SpringSecurity认证专题之【AuthenticationManager】

た 入场券 2022-12-14 13:39 417阅读 0赞

  哈喽,大家好,最近有段时间没有写博客了,今天开始我会陆续给大家整理出SpringSecurity原理源码相关的文件,本篇文章主要是给大家介绍下认证体系中最基础的AuthenticationManager的内容,让你对它从整体上面有一个认知。

AuthenticationManager

  首先我们来看下AuthenticationManager这个接口的定义。

  1. public interface AuthenticationManager { 
  2.     /** * 定义的一个认证的方法 **/
  3.     Authentication authenticate(Authentication authentication)
  4.             throws AuthenticationException;
  5. }

  通过源码能发现,单纯的就是定义了一个认证的方法,所以要分析的话我们要看下他的实现,在SpringSecurity中默认的AuthenticationManager的实现是ProviderManager.

在这里插入图片描述

ProviderManager

  ProviderManagerAuthenticationManager的默认实现,但是ProviderManager并没有提供具体的认证逻辑,而是具有多个AuthenticationProvider.
也就是在ProviderManager中支持多种认证方式,而AuthenticationProvider就是一种具体的认证。

  1. public class ProviderManager implements AuthenticationManager, MessageSourceAware,
  2.         InitializingBean { 
  3.     // 多种认证方式
  4.     private List<AuthenticationProvider> providers = Collections.emptyList();
  6.     private AuthenticationManager parent;
  7.     private boolean eraseCredentialsAfterAuthentication = true;
  9.     /** * 遍历每一种认证方式,进行认证 **/
  10.     public Authentication authenticate(Authentication authentication)
  11.             throws AuthenticationException { 
  12.         Class<? extends Authentication> toTest = authentication.getClass();
  13.         AuthenticationException lastException = null;
  14.         AuthenticationException parentException = null;
  15.         Authentication result = null;
  16.         Authentication parentResult = null;
  17.         boolean debug = logger.isDebugEnabled();
  18.         // 遍历每一种认证方式
  19.         for (AuthenticationProvider provider : getProviders()) { 
  20.             if (!provider.supports(toTest)) { 
  21.                 continue;
  22.             }
  23.             // 忽略...
  24.             try { 
  25.                 // 调用具体的认证方法
  26.                 result = provider.authenticate(authentication);
  28.                 if (result != null) { 
  29.                     copyDetails(authentication, result);
  30.                     break;
  31.                 }
  32.             }
  33.             catch (AccountStatusException | InternalAuthenticationServiceException e) { 
  34.                 prepareException(e, authentication);
  35.                 throw e;
  36.             } catch (AuthenticationException e) { 
  37.                 lastException = e;
  38.             }
  39.         }
  40.         // 忽略...
  41.     }
  42. }

在这里插入图片描述

  通过上图可以简单的体现这三者之间的关系

AuthenticationProvider

  现在我们来看下AuthenticationProvider的具体认证流程的实现

  1. public interface AuthenticationProvider { 
  2.     /** * 认证逻辑实现的方法 */
  3.     Authentication authenticate(Authentication authentication)
  4.             throws AuthenticationException;
  6.     /** * 判断当前provider是否支持该Authentication * / boolean supports(Class<?> authentication); }

  源码中的方法相比AuthenticationManager中多了一个supports方法,主要是用来做支持判断的。具体是认证实现还要看其具体的实现,默认的实现是DaoAuthenticationProvider,还有个中间抽象类AbstractUserDetailsAuthenticationProvider

在这里插入图片描述

AbstractUserDetailsAuthenticationProvider

  在其中定义了认证的主要流程

  1. public abstract class AbstractUserDetailsAuthenticationProvider implements
  2.         AuthenticationProvider, InitializingBean, MessageSourceAware { 
  3.     // 抽象定义
  4.     protected abstract void additionalAuthenticationChecks(UserDetails userDetails,
  5.             UsernamePasswordAuthenticationToken authentication)
  6.             throws AuthenticationException;
  8.     // 定义主要流程,关键账号验证和密码验证在具体实现类中实现
  9.     public Authentication authenticate(Authentication authentication)
  10.             throws AuthenticationException { 
  11.         Assert.isInstanceOf(UsernamePasswordAuthenticationToken.class, authentication,
  12.                 () -> messages.getMessage(
  13.                         "AbstractUserDetailsAuthenticationProvider.onlySupports",
  14.                         "Only UsernamePasswordAuthenticationToken is supported"));
  16.         // Determine username
  17.         String username = (authentication.getPrincipal() == null) ? "NONE_PROVIDED"
  18.                 : authentication.getName();
  20.         boolean cacheWasUsed = true;
  21.         UserDetails user = this.userCache.getUserFromCache(username);
  23.         if (user == null) { 
  24.             cacheWasUsed = false;
  26.             try { 
  27.                 user = retrieveUser(username,
  28.                         (UsernamePasswordAuthenticationToken) authentication);
  29.             }
  30.             catch (UsernameNotFoundException notFound) { 
  31.                 logger.debug("User '" + username + "' not found");
  33.                 if (hideUserNotFoundExceptions) { 
  34.                     throw new BadCredentialsException(messages.getMessage(
  35.                             "AbstractUserDetailsAuthenticationProvider.badCredentials",
  36.                             "Bad credentials"));
  37.                 }
  38.                 else { 
  39.                     throw notFound;
  40.                 }
  41.             }
  43.             Assert.notNull(user,
  44.                     "retrieveUser returned null - a violation of the interface contract");
  45.         }
  47.         try { 
  48.             preAuthenticationChecks.check(user);
  49.             additionalAuthenticationChecks(user,
  50.                     (UsernamePasswordAuthenticationToken) authentication);
  51.         }
  52.         catch (AuthenticationException exception) { 
  53.             if (cacheWasUsed) { 
  54.                 // There was a problem, so try again after checking
  55.                 // we're using latest data (i.e. not from the cache)
  56.                 cacheWasUsed = false;
  57.                 user = retrieveUser(username,
  58.                         (UsernamePasswordAuthenticationToken) authentication);
  59.                 preAuthenticationChecks.check(user);
  60.                 additionalAuthenticationChecks(user,
  61.                         (UsernamePasswordAuthenticationToken) authentication);
  62.             }
  63.             else { 
  64.                 throw exception;
  65.             }
  66.         }
  68.         postAuthenticationChecks.check(user);
  70.         if (!cacheWasUsed) { 
  71.             this.userCache.putUserInCache(user);
  72.         }
  74.         Object principalToReturn = user;
  76.         if (forcePrincipalAsString) { 
  77.             principalToReturn = user.getUsername();
  78.         }
  80.         return createSuccessAuthentication(principalToReturn, authentication, user);
  81.     }
  84.         UsernamePasswordAuthenticationToken result = new UsernamePasswordAuthenticationToken(
  85.                 principal, authentication.getCredentials(),
  86.                 authoritiesMapper.mapAuthorities(user.getAuthorities()));
  87.         result.setDetails(authentication.getDetails());
  89.         return result;
  90.     }
  91.     // 抽象的 账号验证
  92.     protected abstract UserDetails retrieveUser(String username,
  93.             UsernamePasswordAuthenticationToken authentication)
  94.             throws AuthenticationException;
  96.     public boolean supports(Class<?> authentication) { 
  97.         return (UsernamePasswordAuthenticationToken.class
  98.                 .isAssignableFrom(authentication));
  99.     }
  101. }

DaoAuthenticationProvider

  默认的具体认证实现

  1. protected final UserDetails retrieveUser(String username,
  2.             UsernamePasswordAuthenticationToken authentication)
  3.             throws AuthenticationException { 
  4.         prepareTimingAttackProtection();
  5.         try { 
  6.             UserDetails loadedUser = this.getUserDetailsService().loadUserByUsername(username);
  7.             if (loadedUser == null) { 
  8.                 throw new InternalAuthenticationServiceException(
  9.                         "UserDetailsService returned null, which is an interface contract violation");
  10.             }
  11.             return loadedUser;
  12.         }
  13.         catch (UsernameNotFoundException ex) { 
  14.             mitigateAgainstTimingAttack(authentication);
  15.             throw ex;
  16.         }
  17.         catch (InternalAuthenticationServiceException ex) { 
  18.             throw ex;
  19.         }
  20.         catch (Exception ex) { 
  21.             throw new InternalAuthenticationServiceException(ex.getMessage(), ex);
  22.         }
  23.     }
  24.     @SuppressWarnings("deprecation")
  25.     protected void additionalAuthenticationChecks(UserDetails userDetails,
  26.             UsernamePasswordAuthenticationToken authentication)
  27.             throws AuthenticationException { 
  28.         if (authentication.getCredentials() == null) { 
  29.             logger.debug("Authentication failed: no credentials provided");
  31.             throw new BadCredentialsException(messages.getMessage(
  32.                     "AbstractUserDetailsAuthenticationProvider.badCredentials",
  33.                     "Bad credentials"));
  34.         }
  36.         String presentedPassword = authentication.getCredentials().toString();
  38.         if (!passwordEncoder.matches(presentedPassword, userDetails.getPassword())) { 
  39.             logger.debug("Authentication failed: password does not match stored value");
  41.             throw new BadCredentialsException(messages.getMessage(
  42.                     "AbstractUserDetailsAuthenticationProvider.badCredentials",
  43.                     "Bad credentials"));
  44.         }
  45.     }

在这里插入图片描述
  上图是整理的相关的整体的结构,通过上图应该能够对于相关的结构关系会有一个整体的认证,下篇文章我们会给大家梳理下初始化的过程

发表评论

表情:
评论列表 (有 0 条评论,417人围观)

还没有评论,来说两句吧...

相关阅读