2025-04-06 Update. From: SLTechnology News&Howtos (shulou)
Shulou(Shulou.com)06/02 Report--
This article introduces the login process of Spring Security. Many people run into this question when working on real projects, so let's walk through how the login request is handled.
In Spring Security, authentication and authorization are implemented through filters.
When a login starts, the key filter is UsernamePasswordAuthenticationFilter, which extends the abstract class AbstractAuthenticationProcessingFilter. AbstractAuthenticationProcessingFilter has a doFilter method, so let's start there.

```java
private void doFilter(HttpServletRequest request, HttpServletResponse response, FilterChain chain)
        throws IOException, ServletException {
    if (!requiresAuthentication(request, response)) {
        chain.doFilter(request, response);
        return;
    }
    try {
        Authentication authenticationResult = attemptAuthentication(request, response);
        if (authenticationResult == null) {
            // return immediately as subclass has indicated that it hasn't completed
            return;
        }
        this.sessionStrategy.onAuthentication(authenticationResult, request, response);
        // Authentication success
        if (this.continueChainBeforeSuccessfulAuthentication) {
            chain.doFilter(request, response);
        }
        successfulAuthentication(request, response, chain, authenticationResult);
    } catch (InternalAuthenticationServiceException failed) {
        this.logger.error("An internal error occurred while trying to authenticate the user.", failed);
        unsuccessfulAuthentication(request, response, failed);
    } catch (AuthenticationException ex) {
        // Authentication failed
        unsuccessfulAuthentication(request, response, ex);
    }
}
```
First, requiresAuthentication determines whether authentication should be attempted for this request. Then doFilter calls attemptAuthentication, which here is the attemptAuthentication method of UsernamePasswordAuthenticationFilter.

```java
public Authentication attemptAuthentication(HttpServletRequest request, HttpServletResponse response)
        throws AuthenticationException {
    if (this.postOnly && !request.getMethod().equals("POST")) {
        throw new AuthenticationServiceException("Authentication method not supported: " + request.getMethod());
    }
    String username = obtainUsername(request);
    username = (username != null) ? username : "";
    username = username.trim();
    String password = obtainPassword(request);
    password = (password != null) ? password : "";
    UsernamePasswordAuthenticationToken authRequest = new UsernamePasswordAuthenticationToken(username, password);
    // Allow subclasses to set the "details" property
    setDetails(request, authRequest);
    return this.getAuthenticationManager().authenticate(authRequest);
}
```
1. The attemptAuthentication method of UsernamePasswordAuthenticationFilter first checks the request method: if it is not a POST request, it throws an exception. (PS: the POST method must be used to log in.)
2. Get the username and password. The obtainUsername and obtainPassword methods are used here, and they read the values with request.getParameter.

```java
@Nullable
protected String obtainPassword(HttpServletRequest request) {
    return request.getParameter(this.passwordParameter);
}

@Nullable
protected String obtainUsername(HttpServletRequest request) {
    return request.getParameter(this.usernameParameter);
}
```

From this we can see that Spring Security reads the credentials with request.getParameter, so JSON data is not accepted when the front end and back end are separated. The way to handle this is to define a custom Filter that extends UsernamePasswordAuthenticationFilter and overrides the attemptAuthentication method, then create an instance of that Filter, write the handling logic for login success and failure, and use addFilterAt on the HttpSecurity parameter of configure to replace the filter that Spring Security provides.
3. Create an instance of UsernamePasswordAuthenticationToken.
4. Set the details. The key point is that the WebAuthenticationDetails class records the user's remoteAddress and sessionId.

```java
public WebAuthenticationDetails(HttpServletRequest request) {
    this.remoteAddress = request.getRemoteAddr();
    HttpSession session = request.getSession(false);
    this.sessionId = (session != null) ? session.getId() : null;
}
```
5. Get the AuthenticationManager and call its authenticate method to verify the credentials. Here, take the implementation class ProviderManager as an example.

```java
@Override
public Authentication authenticate(Authentication authentication) throws AuthenticationException {
    // get the runtime Class of the Authentication
```
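The JSON login workaround described under step 2, as an added example (not code from the original article or from Spring Security itself). It assumes Spring Security 5.x on javax.servlet with Jackson on the classpath; the class name JsonLoginFilter and the JSON body shape are hypothetical.

```java
import java.io.IOException;
import java.util.Map;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import com.fasterxml.jackson.databind.ObjectMapper;
import org.springframework.security.authentication.AuthenticationServiceException;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.AuthenticationException;
import org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter;

// Hypothetical class: accepts {"username": "...", "password": "..."} as the login body.
public class JsonLoginFilter extends UsernamePasswordAuthenticationFilter {
    private final ObjectMapper mapper = new ObjectMapper();

    @Override
    public Authentication attemptAuthentication(HttpServletRequest request, HttpServletResponse response)
            throws AuthenticationException {
        // Keep the POST-only rule of the stock filter.
        if (!"POST".equals(request.getMethod())) {
            throw new AuthenticationServiceException("Authentication method not supported: " + request.getMethod());
        }
        String contentType = request.getContentType();
        if (contentType == null || !contentType.toLowerCase().startsWith("application/json")) {
            // Form posts still take the original getParameter path.
            return super.attemptAuthentication(request, response);
        }
        Map<?, ?> body;
        try {
            body = mapper.readValue(request.getInputStream(), Map.class);
        } catch (IOException ex) {
            // Malformed JSON becomes an authentication failure handled by unsuccessfulAuthentication.
            throw new AuthenticationServiceException("Unreadable login request", ex);
        }
        Object u = (body != null) ? body.get(getUsernameParameter()) : null;
        Object p = (body != null) ? body.get(getPasswordParameter()) : null;
        // Non-string or missing values are treated as empty, as the stock filter does for null.
        String username = (u instanceof String) ? ((String) u).trim() : "";
        String password = (p instanceof String) ? (String) p : "";
        UsernamePasswordAuthenticationToken authRequest = new UsernamePasswordAuthenticationToken(username, password);
        setDetails(request, authRequest);
        return getAuthenticationManager().authenticate(authRequest);
    }
}
```

Before registering the instance with addFilterAt(filter, UsernamePasswordAuthenticationFilter.class), call setAuthenticationManager and set the success and failure handlers on it, because a hand-built filter does not pick these up from the form login configuration.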