【許可權管理系統】Spring security(三)---認證過程(原理解析,demo)
在前面兩節Spring security (一)架構框架-Component、Service、Filter分析和Spring Security(二)--WebSecurityConfigurer配置以及filter順序為Spring Security認證作好了準備,可以讓我們更好的理解認證過程以及專案程式碼編寫。
1.認證過程工作流程
認證工作流程:
AbstractAuthenticationProcessingFilter
doFilter()(attemptAuthentication()獲取Authentication實體)
->UsernamePasswordAuthenticationFilter(AbstractAuthenticationProcessingFilter的子類)
attemptAuthentication() (在UsernamePasswordAuthenticationToken()中將username 和 password 生成 UsernamePasswordAuthenticationToken物件,getAuthenticationManager().authenticate進行認證以及返回獲取Authentication實體)
->AuthenticationManager
->ProviderManager()(AuthenticationManager介面實現)
authenticate()(AuthenticationProvider.authenticate()進行認證並獲取Authentication實體)
->AbstractUserDetailsAuthenticationProvider(內建快取機制,如果快取中沒有使用者資訊就呼叫retrieveUser()獲取使用者)
authenticate() (獲取Authentication實體需要userDetails,在快取中或者retrieveUser()獲取userDetails;驗證additionalAuthenticationChecks(); createSuccessAuthentication()生成Authentication實體)
->DaoAuthenticationProvider
retrieveUser() (呼叫自定義UserDetailsService中loadUserByUsername()載入userDetails)
->UserDetailsService
loadUserByUsername()(獲取userDetails)具體流程請看下面小節。
1.1:請求首先經過過濾器AbstractAuthenticationProcessingFilter以及UsernamePasswordAuthenticationFilter進行處理
當請求來臨時,在預設情況下,請求先經過AbstractAuthenticationProcessingFilter的子類UsernamePasswordAuthenticationFilter過濾器。在UsernamePasswordAuthenticationFilter過濾器呼叫attemptAuthentication()方法現實主要的兩步過程:
-
建立擁有使用者的詳情資訊的Authentication物件,在預設的UsernamePasswordAuthenticationFilter中將建立UsernamePasswordAuthenticationToken的Authentication物件;
-
AuthenticationManager呼叫authenticate()方法進行認證過程,在預設情況,使用ProviderManager類進行認證。
UsernamePasswordAuthenticationFilter原始碼分析:
public class UsernamePasswordAuthenticationFilter extends
AbstractAuthenticationProcessingFilter {
....
public Authentication attemptAuthentication(HttpServletRequest request,
HttpServletResponse response) throws AuthenticationException {
.....
//1.建立擁有使用者的詳情資訊的Authentication物件
UsernamePasswordAuthenticationToken authRequest = new UsernamePasswordAuthenticationToken(
username, password);
// Allow subclasses to set the "details" property
setDetails(request, authRequest);
//2.AuthenticationManager進行認證
return this.getAuthenticationManager().authenticate(authRequest);
}
...
} 1.2請求經過過濾器處理之後,在AuthenticationManager以及ProviderManager認證
在UsernamePasswordAuthenticationFilter中看出,將呼叫AuthenticationManager介面的authenticate()方法進行詳細認證。預設情況將使用AuthenticationManager子類ProviderManager的authenticate()進行認證,可以分成三個主要過程:
-
AuthenticationProvide.authenticate()進行認證,預設下,將使用AbstractUserDetailsAuthenticationProvider進行認證;
-
認證成功後,從authentication中刪除憑據和其他機密資料,否則丟擲異常或者認證失敗;
-
釋出認證成功事件,並將Authentication物件儲存到security context中。
ProviderManager原始碼分析:
public class ProviderManager implements AuthenticationManager, MessageSourceAware,
InitializingBean {
...
public Authentication authenticate(Authentication authentication)
throws AuthenticationException {
...
//AuthenticationProvider依次進行認證
for (AuthenticationProvider provider : getProviders()) {
...
try {
//1.1進行認證,並返回Authentication物件
result = provider.authenticate(authentication);
if (result != null) {
copyDetails(authentication, result);
break;
}
}
...
catch (AuthenticationException e) {
lastException = e;
}
}
if (result == null && parent != null) {
// Allow the parent to try.
try {
//1.2如果1.1認證中沒有一個驗證通過,則使用父型別AuthenticationManager進行驗證
result = parent.authenticate(authentication);
}
catch (ProviderNotFoundException e) {
// ignore as we will throw below if no other exception occurred prior to
// calling parent and the parent
// may throw ProviderNotFound even though a provider in the child already
// handled the request
}
catch (AuthenticationException e) {
lastException = e;
}
}
//2.從authentication中刪除憑據和其他機密資料
if (result != null) {
if (eraseCredentialsAfterAuthentication
&& (result instanceof CredentialsContainer)) {
// Authentication is complete. Remove credentials and other secret data
// from authentication
((CredentialsContainer) result).eraseCredentials();
}
//3.釋出認證成功事件,並將Authentication物件儲存到security context中
eventPublisher.publishAuthenticationSuccess(result);
return result;
}
}
1.3 認證過程詳細處理:AuthenticationProvider、AbstractUserDetailsAuthenticationProvider以及DaoAuthenticationProvider
在預設認證詳細處理過程中,AuthenticationProvider認證由AbstractUserDetailsAuthenticationProvider抽象類以及AbstractUserDetailsAuthenticationProvider的子類DaoAuthenticationProvider進行方法重寫協助共同工作進行認證的。主要可以分成以下步驟:
-
獲取使用者資訊UserDetails,首先從快取中讀取資訊,如果快取中沒有的化,在UserDetailsService中載入,其最主要可以從我們自定義的UserDetailsService進行讀取使用者資訊UserDetails;
-
驗證三步走: 1). preAuthenticationChecks
2). additionalAuthenticationChecks:使用PasswordEncoder.matches()方法進行認證,其驗證方式中驗證資料已經過PasswordEncoder演算法加密,可以通過實現PasswordEncoder介面來定義演算法加密方式。
3). postAuthenticationChecks
-
將已通過驗證的使用者資訊封裝成 UsernamePasswordAuthenticationToken物件並返回;該物件封裝了使用者的身份資訊,以及相應的許可權資訊。
AbstractUserDetailsAuthenticationProvider主要功能提供authenticate()認證方法以及給DaoAuthenticationProvider重寫方法原始碼分析:
public abstract class AbstractUserDetailsAuthenticationProvider implements
AuthenticationProvider, InitializingBean, MessageSourceAware {
...
public Authentication authenticate(Authentication authentication)
throws AuthenticationException {
...
boolean cacheWasUsed = true;
//1.1獲取快取中UserDetails資訊
UserDetails user = this.userCache.getUserFromCache(username);
//1.2 如果快取中沒有資訊,從UserDetailsService中獲取
if (user == null) {
cacheWasUsed = false;
try {
//使用DaoAuthenticationProvider中重寫的方法去獲取資訊
user = retrieveUser(username,
(UsernamePasswordAuthenticationToken) authentication);
}catch{
...
}
...
try {
//進行檢驗認證
preAuthenticationChecks.check(user);
additionalAuthenticationChecks(user,
(UsernamePasswordAuthenticationToken) authentication);
}catch{
...
}
...
postAuthenticationChecks.check(user);
....
// 將已通過驗證的使用者資訊封裝成 UsernamePasswordAuthenticationToken物件並返回
return createSuccessAuthentication(principalToReturn, authentication, user);
}
DaoAuthenticationProvider功能主要為認證憑證加密PasswordEncoder,以及重寫AbstractUserDetailsAuthenticationProvider抽象類的retrieveUser、additionalAuthenticationChecks方法,其中retrieveUser主要是獲取UserDetails資訊,原始碼分析
protected final UserDetails retrieveUser(String username,
UsernamePasswordAuthenticationToken authentication)
throws AuthenticationException {
prepareTimingAttackProtection();
try {
//根據UserDetailsService獲取UserDetails資訊,從自定義的UserDetailsService獲取
UserDetails loadedUser = this.getUserDetailsService().loadUserByUsername(username);
if (loadedUser == null) {
throw new InternalAuthenticationServiceException(
"UserDetailsService returned null, which is an interface contract violation");
}
return loadedUser;
}
catch (UsernameNotFoundException ex) {
mitigateAgainstTimingAttack(authentication);
throw ex;
}
catch (InternalAuthenticationServiceException ex) {
throw ex;
}
catch (Exception ex) {
throw new InternalAuthenticationServiceException(ex.getMessage(), ex);
}
}
additionalAuthenticationChecks主要使用PasswordEncoder進行密碼驗證,原始碼分析:
protected void additionalAuthenticationChecks(UserDetails userDetails,
UsernamePasswordAuthenticationToken authentication)
throws AuthenticationException {
if (authentication.getCredentials() == null) {
logger.debug("Authentication failed: no credentials provided");
throw new BadCredentialsException(messages.getMessage(
"AbstractUserDetailsAuthenticationProvider.badCredentials",
"Bad credentials"));
}
String presentedPassword = authentication.getCredentials().toString();
//進行密碼驗證
if (!passwordEncoder.matches(presentedPassword, userDetails.getPassword())) {
logger.debug("Authentication failed: password does not match stored value");
throw new BadCredentialsException(messages.getMessage(
"AbstractUserDetailsAuthenticationProvider.badCredentials",
"Bad credentials"));
}
}
1.4 認證中所需的認證憑證獲取:UserDetailsService
在認證中必須獲取認證憑證,從UserDetailsService獲取到認證憑證,UserDetailsService介面只有一個方法:
UserDetails loadUserByUsername(String username) throws UsernameNotFoundException;
通過使用者名稱 username 呼叫方法 loadUserByUsername 返回了一個UserDetails介面物件:
public interface UserDetails extends Serializable {
//1.許可權集合
Collection<? extends GrantedAuthority> getAuthorities();
//2.密碼
String getPassword();
//3.使用者名稱
String getUsername();
//4.使用者是否過期
boolean isAccountNonExpired();
//5.是否鎖定
boolean isAccountNonLocked();
//6.使用者密碼是否過期
boolean isCredentialsNonExpired();
//7.賬號是否可用(可理解為是否刪除)
boolean isEnabled();
}
我們通過實現UserDetailsService自定義獲取UserDetails類,可以從不同資料來源中獲取認證憑證。
1.5 總結
總結Spring Security(二)--WebSecurityConfigurer配置以及filter順序和本節Spring security(三)想要實現簡單認證過程:
-
第一步:配置WebSecurityConfig
-
第二步: 實現自定義UserDetailsService,自定義從資料來源碼獲取認證憑證。
2 Spring boot與Spring security整合
2.1配置WebSecurityConfig
@Configuration
@EnableWebSecurity
public class SecurityConfig extends WebSecurityConfigurerAdapter {
@Override
protected void configure(HttpSecurity http) throws Exception {
// TODO Auto-generated method stub
//super.configure(http);
http .csrf().disable()
.authorizeRequests()
.anyRequest().authenticated()
.and()
.formLogin()
.loginPage("/login")
.loginProcessingUrl("/login/form")
.failureUrl("/login-error")
.permitAll() //表單登入,permitAll()表示這個不需要驗證 登入頁面,登入失敗頁面
.and()
.logout().permitAll();
}
}
2.2 UserDetailsService實現
@service
public class CustomUserService implements UserDetailsService {
@Autowired
private UserInfoMapper userInfoMapper;
@Autowired
private PermissionInfoMapper permissionInfoMapper;
@Autowired
private BCryptPasswordEncoderService bCryptPasswordEncoderService;
@Override
public UserDetails loadUserByUsername(String username) throws UsernameNotFoundException {
// TODO Auto-generated method stub
//這裡可以可以通過username(登入時輸入的使用者名稱)然後到資料庫中找到對應的使用者資訊,並構建成我們自己的UserInfo來返回。
UserInfoDTO user = userInfoMapper.getUserInfoByUserName(username);
if (user != null) {
List<PermissionInfoDTO> permissionInfoDTOS = permissionInfoMapper.findByAdminUserId(userInfo.getId());
List<GrantedAuthority> grantedAuthorityList = new ArrayList<>();
for (PermissionInfoDTO permissionInfoDTO : permissionInfoDTOS) {
if (permissionInfoDTO != null && permissionInfoDTO.getPermissionName() != null) {
GrantedAuthority grantedAuthority = new SimpleGrantedAuthority(
permissionInfoDTO.getPermissionName());
grantedAuthorityList.add(grantedAuthority);
}
}
return new User(userInfo.getUserName(), bCryptPasswordEncoderService.encode(userInfo.getPasswaord()), grantedAuthorityList);
}else {
throw new UsernameNotFoundException("admin" + username + "do not exist");
}
}
}
往期文章:
-
Spring security (一)架構框架-Component、Service、Filter分析
-
Spring Security(二)--WebSecurityConfigurer配置以及filter順序
-
...
各位看官還可以嗎?喜歡的話,動動手指點個贊