Spring Security authorization process

Spring Security is a security framework that can provide declarative security access control solutions for Spring-based enterprise application systems. It provides a set of beans that can be configured in the Spring application context, making full use of Spring IoC, DI (Inversion of Control, DI: Dependency Injection) and AOP (Aspect Oriented Programming) functions to provide application systems with Declarative security access control capabilities reduce the effort of writing a lot of repetitive code for enterprise system security controls.

foreword

This article is a continuation of the Spring Security authentication process in the previous chapter to further analyze Spring Securityhow the user name and password login authorization is implemented;

Class Diagram

debugging process

Use the debug method to start the project https://github.com/longfeizheng/logback , enter http://localhost:8080/persons in the browser , the user name is optional, and the password is 123456;

Source code analysis

As shown in the figure, it shows the filtersrelated author has marked out several filters that he considers important.

The order of execution can be seen from the figure. Let's take a look at the processing logic of several Filters that the author considers to be more important, UsernamePasswordAuthenticationFilter, AnonymousAuthenticationFilter, ExceptionTranslationFilter, FilterSecurityInterceptorand the related processing flow as follows;

UsernamePasswordAuthenticationFilter

The whole calling process is to call its parent class AbstractAuthenticationProcessingFilter.doFilter() method first, and then execute UsernamePasswordAuthenticationFilter.attemptAuthentication() method for verification;

AbstractAuthenticationProcessingFilter

public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
			throws IOException, ServletException {

		HttpServletRequest request = (HttpServletRequest) req;
		HttpServletResponse response = (HttpServletResponse) res;
		#1.判断当前的filter是否可以处理当前请求，不可以的话则交给下一个filter处理
		if (!requiresAuthentication(request, response)) {
			chain.doFilter(request, response);

			return;
		}

		if (logger.isDebugEnabled()) {
			logger.debug("Request is to process authentication");
		}

		Authentication authResult;

		try {
			#2.抽象方法由子类UsernamePasswordAuthenticationFilter实现
			authResult = attemptAuthentication(request, response);
			if (authResult == null) {
				// return immediately as subclass has indicated that it hasn't completed
				// authentication
				return;
			}
			#2.认证成功后，处理一些与session相关的方法 
			sessionStrategy.onAuthentication(authResult, request, response);
		}
		catch (InternalAuthenticationServiceException failed) {
			logger.error(
					"An internal error occurred while trying to authenticate the user.",
					failed);
			#3.认证失败后的的一些操作
			unsuccessfulAuthentication(request, response, failed);

			return;
		}
		catch (AuthenticationException failed) {
			// Authentication failed
			unsuccessfulAuthentication(request, response, failed);

			return;
		}

		// Authentication success
		if (continueChainBeforeSuccessfulAuthentication) {
			chain.doFilter(request, response);
		}
		#3. 认证成功后的相关回调方法 主要将当前的认证放到SecurityContextHolder中
		successfulAuthentication(request, response, chain, authResult);
	}

The execution flow of the whole program is as follows:

Determine whether the filter can handle the current request, if not, release it to the next filter
Call the abstract method for verification, which is implemented attemptAuthenticationby subclassesUsernamePasswordAuthenticationFilter
After the authentication is successful, some methods related to the session are called back;
After the authentication is successful, the relevant callback method after the authentication is successful; after the authentication is successful, the relevant callback method after the authentication is successful;

protected void successfulAuthentication(HttpServletRequest request,
			HttpServletResponse response, FilterChain chain, Authentication authResult)
			throws IOException, ServletException {

		if (logger.isDebugEnabled()) {
			logger.debug("Authentication success. Updating SecurityContextHolder to contain: "
					+ authResult);
		}

		SecurityContextHolder.getContext().setAuthentication(authResult);

		rememberMeServices.loginSuccess(request, response, authResult);

		// Fire event
		if (this.eventPublisher != null) {
			eventPublisher.publishEvent(new InteractiveAuthenticationSuccessEvent(
					authResult, this.getClass()));
		}

		successHandler.onAuthenticationSuccess(request, response, authResult);
	}

1. 将当前认证成功的 Authentication 放置到 SecurityContextHolder 中；
2. 将当前认证成功的 Authentication 放置到 SecurityContextHolder 中；
3. 调用其它可扩展的 handlers 继续处理该认证成功以后的回调事件；（实现`AuthenticationSuccessHandler`接口即可）

UsernamePasswordAuthenticationFilter

public Authentication attemptAuthentication(HttpServletRequest request,
			HttpServletResponse response) throws AuthenticationException {
		#1.判断请求的方法必须为POST请求
		if (postOnly && !request.getMethod().equals("POST")) {
			throw new AuthenticationServiceException(
					"Authentication method not supported: " + request.getMethod());
		}
		#2.从request中获取username和password
		String username = obtainUsername(request);
		String password = obtainPassword(request);

		if (username == null) {
			username = "";
		}

		if (password == null) {
			password = "";
		}

		username = username.trim();
		#3.构建UsernamePasswordAuthenticationToken（两个参数的构造方法setAuthenticated(false)）
		UsernamePasswordAuthenticationToken authRequest = new UsernamePasswordAuthenticationToken(
				username, password);

		// Allow subclasses to set the "details" property
		setDetails(request, authRequest);
		#4. 调用 AuthenticationManager 进行验证（子类ProviderManager遍历所有的AuthenticationProvider认证）
		return this.getAuthenticationManager().authenticate(authRequest);
	}

The method to authenticate the request must bePOST
Get username and password from request
Encapsulated Authenticaitonimplementation class UsernamePasswordAuthenticationToken, ( UsernamePasswordAuthenticationTokencalls the two-parameter constructor setAuthenticated(false))
Call AuthenticationManagerthe authenticatemethod for verification; refer to the ProviderManager section;

AnonymousAuthenticationFilter

From the execution sequence diagram of the filter in the above figure, it can be seen that AnonymousAuthenticationFilterthe filter is after UsernamePasswordAuthenticationFilterwaiting for the filter. If none of the filters in front of it are successfully authenticated, add an anonymous implementation class Spring Securityfor the current one ;SecurityContextHolderAuthenticaitonAnonymousAuthenticationToken

public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
			throws IOException, ServletException {
		#1.如果前面的过滤器都没认证通过，则SecurityContextHolder中Authentication为空
		if (SecurityContextHolder.getContext().getAuthentication() == null) {
			#2.为当前的SecurityContextHolder中添加一个匿名的AnonymousAuthenticationToken
			SecurityContextHolder.getContext().setAuthentication(
					createAuthentication((HttpServletRequest) req));

			if (logger.isDebugEnabled()) {
				logger.debug("Populated SecurityContextHolder with anonymous token: '"
						+ SecurityContextHolder.getContext().getAuthentication() + "'");
			}
		}
		else {
			if (logger.isDebugEnabled()) {
				logger.debug("SecurityContextHolder not populated with anonymous token, as it already contained: '"
						+ SecurityContextHolder.getContext().getAuthentication() + "'");
			}
		}

		chain.doFilter(req, res);
	}

	#3.创建匿名的AnonymousAuthenticationToken
	protected Authentication createAuthentication(HttpServletRequest request) {
		AnonymousAuthenticationToken auth = new AnonymousAuthenticationToken(key,
				principal, authorities);
		auth.setDetails(authenticationDetailsSource.buildDetails(request));

		return auth;
	}
	
		/**
	 * Creates a filter with a principal named "anonymousUser" and the single authority
	 * "ROLE_ANONYMOUS".
	 *
	 * @param key the key to identify tokens created by this filter
	 */
	 ##.创建一个用户名为anonymousUser 授权为ROLE_ANONYMOUS
	public AnonymousAuthenticationFilter(String key) {
		this(key, "anonymousUser", AuthorityUtils.createAuthorityList("ROLE_ANONYMOUS"));
	}

Judging SecurityContextHolder中Authenticationwhether it is empty;
If empty SecurityContextHolder, add an anonymous AnonymousAuthenticationToken(user name is anonymousUser AnonymousAuthenticationToken) to the current one

ExceptionTranslationFilter

ExceptionTranslationFilterException handling filter, this filter is used to handle the exception (that is, the next filter FilterSecurityInterceptor) thrown during the system authentication and authorization process, mainly dealing with AuthenticationExceptionand AccessDeniedException.

public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
			throws IOException, ServletException {
		HttpServletRequest request = (HttpServletRequest) req;
		HttpServletResponse response = (HttpServletResponse) res;

		try {
			chain.doFilter(request, response);

			logger.debug("Chain processed normally");
		}
		catch (IOException ex) {
			throw ex;
		}
		catch (Exception ex) {
			// Try to extract a SpringSecurityException from the stacktrace
			#.判断是不是AuthenticationException
			Throwable[] causeChain = throwableAnalyzer.determineCauseChain(ex);
			RuntimeException ase = (AuthenticationException) throwableAnalyzer
					.getFirstThrowableOfType(AuthenticationException.class, causeChain);

			if (ase == null) {
				#. 判断是不是AccessDeniedException
				ase = (AccessDeniedException) throwableAnalyzer.getFirstThrowableOfType(
						AccessDeniedException.class, causeChain);
			}

			if (ase != null) {
				handleSpringSecurityException(request, response, chain, ase);
			}
			else {
				// Rethrow ServletExceptions and RuntimeExceptions as-is
				if (ex instanceof ServletException) {
					throw (ServletException) ex;
				}
				else if (ex instanceof RuntimeException) {
					throw (RuntimeException) ex;
				}

				// Wrap other Exceptions. This shouldn't actually happen
				// as we've already covered all the possibilities for doFilter
				throw new RuntimeException(ex);
			}
		}
	}

FilterSecurityInterceptor

This filter is the last filter in the authentication and authorization filter chain, after which the real /personsservice is requested

public void doFilter(ServletRequest request, ServletResponse response,
			FilterChain chain) throws IOException, ServletException {
		FilterInvocation fi = new FilterInvocation(request, response, chain);
		invoke(fi);
	}

public void invoke(FilterInvocation fi) throws IOException, ServletException {
		if ((fi.getRequest() != null)
				&& (fi.getRequest().getAttribute(FILTER_APPLIED) != null)
				&& observeOncePerRequest) {
			// filter already applied to this request and user wants us to observe
			// once-per-request handling, so don't re-do security checking
			fi.getChain().doFilter(fi.getRequest(), fi.getResponse());
		}
		else {
			// first time this request being called, so perform security checking
			if (fi.getRequest() != null) {
				fi.getRequest().setAttribute(FILTER_APPLIED, Boolean.TRUE);
			}
			#1. before invocation重要
			InterceptorStatusToken token = super.beforeInvocation(fi);

			try {
				#2. 可以理解开始请求真正的 /persons 服务
				fi.getChain().doFilter(fi.getRequest(), fi.getResponse());
			}
			finally {
				super.finallyInvocation(token);
			}
			#3. after Invocation
			super.afterInvocation(token, null);
		}
	}

before invocation is important
Request the real /persons service
after Invocation

Of the three parts, the most important is #1. During this process, will be called AccessDecisionManagerto verify whether the currently authenticated user has permission to access the resource;

before invocation: AccessDecisionManager

protected InterceptorStatusToken beforeInvocation(Object object) {
		...

		Collection<ConfigAttribute> attributes = this.obtainSecurityMetadataSource()
				.getAttributes(object);

		...
		Authentication authenticated = authenticateIfRequired();

		// Attempt authorization
		try {
			#1.重点
			this.accessDecisionManager.decide(authenticated, object, attributes);
		}
		catch (AccessDeniedException accessDeniedException) {
			publishEvent(new AuthorizationFailureEvent(object, attributes, authenticated,accessDeniedException));

			throw accessDeniedException;
		}

		...
	}

authenticatedIs the current certification Authentication, then objectand attributeswhat is it?

What are attributes and objects?

Collection<ConfigAttribute> attributes = this.obtainSecurityMetadataSource()
				.getAttributes(object);

debugging

We find that objectit is the current request url:/persons, then the getAttributesmethod is to use the current access resource path to 匹配match the rules defined by ourselves.

protected void configure(HttpSecurity http) throws Exception {
        http.formLogin()//使用表单登录，不再使用默认httpBasic方式
                .loginPage(SecurityConstants.DEFAULT_UNAUTHENTICATION_URL)//如果请求的URL需要认证则跳转的URL
                .loginProcessingUrl(SecurityConstants.DEFAULT_SIGN_IN_PROCESSING_URL_FORM)//处理表单中自定义的登录URL
                .and()
                .authorizeRequests().antMatchers(SecurityConstants.DEFAULT_UNAUTHENTICATION_URL,
                SecurityConstants.DEFAULT_SIGN_IN_PROCESSING_URL_FORM,
                SecurityConstants.DEFAULT_REGISTER_URL,
                "/**/*.js",
                "/**/*.css",
                "/**/*.jpg",
                "/**/*.png",
                "/**/*.woff2")
                .permitAll()//以上的请求都不需要认证
                .anyRequest()//剩下的请求
                .authenticated()//都需要认证
                .and()
                .csrf().disable()//关闭csrd拦截
        ;
    }

0-7Return permitALLmeans that no authentication is required, and the 8corresponding anyRequestreturn authenticatedmeans that the current request requires authentication;

You can see that the current authenticatedanonymous AnonymousAuthenticationuser name isanonymousUser

How is AccessDecisionManager authorized?

Spring SecurityBy default, the AffirmativeBasedimplemented methodAccessDecisionManager is used to implement authorizationdecide

public void decide(Authentication authentication, Object object,
			Collection<ConfigAttribute> configAttributes) throws AccessDeniedException {
		int deny = 0;
		#1.调用AccessDecisionVoter 进行vote(投票)
		for (AccessDecisionVoter voter : getDecisionVoters()) {
			int result = voter.vote(authentication, object, configAttributes);

			if (logger.isDebugEnabled()) {
				logger.debug("Voter: " + voter + ", returned: " + result);
			}

			switch (result) {
			#1.1只要有voter投票为ACCESS_GRANTED，则通过 直接返回
			case AccessDecisionVoter.ACCESS_GRANTED://1
				return;
			@#1.2只要有voter投票为ACCESS_DENIED，则记录一下
			case AccessDecisionVoter.ACCESS_DENIED://-1
				deny++;

				break;

			default:
				break;
			}
		}

		if (deny > 0) {
		#2.如果有两个及以上AccessDecisionVoter(姑且称之为投票者吧)都投ACCESS_DENIED，则直接就不通过了
			throw new AccessDeniedException(messages.getMessage(
					"AbstractAccessDecisionManager.accessDenied", "Access is denied"));
		}

		// To get this far, every AccessDecisionVoter abstained
		checkAllowIfAllAbstainDecisions();
	}

Call AccessDecisionVoter to vote (vote)
As long as there is a pass (ACCESS_GRANTED) vote, it is directly judged to be passed.
If the vote is not passed deny++, the final judgment is if（deny>0thrown AccessDeniedException(unauthorized)

WebExpressionVoter.vote()

public int vote(Authentication authentication, FilterInvocation fi,
			Collection<ConfigAttribute> attributes) {
		assert authentication != null;
		assert fi != null;
		assert attributes != null;

		WebExpressionConfigAttribute weca = findConfigAttribute(attributes);

		if (weca == null) {
			return ACCESS_ABSTAIN;
		}

		EvaluationContext ctx = expressionHandler.createEvaluationContext(authentication,
				fi);
		ctx = weca.postProcess(ctx, fi);

		return ExpressionUtils.evaluateAsBoolean(weca.getAuthorizeExpression(), ctx) ? ACCESS_GRANTED
				: ACCESS_DENIED;
	}

authenticationThe current user information to this location , flthe currently accessed resource path and attributesthe decision of the current resource path (that is, whether authentication is required). The rest is to determine whether the current user's role Authentication.authoriteshas permission to access the current resource fi.