1. Login authentication is based on the filter chain
Login authentication is the core of the Spring Security filter chain. An incoming request passes through the filters in the chain in order, and only after it has been verified by every filter can it access the API.
Spring Security offers a variety of login authentication methods, each implemented by its own filter, such as:
- BasicAuthenticationFilter implements HTTP Basic login authentication
- UsernamePasswordAuthenticationFilter implements username and password login authentication
- RememberMeAuthenticationFilter implements login authentication for the "Remember Me" feature
- SmsCodeAuthenticationFilter implements SMS verification code login authentication
- SocialAuthenticationFilter implements social media login authentication
- OAuth2AuthenticationProcessingFilter and OAuth2ClientAuthenticationProcessingFilter implement OAuth2 authentication
Depending on our requirements and configuration, different filters are loaded into the application.
2. The login authentication process explained with the source code
We use username and password login as the example to explain the Spring Security login authentication process.
2.1 UsernamePasswordAuthenticationFilter
This filter encapsulates the basic user information (username, password) and defines how the login form data is received. For example:
- The default names of the username and password form input fields are username and password
- The default login request path is /login, using the POST method
2.2 The doFilter verification flow in AbstractAuthenticationProcessingFilter
UsernamePasswordAuthenticationFilter extends the abstract class AbstractAuthenticationProcessingFilter, which defines how authentication success and authentication failure are handled.
2.3 Handlers invoked after authentication succeeds or fails
So when we need custom handling of authentication success or failure, we implement the AuthenticationSuccessHandler or AuthenticationFailureHandler interface.
3. Login authentication internals
3.1 ProviderManager: managing multiple authentication methods
ProviderManager implements AuthenticationManager and is the core class of login authentication. ProviderManager holds multiple AuthenticationProviders, one for each type of login authentication. For example:
- RememberMeAuthenticationProvider defines the login validation logic for the "Remember Me" feature
- DaoAuthenticationProvider loads user information from the database and verifies the user's login password
public class ProviderManager implements AuthenticationManager, MessageSourceAware, InitializingBean {
    ……
    // The registered providers, one per supported login authentication method
    private List<AuthenticationProvider> providers;
    ……
}
The core source code of ProviderManager iterates over the AuthenticationProviders for the different login authentication methods; only when a provider supports the current authentication type is that provider's specific login validation logic executed.
3.2 The AuthenticationProvider login authentication interface
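public interface AuthenticationProvider {
    // Performs the specific login validation for the given authentication request
    Authentication authenticate(Authentication var1) throws AuthenticationException;
    // Reports whether this provider handles the given Authentication type
    boolean supports(Class<?> var1);
}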
Each AuthenticationProvider implementation class defines the specific login validation logic.
3.3 DaoAuthenticationProvider: loading user information from the database
public class DaoAuthenticationProvider extends AbstractUserDetailsAuthenticationProvider {
It obtains the user information from the database.
So when we need to load user information for login authentication, we implement the UserDetailsService interface and override the loadUserByUsername method. Its parameter is the username entered by the user, and its return value is a UserDetails.
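The pieces from section 3 wired together, as an added example that is not code from the original article or from Spring Security itself: a hypothetical MapUserDetailsService (an in-memory map with constructed sample data standing in for the database) behind DaoAuthenticationProvider and ProviderManager. It assumes Spring Security 5.x or 6.x and Java 9+ on the classpath, run outside a Spring container.

```java
import java.util.Collections;
import java.util.Map;
import org.springframework.security.authentication.*;
import org.springframework.security.authentication.dao.DaoAuthenticationProvider;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.userdetails.*;
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
import org.springframework.security.crypto.password.PasswordEncoder;

// Added example; the class names LoginFlowDemo and MapUserDetailsService are hypothetical.
public class LoginFlowDemo {
    // A Map stands in for the user table: username -> BCrypt hash (constructed data).
    static class MapUserDetailsService implements UserDetailsService {
        private final Map<String, String> hashes;
        MapUserDetailsService(Map<String, String> hashes) { this.hashes = hashes; }

        @Override
        public UserDetails loadUserByUsername(String username) throws UsernameNotFoundException {
            String hash = hashes.get(username);
            if (hash == null) {
                // The contract forbids returning null; signal a missing user with this exception.
                throw new UsernameNotFoundException("user not found");
            }
            // Return the stored hash only; DaoAuthenticationProvider compares the password.
            return User.withUsername(username).password(hash).roles("USER").build();
        }
    }

    public static void main(String[] args) {
        PasswordEncoder encoder = new BCryptPasswordEncoder();
        UserDetailsService users =
            new MapUserDetailsService(Map.of("alice", encoder.encode("correct-horse")));
        DaoAuthenticationProvider dao = new DaoAuthenticationProvider();
        dao.setUserDetailsService(users);
        dao.setPasswordEncoder(encoder);
        // ProviderManager calls supports(...) on each provider and delegates to those that match.
        AuthenticationManager manager = new ProviderManager(Collections.singletonList(dao));

        Authentication ok = manager.authenticate(
            new UsernamePasswordAuthenticationToken("alice", "correct-horse"));
        System.out.println(ok.getName() + " authenticated=" + ok.isAuthenticated());
        try {
            manager.authenticate(new UsernamePasswordAuthenticationToken("mallory", "guess"));
        } catch (BadCredentialsException e) {
            // By default an unknown user and a wrong password raise the same exception type.
            System.out.println("rejected: " + e.getClass().getSimpleName());
        }
    }
}
```

Because DaoAuthenticationProvider hides UsernameNotFoundException by default, the login response does not reveal whether a username exists.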
- When reproducing this article, please credit the source (with a link, not text only): letters Gebo off.