Spring Security login authentication process: a source code walkthrough

1. Login authentication is based on the filter chain

The login authentication process is the core of the Spring Security filter chain. When a request arrives, it passes through the filters in the chain in order, and only after passing verification by all of them can it access the API endpoint.


Spring Security offers a variety of login authentication methods, each implemented by its own Filter, such as:

  • BasicAuthenticationFilter implements HTTP Basic login authentication
  • UsernamePasswordAuthenticationFilter implements username and password login authentication
  • RememberMeAuthenticationFilter implements the "Remember Me" login feature
  • SmsCodeAuthenticationFilter implements SMS verification code login authentication
  • SocialAuthenticationFilter implements social media login authentication
  • OAuth2AuthenticationProcessingFilter and OAuth2ClientAuthenticationProcessingFilter implement OAuth2 authentication

Depending on our requirements and configuration, different Filters are loaded into the application.

2. The login authentication process explained with the source code

We use username and password login as the example to explain the Spring Security login authentication process.


2.1 UsernamePasswordAuthenticationFilter

This filter wraps the basic user information (username, password) and defines how the login form data is received. For example:

  • The default form input names for the username and password are username and password
  • The default login request path is /login, using the POST method


2.2 The doFilter verification flow of AbstractAuthenticationProcessingFilter

UsernamePasswordAuthenticationFilter inherits from the abstract class AbstractAuthenticationProcessingFilter, which defines the handling for authentication success and authentication failure.

2.3 Handlers invoked after authentication success and failure


That is, when we need custom handling of authentication success or failure, we implement the AuthenticationSuccessHandler or AuthenticationFailureHandler interface.


3. The details inside login authentication

3.1 ProviderManager manages multiple authentication methods

ProviderManager implements AuthenticationManager and is the core class of login authentication. ProviderManager holds multiple AuthenticationProviders, one for each type of login authentication. For example:

  • RememberMeAuthenticationProvider defines the login validation logic for the "Remember Me" feature
  • DaoAuthenticationProvider loads user information from the database and verifies the user's login password

public class ProviderManager implements AuthenticationManager, MessageSourceAware, InitializingBean {
    // Providers consulted in order for each authentication request (rest of class omitted)
    private List<AuthenticationProvider> providers;
}

In its core source code, ProviderManager iterates over the AuthenticationProviders for the different login methods and runs a provider's specific login validation logic only when that provider supports the authentication type in question.

3.2 AuthenticationProvider, the login authentication interface

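public interface AuthenticationProvider {
    // Performs the login validation for an Authentication type this provider supports
    Authentication authenticate(Authentication authentication) throws AuthenticationException;

    // Tells ProviderManager whether this provider handles the given Authentication class
    boolean supports(Class<?> authentication);
}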

The AuthenticationProvider implementation classes define the specific login validation logic.


3.3 DaoAuthenticationProvider loads user information from the database

public class DaoAuthenticationProvider extends AbstractUserDetailsAuthenticationProvider { /* body omitted */ }

It obtains the user information from the database.


So when we need to load user information for login authentication, we implement the UserDetailsService interface and override the loadUserByUsername method. Its parameter is the user name entered by the user, and its return value is a UserDetails.
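
The flow from sections 3.1 and 3.3 as an added example (not code from the original post or from Spring Security itself): a hypothetical InMemoryUserDetailsService is plugged into DaoAuthenticationProvider, and ProviderManager consults that provider only for token types it supports. It assumes Spring Security 5.x (spring-security-core) on the classpath; the class names LoginFlowDemo and InMemoryUserDetailsService and the sample user are constructed for illustration.

```java
import java.util.Collections;
import java.util.Map;
import org.springframework.security.authentication.*;
import org.springframework.security.authentication.dao.DaoAuthenticationProvider;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.AuthenticationException;
import org.springframework.security.core.userdetails.*;
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;

public class LoginFlowDemo {
    static final BCryptPasswordEncoder ENCODER = new BCryptPasswordEncoder();
    // Constructed sample user store standing in for the database table (hash only, no plaintext).
    static final Map<String, String> USERS =
            Collections.singletonMap("alice", ENCODER.encode("correct-horse"));

    // Hypothetical UserDetailsService: the argument is the user name typed into the login form.
    static class InMemoryUserDetailsService implements UserDetailsService {
        @Override
        public UserDetails loadUserByUsername(String username) {
            String hash = USERS.get(username);
            if (hash == null) {
                throw new UsernameNotFoundException("unknown user");
            }
            return User.withUsername(username).password(hash).roles("USER").build();
        }
    }

    static String attempt(AuthenticationManager manager, Authentication request) {
        try {
            Authentication result = manager.authenticate(request);
            return "authenticated as " + result.getName() + " " + result.getAuthorities();
        } catch (AuthenticationException e) {
            return "rejected: " + e.getClass().getSimpleName();
        }
    }

    public static void main(String[] args) {
        DaoAuthenticationProvider dao = new DaoAuthenticationProvider();
        dao.setUserDetailsService(new InMemoryUserDetailsService());
        dao.setPasswordEncoder(ENCODER);
        AuthenticationManager manager = new ProviderManager(Collections.singletonList(dao));
        System.out.println(attempt(manager, new UsernamePasswordAuthenticationToken("alice", "correct-horse")));
        // By default the provider reports a wrong password and an unknown user the same way.
        System.out.println(attempt(manager, new UsernamePasswordAuthenticationToken("alice", "wrong")));
        System.out.println(attempt(manager, new UsernamePasswordAuthenticationToken("mallory", "x")));
        // DaoAuthenticationProvider does not support this token type, so it is never invoked.
        System.out.println(attempt(manager, new TestingAuthenticationToken("alice", "correct-horse")));
    }
}
```

DaoAuthenticationProvider hides UsernameNotFoundException behind BadCredentialsException by default, so the login response does not reveal which user names exist.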

Origin www.cnblogs.com/zimug/p/11880050.html