Spring Security 3 Source Code Analysis: BasicAuthenticationFilter

Posted: 2012-05-08   Author: Dead_knight   Source: reposted
The BasicAuthenticationFilter filter corresponds to the class
org.springframework.security.web.authentication.www.BasicAuthenticationFilter

Basic authentication is used comparatively rarely. Spring Security also supports Basic authentication; it is configured as follows:
<security:http auto-config="true">
    <!-- <security:form-login login-page="/login.jsp"/>-->
    <security:http-basic/>
    <security:logout logout-success-url="/login.jsp" invalidate-session="true"/>
    <security:intercept-url pattern="/login.jsp*" filters="none"/>
    <security:intercept-url pattern="/admin.jsp*" access="ROLE_ADMIN"/>
    <security:intercept-url pattern="/index.jsp*" access="ROLE_USER,ROLE_ADMIN"/>
    <security:intercept-url pattern="/**" access="ROLE_USER,ROLE_ADMIN"/>
</security:http>

If you choose Basic authentication, the form-login tag definition has to be commented out.

Next, let's look at how BasicAuthenticationFilter executes:
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        final boolean debug = logger.isDebugEnabled();
        final HttpServletRequest request = (HttpServletRequest) req;
        final HttpServletResponse response = (HttpServletResponse) res;
        // With Basic login, the client sends an Authorization header
        // The Authorization value looks like: Basic eXVxaW5nc29uZzox
        // eXVxaW5nc29uZzox is a Base64-encoded string
        String header = request.getHeader("Authorization");
        if ((header != null) && header.startsWith("Basic ")) {
            byte[] base64Token = header.substring(6).getBytes("UTF-8");
            // After Base64 decoding, the token has the form username:password
            String token = new String(Base64.decode(base64Token), getCredentialsCharset(request));
            String username = "";
            String password = "";
            int delim = token.indexOf(":");

            if (delim != -1) {
                username = token.substring(0, delim);
                password = token.substring(delim + 1);
            }

            if (debug) {
                logger.debug("Basic Authentication Authorization header found for user '" + username + "'");
            }
            // The rest of the flow is basically the same as with the login approach: authentication, authorization, and so on
            if (authenticationIsRequired(username)) {
                UsernamePasswordAuthenticationToken authRequest =
                        new UsernamePasswordAuthenticationToken(username, password);
                authRequest.setDetails(authenticationDetailsSource.buildDetails(request));

                Authentication authResult;

                try {
                    authResult = authenticationManager.authenticate(authRequest);
                } catch (AuthenticationException failed) {
                    // Authentication failed
                    if (debug) {
                        logger.debug("Authentication request for user: " + username + " failed: " + failed.toString());
                    }

                    SecurityContextHolder.getContext().setAuthentication(null);

                    rememberMeServices.loginFail(request, response);

                    onUnsuccessfulAuthentication(request, response, failed);

                    if (ignoreFailure) {
                        chain.doFilter(request, response);
                    } else {
                        authenticationEntryPoint.commence(request, response, failed);
                    }

                    return;
                }

                // Authentication success
                if (debug) {
                    logger.debug("Authentication success: " + authResult.toString());
                }

                SecurityContextHolder.getContext().setAuthentication(authResult);

                rememberMeServices.loginSuccess(request, response, authResult);

                onSuccessfulAuthentication(request, response, authResult);
            }
        }

        chain.doFilter(request, response);
    }
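
The header handling at the top of doFilter, isolated as an added example (not Spring Security's code and not part of the original post): it decodes a constructed Basic header, which shows that Base64 is reversible encoding rather than encryption, and it rejects malformed values instead of continuing with empty credentials. The class name BasicHeaderDemo, the parse helper and the sample credentials are assumptions made for illustration; java.util.Base64 requires Java 8 or later.

```java
import java.nio.charset.StandardCharsets;
import java.util.Base64;

// Added example, not Spring Security code: stand-alone parsing of a Basic header.
public class BasicHeaderDemo {

    /** Returns {username, password}, or null if the header is not a well-formed Basic credential. */
    static String[] parse(String header) {
        if (header == null || !header.startsWith("Basic ")) {
            return null; // same prefix test as the filter; other schemes are ignored
        }
        byte[] decoded;
        try {
            decoded = Base64.getDecoder().decode(header.substring(6).trim());
        } catch (IllegalArgumentException e) {
            return null; // not valid Base64
        }
        String token = new String(decoded, StandardCharsets.UTF_8);
        int delim = token.indexOf(':'); // first colon only: the password may contain ':'
        if (delim == -1) {
            return null; // the filter shown above would continue with empty credentials here
        }
        return new String[] { token.substring(0, delim), token.substring(delim + 1) };
    }

    public static void main(String[] args) {
        // Constructed sample credentials, encoded the way a client would encode them.
        String header = "Basic " + Base64.getEncoder()
                .encodeToString("alice:s3cret:with:colons".getBytes(StandardCharsets.UTF_8));
        String[] creds = parse(header);
        System.out.println(header);
        System.out.println("username=" + creds[0] + " password=" + creds[1]);

        // Malformed inputs are rejected rather than authenticated with empty strings.
        System.out.println(parse("Basic !!!not-base64!!!") == null);
        System.out.println(parse("Basic " + Base64.getEncoder()
                .encodeToString("nocolon".getBytes(StandardCharsets.UTF_8))) == null);
        System.out.println(parse("Bearer abc") == null);
    }
}
```

Because anyone who can read the request can recover the password this way, Basic authentication should only be served over TLS.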
