A simple summary of Spring Security authentication

xiaoxiao2022-06-11  39


1. Authentication


Some important classes:

UsernamePasswordAuthenticationFilter

As the name says, this is a filter that verifies a username and password. It intercepts the login request (by default a POST to /login carrying the form parameters username and password), reads the two values from the request, builds an unauthenticated UsernamePasswordAuthenticationToken holding them (this class implements Authentication, via AbstractAuthenticationToken), and hands that token to the AuthenticationManager for the actual verification.

Authentication

    public interface Authentication extends Principal, Serializable {
        Collection<? extends GrantedAuthority> getAuthorities();
        Object getCredentials();
        Object getDetails();
        Object getPrincipal();
        boolean isAuthenticated();
        void setAuthenticated(boolean isAuthenticated) throws IllegalArgumentException;
    }

This interface represents the user's login information and plays two roles. Before authentication it carries the request: getPrincipal() is the submitted username, getCredentials() the submitted password, and isAuthenticated() is false. After a successful authentication it wraps the result: the principal becomes the loaded UserDetails, getAuthorities() holds the granted authorities, isAuthenticated() is true, and the credentials are normally erased by the ProviderManager.

AuthenticationManager

    public interface AuthenticationManager {
        Authentication authenticate(Authentication authentication) throws AuthenticationException;
    }

This is the main entry point for authentication. Its main implementation is ProviderManager, which only manages: it does not authenticate by itself but delegates to a list of AuthenticationProviders. For each provider whose supports() accepts the class of the token, it calls authenticate(); the first provider that returns a non-null Authentication wins and the manager reports success. A provider that throws an ordinary AuthenticationException lets the next provider try (the last exception is rethrown if none succeeds), but account-status errors such as LockedException or DisabledException stop the loop immediately. If no provider in the list succeeds and a parent AuthenticationManager is configured, the parent is tried next.

AuthenticationProvider

    public interface AuthenticationProvider {
        Authentication authenticate(Authentication authentication) throws AuthenticationException;
        boolean supports(Class<?> authentication);
    }

The class that really performs authentication. The main implementation is DaoAuthenticationProvider, whose purpose is to authenticate against stored user data. It does not query that data itself; it delegates the lookup to a UserDetailsService and then compares the submitted password with the stored hash. supports() tells the ProviderManager which Authentication type the provider can handle (for DaoAuthenticationProvider that is UsernamePasswordAuthenticationToken).

UserDetailsService

    public interface UserDetailsService {
        UserDetails loadUserByUsername(String username) throws UsernameNotFoundException;
    }

Loads all of a user's information by username (authorities, stored password hash, account status) in preparation for the later checks, and returns it as a UserDetails. If no such user exists it throws UsernameNotFoundException; DaoAuthenticationProvider reports that as a plain BadCredentialsException by default, so the login response does not reveal which usernames exist.

UserDetails

    public interface UserDetails extends Serializable {
        Collection<? extends GrantedAuthority> getAuthorities();
        String getPassword();
        String getUsername();
        boolean isAccountNonExpired();
        boolean isAccountNonLocked();
        boolean isCredentialsNonExpired();
        boolean isEnabled();
    }

The concrete user record: at login this is the raw, unwrapped user information straight from the store. getPassword() must return the stored hash, never a plaintext password. The four boolean flags are checked by DaoAuthenticationProvider around the password comparison: locked, disabled and expired accounts are rejected before the password is compared, expired credentials after it.

Once the lookup is done, the AuthenticationProvider compares the password. In DaoAuthenticationProvider that is additionalAuthenticationChecks():

    protected void additionalAuthenticationChecks(UserDetails userDetails,
            UsernamePasswordAuthenticationToken authentication) throws AuthenticationException {
        if (authentication.getCredentials() == null) {
            this.logger.debug("Authentication failed: no credentials provided");
            throw new BadCredentialsException(this.messages.getMessage(
                    "AbstractUserDetailsAuthenticationProvider.badCredentials", "Bad credentials"));
        }
        String presentedPassword = authentication.getCredentials().toString();
        // the submitted password is only ever compared against the stored hash via the PasswordEncoder
        if (!this.passwordEncoder.matches(presentedPassword, userDetails.getPassword())) {
            this.logger.debug("Authentication failed: password does not match stored value");
            throw new BadCredentialsException(this.messages.getMessage(
                    "AbstractUserDetailsAuthenticationProvider.badCredentials", "Bad credentials"));
        }
    }
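The whole chain described above (ProviderManager delegating to providers, DaoAuthenticationProvider loading a UserDetails through a UserDetailsService and comparing the password with a PasswordEncoder) can be exercised without a web container. The following is an added example written for this page, not code from the original post or from Spring Security itself. It assumes spring-security-core 5.7 or 6.x on the classpath; the user names, passwords and the SkippedProvider class are constructed for the demonstration. It runs four constructed login attempts: a correct password, a wrong password, a correct password for a locked account, and an unknown username.

```java
import java.util.List;

import org.springframework.security.authentication.AuthenticationManager;
import org.springframework.security.authentication.AuthenticationProvider;
import org.springframework.security.authentication.ProviderManager;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.authentication.dao.DaoAuthenticationProvider;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.AuthenticationException;
import org.springframework.security.core.userdetails.User;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
import org.springframework.security.crypto.password.PasswordEncoder;
import org.springframework.security.provisioning.InMemoryUserDetailsManager;

public class AuthenticationDemo {

    // Hypothetical second provider (think LDAP or a token provider) that does not
    // support UsernamePasswordAuthenticationToken. ProviderManager consults supports()
    // first, so authenticate() is never reached for our tokens.
    static class SkippedProvider implements AuthenticationProvider {
        @Override
        public Authentication authenticate(Authentication authentication) {
            throw new IllegalStateException("should never be called");
        }

        @Override
        public boolean supports(Class<?> authentication) {
            return false;
        }
    }

    static AuthenticationManager buildManager() {
        PasswordEncoder encoder = new BCryptPasswordEncoder();

        // Constructed sample users. Only the bcrypt hash is kept in the store;
        // "bob" is locked so the pre-authentication check rejects him.
        UserDetailsService users = new InMemoryUserDetailsManager(
                User.withUsername("alice").password(encoder.encode("correct horse"))
                        .roles("USER").build(),
                User.withUsername("bob").password(encoder.encode("hunter2"))
                        .roles("USER").accountLocked(true).build());

        DaoAuthenticationProvider dao = new DaoAuthenticationProvider();
        dao.setUserDetailsService(users);
        dao.setPasswordEncoder(encoder);
        // true is the default: an unknown username surfaces as BadCredentialsException,
        // the same error a wrong password gives, so the response does not enumerate users
        dao.setHideUserNotFoundExceptions(true);

        // SkippedProvider comes first and is skipped; dao handles the token.
        return new ProviderManager(List.of(new SkippedProvider(), dao));
    }

    // Same shape of token that UsernamePasswordAuthenticationFilter builds from the request.
    static String attempt(AuthenticationManager manager, String username, String password) {
        Authentication request = new UsernamePasswordAuthenticationToken(username, password);
        try {
            Authentication result = manager.authenticate(request);
            // ProviderManager erases credentials on the returned token by default
            return "OK principal=" + result.getName()
                    + " authorities=" + result.getAuthorities()
                    + " authenticated=" + result.isAuthenticated()
                    + " credentialsErased=" + (result.getCredentials() == null);
        } catch (AuthenticationException ex) {
            // BadCredentialsException for a wrong password or unknown user,
            // LockedException for bob (raised before the password is compared)
            return "FAILED " + ex.getClass().getSimpleName();
        }
    }

    public static void main(String[] args) {
        AuthenticationManager manager = buildManager();
        System.out.println(attempt(manager, "alice", "correct horse"));
        System.out.println(attempt(manager, "alice", "wrong password"));
        System.out.println(attempt(manager, "bob", "hunter2"));
        System.out.println(attempt(manager, "nobody", "anything"));
    }
}
```

Two details worth noticing when running it: the locked account fails even with the right password, because DaoAuthenticationProvider runs the account-status checks before additionalAuthenticationChecks(), and the unknown user and the wrong password produce the identical exception type, which is what keeps the login endpoint from leaking valid usernames.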

Below are some helper classes:

GrantedAuthority

    public interface GrantedAuthority extends Serializable {
        String getAuthority();
    }

The authority entity. getAuthority() returns the authority identifier (for example ROLE_USER), which is compared against the authority a resource requires; that comparison typically happens in a voter during authorization, which is covered later.

PasswordEncoder

    public interface PasswordEncoder {
        String encode(CharSequence rawPassword);
        boolean matches(CharSequence rawPassword, String encodedPassword);
    }


The password encoder. encode() turns a raw password into the hash that is stored, and matches() checks a submitted raw password against a stored hash. You can write your own or use a built-in one such as BCryptPasswordEncoder or the DelegatingPasswordEncoder that Spring Security uses by default; the details are not covered here. NoOpPasswordEncoder (plaintext) exists only for tests and migration and must not be used in production.
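To show what the two PasswordEncoder methods do in practice, here is an added example (not from the original post or from Spring Security's own sources) using the default delegating encoder from spring-security-crypto 5.x/6.x. The passwords and the legacy {noop} hash are constructed for the demonstration.

```java
import org.springframework.security.crypto.factory.PasswordEncoderFactories;
import org.springframework.security.crypto.password.PasswordEncoder;

public class PasswordEncoderDemo {

    public static void main(String[] args) {
        // The default encoder: encode() uses bcrypt and prefixes the result with "{bcrypt}";
        // matches() picks the algorithm from the "{id}" prefix of the stored value.
        PasswordEncoder encoder = PasswordEncoderFactories.createDelegatingPasswordEncoder();

        String stored = encoder.encode("correct horse");
        System.out.println("stored form:        " + stored);
        System.out.println("right password:     " + encoder.matches("correct horse", stored));
        System.out.println("wrong password:     " + encoder.matches("wrong", stored));

        // bcrypt salts every hash, so encoding the same password twice gives different strings;
        // this is why equality on hashes is never the right check and matches() must be used.
        String again = encoder.encode("correct horse");
        System.out.println("same hash twice:    " + stored.equals(again));
        System.out.println("second still works: " + encoder.matches("correct horse", again));

        // A legacy row that was stored in plaintext with the {noop} id still verifies, so an
        // existing user base can log in while hashes are migrated.
        String legacy = "{noop}hunter2";
        System.out.println("legacy {noop}:      " + encoder.matches("hunter2", legacy));

        // upgradeEncoding() flags stored values that should be re-encoded with the current
        // default; a migration job can call it and re-encode on the next successful login.
        System.out.println("upgrade legacy:     " + encoder.upgradeEncoding(legacy));
        System.out.println("upgrade current:    " + encoder.upgradeEncoding(stored));

        // A stored value without a recognised {id} prefix is rejected rather than guessed at.
        try {
            encoder.matches("anything", "5f4dcc3b5aa765d61d8327deb882cf99");
        } catch (IllegalArgumentException e) {
            System.out.println("no id prefix:       rejected (" + e.getMessage() + ")");
        }
    }
}
```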

AuthenticationFailureHandler

    public interface AuthenticationFailureHandler {
        void onAuthenticationFailure(HttpServletRequest request, HttpServletResponse response,
                AuthenticationException exception) throws IOException, ServletException;
    }

The authentication failure handler. It receives the request, the response and the AuthenticationException, and you decide what to do with them (redirect back to the login page, or write an error body). It is invoked by UsernamePasswordAuthenticationFilter (through its base class AbstractAuthenticationProcessingFilter) when the AuthenticationManager throws. Keep the message sent to the client the same for every exception type; the distinction between a bad password, an unknown user and a locked account belongs in the server log, not in the response.

AuthenticationSuccessHandler

    public interface AuthenticationSuccessHandler {
        void onAuthenticationSuccess(HttpServletRequest request, HttpServletResponse response,
                Authentication authentication) throws IOException, ServletException;
    }

The authentication success handler, called by the same filter after a successful authentication with the resulting Authentication. Define your own or use a built-in one; the default for form login is SavedRequestAwareAuthenticationSuccessHandler, which redirects to the page the user originally asked for.
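As an added example of wiring both handlers into UsernamePasswordAuthenticationFilter (this is illustration code written for this page, not from the original post), the configuration below returns JSON instead of redirects, which is what an API client expects, and sends one generic failure message while logging the concrete exception type server-side. It assumes Spring Boot 3 / Spring Security 6 (jakarta.servlet namespace and the lambda DSL); the class name LoginHandlerConfig and the JSON bodies are my own choices.

```java
import jakarta.servlet.http.HttpServletRequest;
import jakarta.servlet.http.HttpServletResponse;

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.AuthenticationException;
import org.springframework.security.web.SecurityFilterChain;
import org.springframework.security.web.authentication.AuthenticationFailureHandler;
import org.springframework.security.web.authentication.AuthenticationSuccessHandler;

@Configuration
public class LoginHandlerConfig {

    // Success: reply 200 with the authenticated principal's name instead of a 302.
    // authentication.getName() is the stored username from UserDetails, not the raw
    // request parameter; a real application should still build the body with a JSON library.
    static AuthenticationSuccessHandler jsonSuccess() {
        return (HttpServletRequest request, HttpServletResponse response,
                Authentication authentication) -> {
            response.setStatus(HttpServletResponse.SC_OK);
            response.setContentType("application/json");
            response.getWriter().write("{\"user\":\"" + authentication.getName() + "\"}");
        };
    }

    // Failure: the same 401 body for every AuthenticationException. Whether it was a
    // BadCredentialsException, a LockedException or anything else is only logged.
    static AuthenticationFailureHandler genericFailure() {
        return (HttpServletRequest request, HttpServletResponse response,
                AuthenticationException exception) -> {
            // log the username and the exception class; never log the submitted password
            System.err.println("login failed for '" + request.getParameter("username")
                    + "': " + exception.getClass().getSimpleName());
            response.setStatus(HttpServletResponse.SC_UNAUTHORIZED);
            response.setContentType("application/json");
            response.getWriter().write("{\"error\":\"invalid credentials\"}");
        };
    }

    @Bean
    SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
        http
            .authorizeHttpRequests(auth -> auth.anyRequest().authenticated())
            // formLogin() installs UsernamePasswordAuthenticationFilter; the filter reads
            // the "username" and "password" parameters from a POST to loginProcessingUrl
            .formLogin(form -> form
                .loginProcessingUrl("/login")
                .successHandler(jsonSuccess())
                .failureHandler(genericFailure()));
        return http.build();
    }
}
```

With this in place, a POST to /login with a wrong password, an unknown username or a locked account all produce the same 401 response body, and only the server log distinguishes them.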

Please credit the original when reposting: https://www.6miu.com/read-4930151.html
