2025-01-31 Update From: SLTechnology News&Howtos
Shulou(Shulou.com)06/03 Report--
This article walks through the Spring Security authentication process: how a request passes from a Filter to the AuthenticationManager and on to an AuthenticationProvider.
Preface
There is really a lot of Spring Security-related content, but I always feel that my understanding is not solid enough, so I need to rely on writing things down to consolidate it.
Related versions:
Java: jdk 8
spring-boot: 2.1.6.RELEASE
Filter chain and authentication process
One authentication pass is the work performed by a single authentication Filter on the filter chain (the green rectangle in the diagram).
The basic authentication process consists of three steps:
1. A Filter intercepts the request and generates an unauthenticated Authentication.
2. The Authentication is handed over to the AuthenticationManager for authentication.
3. ProviderManager, the default implementation of AuthenticationManager, authenticates the Authentication through an AuthenticationProvider; it does not do the authentication itself. If authentication passes, an authenticated Authentication is created and returned; otherwise, an exception is thrown to indicate that authentication failed.
To understand this process, study the classes UsernamePasswordAuthenticationFilter, ProviderManager, DaoAuthenticationProvider and InMemoryUserDetailsManager (the UserDetailsService implementation class, provided by the default configuration in UserDetailsServiceAutoConfiguration). Just create a Spring Boot project with spring-boot-starter-security, set breakpoints in these classes and step through the process.
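Steps 2 and 3 can also be exercised without a servlet container. The following is an added example, not code from the original article: it wires the classes named above by hand, and the user name, password and class name are constructed sample values.

```java
import java.util.Arrays;
import org.springframework.security.authentication.*;
import org.springframework.security.authentication.dao.DaoAuthenticationProvider;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.AuthenticationException;
import org.springframework.security.core.userdetails.User;
import org.springframework.security.crypto.factory.PasswordEncoderFactories;
import org.springframework.security.crypto.password.PasswordEncoder;
import org.springframework.security.provisioning.InMemoryUserDetailsManager;

public class ProviderManagerDemo { // hypothetical class name
    static AuthenticationManager buildManager() {
        PasswordEncoder encoder = PasswordEncoderFactories.createDelegatingPasswordEncoder();
        // Constructed sample user; the stored password is a hash, never the plaintext.
        InMemoryUserDetailsManager users = new InMemoryUserDetailsManager(
            User.withUsername("alice").password(encoder.encode("s3cret-sample")).roles("USER").build());
        DaoAuthenticationProvider dao = new DaoAuthenticationProvider();
        dao.setUserDetailsService(users);
        dao.setPasswordEncoder(encoder);
        // ProviderManager only delegates; the provider does the actual check.
        return new ProviderManager(Arrays.<AuthenticationProvider>asList(dao));
    }

    static String attempt(AuthenticationManager manager, Authentication request) {
        try {
            Authentication result = manager.authenticate(request);
            return "authenticated=" + result.isAuthenticated() + " authorities=" + result.getAuthorities();
        } catch (AuthenticationException e) {
            return "rejected: " + e.getClass().getSimpleName();
        }
    }

    public static void main(String[] args) {
        AuthenticationManager manager = buildManager();
        // Stand-in for step 1: the unauthenticated token a Filter would build.
        System.out.println(attempt(manager, new UsernamePasswordAuthenticationToken("alice", "s3cret-sample")));
        // Wrong password: DaoAuthenticationProvider throws BadCredentialsException.
        System.out.println(attempt(manager, new UsernamePasswordAuthenticationToken("alice", "wrong")));
        // No registered provider supports this type: ProviderNotFoundException.
        System.out.println(attempt(manager, new TestingAuthenticationToken("alice", "s3cret-sample")));
    }
}
```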
Explaining it with an authentication department analogy
When a request arrives at the front desk, the receptionist responsible for it wraps the content of the request in an Authentication object and hands it to the authentication management department. That department only manages the authentication departments and performs no authentication itself; the actual work is done by the authentication department that corresponds to the front desk. Each authentication department first decides whether the Authentication is its responsibility. If it is, the department handles it; otherwise it is passed on to the next department. On success, the authentication department creates an Authentication that has passed authentication. On failure, it either throws an exception to indicate that authentication did not pass, or leaves it to the next department to handle.
If you need to add a new authentication type, you only need to add the corresponding front desk (Filter) and the authentication department (AuthenticationProvider) that goes with it. You can also add another authentication department for an existing front desk. An authentication department uses the Authentication generated by the front desk to decide whether the request is its responsibility, so you may need to provide an Authentication type that both sides agree on.
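A new authentication type as described above, as an added example that is not code from the original article or from Spring Security. Every name in it is hypothetical (a one-time-code login on /login/code, with a CodeVerifier the application would have to supply).

```java
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.springframework.security.authentication.*;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.authority.AuthorityUtils;
import org.springframework.security.web.authentication.AbstractAuthenticationProcessingFilter;
import org.springframework.security.web.util.matcher.AntPathRequestMatcher;

public class CodeLogin { // every name in this class is hypothetical
    interface CodeVerifier { boolean verify(String phone, String code); } // supplied by the application

    /** The Authentication type agreed between the front desk and its department. */
    static class CodeToken extends AbstractAuthenticationToken {
        private final String phone, code;
        CodeToken(String phone, String code, boolean authenticated) {
            super(authenticated ? AuthorityUtils.createAuthorityList("ROLE_USER") : null);
            this.phone = phone; this.code = code;
            setAuthenticated(authenticated);
        }
        @Override public Object getPrincipal() { return phone; }
        @Override public Object getCredentials() { return code; }
    }

    /** Front desk: builds an unauthenticated token and hands it to the manager. */
    static class CodeFilter extends AbstractAuthenticationProcessingFilter {
        CodeFilter(AuthenticationManager manager) {
            super(new AntPathRequestMatcher("/login/code", "POST"));
            setAuthenticationManager(manager);
        }
        @Override public Authentication attemptAuthentication(HttpServletRequest req, HttpServletResponse res) {
            String phone = req.getParameter("phone"), code = req.getParameter("code");
            if (phone == null || code == null) throw new BadCredentialsException("Missing phone or code");
            return getAuthenticationManager().authenticate(new CodeToken(phone, code, false));
        }
    }

    /** Department: claims only CodeToken; other types fall through to the next provider. */
    static class CodeProvider implements AuthenticationProvider {
        private final CodeVerifier verifier;
        CodeProvider(CodeVerifier verifier) { this.verifier = verifier; }
        @Override public boolean supports(Class<?> type) { return CodeToken.class.isAssignableFrom(type); }
        @Override public Authentication authenticate(Authentication auth) {
            String phone = (String) auth.getPrincipal();
            if (!verifier.verify(phone, (String) auth.getCredentials()))
                throw new BadCredentialsException("Invalid code");
            return new CodeToken(phone, null, true); // authenticated copy without the credential
        }
    }
}
```

In a WebSecurityConfigurerAdapter the provider is registered with `auth.authenticationProvider(...)` and the filter with `http.addFilterBefore(..., UsernamePasswordAuthenticationFilter.class)`. The CodeVerifier implementation should make codes single-use and short-lived and limit attempts per account.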
When an authentication department needs personnel information, it gets it from the personnel data department. Different systems have different personnel data departments, so we need to provide our own; otherwise we will get blank files. The personnel data department is not necessarily unique, and an authentication department can have its own dedicated data department.
The above picture can also be drawn as follows:
This way of drawing it may match the FilterChain more closely. Each receptionist is one Filter in the FilterChain; the customer carries the request from one receptionist to the next, and the authentication decision is made once the right receptionist is found.
Front desk (Filter)
The front desk Filter here refers only to Filters that implement authentication. The other Filters in the Spring Security filter chain, such as CsrfFilter, are not front desks; if you have to give them a role, treat them as security guards.
Spring Security provides three ready-made Filters: UsernamePasswordAuthenticationFilter, BasicAuthenticationFilter and RememberMeAuthenticationFilter. Without any custom configuration, UsernamePasswordAuthenticationFilter and BasicAuthenticationFilter are in the default filter chain, so these two are also the default authentication methods.
UsernamePasswordAuthenticationFilter only takes effect on the /login path; that is, it is the Filter responsible for initiating authentication, and the endpoint for initiating authentication is /login.
    public class UsernamePasswordAuthenticationFilter extends AbstractAuthenticationProcessingFilter {
        // ...
        public UsernamePasswordAuthenticationFilter() {
            // Only POST requests to /login are treated as authentication attempts.
            super(new AntPathRequestMatcher("/login", "POST"));
        }
        // ...
    }
UsernamePasswordAuthenticationFilter is an implementation of the abstract class AbstractAuthenticationProcessingFilter, and BasicAuthenticationFilter is an implementation of the abstract class OncePerRequestFilter. The source code of these four classes is a good model for implementing a front desk (Filter).
AbstractAuthenticationProcessingFilter
AbstractAuthenticationProcessingFilter takes care of what needs to be done before and after authentication; its subclasses only need to implement the abstract method attemptAuthentication(HttpServletRequest, HttpServletResponse) to complete authentication. When using AbstractAuthenticationProcessingFilter, you need to provide an intercept path (matched using AntPathMatcher) so that it only intercepts that specific path.
UsernamePasswordAuthenticationFilter
As an actual front desk, UsernamePasswordAuthenticationFilter packages the username and password submitted by the client into a UsernamePasswordAuthenticationToken and hands it to the authentication management department (AuthenticationManager) for authentication. With that, its job is done.
BasicAuthenticationFilter
This Filter only processes requests that carry an Authorization header whose lowercased value begins with basic; otherwise the Filter does not handle the request. The Filter obtains the Base64-encoded username and password from the header and creates a UsernamePasswordAuthenticationToken, which it gives to the authentication management department (AuthenticationManager) for authentication.
Authentication data (Authentication)
After receiving a request, the front desk extracts the required information from it and creates the authentication data (Authentication) that its own authentication department (AuthenticationProvider) recognizes. The authentication department (AuthenticationProvider) decides whether a request is its responsibility mainly by the type of the authentication data (Authentication).
    public interface Authentication extends Principal, Serializable {
        // The permissions that the principal has. The AuthorityUtils utility class provides some convenient methods.
        Collection