Sorting out the Spring Security authentication process

Foreword

Spring Security probably has one of the steepest learning curves of all the modules in the Spring family. When I first started learning it I would read for a while, get confused, and give up.

It was only a while ago that I picked it up again. This time I found a lot of material online and finally gained some understanding of Spring Security, and discovered that it is actually not that hard to understand.

Here is a short summary of what I sorted out.

A simple authentication process

Many people, when they first start writing web applications, will have used an authentication flow like the following:

  1. The front end collects the user's account, password and similar information on a form page and sends it to the back end in a POST request.
  2. The back end takes the account and password and queries the user information stored in the database.
  3. The back end compares the account and password submitted by the front end with the information from the database.
  4. If they match, the back end generates a Token, saves it in the Session and returns it to the client.
  5. The front end saves this Token and carries it in subsequent requests to prove the user's identity.

This authentication method is very simple, but is the authentication process in Spring Security any different? Not really. Spring Security, however, implements this process through a more unified set of abstract interfaces.

Spring Security

Each part of the simple authentication process above can be abstracted into a separate entity, and each of these entities has a corresponding object in Spring Security:

  1. The account, password and other information entered by the user. This is the user's authentication information, and in Spring Security it corresponds to the Authentication object. Besides holding the information the user submitted for authentication, the Authentication object is also used to hold more information about the user (for example, what was loaded from the database) once authentication has succeeded.

    public interface Authentication extends Principal, Serializable {
      Collection<? extends GrantedAuthority> getAuthorities();  // the user's granted authorities
      Object getCredentials();                                  // credentials submitted for authentication (e.g. the password)
      Object getDetails();                                      // additional details about the request (e.g. remote address)
      Object getPrincipal();                                    // the user's identity (e.g. username or UserDetails)
      boolean isAuthenticated();                                // whether this Authentication has been authenticated
      void setAuthenticated(boolean isAuthenticated);
    }
  2. The authentication information provided by the user is usually not enough on its own to decide whether the user is legitimate, so we usually need some way to load the user information stored on the server, and some representation of that stored user information. In Spring Security these correspond to the UserDetailsService and UserDetails objects respectively.

    public interface UserDetailsService {
      UserDetails loadUserByUsername(String username) throws UsernameNotFoundException;
    }
    
    public interface UserDetails extends Serializable {
      Collection<? extends GrantedAuthority> getAuthorities();
      String getPassword();
      String getUsername();
      boolean isAccountNonExpired();
      boolean isAccountNonLocked();
      boolean isCredentialsNonExpired();
      boolean isEnabled();
    }
  3. After the user has provided authentication information and we have loaded the user information stored on the server, we need to compare the two in some way. In Spring Security, the object that verifies the user's authentication information against the stored information is the AuthenticationManager:

    public interface AuthenticationManager {
      Authentication authenticate(Authentication authentication) throws AuthenticationException;
    }

    Since user authentication information comes in many forms and there are many ways to verify it, Spring Security provides the more easily extensible AuthenticationProvider interface, together with ProviderManager as the default AuthenticationManager implementation. In practice we usually only need to implement AuthenticationProvider.

    public interface AuthenticationProvider {
      Authentication authenticate(Authentication authentication) throws AuthenticationException;
      boolean supports(Class<?> authentication);
    }

    Notice that the authenticate method of AuthenticationProvider returns an Authentication object; once authentication has succeeded, this object usually carries the user's details.

  4. Once the user's authentication information has been verified, we often need to save the authentication result on the server or generate a token. In Spring Security the authentication result is held by the SecurityContext and SecurityContextHolder objects: SecurityContext holds the authenticated Authentication object, and SecurityContextHolder keeps the SecurityContext in the context of the current thread so that it can be accessed conveniently.

    public interface SecurityContext extends Serializable {
      Authentication getAuthentication();
      void setAuthentication(Authentication authentication);
    }
    
    public class SecurityContextHolder {
      public static SecurityContext getContext();
      public static void setContext(SecurityContext context);
    }

    Spring Security is implemented on top of servlet Filters, and the servlet container usually assigns each request its own thread. Therefore, before a request reaches Spring Security's specific processing logic, it is possible to complete the authentication of the user's information in a Filter and populate the SecurityContext for later use.
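The following Filter is an added example (not code from the original post or from Spring Security itself) of the pattern just described: it authenticates the request from an opaque bearer token and publishes the result through SecurityContextHolder so that later filters and controllers can read it. It assumes Spring Security 6 with the jakarta.servlet API (on Spring Security 5 the imports are javax.servlet); the token store and the token value `tok-alice-1234` are constructed sample data.

```java
import java.io.IOException;
import java.util.List;
import java.util.Map;

import jakarta.servlet.FilterChain;
import jakarta.servlet.ServletException;
import jakarta.servlet.http.HttpServletRequest;
import jakarta.servlet.http.HttpServletResponse;

import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.authority.SimpleGrantedAuthority;
import org.springframework.security.core.context.SecurityContext;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.web.filter.OncePerRequestFilter;

/**
 * Authenticates a request from an opaque bearer token and publishes the result
 * through SecurityContextHolder, so that later filters and controllers see it.
 */
public class TokenAuthenticationFilter extends OncePerRequestFilter {

    // Constructed sample token store (hypothetical): opaque token -> username.
    // A real service would look the token up in its session store or token table
    // and check expiry there.
    private final Map<String, String> tokenStore = Map.of("tok-alice-1234", "alice");

    @Override
    protected void doFilterInternal(HttpServletRequest request, HttpServletResponse response,
                                    FilterChain chain) throws ServletException, IOException {
        Authentication auth = resolve(request.getHeader("Authorization"));
        if (auth == null) {
            // No usable token: leave the context empty. Authorization further down the
            // chain rejects the request; this filter never decides access by itself.
            chain.doFilter(request, response);
            return;
        }
        // Build a fresh context rather than mutating the shared one (avoids races).
        SecurityContext context = SecurityContextHolder.createEmptyContext();
        context.setAuthentication(auth);
        SecurityContextHolder.setContext(context);
        try {
            chain.doFilter(request, response);
        } finally {
            // The holder is thread-bound and servlet threads are pooled: clear it so the
            // next request served by this thread cannot inherit this user's identity.
            SecurityContextHolder.clearContext();
        }
    }

    /** Returns an authenticated Authentication for a "Bearer <token>" header, or null. */
    Authentication resolve(String authorizationHeader) {
        if (authorizationHeader == null || !authorizationHeader.startsWith("Bearer ")) {
            return null;
        }
        String token = authorizationHeader.substring("Bearer ".length()).trim();
        String username = tokenStore.get(token);
        if (username == null) {
            return null;
        }
        // Three-argument constructor marks the token as authenticated; credentials are
        // null because the bearer token itself should not be kept in the context.
        return new UsernamePasswordAuthenticationToken(
            username, null, List.of(new SimpleGrantedAuthority("ROLE_USER")));
    }
}
```

The filter is registered in the security filter chain with `http.addFilterBefore(new TokenAuthenticationFilter(), UsernamePasswordAuthenticationFilter.class)`. When it sits inside Spring Security's own chain, the `SecurityContextHolderFilter` also clears the context at the end of the request, so the `finally` block is redundant there but harmless; it matters if the filter is ever registered outside that chain.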

The diagram below, from "Spring Security (1) - Architecture Overview | taro channel source - pure source analytic blog", gives a good explanation of the relationship between these objects:

As you can see, although Spring Security looks very complicated, its core idea is the same as the simple authentication process above. Spring Security simply abstracts each key part of the process and provides a corresponding extension interface for it.

When we use it, we can implement our own UserDetailsService and UserDetails to load and hold user information, implement our own Authentication to hold specific user authentication information, and implement our own AuthenticationProvider that uses our UserDetailsService and Authentication to verify the user's authentication information.
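As an added example of exactly that combination (written for this page, not code from the original post or from Spring Security), the program below implements a UserDetailsService and an AuthenticationProvider, wires the provider into a ProviderManager, and authenticates a few constructed attempts. The two users, their passwords and the class names are hypothetical sample data; the order of the checks mirrors the one used by Spring's own DaoAuthenticationProvider (account status, then password).

```java
import java.util.List;
import java.util.Map;

import org.springframework.security.authentication.AuthenticationManager;
import org.springframework.security.authentication.AuthenticationProvider;
import org.springframework.security.authentication.BadCredentialsException;
import org.springframework.security.authentication.DisabledException;
import org.springframework.security.authentication.LockedException;
import org.springframework.security.authentication.ProviderManager;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.AuthenticationException;
import org.springframework.security.core.userdetails.User;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.core.userdetails.UsernameNotFoundException;
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
import org.springframework.security.crypto.password.PasswordEncoder;

/** Stand-in for the database lookup: two constructed sample users (hypothetical data). */
class DemoUserDetailsService implements UserDetailsService {
    private final Map<String, UserDetails> users;

    DemoUserDetailsService(PasswordEncoder encoder) {
        // Passwords are stored only as bcrypt hashes, never in clear text.
        users = Map.of(
            "alice", User.withUsername("alice").password(encoder.encode("correct horse"))
                         .authorities("ROLE_USER").build(),
            "mallory", User.withUsername("mallory").password(encoder.encode("hunter2"))
                           .authorities("ROLE_USER").accountLocked(true).build());
    }

    @Override
    public UserDetails loadUserByUsername(String username) throws UsernameNotFoundException {
        UserDetails user = users.get(username);
        if (user == null) {
            throw new UsernameNotFoundException("User not found: " + username);
        }
        return user;
    }
}

/** Verifies a UsernamePasswordAuthenticationToken against the UserDetailsService. */
class DemoAuthenticationProvider implements AuthenticationProvider {
    private final UserDetailsService userDetailsService;
    private final PasswordEncoder encoder;
    private final String dummyHash; // compared against for unknown users, to even out timing

    DemoAuthenticationProvider(UserDetailsService userDetailsService, PasswordEncoder encoder) {
        this.userDetailsService = userDetailsService;
        this.encoder = encoder;
        this.dummyHash = encoder.encode("userNotFoundPassword");
    }

    @Override
    public Authentication authenticate(Authentication authentication) throws AuthenticationException {
        String username = authentication.getName();
        String rawPassword = String.valueOf(authentication.getCredentials());

        UserDetails user;
        try {
            user = userDetailsService.loadUserByUsername(username);
        } catch (UsernameNotFoundException e) {
            // Still run one bcrypt comparison and report the same error as a wrong password,
            // so neither the message nor the response time reveals which usernames exist.
            encoder.matches(rawPassword, dummyHash);
            throw new BadCredentialsException("Bad credentials");
        }
        // Account-status checks come from UserDetails.
        if (!user.isAccountNonLocked()) {
            throw new LockedException("Account locked");
        }
        if (!user.isEnabled()) {
            throw new DisabledException("Account disabled");
        }
        if (!encoder.matches(rawPassword, user.getPassword())) {
            throw new BadCredentialsException("Bad credentials");
        }
        // Three-argument constructor marks the token authenticated; credentials are dropped
        // so the clear-text password does not linger in the SecurityContext.
        return new UsernamePasswordAuthenticationToken(user, null, user.getAuthorities());
    }

    @Override
    public boolean supports(Class<?> authentication) {
        return UsernamePasswordAuthenticationToken.class.isAssignableFrom(authentication);
    }
}

public class CustomAuthenticationDemo {
    public static void main(String[] args) {
        PasswordEncoder encoder = new BCryptPasswordEncoder();
        UserDetailsService users = new DemoUserDetailsService(encoder);
        AuthenticationManager manager =
            new ProviderManager(List.of(new DemoAuthenticationProvider(users, encoder)));

        // Unauthenticated request token: principal = username, credentials = raw password.
        Authentication result = manager.authenticate(
            new UsernamePasswordAuthenticationToken("alice", "correct horse"));
        System.out.println("authenticated=" + result.isAuthenticated()
            + " principal=" + ((UserDetails) result.getPrincipal()).getUsername()
            + " authorities=" + result.getAuthorities());

        // Wrong password, unknown user and locked account are all rejected with an exception.
        for (String[] attempt : new String[][] {{"alice", "wrong"}, {"nobody", "x"}, {"mallory", "hunter2"}}) {
            try {
                manager.authenticate(new UsernamePasswordAuthenticationToken(attempt[0], attempt[1]));
            } catch (AuthenticationException e) {
                System.out.println(attempt[0] + " rejected: " + e.getClass().getSimpleName());
            }
        }
    }
}
```

In a Spring application the provider would be exposed as a bean (or passed to `AuthenticationManagerBuilder.authenticationProvider(...)`) rather than wired by hand in `main`; the hand wiring here only makes the flow visible end to end.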

Of course, Spring Security has many more features, but with some understanding of the basic process, the rest of the content becomes much easier to learn.

Epilogue

Actually, besides Spring Security I also looked at Spring Security OAuth2 and Spring Security JWT, and I had intended to summarize them all together in this blog post. But as I read and wrote, I found that while my thinking about the Spring Security part was clear, it became patchy once I got to Spring Security OAuth2.

So I just wrote this much: a rough sorting out of the relationship between Spring Security and Spring Security OAuth2, with the details still to be examined. That is left for the future @_@

Origin www.cnblogs.com/rgbit/p/11708807.html