How to realize user name and password login by Spring Security

2025-02-21 Update From: SLTechnology News&Howtos

Shulou(Shulou.com)06/02 Report--

This article explains how Spring Security implements user name and password login. Many readers will not be familiar with the details, so it is shared here for reference; I hope you learn something from reading it.

Introduction

Suppose you use Spring Security for security management on the server. After a user logs in successfully, Spring Security saves the user information in the Session for you, but unless you dig into it you may not know exactly where. That raises a problem: if the user modifies the current user's information from the front end, how do you get the latest user information without logging in again?

Inquiry

Ubiquitous Authentication

Anyone who has worked with Spring Security knows that it has a very important object called Authentication. We can inject Authentication anywhere to get the information of the currently logged-in user. Authentication itself is an interface with many implementation classes.

Among the many implementation classes, the most commonly used is UsernamePasswordAuthenticationToken. When we open the source code of this class, though, we find it is quite unremarkable: it has only two properties, two constructors, and several get/set methods. It does, of course, inherit more properties from its parent class.

But from its only two properties, we can also roughly see that this class holds the basic information of our logged-in users. So how is our login information stored in these two objects? It's time to sort out the login process.

Login process

```java
// Imports omitted. HttpServletRequest and HttpServletResponse come from javax.servlet.http
// (Spring Security 5.x) or jakarta.servlet.http (6.x).
public class UsernamePasswordAuthenticationFilter extends AbstractAuthenticationProcessingFilter {
    // Default request keys for the user name and password
    public static final String SPRING_SECURITY_FORM_USERNAME_KEY = "username";
    public static final String SPRING_SECURITY_FORM_PASSWORD_KEY = "password";
    // Path intercepted by this filter by default
    private static final AntPathRequestMatcher DEFAULT_ANT_PATH_REQUEST_MATCHER = new AntPathRequestMatcher("/login", "POST");
    // Default request parameter names
    private String usernameParameter = "username";
    private String passwordParameter = "password";
    // By default only POST requests are accepted
    private boolean postOnly = true;

    public UsernamePasswordAuthenticationFilter() {
        // Set the default intercepted path
        super(DEFAULT_ANT_PATH_REQUEST_MATCHER);
    }

    public UsernamePasswordAuthenticationFilter(AuthenticationManager authenticationManager) {
        // Set the default intercepted path and the manager that handles authentication
        super(DEFAULT_ANT_PATH_REQUEST_MATCHER, authenticationManager);
    }

    public Authentication attemptAuthentication(HttpServletRequest request, HttpServletResponse response) throws AuthenticationException {
        // Check the request method
        if (this.postOnly && !request.getMethod().equals("POST")) {
            throw new AuthenticationServiceException("Authentication method not supported: " + request.getMethod());
        } else {
            // Get the corresponding values from the request parameters
            String username = this.obtainUsername(request);
            username = username != null ? username : "";
            username = username.trim();
            String password = this.obtainPassword(request);
            password = password != null ? password : "";
            // Construct the authentication token for user name and password login
            UsernamePasswordAuthenticationToken authRequest = new UsernamePasswordAuthenticationToken(username, password);
            // Set the details; by default they store the session ID and the remote address.
            // authRequest is the authentication token constructed above
            this.setDetails(request, authRequest);
            // Authenticate; authRequest is the authentication token constructed above
            return this.getAuthenticationManager().authenticate(authRequest);
        }
    }

    @Nullable
    protected String obtainPassword(HttpServletRequest request) {
        return request.getParameter(this.passwordParameter);
    }

    @Nullable
    protected String obtainUsername(HttpServletRequest request) {
        return request.getParameter(this.usernameParameter);
    }

    protected void setDetails(HttpServletRequest request, UsernamePasswordAuthenticationToken authRequest) {
        authRequest.setDetails(this.authenticationDetailsSource.buildDetails(request));
    }

    public void setUsernameParameter(String usernameParameter) {
        Assert.hasText(usernameParameter, "Username parameter must not be empty or null");
        this.usernameParameter = usernameParameter;
    }

    public void setPasswordParameter(String passwordParameter) {
        Assert.hasText(passwordParameter, "Password parameter must not be empty or null");
        this.passwordParameter = passwordParameter;
    }

    public void setPostOnly(boolean postOnly) {
        this.postOnly = postOnly;
    }

    public final String getUsernameParameter() {
        return this.usernameParameter;
    }

    public final String getPasswordParameter() {
        return this.passwordParameter;
    }
}
```

According to this source code, we can see:

First, the user name and password are extracted from the request by the obtainUsername and obtainPassword methods, and the extraction is done with request.getParameter. This is why the default form login in Spring Security expects the parameters as key/value pairs rather than as JSON. If you need to pass the parameters as JSON, this is the logic to modify.

After getting the user name and password passed in the request, the filter constructs a UsernamePasswordAuthenticationToken object from them: username becomes the principal property of the UsernamePasswordAuthenticationToken, and password becomes its credentials property.

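```java
public class UsernamePasswordAuthenticationToken extends AbstractAuthenticationToken {
    private static final long serialVersionUID = 550L;
    private final Object principal;
    private Object credentials;

    // Builds an unauthenticated token; this is the constructor the filter calls
    public UsernamePasswordAuthenticationToken(Object principal, Object credentials) {
        super((Collection) null);
        this.principal = principal;
        this.credentials = credentials;
        this.setAuthenticated(false);
    }

    // Builds an authenticated token that carries the granted authorities
    public UsernamePasswordAuthenticationToken(Object principal, Object credentials,
            Collection<? extends GrantedAuthority> authorities) {
        super(authorities);
        this.principal = principal;
        this.credentials = credentials;
        super.setAuthenticated(true);
    }

    // get/set methods omitted
}
```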
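
The following added example, which is not part of the original article or of Spring Security itself, shows one way to change the request.getParameter extraction described above so that the filter also accepts a JSON body and still builds the same unauthenticated token. The class name JsonLoginFilter, the Jackson dependency and the javax.servlet imports (Spring Security 5.x; use jakarta.servlet on 6.x) are assumptions.

```java
import java.io.IOException;
import java.util.Locale;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import com.fasterxml.jackson.databind.JsonNode;
import com.fasterxml.jackson.databind.ObjectMapper;
import org.springframework.security.authentication.AuthenticationServiceException;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.AuthenticationException;
import org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter;

// Hypothetical subclass (the name is an assumption): accepts {"username": "...", "password": "..."}
public class JsonLoginFilter extends UsernamePasswordAuthenticationFilter {
    private final ObjectMapper mapper = new ObjectMapper();

    @Override
    public Authentication attemptAuthentication(HttpServletRequest request, HttpServletResponse response)
            throws AuthenticationException {
        String type = request.getContentType();
        if (type == null || !type.toLowerCase(Locale.ROOT).startsWith("application/json")) {
            // Form posts keep the stock getParameter-based behaviour, including the postOnly check
            return super.attemptAuthentication(request, response);
        }
        if (!"POST".equals(request.getMethod())) {
            throw new AuthenticationServiceException("Authentication method not supported: " + request.getMethod());
        }
        JsonNode body;
        try {
            body = mapper.readTree(request.getInputStream());
        } catch (IOException e) {
            // Malformed JSON is reported as a failed login; the body is never echoed or logged
            throw new AuthenticationServiceException("Malformed login request");
        }
        // Same normalisation as the parent class: missing values become "", user name is trimmed
        String username = text(body, getUsernameParameter()).trim();
        String password = text(body, getPasswordParameter());
        UsernamePasswordAuthenticationToken authRequest = new UsernamePasswordAuthenticationToken(username, password);
        setDetails(request, authRequest);
        return getAuthenticationManager().authenticate(authRequest);
    }

    // Only string-valued fields are accepted; objects, arrays and numbers are treated as ""
    private static String text(JsonNode body, String field) {
        JsonNode value = body == null ? null : body.get(field);
        return value != null && value.isTextual() ? value.textValue() : "";
    }
}
```

Give the filter an AuthenticationManager with setAuthenticationManager(...) and register it with http.addFilterAt(filter, UsernamePasswordAuthenticationFilter.class).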
