1,简要说明
在Spring Security中对用户进行认证的是AuthenticationManager,其只有一个方法,尝试对封装了认证信息的Authentication进行身份验证,如果成功,则返回完全填充的Authentication(包括授予的权限)。
public interface AuthenticationManager {
/**
* 尝试对通过Authentication实例对象封装的身份信息进行验证。
* 如果验证成功,则返回完全填充的Authentication对象(包括授予的权限)。
*
* AuthenticationManager 建议遵循以下的约定
* 1,如果帐户被禁用并且AuthenticationManager可以测试此状态,则必须引发 DisabledException
* 2,如果帐户被锁定并且并且AuthenticationManager可以测试帐户锁定,则必须抛出LockedException
* 3,如果凭据不正确,则必须抛出BadCredentialsException
* 虽然上述选项是可选的,但是 AuthenticationManager 必须始终测试凭据。
* 我们应该上述顺序捕获这些异常,同时实现者也应按上述顺序抛出异常(即,如果帐户被禁用或锁定,
* 则立即拒绝身份验证请求,并且不执行凭据测试过程),这可以防止根据禁用或锁定的帐户测试凭据。
*/
Authentication authenticate(Authentication authentication)
throws AuthenticationException;
}
AuthenticationManager 只关注认证成功与否而并不关心具体的认证方式。例如我们可以通过用户名及密码、短信、刷脸、OAuth2协议等方式进行认证。对于这些具体认证方式是交给了AuthenticationProvider来负责。
public interface AuthenticationProvider {
/**
*使用与AuthenticationManager的authenticate方法相同的
*协定执行身份验证(例如按照什么规则抛出异常等)
*/
Authentication authenticate(Authentication authentication)
throws AuthenticationException;
/**
*如果支持指定的Authentication 对象,则返回true</code
*/
boolean supports(Class<?> authentication);
}
下面展示了AuthenticationProvider的部分实现
AuthenticationProvider的部分实现
AuthenticationManager与AuthenticationProvider 是怎么被创建使用,以及如何自由的添加认证方式的问题,在下面的内容中将进一步分析
2,认证方式的全局配置
前面章节分析了WebSecurityConfiguration配置类里面相关的内容,现在回到@EnableWebSecurity 注解上,我们接着分析下@EnableGlobalAuthentication内部都做了些啥
@Retention(value = java.lang.annotation.RetentionPolicy.RUNTIME)
@Target(value = { java.lang.annotation.ElementType.TYPE })
@Documented
@Import({ WebSecurityConfiguration.class,
SpringWebMvcImportSelector.class,
OAuth2ImportSelector.class })
@EnableGlobalAuthentication
@Configuration
public @interface EnableWebSecurity {
/**
* Controls debugging support for Spring Security. Default is false.
* @return if true, enables debug support with Spring Security
*/
boolean debug() default false;
}
@EnableGlobalAuthentication
@Retention(value = java.lang.annotation.RetentionPolicy.RUNTIME)
@Target(value = { java.lang.annotation.ElementType.TYPE })
@Documented
@Import(AuthenticationConfiguration.class)
@Configuration
public @interface EnableGlobalAuthentication {
}
其重点就是导入了AuthenticationConfiguration配置对象
@Configuration(proxyBeanMethods = false)
@Import(ObjectPostProcessorConfiguration.class)
public class AuthenticationConfiguration {
... ...
}
AuthenticationConfiguration 中还导入了ObjectPostProcessorConfiguration配置,该配置比较简单,就是实例化了一个bean,而该Bean在前面的章节中也在不断的用到
@Configuration(proxyBeanMethods = false)
public class ObjectPostProcessorConfiguration {
@Bean
public ObjectPostProcessor<Object> objectPostProcessor(
AutowireCapableBeanFactory beanFactory) {
return new AutowireBeanFactoryObjectPostProcessor(beanFactory);
}
}
3,AuthenticationConfiguration
下面,我们深入分析下AuthenticationConfiguration配置类的实现。
先简单的说下AuthenticationManager构建的主体过程
- AuthenticationConfiguration中收集所有GlobalAuthenticationConfigurerAdapter类型的Bean并保存到globalAuthConfigurers中;
- AuthenticationConfiguration中创建AuthenticationManagerBuilder类型的实例对象DefaultPasswordEncoderAuthenticationManagerBuilder;
- 将globalAuthConfigurers里面的对象传递给AuthenticationManagerBuilder;
- 执行AuthenticationManagerBuilder的build()方法完成AuthenticationManager的构建;
- WebSecurityConfigurerAdapter中调用AuthenticationConfiguration的getAuthenticationManager()方法得到构建的AuthenticationManager类似对象;
@Configuration(proxyBeanMethods = false)
@Import(ObjectPostProcessorConfiguration.class)
public class AuthenticationConfiguration {
private AtomicBoolean buildingAuthenticationManager = new AtomicBoolean();
private ApplicationContext applicationContext;
private AuthenticationManager authenticationManager;
private boolean authenticationManagerInitialized;
private List<GlobalAuthenticationConfigurerAdapter> globalAuthConfigurers = Collections
.emptyList();
private ObjectPostProcessor<Object> objectPostProcessor;
@Autowired
public void setApplicationContext(ApplicationContext applicationContext) {
this.applicationContext = applicationContext;
}
@Autowired
public void setObjectPostProcessor(ObjectPostProcessor<Object> objectPostProcessor) {
this.objectPostProcessor = objectPostProcessor;
}
//收集GlobalAuthenticationConfigurerAdapter类型对象
@Autowired(required = false)
public void setGlobalAuthenticationConfigurers(
List<GlobalAuthenticationConfigurerAdapter> configurers) {
configurers.sort(AnnotationAwareOrderComparator.INSTANCE);
this.globalAuthConfigurers = configurers;
}
@Bean
public static GlobalAuthenticationConfigurerAdapter enableGlobalAuthenticationAutowiredConfigurer(
ApplicationContext context) {
//GlobalAuthenticationConfigurerAdapter类型对象
return new EnableGlobalAuthenticationAutowiredConfigurer(context);
}
//目的是构建默认的DaoAuthenticationProvider
@Bean
public static InitializeUserDetailsBeanManagerConfigurer initializeUserDetailsBeanManagerConfigurer(ApplicationContext context) {
//GlobalAuthenticationConfigurerAdapter类型对象
return new InitializeUserDetailsBeanManagerConfigurer(context);
}
//目的是将ApplicationContext中存在的AuthenticationProvider类型直接添加进来
@Bean
public static InitializeAuthenticationProviderBeanManagerConfigurer initializeAuthenticationProviderBeanManagerConfigurer(ApplicationContext context) {
//GlobalAuthenticationConfigurerAdapter类型对象
return new InitializeAuthenticationProviderBeanManagerConfigurer(context);
}
//身份验证管理器生成器【下面个方法会获取使用】
@Bean
public AuthenticationManagerBuilder authenticationManagerBuilder(
ObjectPostProcessor<Object> objectPostProcessor, ApplicationContext context) {
//创建“惰性”密码编码器,所谓“惰性”是指在真正使用到某个方法时才去到ApplicationContext中
//获取PasswordEncoder类型的对象进行调用【对于不确定某对象何时加入到ApplicationContext是挺有用】
//默认情况,如果ApplicationContext没有得到PasswordEncoder类型的实例,
//则使用默认的DelegatingPasswordEncoder
LazyPasswordEncoder defaultPasswordEncoder = new LazyPasswordEncoder(context);
//从ApplicationContext中获取AuthenticationEventPublisher类型的bean
AuthenticationEventPublisher authenticationEventPublisher = getBeanOrNull(context, AuthenticationEventPublisher.class);
//创建默认的AuthenticationManagerBuilder实例
DefaultPasswordEncoderAuthenticationManagerBuilder result = new DefaultPasswordEncoderAuthenticationManagerBuilder(objectPostProcessor, defaultPasswordEncoder);
if (authenticationEventPublisher != null) {
result.authenticationEventPublisher(authenticationEventPublisher);
}
return result;
}
//创建身份认证管理器实例
//注意:该方法在WebSecurityConfigurerAdapter中被调用
public AuthenticationManager getAuthenticationManager() throws Exception {
if (this.authenticationManagerInitialized) {
return this.authenticationManager;
}
//获取身份验证管理器生成器DefaultPasswordEncoderAuthenticationManagerBuilder
AuthenticationManagerBuilder authBuilder = this.applicationContext.getBean(AuthenticationManagerBuilder.class);
if (this.buildingAuthenticationManager.getAndSet(true)) { //第一次调用不会进入,后面都会进入
return new AuthenticationManagerDelegator(authBuilder);
}
for (GlobalAuthenticationConfigurerAdapter config : globalAuthConfigurers) {
authBuilder.apply(config);
}
//重点需要关注这个方法执行的过程【重点】
authenticationManager = authBuilder.build();
if (authenticationManager == null) {
authenticationManager = getAuthenticationManagerBean();
}
this.authenticationManagerInitialized = true;
return authenticationManager;
}
private AuthenticationManager getAuthenticationManagerBean() {
return lazyBean(AuthenticationManager.class);
}
}
3.1 ,DefaultPasswordEncoderAuthenticationManagerBuilder
由上门可知,其默认使用DefaultPasswordEncoderAuthenticationManagerBuilder作为认证管理的构建器,下面分析其build()方法的执行过程。
AuthenticationManagerBuilder
DefaultPasswordEncoderAuthenticationManagerBuilder在执行build()方法时,其父类AbstractConfiguredSecurityBuilder的doBuild()方法被执行,前面有说过,这个方法是个模板方法,如下所示:
public abstract class AbstractConfiguredSecurityBuilder<O, B extends SecurityBuilder<O>>
extends AbstractSecurityBuilder<O> {
private final Log logger = LogFactory.getLog(getClass());
private final LinkedHashMap<Class<? extends SecurityConfigurer<O, B>>, List<SecurityConfigurer<O, B>>> configurers = new LinkedHashMap<>();
private final List<SecurityConfigurer<O, B>> configurersAddedInInitializing = new ArrayList<>();
private final Map<Class<?>, Object> sharedObjects = new HashMap<>();
private final boolean allowConfigurersOfSameType;
private BuildState buildState = BuildState.UNBUILT;
private ObjectPostProcessor<Object> objectPostProcessor;
//模板方法
protected final O doBuild() throws Exception {
synchronized (configurers) {
buildState = BuildState.INITIALIZING;
beforeInit();
init(); //这个方法的执行是关键
buildState = BuildState.CONFIGURING;
beforeConfigure();
configure();
buildState = BuildState.BUILDING;
O result = performBuild(); //执行子类的具体实现
buildState = BuildState.BUILT;
return result;
}
}
protected abstract O performBuild() throws Exception;
@SuppressWarnings("unchecked")
private void init() throws Exception {
//当前这里存储的是GlobalAuthenticationConfigurerAdapter类型的实例,
//默认的有:InitializeUserDetailsBeanManagerConfigurer、
//InitializeAuthenticationProviderBeanManagerConfigurer、
//EnableGlobalAuthenticationAutowiredConfigurer
Collection<SecurityConfigurer<O, B>> configurers = getConfigurers();
for (SecurityConfigurer<O, B> configurer : configurers) {
configurer.init((B) this);
}
for (SecurityConfigurer<O, B> configurer : configurersAddedInInitializing) {
configurer.init((B) this);
}
}
@SuppressWarnings("unchecked")
private void configure() throws Exception {
//当前这里存储的是GlobalAuthenticationConfigurerAdapter类型的实例,
//默认的有:InitializeUserDetailsBeanManagerConfigurer、
//InitializeAuthenticationProviderBeanManagerConfigurer、
//EnableGlobalAuthenticationAutowiredConfigurer
Collection<SecurityConfigurer<O, B>> configurers = getConfigurers();
for (SecurityConfigurer<O, B> configurer : configurers) {
configurer.configure((B) this);
}
}
}
接着我们分析下这三个默认的GlobalAuthenticationConfigurerAdapter类型的实例中init和configure方法都做了啥
3.2 InitializeUserDetailsBeanManagerConfigurer
该类的目的纯粹是为了添加InitializeUserDetailsManagerConfigurer配置,通过在其configure方法阶段创建DaoAuthenticationProvider对象,最终被添加到ProviderManager中
@Order(InitializeUserDetailsBeanManagerConfigurer.DEFAULT_ORDER)
class InitializeUserDetailsBeanManagerConfigurer
extends GlobalAuthenticationConfigurerAdapter {
static final int DEFAULT_ORDER = Ordered.LOWEST_PRECEDENCE - 5000;
private final ApplicationContext context;
/**
* @param context
*/
InitializeUserDetailsBeanManagerConfigurer(ApplicationContext context) {
this.context = context;
}
//注意:这里并没有重写configure方法
@Override
public void init(AuthenticationManagerBuilder auth) throws Exception {
//直接添加InitializeUserDetailsManagerConfigurer配置类
auth.apply(new InitializeUserDetailsManagerConfigurer());
}
class InitializeUserDetailsManagerConfigurer
extends GlobalAuthenticationConfigurerAdapter {
//重写configure方法
@Override
public void configure(AuthenticationManagerBuilder auth) throws Exception {
if (auth.isConfigured()) {
return;
}
//用于根据用户名得到用户信息
//Springboot的自动化配置中会默认创建InMemoryUserDetailsManager
UserDetailsService userDetailsService = getBeanOrNull(
UserDetailsService.class);
if (userDetailsService == null) {
return;
}
//用于对用户的密码进行加密以及密码比对验证
PasswordEncoder passwordEncoder = getBeanOrNull(PasswordEncoder.class);
//用户更新用户密码
UserDetailsPasswordService passwordManager = getBeanOrNull(UserDetailsPasswordService.class);
DaoAuthenticationProvider provider = new DaoAuthenticationProvider();
provider.setUserDetailsService(userDetailsService);
if (passwordEncoder != null) {
provider.setPasswordEncoder(passwordEncoder);
}
if (passwordManager != null) {
provider.setUserDetailsPasswordService(passwordManager);
}
//用于验证provider中的userDetailsService是否为空【不许为空】
provider.afterPropertiesSet();
//直接添加回DefaultPasswordEncoderAuthenticationManagerBuilder
auth.authenticationProvider(provider);
}
/**
* @return a bean of the requested class if there's just a single registered component, null otherwise.
*/
private <T> T getBeanOrNull(Class<T> type) {
String[] userDetailsBeanNames = InitializeUserDetailsBeanManagerConfigurer.this.context
.getBeanNamesForType(type);
if (userDetailsBeanNames.length != 1) {
return null;
}
return InitializeUserDetailsBeanManagerConfigurer.this.context
.getBean(userDetailsBeanNames[0], type);
}
}
}
Springboot的自动化配置中会默认创建InMemoryUserDetailsManager,请参考Spring Security解析二:自动化装配
我们也可以通过配置来指定,例如:
public class WebSecurityConfig extends WebSecurityConfigurerAdapter {
@Override
protected void configure(AuthenticationManagerBuilder auth) throws Exception {
auth
.jdbcAuthentication()
.dataSource(dataSource)
.withDefaultSchema()
.withUser("user").password("password").roles("USER").and()
.withUser("admin").password("password").roles("USER", "ADMIN");
}
接着进一步研究下DaoAuthenticationProvider都做了些啥,它是怎么对身份进行认证的?
DaoAuthenticationProvider继承关系
3.2.1 AbstractUserDetailsAuthenticationProvider
public abstract class AbstractUserDetailsAuthenticationProvider implements
AuthenticationProvider, InitializingBean, MessageSourceAware {
protected final Log logger = LogFactory.getLog(getClass());
// ~ Instance fields
// ================================================================================================
protected MessageSourceAccessor messages = SpringSecurityMessageSource.getAccessor();
private UserCache userCache = new NullUserCache();
private boolean forcePrincipalAsString = false;
protected boolean hideUserNotFoundExceptions = true;
private UserDetailsChecker preAuthenticationChecks = new DefaultPreAuthenticationChecks();
private UserDetailsChecker postAuthenticationChecks = new DefaultPostAuthenticationChecks();
private GrantedAuthoritiesMapper authoritiesMapper = new NullAuthoritiesMapper();
protected abstract void additionalAuthenticationChecks(UserDetails userDetails,
UsernamePasswordAuthenticationToken authentication)
throws AuthenticationException;
protected abstract UserDetails retrieveUser(String username,
UsernamePasswordAuthenticationToken authentication)
throws AuthenticationException;
//说明该身份认证方式仅适合UsernamePasswordAuthenticationToken
@Override
public boolean supports(Class<?> authentication) {
return (UsernamePasswordAuthenticationToken.class
.isAssignableFrom(authentication));
}
@Override
public Authentication authenticate(Authentication authentication)
throws AuthenticationException {
Assert.isInstanceOf(UsernamePasswordAuthenticationToken.class, authentication,
() -> messages.getMessage(
"AbstractUserDetailsAuthenticationProvider.onlySupports",
"Only UsernamePasswordAuthenticationToken is supported"));
// 从认证主体中得到用户名(或返回未提供-NONE_PROVIDED)
String username = (authentication.getPrincipal() == null) ? "NONE_PROVIDED"
: authentication.getName();
boolean cacheWasUsed = true;
//从缓存中取得用户信息(默认使用的缓存是NullUserCache)
UserDetails user = this.userCache.getUserFromCache(username);
if (user == null) {
cacheWasUsed = false;
try {
//检索用户【由子类实现】
user = retrieveUser(username,
(UsernamePasswordAuthenticationToken) authentication);
}
catch (UsernameNotFoundException notFound) {
logger.debug("User '" + username + "' not found");
if (hideUserNotFoundExceptions) {
throw new BadCredentialsException(messages.getMessage(
"AbstractUserDetailsAuthenticationProvider.badCredentials",
"Bad credentials"));
}
else {
throw notFound;
}
}
Assert.notNull(user,
"retrieveUser returned null - a violation of the interface contract");
}
try {
//检测UserDetails的状态【是否被锁、是否可用、是否过期】
preAuthenticationChecks.check(user);
//子类执行任何附加检查,例如:验证密码是否匹配
additionalAuthenticationChecks(user,
(UsernamePasswordAuthenticationToken) authentication);
}
catch (AuthenticationException exception) {
if (cacheWasUsed) {
//如果从缓存中得到的用户信息验证失败,则从非缓存的地方得到重新验证
// There was a problem, so try again after checking
// we're using latest data (i.e. not from the cache)
cacheWasUsed = false;
user = retrieveUser(username,
(UsernamePasswordAuthenticationToken) authentication);
preAuthenticationChecks.check(user);
additionalAuthenticationChecks(user,
(UsernamePasswordAuthenticationToken) authentication);
}
else {
throw exception;
}
}
//检测UserDetails的状态【凭据是否未过期】
postAuthenticationChecks.check(user);
if (!cacheWasUsed) {
//将通过检查的用户信息加入缓存
this.userCache.putUserInCache(user);
}
Object principalToReturn = user;
if (forcePrincipalAsString) { //值返回用户名
principalToReturn = user.getUsername();
}
//返回成功的响应
return createSuccessAuthentication(principalToReturn, authentication, user);
}
//注意:子类有重写
protected Authentication createSuccessAuthentication(Object principal,
Authentication authentication, UserDetails user) {
// Ensure we return the original credentials the user supplied,
// so subsequent attempts are successful even with encoded passwords.
// Also ensure we return the original getDetails(), so that future
// authentication events after cache expiry contain the details
UsernamePasswordAuthenticationToken result = new UsernamePasswordAuthenticationToken(
principal, authentication.getCredentials(),
authoritiesMapper.mapAuthorities(user.getAuthorities()));
result.setDetails(authentication.getDetails());
return result;
}
}
可见上的操作主要是从某个地方得到用户信息,然后检查用户的状态,如果检查失败则抛出相应的异常,否则返回成功的认证信息。
上面的retrieveUser与additionalAuthenticationChecks是需要继续研究的地方
3.2.2 DaoAuthenticationProvider
public class DaoAuthenticationProvider extends AbstractUserDetailsAuthenticationProvider {
private PasswordEncoder passwordEncoder;
private UserDetailsService userDetailsService;
private UserDetailsPasswordService userDetailsPasswordService;
public DaoAuthenticationProvider() {
setPasswordEncoder(PasswordEncoderFactories.createDelegatingPasswordEncoder());
}
@SuppressWarnings("deprecation")
@Override
protected void additionalAuthenticationChecks(UserDetails userDetails,
UsernamePasswordAuthenticationToken authentication)
throws AuthenticationException {
if (authentication.getCredentials() == null) {
logger.debug("Authentication failed: no credentials provided");
throw new BadCredentialsException(messages.getMessage(
"AbstractUserDetailsAuthenticationProvider.badCredentials",
"Bad credentials"));
}
String presentedPassword = authentication.getCredentials().toString();
if (!passwordEncoder.matches(presentedPassword, userDetails.getPassword())) {
logger.debug("Authentication failed: password does not match stored value");
throw new BadCredentialsException(messages.getMessage(
"AbstractUserDetailsAuthenticationProvider.badCredentials",
"Bad credentials"));
}
}
@Override
protected final UserDetails retrieveUser(String username,
UsernamePasswordAuthenticationToken authentication)
throws AuthenticationException {
prepareTimingAttackProtection();
try {
UserDetails loadedUser = this.getUserDetailsService().loadUserByUsername(username);
if (loadedUser == null) {
throw new InternalAuthenticationServiceException(
"UserDetailsService returned null, which is an interface contract violation");
}
return loadedUser;
}
catch (UsernameNotFoundException ex) {
mitigateAgainstTimingAttack(authentication);
throw ex;
}
catch (InternalAuthenticationServiceException ex) {
throw ex;
}
catch (Exception ex) {
throw new InternalAuthenticationServiceException(ex.getMessage(), ex);
}
}
@Override
protected Authentication createSuccessAuthentication(Object principal,
Authentication authentication, UserDetails user) {
boolean upgradeEncoding = this.userDetailsPasswordService != null
&& this.passwordEncoder.upgradeEncoding(user.getPassword());
if (upgradeEncoding) {
String presentedPassword = authentication.getCredentials().toString();
String newPassword = this.passwordEncoder.encode(presentedPassword);
user = this.userDetailsPasswordService.updatePassword(user, newPassword);
}
return super.createSuccessAuthentication(principal, authentication, user);
}
}
上面通过userDetailsService来得到用户的信息,并通过passwordEncoder来验证密码是否正确,而这两个对象是通过上面 3.2小结里的InitializeUserDetailsManagerConfigurer中从ApplicationContext获得。
3.3 InitializeAuthenticationProviderBeanManagerConfigurer
该类的目的纯粹是为了添加InitializeUserDetailsManagerConfigurer配置,通过在其configure方法阶段从ApplicationContext中得到AuthenticationProvider类型的Bean,并加入到ProviderManager中
@Order(InitializeAuthenticationProviderBeanManagerConfigurer.DEFAULT_ORDER)
class InitializeAuthenticationProviderBeanManagerConfigurer
extends GlobalAuthenticationConfigurerAdapter {
static final int DEFAULT_ORDER = InitializeUserDetailsBeanManagerConfigurer.DEFAULT_ORDER
- 100;
private final ApplicationContext context;
/**
* @param context the ApplicationContext to look up beans.
*/
InitializeAuthenticationProviderBeanManagerConfigurer(
ApplicationContext context) {
this.context = context;
}
@Override
public void init(AuthenticationManagerBuilder auth) throws Exception {
auth.apply(new InitializeUserDetailsManagerConfigurer());
}
class InitializeUserDetailsManagerConfigurer
extends GlobalAuthenticationConfigurerAdapter {
@Override
public void configure(AuthenticationManagerBuilder auth) {
if (auth.isConfigured()) {
return;
}
//直接从ApplicationContext中得到AuthenticationProvider类型Bean
//也就是说,我们可以自定义一个,直接加入到ApplicationContext就可生效了,方便扩展
AuthenticationProvider authenticationProvider = getBeanOrNull(
AuthenticationProvider.class);
if (authenticationProvider == null) {
return;
}
//这里直接添加到DefaultPasswordEncoderAuthenticationManagerBuilder中
auth.authenticationProvider(authenticationProvider);
}
/**
* @return
*/
private <T> T getBeanOrNull(Class<T> type) {
String[] userDetailsBeanNames = InitializeAuthenticationProviderBeanManagerConfigurer.this.context
.getBeanNamesForType(type);
if (userDetailsBeanNames.length != 1) {
return null;
}
return InitializeAuthenticationProviderBeanManagerConfigurer.this.context
.getBean(userDetailsBeanNames[0], type);
}
}
}
小结:
Spring Security默认给我们创建了一个支持UsernamePasswordAuthenticationToken认证的AuthenticationProvider,里面用到了从ApplicationContext中取到的UserDetailsService、PasswordEncoder和UserDetailsPasswordService的实例对象;
我们可以自定义AuthenticationProvider实例来添加其它类型的验证工作,同时,只需要将实例对象添加到ApplicationContext容器中即可生效。
经过上来的步骤后,在DefaultPasswordEncoderAuthenticationManagerBuilder的authenticationProviders属性中添加了一个或多个AuthenticationProvider,接下来的工作便是执行DefaultPasswordEncoderAuthenticationManagerBuilder的performBuild()方法完成AuthenticationManager的创建工作。当然,其实该方法是在父类AuthenticationManagerBuilder中的。
public class AuthenticationManagerBuilder
extends
AbstractConfiguredSecurityBuilder<AuthenticationManager, AuthenticationManagerBuilder>
implements ProviderManagerBuilder<AuthenticationManagerBuilder> {
private final Log logger = LogFactory.getLog(getClass());
private AuthenticationManager parentAuthenticationManager;
private List<AuthenticationProvider> authenticationProviders = new ArrayList<>();
private UserDetailsService defaultUserDetailsService;
private Boolean eraseCredentials;
private AuthenticationEventPublisher eventPublisher;
@Override
protected ProviderManager performBuild() throws Exception {
if (!isConfigured()) {
logger.debug("No authenticationProviders and no parentAuthenticationManager defined. Returning null.");
return null;
}
ProviderManager providerManager = new ProviderManager(authenticationProviders,
parentAuthenticationManager);
if (eraseCredentials != null) {
providerManager.setEraseCredentialsAfterAuthentication(eraseCredentials);
}
if (eventPublisher != null) {
providerManager.setAuthenticationEventPublisher(eventPublisher);
}
providerManager = postProcess(providerManager);
return providerManager;
}
}
返回的其实是ProviderManager,而ProviderManager可以看成是AuthenticationManager的代理对象,里面保存了多个AuthenticationManager的实现。
public class ProviderManager implements AuthenticationManager, MessageSourceAware,
InitializingBean {
// ~ Static fields/initializers
// =====================================================================================
private static final Log logger = LogFactory.getLog(ProviderManager.class);
// ~ Instance fields
// ================================================================================================
private AuthenticationEventPublisher eventPublisher = new NullEventPublisher();
private List<AuthenticationProvider> providers = Collections.emptyList();
protected MessageSourceAccessor messages = SpringSecurityMessageSource.getAccessor();
//可以是ProviderManager,目的是当无法进行身份认证时,再使用这个AuthenticationManager进行认证
private AuthenticationManager parent;
private boolean eraseCredentialsAfterAuthentication = true;
public ProviderManager(List<AuthenticationProvider> providers) {
this(providers, null);
}
public ProviderManager(List<AuthenticationProvider> providers,
AuthenticationManager parent) {
Assert.notNull(providers, "providers list cannot be null");
this.providers = providers;
this.parent = parent;
checkState();
}
public void afterPropertiesSet() {
checkState();
}
private void checkState() {
if (parent == null && providers.isEmpty()) {
throw new IllegalArgumentException(
"A parent AuthenticationManager or a list "
+ "of AuthenticationProviders is required");
}
}
@Override
public Authentication authenticate(Authentication authentication)
throws AuthenticationException {
Class<? extends Authentication> toTest = authentication.getClass();
AuthenticationException lastException = null;
AuthenticationException parentException = null;
Authentication result = null;
Authentication parentResult = null;
boolean debug = logger.isDebugEnabled();
//查找匹配的 AuthenticationProvider 来执行验证
for (AuthenticationProvider provider : getProviders()) {
if (!provider.supports(toTest)) {
continue;
}
try {
result = provider.authenticate(authentication);
if (result != null) {
copyDetails(authentication, result);
break;
}
}
catch (AccountStatusException | InternalAuthenticationServiceException e) {
prepareException(e, authentication);
// SEC-546: Avoid polling additional providers if auth failure is due to
// invalid account status
throw e;
} catch (AuthenticationException e) {
lastException = e;
}
}
if (result == null && parent != null) {
// Allow the parent to try.
try {
result = parentResult = parent.authenticate(authentication);
}
catch (ProviderNotFoundException e) {
// ignore as we will throw below if no other exception occurred prior to
// calling parent and the parent
// may throw ProviderNotFound even though a provider in the child already
// handled the request
}
catch (AuthenticationException e) {
lastException = parentException = e;
}
}
if (result != null) {
if (eraseCredentialsAfterAuthentication
&& (result instanceof CredentialsContainer)) {
// Authentication is complete. Remove credentials and other secret data
// from authentication
((CredentialsContainer) result).eraseCredentials();
}
// If the parent AuthenticationManager was attempted and successful than it will publish an AuthenticationSuccessEvent
// This check prevents a duplicate AuthenticationSuccessEvent if the parent AuthenticationManager already published it
if (parentResult == null) {
eventPublisher.publishAuthenticationSuccess(result);
}
return result;
}
// Parent was null, or didn't authenticate (or throw an exception).
if (lastException == null) {
lastException = new ProviderNotFoundException(messages.getMessage(
"ProviderManager.providerNotFound",
new Object[] { toTest.getName() },
"No AuthenticationProvider found for {0}"));
}
// If the parent AuthenticationManager was attempted and failed than it will publish an AbstractAuthenticationFailureEvent
// This check prevents a duplicate AbstractAuthenticationFailureEvent if the parent AuthenticationManager already published it
if (parentException == null) {
prepareException(lastException, authentication);
}
throw lastException;
}
}
Spring Security默认情况下为我们创建了一个基于用户名和密码进行验证的AuthenticationManager实例,同时收集ApplicationContext中的AuthenticationProvider类型的Bean 一起添加到ProviderManager(AuthenticationManager的子类)中供需要的地方进行使用。
构造器
AuthenticationManager
