springSecurity流程
认证流程
-
登录请求进入UsernamePasswordAuthenticationFilter,父类是AbstractAuthenticationProcessingFilter,执行AbstractAuthenticationProcessingFilter的doFilter方法
authResult = attemptAuthentication(request, response);
-
确认该请求是否需要认证,如果需要认证且此时还没有进行认证,则尝试进行认证,调用UsernamePasswordAuthenticationFilter的attemptAuthentication方法,将从请求中获取的用户名和密码封装成UsernamePasswordAuthenticationToken对象(认证状态为未认证)
UsernamePasswordAuthenticationToken authRequest = new UsernamePasswordAuthenticationToken(username, password);public UsernamePasswordAuthenticationToken(Object principal, Object credentials) {super(null);this.principal = principal;this.credentials = credentials;// 设置为未认证setAuthenticated(false);}
-
通过AuthenticationManager(实现类是ProviderManager)委托AuthenticationProvider(实现类是DaoAuthenticationProvider)关联UserDetailsService进行认证过程
// UsernamePasswordAuthenticationFilter中通过AuthenticationManager进行认证 return this.getAuthenticationManager().authenticate(authRequest);// ProviderManager中通过AuthenticationProvider进行认证,使用的是DaoAuthenticationProvider对象,DaoAuthenticationProvider继承了AbstractUserDetailsAuthenticationProvider类,实际走的是AbstractUserDetailsAuthenticationProvider的authenticate方法 result = provider.authenticate(authentication);// AbstractUserDetailsAuthenticationProvider的authenticate方法中检索用户,实际执行的是DaoAuthenticationProvider的retrieveUser方法 user = retrieveUser(username,(UsernamePasswordAuthenticationToken) authentication); // DaoAuthenticationProvider的retrieveUser方法中通过UserDetailsService就查询用户进行认证,可以自己实现用户查找以及认证过程 loadedUser = this.getUserDetailsService().loadUserByUsername(username);
-
UserDetailsService返回的UserDetails被封装成Authentication
-
如果认证成功则执行successfulAuthentication
successfulAuthentication(request, response, chain, authResult);
-
如果认证失败则执行unsuccessfulAuthentication
unsuccessfulAuthentication(request, response, failed);
权限流程
FilterSecurityInterceptor
-
判断请求是否有权限
InterceptorStatusToken token = super.beforeInvocation(fi);
-
进行springmvc处理
fi.getChain().doFilter(fi.getRequest(), fi.getResponse());
https://zhhll.icu/2021/框架/springSecurity/3.springSecurity流程/