Shulou(Shulou.com)06/03 Report--

The main content of this article is to explain "what is the principle of SpringSecurity". Interested friends may wish to have a look. The method introduced in this paper is simple, fast and practical. Now let the editor take you to learn "what is the principle of SpringSecurity"?

Original understanding of SpringSecurity [3]: authentication and Authorization

It was mentioned in the previous article that there is a method-level filter in the process of building SecurityFilterChain: FilterSecurityInterceptor. The filter uniformly invokes authentication and authorization, and Spring Security mainly does these two things: 1: authentication (who is initiating the request) and 2: identity authorization (whether or not you have permission to access resources). But one thing needs to be clear: FilterSecurityInterceptor mainly does identity authorization based on access rules. Identity authentication is the premise of identity authorization, so FilterSecurityInterceptor will authenticate once when the authentication information does not exist. The normal authentication process is the authentication completed in other higher priority filters, of course, the authentication process of the two is the same:

Obtain the authentication information of the current request through AuthenticationManager

Use AccessDecisionManager to determine whether web resources with specific access rules can be accessed

Identity authentication

Authentication is to identify who sent the current request. In Spring Security, even if you don't need to know who sent a request, an identity is built for the source of the request: anonymous identity.

For those who need to know the requested identity information, it is necessary for the client to provide the identity code and the developer to provide identification file information, and the two can be compared before a decision on which specific identity can be made. The identity provided by the client is abstracted as token Token, and the way of providing identity file information is abstracted as: authentication provider AuthenticationProvider.

Identification token

A complete identification token should display the following information: token owner: Principal, owner's authentication certificate: Credentials, owner's additional information: Details, owner's permission information: Authorities. Using Authentication to represent in Spring Security

Public interface Authentication extends Principal, Serializable {/ / Authorization set: GrantedAuthority implementation class Collection

Welcome to subscribe "Shulou Technology Information " to get latest news, interesting things and hot topics in the IT industry, and controls the hottest and latest Internet news, technology news and IT industry trends.