springSecurity流程
认证流程
登录请求进入UsernamePasswordAuthenticationFilter,父类是AbstractAuthenticationProcessingFilter,执行AbstractAuthenticationProcessingFilter的doFilter方法
authResult = attemptAuthentication(request, response);
确认该请求是否需要认证,如果需要认证且此时还没有进行认证,则尝试进行认证,调用UsernamePasswordAuthenticationFilter的attemptAuthentication方法,将从请求中获取的用户名和密码封装成UsernamePasswordAuthenticationToken对象(认证状态为未认证)
UsernamePasswordAuthenticationToken authRequest = new UsernamePasswordAuthenticationToken( username, password); public UsernamePasswordAuthenticationToken(Object principal, Object credentials) { super(null); this.principal = principal; this.credentials = credentials; // 设置为未认证 setAuthenticated(false); }
通过AuthenticationManager(实现类是ProviderManager)委托AuthenticationProvider(实现类是DaoAuthenticationProvider)关联UserDetailsService进行认证过程
// UsernamePasswordAuthenticationFilter中通过AuthenticationManager进行认证 return this.getAuthenticationManager().authenticate(authRequest); // ProviderManager中通过AuthenticationProvider进行认证,使用的是DaoAuthenticationProvider对象,DaoAuthenticationProvider继承了AbstractUserDetailsAuthenticationProvider类,实际走的是AbstractUserDetailsAuthenticationProvider的authenticate方法 result = provider.authenticate(authentication); // AbstractUserDetailsAuthenticationProvider的authenticate方法中检索用户,实际执行的是DaoAuthenticationProvider的retrieveUser方法 user = retrieveUser(username, (UsernamePasswordAuthenticationToken) authentication); // DaoAuthenticationProvider的retrieveUser方法中通过UserDetailsService就查询用户进行认证,可以自己实现用户查找以及认证过程 loadedUser = this.getUserDetailsService().loadUserByUsername(username);
UserDetailsService返回的UserDetails被封装成Authentication
如果认证成功则执行successfulAuthentication
successfulAuthentication(request, response, chain, authResult);
如果认证失败则执行unsuccessfulAuthentication
unsuccessfulAuthentication(request, response, failed);
权限流程
FilterSecurityInterceptor
判断请求是否有权限
InterceptorStatusToken token = super.beforeInvocation(fi);
进行springmvc处理
fi.getChain().doFilter(fi.getRequest(), fi.getResponse());
https://zhhll.icu/2021/框架/springSecurity/3.springSecurity流程/