一、AuthenticationManager
AuthenticationManager是spring security中的认证管理器用来对登录请求进行处理。举个例子讲,在使用表单登录时处理用户的登录请求的是UsernamePasswordAuthenticationFilter 这个过滤器,它内部持有一个AuthenticationManager的对象,处理认证登录请求时会调用AuthenticationManager#authenticate方法处理请求。
1.1 AuthenticationManager
AuthenticationManager是一个接口,是对认证管理器进行的抽象,先来看下它的源码
public interface AuthenticationManager {
//调用authenticate对认证请求进行处理。
//入参是一个Authentication对象,封装了用户名和密码
//返回一个已经被认证过的Authentication对象
Authentication authenticate(Authentication authentication)
throws AuthenticationException;
}
1.2 Authentication
接着看下Authentication这个类,它用来对用户信息进行封装
public interface Authentication extends Principal, Serializable {
//这个方法返回用户的权限信息
Collection<? extends GrantedAuthority> getAuthorities();
//返回用户的凭证信息,例如密码
Object getCredentials();
/** 返回用户的一些额外信息,例如ip等,可以自定义多个属性
* Stores additional details about the authentication request. These might be an IP
* address, certificate serial number etc.
*
* @return additional details about the authentication request, or <code>null</code>
* if not used
*/
Object getDetails();
/** 返回用户主体,使用表单登录时返回的是用户的用户名
*/
Object getPrincipal();
//用来判断当前这个Authentication对象是否认证通过
boolean isAuthenticated();
//设置当前这个Authentication对象的认证状态
void setAuthenticated(boolean isAuthenticated) throws IllegalArgumentException;
}
接着看下UsernamePasswordAuthenticationFilter这个类中是如何使用认证管理器的
1.3 UsernamePasswordAuthenticationFilter
看一个过滤器的源码我们都会从doFilter方法看起,
UsernamePasswordAuthenticationFilter,这个类继承了AbstractAuthenticationProcessingFilter,doFilter方法定义在它的父类中,
AbstractAuthenticationProcessingFilter部分源码
public abstract class AbstractAuthenticationProcessingFilter extends GenericFilterBean
implements ApplicationEventPublisherAware, MessageSourceAware {
//该过滤器中持有的认证管理器对象
private AuthenticationManager authenticationManager;
//session管理器策略
private SessionAuthenticationStrategy sessionStrategy = new NullAuthenticatedSessionStrategy();
//登录成功和登录失败时的处理器
private AuthenticationSuccessHandler successHandler = new SavedRequestAwareAuthenticationSuccessHandler();
private AuthenticationFailureHandler failureHandler = new SimpleUrlAuthenticationFailureHandler();
//处理登录请求的方法
public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
throws IOException, ServletException {
HttpServletRequest request = (HttpServletRequest) req;
HttpServletResponse response = (HttpServletResponse) res;
if (!requiresAuthentication(request, response)) {
chain.doFilter(request, response);
return;
}
if (logger.isDebugEnabled()) {
logger.debug("Request is to process authentication");
}
Authentication authResult;
try {
//处理登录请求的方法,这个方法在本类中是抽象方法,会被子类
//UsernamePasswordAuthenticationFilter实现
authResult = attemptAuthentication(request, response);
if (authResult == null) {
//说明UsernamePasswordAuthenticationFilter这个过滤器并没有完成认证但也没报错
// return immediately as subclass has indicated that it hasn't completed
// authentication
return;
}
sessionStrategy.onAuthentication(authResult, request, response);
}
catch (InternalAuthenticationServiceException failed) {
logger.error(
"An internal error occurred while trying to authenticate the user.",
failed);
//认证过程中报错了,属于认证失败。
unsuccessfulAuthentication(request, response, failed);
return;
}
catch (AuthenticationException failed) {
// Authentication failed
//认证过程中报错了,属于认证失败。
unsuccessfulAuthentication(request, response, failed);
return;
}
// Authentication success
if (continueChainBeforeSuccessfulAuthentication) {
//认证成功,继续执行过滤器链中其他的过滤器
chain.doFilter(request, response);
}
//认证成功的后续处理
successfulAuthentication(request, response, chain, authResult);
}
}
所以认证的关键就在子类的attemptAuthentication方法中
public class UsernamePasswordAuthenticationFilter extends
AbstractAuthenticationProcessingFilter {
public static final String SPRING_SECURITY_FORM_USERNAME_KEY = "username";
public static final String SPRING_SECURITY_FORM_PASSWORD_KEY = "password";
//这两个属性定义了从请求中获取用户名/密码时使用的参数名
private String usernameParameter = SPRING_SECURITY_FORM_USERNAME_KEY;
private String passwordParameter = SPRING_SECURITY_FORM_PASSWORD_KEY;
public Authentication attemptAuthentication(HttpServletRequest request,
HttpServletResponse response) throws AuthenticationException {
if (postOnly && !request.getMethod().equals("POST")) {
throw new AuthenticationServiceException(
"Authentication method not supported: " + request.getMethod());
}
//从请求对象中获取用户名和密码
String username = obtainUsername(request);
String password = obtainPassword(request);
if (username == null) {
username = "";
}
if (password == null) {
password = "";
}
username = username.trim();
//把用户名和密码封装成一个Authentication对象
UsernamePasswordAuthenticationToken authRequest = new UsernamePasswordAuthenticationToken(
username, password);
// Allow subclasses to set the "details" property
//在此过滤器中是空方法
setDetails(request, authRequest);
//先获取认证管理器,然后执行authenticate方法对authRequest这个Authentication对象进行认证
return this.getAuthenticationManager().authenticate(authRequest);
}
}
接下来就可以去看下认证管理器的认证逻辑
1.4 ProviderManager
AuthenticationManager是一个接口,springsecurity提供了一个实现类ProviderManager,来看下它的源码
ProviderManager部分源码:
public class ProviderManager implements AuthenticationManager, MessageSourceAware,
InitializingBean {
//重要属性,存储该认证管理器中持有的AuthenticationProvider
//认证时会循环调用持有的provider对请求进行处理,所以真正对请求进行认证的是各种provider
private List<AuthenticationProvider> providers = Collections.emptyList();
//当前认证管理器的父管理器,通常被称作全局认证管理器,
//如果循环完自己的providers后还不能对请求进行认证就会调用parent对请求进行处理
private AuthenticationManager parent;
//这个方法时具体的认证逻辑
public Authentication authenticate(Authentication authentication)
throws AuthenticationException {
Class<? extends Authentication> toTest = authentication.getClass();
AuthenticationException lastException = null;
AuthenticationException parentException = null;
Authentication result = null;
Authentication parentResult = null;
boolean debug = logger.isDebugEnabled();
//遍历该认证管理器中持有的providers
for (AuthenticationProvider provider : getProviders()) {
//看provider是否支持当前请求,如果不支持就跳过进行下个循环
if (!provider.supports(toTest)) {
continue;
}
if (debug) {
logger.debug("Authentication attempt using "
+ provider.getClass().getName());
}
try {
//此provider支持当前请求,调用provider.authenticate
result = provider.authenticate(authentication);
if (result != null) {
copyDetails(authentication, result);
break;
}
}
catch (AccountStatusException e) {
prepareException(e, authentication);
// SEC-546: Avoid polling additional providers if auth failure is due to
// invalid account status
throw e;
}
catch (InternalAuthenticationServiceException e) {
prepareException(e, authentication);
throw e;
}
catch (AuthenticationException e) {
lastException = e;
}
}
if (result == null && parent != null) {
// Allow the parent to try.
//如果自己的providers没有处理请求,再调用parent进行一次尝试
try {
result = parentResult = parent.authenticate(authentication);
}
catch (ProviderNotFoundException e) {
// ignore as we will throw below if no other exception occurred prior to
// calling parent and the parent
// may throw ProviderNotFound even though a provider in the child already
// handled the request
}
catch (AuthenticationException e) {
lastException = parentException = e;
}
}
if (result != null) {
//进到这里表示认证成功了
if (eraseCredentialsAfterAuthentication
&& (result instanceof CredentialsContainer)) {
// Authentication is complete. Remove credentials and other secret data
// from authentication
((CredentialsContainer) result).eraseCredentials();
}
// If the parent AuthenticationManager was attempted and successful than it will publish an AuthenticationSuccessEvent
// This check prevents a duplicate AuthenticationSuccessEvent if the parent AuthenticationManager already published it
if (parentResult == null) {
eventPublisher.publishAuthenticationSuccess(result);
}
return result;
}
// Parent was null, or didn't authenticate (or throw an exception).
if (lastException == null) {
lastException = new ProviderNotFoundException(messages.getMessage(
"ProviderManager.providerNotFound",
new Object[] { toTest.getName() },
"No AuthenticationProvider found for {0}"));
}
// If the parent AuthenticationManager was attempted and failed than it will publish an AbstractAuthenticationFailureEvent
// This check prevents a duplicate AbstractAuthenticationFailureEvent if the parent AuthenticationManager already published it
if (parentException == null) {
prepareException(lastException, authentication);
}
throw lastException;
}
}
所以需要接着看下AuthenticationProvider
1.5 AuthenticationProvider
AuthenticationProvider也是一个接口
public interface AuthenticationProvider {
//具体的认证方法,只有支持时才会被调用
Authentication authenticate(Authentication authentication)
throws AuthenticationException;
//验证此provider是否支持当前请求
boolean supports(Class<?> authentication);
}
当我们使用表单登录时,使用的provider是DaoAuthenticationProvider
1.6 DaoAuthenticationProvider
DaoAuthenticationProvider#authenticate方法定义在它的父类AbstractUserDetailsAuthenticationProvider中,先看下这个方法
public abstract class AbstractUserDetailsAuthenticationProvider implements
AuthenticationProvider, InitializingBean, MessageSourceAware {
//具体的认证方法
public Authentication authenticate(Authentication authentication)
throws AuthenticationException {
Assert.isInstanceOf(UsernamePasswordAuthenticationToken.class, authentication,
() -> messages.getMessage(
"AbstractUserDetailsAuthenticationProvider.onlySupports",
"Only UsernamePasswordAuthenticationToken is supported"));
// Determine username
String username = (authentication.getPrincipal() == null) ? "NONE_PROVIDED"
: authentication.getName();
boolean cacheWasUsed = true;
UserDetails user = this.userCache.getUserFromCache(username);
if (user == null) {
cacheWasUsed = false;
try {
//缓存中获取不到用户时在执行获取用户的方法
// 这个方法需要被子类实现,所以具体逻辑在DaoAuthenticationProvider
user = retrieveUser(username,
(UsernamePasswordAuthenticationToken) authentication);
}
catch (UsernameNotFoundException notFound) {
logger.debug("User '" + username + "' not found");
if (hideUserNotFoundExceptions) {
throw new BadCredentialsException(messages.getMessage(
"AbstractUserDetailsAuthenticationProvider.badCredentials",
"Bad credentials"));
}
else {
throw notFound;
}
}
Assert.notNull(user,
"retrieveUser returned null - a violation of the interface contract");
}
try {
preAuthenticationChecks.check(user);
//这个方法对用户名和密码进行校验,本来中是抽象方法,需要子类来实现
additionalAuthenticationChecks(user,
(UsernamePasswordAuthenticationToken) authentication);
}
catch (AuthenticationException exception) {
if (cacheWasUsed) {
// There was a problem, so try again after checking
// we're using latest data (i.e. not from the cache)
cacheWasUsed = false;
user = retrieveUser(username,
(UsernamePasswordAuthenticationToken) authentication);
preAuthenticationChecks.check(user);
additionalAuthenticationChecks(user,
(UsernamePasswordAuthenticationToken) authentication);
}
else {
throw exception;
}
}
postAuthenticationChecks.check(user);
if (!cacheWasUsed) {
this.userCache.putUserInCache(user);
}
Object principalToReturn = user;
if (forcePrincipalAsString) {
principalToReturn = user.getUsername();
}
//认证成功创建一个新的Authentication对象返回
return createSuccessAuthentication(principalToReturn, authentication, user);
}
protected Authentication createSuccessAuthentication(Object principal,
Authentication authentication, UserDetails user) {
UsernamePasswordAuthenticationToken result = new UsernamePasswordAuthenticationToken(
principal, authentication.getCredentials(),
authoritiesMapper.mapAuthorities(user.getAuthorities()));
result.setDetails(authentication.getDetails());
return result;
}
}
所以还需要在子类DaoAuthenticationProvider中看下retrieveUser,additionalAuthenticationChecks这两个方法
public class DaoAuthenticationProvider extends AbstractUserDetailsAuthenticationProvider {
//密码编码器
private PasswordEncoder passwordEncoder;
//查询用户信息的service
private UserDetailsService userDetailsService;
//查询用户
protected final UserDetails retrieveUser(String username,
UsernamePasswordAuthenticationToken authentication)
throws AuthenticationException {
prepareTimingAttackProtection();
try {
//调用自己的UserDetailsService
UserDetails loadedUser = this.getUserDetailsService().loadUserByUsername(username);
if (loadedUser == null) {
throw new InternalAuthenticationServiceException(
"UserDetailsService returned null, which is an interface contract violation");
}
return loadedUser;
}
catch (UsernameNotFoundException ex) {
mitigateAgainstTimingAttack(authentication);
throw ex;
}
catch (InternalAuthenticationServiceException ex) {
throw ex;
}
catch (Exception ex) {
throw new InternalAuthenticationServiceException(ex.getMessage(), ex);
}
}
protected void additionalAuthenticationChecks(UserDetails userDetails,
UsernamePasswordAuthenticationToken authentication)
throws AuthenticationException {
if (authentication.getCredentials() == null) {
logger.debug("Authentication failed: no credentials provided");
throw new BadCredentialsException(messages.getMessage(
"AbstractUserDetailsAuthenticationProvider.badCredentials",
"Bad credentials"));
}
String presentedPassword = authentication.getCredentials().toString();
//把请求中传过来的密码密文和userDetails中查询出的密文进行匹配
if (!passwordEncoder.matches(presentedPassword, userDetails.getPassword())) {
logger.debug("Authentication failed: password does not match stored value");
throw new BadCredentialsException(messages.getMessage(
"AbstractUserDetailsAuthenticationProvider.badCredentials",
"Bad credentials"));
}
}
@Override
protected Authentication createSuccessAuthentication(Object principal,
Authentication authentication, UserDetails user) {
//这个是更新密码的逻辑,一般不会执行
boolean upgradeEncoding = this.userDetailsPasswordService != null
&& this.passwordEncoder.upgradeEncoding(user.getPassword());
if (upgradeEncoding) {
String presentedPassword = authentication.getCredentials().toString();
String newPassword = this.passwordEncoder.encode(presentedPassword);
user = this.userDetailsPasswordService.updatePassword(user, newPassword);
}
return super.createSuccessAuthentication(principal, authentication, user);
}
//对请求进行判断看是否支持
public boolean supports(Class<?> authentication) {
return (UsernamePasswordAuthenticationToken.class
.isAssignableFrom(authentication));
}
}
到这里还差查询用户的哪个UserDetailsService没有看
1.7 UserDetailsService
这个接口中定义了查询根据用户名查询用户的方法,会在DaoAuthenticationProvider中使用,需要我们提供他的实现类,通常在系统中会提供一个从数据库中查询用户的实现。
public interface UserDetailsService {
UserDetails loadUserByUsername(String username) throws UsernameNotFoundException;
}
到这里AuthenticationManager相关的功能就介绍完了,接下里我们研究下在springboot启动过程中这个对象是什么时候创建出来的。
二、AuthenticationManagerBuilder
AuthenticationManagerBuilder是用来创建AuthenticationManager的构建器,它实现了SecurityBuilder,所以
SecurityBuilder 创建对象时的一些方法在它的继承体系中都有。
//部分源码
public class AuthenticationManagerBuilder
extends
AbstractConfiguredSecurityBuilder<AuthenticationManager, AuthenticationManagerBuilder>
implements ProviderManagerBuilder<AuthenticationManagerBuilder> {
//父级认证管理器
private AuthenticationManager parentAuthenticationManager;
//providers集合,这些Providers最后会被添加到构建出的AuthenticationManager中
private List<AuthenticationProvider> authenticationProviders = new ArrayList<>();
//这是一个用来给构建器中添加provider的方法
public AuthenticationManagerBuilder authenticationProvider(
AuthenticationProvider authenticationProvider) {
this.authenticationProviders.add(authenticationProvider);
return this;
}
//这个方法最终会被调用用来创建认证管理器对象
@Override
protected ProviderManager performBuild() throws Exception {
if (!isConfigured()) {
logger.debug("No authenticationProviders and no parentAuthenticationManager defined. Returning null.");
return null;
}
//创建认证管理器对象
ProviderManager providerManager = new ProviderManager(authenticationProviders,
parentAuthenticationManager);
if (eraseCredentials != null) {
providerManager.setEraseCredentialsAfterAuthentication(eraseCredentials);
}
if (eventPublisher != null) {
providerManager.setAuthenticationEventPublisher(eventPublisher);
}
//用处理器对providerManager进行处理,一般情况不会有这个步骤
providerManager = postProcess(providerManager);
return providerManager;
}
}
在spring security中创建认证管理器时都是使用这个构建器进行创建的,接下来就来研究下什么时候会创建
2.1 builder创建时机 WebSecurityConfigurerAdapter
我们对spring security的使用都是从自定义一个WebSecurityConfigurerAdapter的实现类开始的,更具体的内容可以看下这里spring seurity 自动配置的原理
WebSecurityConfigurerAdapter也是一个SecurityConfigurer,所以首先从这个类的init方法开始
public abstract class WebSecurityConfigurerAdapter implements
WebSecurityConfigurer<WebSecurity> {
//三个重要的属性
//用来生成全局认证管理器的配置类,可能用也可能不用
private AuthenticationConfiguration authenticationConfiguration;
//用来生成局部认证管理器的builder
private AuthenticationManagerBuilder authenticationBuilder;
//用来生成全局认证管理器的builder,其实就是上边builder生成的认证管理器的parent
private AuthenticationManagerBuilder localConfigureAuthenticationBldr;
//spring容器启动过程中会执行这个方法给上边的两个builder属性进行赋值
@Autowired
public void setApplicationContext(ApplicationContext context) {
this.context = context;
ObjectPostProcessor<Object> objectPostProcessor = context.getBean(ObjectPostProcessor.class);
LazyPasswordEncoder passwordEncoder = new LazyPasswordEncoder(context);
//这里创建了两个builder
//DefaultPasswordEncoderAuthenticationManagerBuilder是当前类的内部类
authenticationBuilder = new DefaultPasswordEncoderAuthenticationManagerBuilder(objectPostProcessor, passwordEncoder);
localConfigureAuthenticationBldr = new DefaultPasswordEncoderAuthenticationManagerBuilder(objectPostProcessor, passwordEncoder) {
@Override
public AuthenticationManagerBuilder eraseCredentials(boolean eraseCredentials) {
authenticationBuilder.eraseCredentials(eraseCredentials);
return super.eraseCredentials(eraseCredentials);
}
};
}
//容器启动过程中会给AuthenticationConfiguration这个属性赋值
@Autowired
public void setAuthenticationConfiguration(
AuthenticationConfiguration authenticationConfiguration) {
this.authenticationConfiguration = authenticationConfiguration;
}
//重点的init方法,这个方法的分析可以看下上边连接给出的另一篇博客
public void init(final WebSecurity web) throws Exception {
//获取http对象
final HttpSecurity http = getHttp();
web.addSecurityFilterChainBuilder(http).postBuildAction(new Runnable() {
public void run() {
FilterSecurityInterceptor securityInterceptor = http
.getSharedObject(FilterSecurityInterceptor.class);
web.securityInterceptor(securityInterceptor);
}
});
}
//getHttp方法
protected final HttpSecurity getHttp() throws Exception {
if (http != null) {
return http;
}
DefaultAuthenticationEventPublisher eventPublisher = objectPostProcessor
.postProcess(new DefaultAuthenticationEventPublisher());
localConfigureAuthenticationBldr.authenticationEventPublisher(eventPublisher);
//获取全局的认证管理器,也就是parent,这个方法重点看下
AuthenticationManager authenticationManager = authenticationManager();
//设置parent,
//认证的时候如果自己不能认证就会使用parent再进行一次认证
//这个builder创建的是局部的认证管理器,它会被放到sharedObjects中,
//在HttpSecurity的beforeConfigure方法中会拿出这个buildr执行得到一个
//局部的AuthenticationManager在放进sharedObjects中,这部分内容可以看下我的另一篇
//分析FormLoginConfigurer的博客
authenticationBuilder.parentAuthenticationManager(authenticationManager);
authenticationBuilder.authenticationEventPublisher(eventPublisher);
Map<Class<? extends Object>, Object> sharedObjects = createSharedObjects();
http = new HttpSecurity(objectPostProcessor, authenticationBuilder,
sharedObjects);
if (!disableDefaults) {
// @formatter:off
http
.csrf().and()
.addFilter(new WebAsyncManagerIntegrationFilter())
.exceptionHandling().and()
.headers().and()
.sessionManagement().and()
.securityContext().and()
.requestCache().and()
.anonymous().and()
.servletApi().and()
.apply(new DefaultLoginPageConfigurer<>()).and()
.logout();
ClassLoader classLoader = this.context.getClassLoader();
List<AbstractHttpConfigurer> defaultHttpConfigurers =
SpringFactoriesLoader.loadFactories(AbstractHttpConfigurer.class, classLoader);
for (AbstractHttpConfigurer configurer : defaultHttpConfigurers) {
http.apply(configurer);
}
}
configure(http);
return http;
}
//这个方法用来获取全局的认证管理器
protected AuthenticationManager authenticationManager() throws Exception {
if (!authenticationManagerInitialized) {
//这个configure方法可以被子类重写,对localConfigureAuthenticationBldr进行一些定制
//如果没重写这个方法将不会使用localConfigureAuthenticationBldr来构建
//AuthenticationManager,使用springsecurity的自动配置
configure(localConfigureAuthenticationBldr);
if (disableLocalConfigureAuthenticationBldr) {
//进到这里表示使用authenticationConfiguration中的自动配置来生成全局认证管理器
//调用getAuthenticationManager方法
authenticationManager = authenticationConfiguration
.getAuthenticationManager();
}
else {
//进到这里表示重写configure方法自定义了localConfigureAuthenticationBldr,
//就使用它来创建,不使用authenticationConfiguration中的自动配置
authenticationManager = localConfigureAuthenticationBldr.build();
}
authenticationManagerInitialized = true;
}
return authenticationManager;
}
//上边configure方法本类的实现
protected void configure(AuthenticationManagerBuilder auth) throws Exception {
//禁用全局认证管理器的builder,意思是不使用这个builder,使用springsecurity的自动配置
this.disableLocalConfigureAuthenticationBldr = true;
}
}
2.2 AuthenticationConfiguration中的自动配置
AuthenticationConfiguration针对AuthenticationManager做了许多自动配置,保证能够生成一个AuthenticationManager对象,我们先来研究下使用自动配置时会如何创建出一个AuthenticationManager对象。
在WebSecurityConfigurerAdapter中是通过调用authenticationConfiguration.getAuthenticationManager方法来生成认证管理器对象。
@Configuration
@Import(ObjectPostProcessorConfiguration.class)
public class AuthenticationConfiguration {
// 存储特定SecurityConfigurer的集合,下边会有一个set方法自动给此属性注入值
private List<GlobalAuthenticationConfigurerAdapter> globalAuthConfigurers = Collections
.emptyList();
//这个类中给spring容器中注入了几个bean
//注入了一个认证管理器的构建器
@Bean
public AuthenticationManagerBuilder authenticationManagerBuilder(
ObjectPostProcessor<Object> objectPostProcessor, ApplicationContext context) {
LazyPasswordEncoder defaultPasswordEncoder = new LazyPasswordEncoder(context);
AuthenticationEventPublisher authenticationEventPublisher = getBeanOrNull(context, AuthenticationEventPublisher.class);
DefaultPasswordEncoderAuthenticationManagerBuilder result = new DefaultPasswordEncoderAuthenticationManagerBuilder(objectPostProcessor, defaultPasswordEncoder);
if (authenticationEventPublisher != null) {
result.authenticationEventPublisher(authenticationEventPublisher);
}
return result;
}
@Bean
public static GlobalAuthenticationConfigurerAdapter enableGlobalAuthenticationAutowiredConfigurer(
ApplicationContext context) {
return new EnableGlobalAuthenticationAutowiredConfigurer(context);
}
//给容器中注入了一个SecurityConfigurer,
//这个configurer会给authenticationManagerBuilder中注入一个DaoAuthenticationProvider,
//下边会具体分析
@Bean
public static InitializeUserDetailsBeanManagerConfigurer initializeUserDetailsBeanManagerConfigurer(ApplicationContext context) {
return new InitializeUserDetailsBeanManagerConfigurer(context);
}
//给容器中注入了一个SecurityConfigurer
//这个configurer会从容器中获取AuthenticationProvider并添加到authenticationManagerBuilder中
@Bean
public static InitializeAuthenticationProviderBeanManagerConfigurer initializeAuthenticationProviderBeanManagerConfigurer(ApplicationContext context) {
return new InitializeAuthenticationProviderBeanManagerConfigurer(context);
}
//这个方法会给当前类自动注入SecurityConfigurer,实际上会把上边用@Bean放入容器的三个
//SecurityConfigurer注入进来。
@Autowired(required = false)
public void setGlobalAuthenticationConfigurers(
List<GlobalAuthenticationConfigurerAdapter> configurers) throws Exception {
Collections.sort(configurers, AnnotationAwareOrderComparator.INSTANCE);
this.globalAuthConfigurers = configurers;
}
//这个方法就是用来获取AuthenticationManager的
public AuthenticationManager getAuthenticationManager() throws Exception {
if (this.authenticationManagerInitialized) {
return this.authenticationManager;
}
//先拿到一个AuthenticationManagerBuilder,调的是本类的方法
AuthenticationManagerBuilder authBuilder = authenticationManagerBuilder(
this.objectPostProcessor, this.applicationContext);
if (this.buildingAuthenticationManager.getAndSet(true)) {
return new AuthenticationManagerDelegator(authBuilder);
}
//把属性globalAuthConfigurers中所有的configurer应用到authBuilder中,
//这个属性值是spring自动注入进来的,实际就是上边用@Bean放进来的三个configurer
for (GlobalAuthenticationConfigurerAdapter config : globalAuthConfigurers) {
authBuilder.apply(config);
}
//执行构建器的build方法
authenticationManager = authBuilder.build();
if (authenticationManager == null) {
authenticationManager = getAuthenticationManagerBean();
}
this.authenticationManagerInitialized = true;
return authenticationManager;
}
}
接下里需要看下上边用@Bean放进来的几个Configurer的作用
2.3.1 InitializeUserDetailsBeanManagerConfigurer
class InitializeUserDetailsBeanManagerConfigurer
extends GlobalAuthenticationConfigurerAdapter {
static final int DEFAULT_ORDER = Ordered.LOWEST_PRECEDENCE - 5000;
private final ApplicationContext context;
/**
* @param context
*/
public InitializeUserDetailsBeanManagerConfigurer(ApplicationContext context) {
this.context = context;
}
@Override
public void init(AuthenticationManagerBuilder auth) throws Exception {
//这个configurer的init方法又给builder中添加了一个内部类
auth.apply(new InitializeUserDetailsManagerConfigurer());
}
class InitializeUserDetailsManagerConfigurer
extends GlobalAuthenticationConfigurerAdapter {
@Override
public void configure(AuthenticationManagerBuilder auth) throws Exception {
if (auth.isConfigured()) {
return;
}
//从容器中获取UserDetailsService的实现类
UserDetailsService userDetailsService = getBeanOrNull(
UserDetailsService.class);
if (userDetailsService == null) {
return;
}
//从容器中获取PasswordEncoder的实现类
PasswordEncoder passwordEncoder = getBeanOrNull(PasswordEncoder.class);
UserDetailsPasswordService passwordManager = getBeanOrNull(UserDetailsPasswordService.class);
//创建DaoAuthenticationProvider
DaoAuthenticationProvider provider = new DaoAuthenticationProvider();
//给provider中的UserDetailsService赋值
provider.setUserDetailsService(userDetailsService);
if (passwordEncoder != null) {
provider.setPasswordEncoder(passwordEncoder);
}
if (passwordManager != null) {
provider.setUserDetailsPasswordService(passwordManager);
}
provider.afterPropertiesSet();
//把provider添加到构建器中
auth.authenticationProvider(provider);
}
}
所以说这个configurer给AuthenticationManagerBuilder中添加了一个DaoAuthenticationProvider。
上边提到了从容器中获取UserDetailsService的实现类,如果有自定义当然会获取到自定义的那个,那如果没有自定义会怎么样呢,需要看下UserDetailsServiceAutoConfiguration
2.3.2 UserDetailsServiceAutoConfiguration
@Configuration
@ConditionalOnClass(AuthenticationManager.class)
@ConditionalOnBean(ObjectPostProcessor.class)
//条件注解,这个自动配置类只有在使用者没有自定义AuthenticationProvider,UserDetailsService时
//才会生效。
@ConditionalOnMissingBean({ AuthenticationManager.class, AuthenticationProvider.class,
UserDetailsService.class })
public class UserDetailsServiceAutoConfiguration {
private static final String NOOP_PASSWORD_PREFIX = "{noop}";
private static final Pattern PASSWORD_ALGORITHM_PATTERN = Pattern
.compile("^\\{.+}.*$");
private static final Log logger = LogFactory
.getLog(UserDetailsServiceAutoConfiguration.class);
//这个方法给容器中注入了一个基于内存的UserDetails实现,
@Bean
@ConditionalOnMissingBean(type = "org.springframework.security.oauth2.client.registration.ClientRegistrationRepository")
@Lazy
public InMemoryUserDetailsManager inMemoryUserDetailsManager(
SecurityProperties properties,
ObjectProvider<PasswordEncoder> passwordEncoder) {
SecurityProperties.User user = properties.getUser();
List<String> roles = user.getRoles();
return new InMemoryUserDetailsManager(User.withUsername(user.getName())
.password(getOrDeducePassword(user, passwordEncoder.getIfAvailable()))
.roles(StringUtils.toStringArray(roles)).build());
}
private String getOrDeducePassword(SecurityProperties.User user,
PasswordEncoder encoder) {
String password = user.getPassword();
if (user.isPasswordGenerated()) {
logger.info(String.format("%n%nUsing generated security password: %s%n",
user.getPassword()));
}
if (encoder != null || PASSWORD_ALGORITHM_PATTERN.matcher(password).matches()) {
return password;
}
return NOOP_PASSWORD_PREFIX + password;
}
}
2.3.3 InitializeAuthenticationProviderBeanManagerConfigurer
再看下InitializeAuthenticationProviderBeanManagerConfigurer
class InitializeAuthenticationProviderBeanManagerConfigurer
extends GlobalAuthenticationConfigurerAdapter {
static final int DEFAULT_ORDER = InitializeUserDetailsBeanManagerConfigurer.DEFAULT_ORDER
- 100;
private final ApplicationContext context;
/**
* @param context the ApplicationContext to look up beans.
*/
public InitializeAuthenticationProviderBeanManagerConfigurer(
ApplicationContext context) {
this.context = context;
}
@Override
public void init(AuthenticationManagerBuilder auth) throws Exception {
//同样的套路
auth.apply(new InitializeUserDetailsManagerConfigurer());
}
class InitializeUserDetailsManagerConfigurer
extends GlobalAuthenticationConfigurerAdapter {
@Override
public void configure(AuthenticationManagerBuilder auth) throws Exception {
if (auth.isConfigured()) {
return;
}
//从容器中获取AuthenticationProvider
AuthenticationProvider authenticationProvider = getBeanOrNull(
AuthenticationProvider.class);
if (authenticationProvider == null) {
return;
}
//添加到builder中
auth.authenticationProvider(authenticationProvider);
}
//从这个方法可以看出如果容器中存在多个type类型的bean会返回null
private <T> T getBeanOrNull(Class<T> type) {
String[] userDetailsBeanNames = InitializeAuthenticationProviderBeanManagerConfigurer.this.context
.getBeanNamesForType(type);
if (userDetailsBeanNames.length != 1) {
return null;
}
return InitializeAuthenticationProviderBeanManagerConfigurer.this.context
.getBean(userDetailsBeanNames[0], type);
}
}
}
2.3 localConfigureAuthenticationBldr的使用
上边第2.2节讲的使用spring security提供的自动配置来生成认证管理器,当不想使用自动配置时就要重写
WebSecurityConfigurerAdapter#configure(org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder) 这个方法,2.1节有提到
protected void configure(AuthenticationManagerBuilder auth) throws Exception {
//重写时要删掉这句,表示启用 LocalConfigureAuthenticationBldr
this.disableLocalConfigureAuthenticationBldr = true;
//调用auth提供的方法对它进行定制,一般最常用的是添加自己的AuthenticationProvider,
//这样后边创建出的认证管理器就会使用我们自己的AuthenticationProvider对请求进行认证
auth.authenticationProvider(myBuilder)
}