Spring Security Startup and Authentication Flow
2024-01-22 21:45:29
Spring Boot Spring Security startup + authentication source-code flow
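Outline/Content
You can implement the PasswordEncoder interface yourself and register it with the Spring container to customize the credential verification rules.
// Create webSecurity
webSecurity.build();
@Bean authenticationManagerBuilder
getAuthenticationManager()
@Bean AutowireBeanFactoryObjectPostProcessor(beanFactory);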
beforeConfigure()
Initialization settings
addArgumentResolvers()
@Bean RequestDataValueProcessor
doBuild();
WebSecurityConfigurerAdapter: configurer.init((B) this);
Obtain the authentication manager
WebSecurityEnablerConfiguration
SpringWebMvcImportSelector
Check the user after verifying credentials: postAuthenticationChecks.check(user);
OAuth2ImportSelector
Whether the user account has expired: if (!user.isAccountNonExpired())
init()
WebMvcSecurityConfiguration
@EnableGlobalAuthentication
FilterChainProxy filterChainProxy = new FilterChainProxy(securityFilterChains);
// Build the security interceptor
Filter springSecurityFilterChain()
return result;
(Core) AuthenticationConfiguration
@EnableWebSecurity
Authentication uses the UsernamePasswordAuthenticationToken implementation class: authenticationManager.authenticate(Authentication authentication)
Check the user before verifying credentials: preAuthenticationChecks.check(user);
getHttp()
SecurityDataConfiguration
@Bean
@Autowired private ObjectPostProcessor<Object> objectObjectPostProcessor;
@Autowired
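(Core) WebSecurityConfiguration
Entry point for Spring Security's request-interception configuration; this method calls configure(http) of the class that implements the WebSecurityConfigurerAdapter abstract class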
SecurityAutoConfiguration
Empty implementation: beforeConfigure();
DefaultAuthenticationEventPublisher
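Set the authentication manager: AuthenticationManager authenticationManager = authenticationManager();
Get all Security interception configurations (WebSecurityConfigurerAdapter): this.webSecurityConfigurers = webSecurityConfigurers;
Select the authentication manager that supports the Authentication implementation class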
Filter result = filterChainProxy;
Create the Security interceptor: securityFilterChainBuilder.build()
Check whether the credentials (password) have expired: if (!user.isCredentialsNonExpired())
ObjectPostProcessor<Object>
webSecurity = objectPostProcessor.postProcess(new WebSecurity(objectPostProcessor));
final HttpSecurity http = getHttp();
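Set userDetailsService, PasswordEncoder, authenticationProviders, etc.
Configure http: configure(http);
Return the created authentication manager, whose implementation class is ProviderManager
Call the loadUserByUsername method of the UserDetailsService implementation to obtain user information in a custom way: UserDetails loadedUser = this.getUserDetailsService().loadUserByUsername(username);
Whether the user is enabled: if (!user.isEnabled())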
@Import(AuthenticationConfiguration.class)
Create the security filter result: O result = performBuild();
2
Create HttpSecurity
configure()
Get the user's credentials from the request: String presentedPassword = authentication.getCredentials().toString();
4
3
Create the authentication manager: authenticationManager = authBuilder.build();
setFilterChainProxySecurityConfigurer()
configure(http)
Empty implementation: configure();
DefaultConfigurerAdapter
ObjectPostProcessorConfiguration
authenticationConfiguration.getAuthenticationManager()
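Wrap the user information in a UserDetails implementation class and return it: return UserDetails
Set the configuration needed to build the authentication manager
Use the credential decoder to decrypt and verify the user's credentials
SpringBootWebSecurityConfiguration: injects the default Security interception configuration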
ImportSelector.selectImports
@Import
1
Start verification: result = provider.authenticate(authentication);
Whether the user account is locked: if (!user.isAccountNonLocked())