What does authentication specifically refer to and how to do it in spring security, this article makes a brief explanation
Environment
spring boot version: 1.5.4.RELEASE
Let's consider a simple authentication scenario that everyone is familiar with
- 1. A user is prompted for a username and password
- 2. The system verifies whether the user name and password are legal
- 3. The user's context information is obtained (such as the user's permission list)
- 4. Create a security context corresponding to the user
- 5. When the user continues to perform subsequent operations, the system's security access control mechanism uses the current security context information to determine whether these operations are permitted
The first three steps in the above scenario are the basic authentication process, let's see how this happens in spring security.
- 1. Get username and password from httpRequest, and then combine them into a UsernamePasswordAuthenticationToken instance that implements the Authentication interface
- 2. The combined token is passed to an AuthenticationManager instance (ProviderManager) for verification
- 3. If the verification is successful, the AuthenticationManager will return an assembled Authentication instance (including the user's permission information)
- 4. Create a security context by calling the SecurityContextHolder.getContext().setAuthentication(...) method and passing in the assembled Authentication instance
After that, the current user is authenticated. This process, you can have the following code to simulate
import org.springframework.security.authentication.*;
import org.springframework.security.core.*;
import org.springframework.security.core.authority.SimpleGrantedAuthority; import org.springframework.security.core.context.SecurityContextHolder;
public class AuthenticationExample {
private static AuthenticationManager am = new SampleAuthenticationManager();
public static void main(String[] args) throws Exception {
BufferedReader in = new BufferedReader(new InputStreamReader(System.in));
while(true) {
System.out.println("Please enter your username:"); String name = in.readLine(); System.out.println("Please enter your password:"); String password = in.readLine();
try {
Authentication request = new UsernamePasswordAuthenticationToken(name, password); Authentication result = am.authenticate(request); SecurityContextHolder.getContext().setAuthentication(result);
break;
} catch(AuthenticationException e) { System.out.println("Authentication failed: " + e.getMessage());
}
}
System.out.println("Successfully authenticated. Security context contains: " +
SecurityContextHolder.getContext().getAuthentication());
}
}
class SampleAuthenticationManager implements AuthenticationManager {
static final List<GrantedAuthority> AUTHORITIES = new ArrayList<GrantedAuthority>();
static {
AUTHORITIES.add(new SimpleGrantedAuthority("ROLE_USER"));
}
public Authentication authenticate(Authentication auth) throws AuthenticationException { if (auth.getName().equals(auth.getCredentials())) {
return new UsernamePasswordAuthenticationToken(auth.getName(),
auth.getCredentials(), AUTHORITIES);
}
throw new BadCredentialsException("Bad Credentials"); }
}
Among them, SampleAuthenticationManager is an authentication class we implemented, which simply judges that if the user name and password are the same, the authentication is successful, and assigns the user a fixed USER permission. The output of the program after running is as follows
Please enter your username: bob Please enter your password: password Authentication failed: Bad Credentials Please enter your username: bob Please enter your password: bob Successfully authenticated. Security context contains: \ org.springframework.security.authentication.UsernamePasswordAuthenticationToken@441d0230: \ Principal: bob; Password: [PROTECTED]; \ Authenticated: true; Details: null; \ Granted Authorities: ROLE_USER
In practical applications, we will not write the code directly like this. Here we are just to illustrate the authentication process of spring security. This example also shows how to judge the success of authentication in spring security, that is, the SecurityContextHolder contains a fully assembled Authentication object.
This example also shows that spring security does not care how the Authentication object is stored in the SecurityContextHolder. The only thing that needs to be confirmed is that the SecurityContextHolder contains an Authentication object when the AbstractSecurityInterceptor wants to authenticate a user.