Spring Security 3 Source Analysis: BasicAuthenticationFilter
程序员文章站
2022-04-25 21:50:59
The class behind the BasicAuthenticationFilter filter is
org.springframework.security.web.authentication.www.BasicAuthenticationFilter
HTTP Basic authentication is used less often than form login, but Spring Security supports it as well. The configuration looks like this:
```xml
<security:http auto-config="true">
    <!-- <security:form-login login-page="/login.jsp"/> -->
    <security:http-basic/>
    <security:logout logout-success-url="/login.jsp" invalidate-session="true"/>
    <security:intercept-url pattern="/login.jsp*" filters="none"/>
    <security:intercept-url pattern="/admin.jsp*" access="ROLE_ADMIN"/>
    <security:intercept-url pattern="/index.jsp*" access="ROLE_USER,ROLE_ADMIN"/>
    <security:intercept-url pattern="/**" access="ROLE_USER,ROLE_ADMIN"/>
</security:http>
```
If you choose the Basic scheme, the form-login element must be commented out, as above. Two caveats before looking at the code: Basic sends the username and password base64-encoded (not encrypted) in the Authorization header of every request, so it should only be used over HTTPS; and because the browser caches and resends those credentials on its own, invalidating the server session on logout does not stop the browser from authenticating again on the next request.
Next, the execution flow of BasicAuthenticationFilter:
```java
public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
        throws IOException, ServletException {
    final boolean debug = logger.isDebugEnabled();
    final HttpServletRequest request = (HttpServletRequest) req;
    final HttpServletResponse response = (HttpServletResponse) res;

    // A Basic login sends an Authorization header, for example
    //   Authorization: Basic eXVxaW5nc29uZzox
    // where eXVxaW5nc29uZzox is a base64-encoded string.
    String header = request.getHeader("Authorization");

    if ((header != null) && header.startsWith("Basic ")) {
        byte[] base64Token = header.substring(6).getBytes("UTF-8");
        // After base64 decoding the token has the form username:password.
        // The charset defaults to UTF-8; a client that encodes in another charset
        // produces a mangled username and a failed login.
        String token = new String(Base64.decode(base64Token), getCredentialsCharset(request));

        String username = "";
        String password = "";
        // Split at the first ':' only: the password may contain colons, the username may not.
        // If there is no ':' at all, both stay empty and an empty login is attempted.
        int delim = token.indexOf(":");

        if (delim != -1) {
            username = token.substring(0, delim);
            password = token.substring(delim + 1);
        }

        if (debug) {
            logger.debug("Basic Authentication Authorization header found for user '" + username + "'");
        }

        // From here on the flow is essentially the same as form login: authenticate, then authorize.
        // authenticationIsRequired() skips the AuthenticationManager when the SecurityContext
        // already holds an authenticated token for this same username.
        if (authenticationIsRequired(username)) {
            UsernamePasswordAuthenticationToken authRequest =
                    new UsernamePasswordAuthenticationToken(username, password);
            authRequest.setDetails(authenticationDetailsSource.buildDetails(request));
            Authentication authResult;

            try {
                authResult = authenticationManager.authenticate(authRequest);
            } catch (AuthenticationException failed) {
                // Authentication failed: clear the context, then either continue the chain
                // (ignoreFailure) or hand off to the entry point, which by default is
                // BasicAuthenticationEntryPoint and answers 401 with a WWW-Authenticate: Basic challenge.
                if (debug) {
                    logger.debug("Authentication request for user: " + username + " failed: " + failed.toString());
                }
                SecurityContextHolder.getContext().setAuthentication(null);
                rememberMeServices.loginFail(request, response);
                onUnsuccessfulAuthentication(request, response, failed);

                if (ignoreFailure) {
                    chain.doFilter(request, response);
                } else {
                    authenticationEntryPoint.commence(request, response, failed);
                }
                return;
            }

            // Authentication success
            if (debug) {
                logger.debug("Authentication success: " + authResult.toString());
            }
            SecurityContextHolder.getContext().setAuthentication(authResult);
            rememberMeServices.loginSuccess(request, response, authResult);
            onSuccessfulAuthentication(request, response, authResult);
        }
    }

    chain.doFilter(request, response);
}
```
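The header handling above is the part worth trying by hand: how a client builds the Authorization value, and what the filter's "decode, then split at the first ':'" logic yields for ordinary, colon-containing, colon-less, malformed and non-UTF-8 credentials. The following is an added example written for this page, not code from Spring Security; it is in Python rather than Java so it runs without a servlet container. build_basic_header plays the client, parse_basic_header mirrors the filter excerpt (same "Basic " prefix test, same first-colon split, same empty-string fallback), and the function names and the rejection of invalid base64 are this example's own choices, since the excerpt above does no base64 validation of its own. The credential eXVxaW5nc29uZzox from the page's comment is used as sample input.

```python
import base64
import binascii


def build_basic_header(username, password, charset="UTF-8"):
    """Build the Authorization value a client sends for HTTP Basic (RFC 7617).

    RFC 7617 forbids ':' in the user-id, because the server can only split on
    the first colon; everything after it is the password.
    """
    if ":" in username:
        raise ValueError("user-id must not contain ':' (RFC 7617)")
    token = f"{username}:{password}".encode(charset)
    return "Basic " + base64.b64encode(token).decode("ascii")


def parse_basic_header(header, charset="UTF-8"):
    """Mirror of the header handling in BasicAuthenticationFilter.doFilter.

    Returns None when there is no Basic header (the filter then just continues
    the chain), otherwise a (username, password) tuple. Like the filter, it
    splits on the first ':' and falls back to ("", "") when there is none.
    Invalid base64 is rejected here (example choice; the excerpt itself does
    not validate).
    """
    if header is None or not header.startswith("Basic "):
        return None
    base64_token = header[len("Basic "):].encode("utf-8")
    try:
        raw = base64.b64decode(base64_token, validate=True)
    except binascii.Error:
        return None
    # Java's new String(bytes, charset) substitutes U+FFFD for malformed input;
    # errors="replace" does the same, so a charset mismatch shows up as mojibake
    # rather than an exception, exactly as it would in the filter.
    token = raw.decode(charset, errors="replace")

    username = ""
    password = ""
    delim = token.find(":")
    if delim != -1:
        username = token[:delim]
        password = token[delim + 1:]
    return username, password


if __name__ == "__main__":
    # Constructed sample inputs, including the one from the page's comment.
    print(build_basic_header("yuqingsong", "1"))            # Basic eXVxaW5nc29uZzox
    print(parse_basic_header("Basic eXVxaW5nc29uZzox"))     # ('yuqingsong', '1')
    print(parse_basic_header(build_basic_header("alice", "p:a:ss")))
    print(parse_basic_header("Basic bm9jb2xvbg=="))         # no colon -> ('', '')
    print(parse_basic_header("Bearer abc"))                 # not Basic -> None
    # Charset mismatch: client encodes ISO-8859-1, server decodes UTF-8 (the default).
    h = build_basic_header("jörg", "x", charset="ISO-8859-1")
    print(parse_basic_header(h), parse_basic_header(h, charset="ISO-8859-1"))
```

The last case is the one that bites in practice: a browser or tool that encodes a non-ASCII username in ISO-8859-1 against a server decoding with the default UTF-8 yields a username the UserDetailsService will never find, and the login fails with no obvious reason in the logs.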