaoAuthenticationProvider继承了AbstractUserDetailsAuthenticationProvider类,实际走的是AbstractUserDetailsAuthenticationProvider的authenticate方法
result = provider.authenticate(authentication);
// AbstractUserDetailsAuthenticationProvider的authenticate方法中检索用户,实际执行的是DaoAuthenticationProvider的retrieveUser方法
user = retrieveUser(username,
(UsernamePasswordAuthenticationToken) authentication);
// DaoAuthenticationProvider的retrieveUser方法中通过UserDetailsService就查询用户进行认证,可以自己实现用户查找以及认证过程
loadedUser = this.getUserDetailsService().loadUserByUsername(username);UserDetailsService返回的UserDetails被封装成Authentication
如果认证成功则执行successfulAuthentication
1
successfulAuthentication(request, response, chain, authResult);
如果认证失败则执行unsuccessfulAuthentication
1
unsuccessfulAuthentication(request, response, failed);
权限流程
FilterSecurityInterceptor
判断请求是否有权限
1
InterceptorStatusToken token = super.beforeInvocation(fi);
进行springmvc处理
1
fi.getChain().doFilter(fi.getRequest(), fi.getResponse());