Spring Security 3 Source Code Analysis (11): BasicAuthenticationFilter


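The BasicAuthenticationFilter filter corresponds to the class

org.springframework.security.web.authentication.www.BasicAuthenticationFilter

Basic authentication is used comparatively rarely. Spring Security also supports the Basic method; the configuration is as follows.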

XML code

    <security:http auto-config="true">
        <!-- -->
        <security:http-basic/>
        <security:logout logout-success-url="/login.jsp" invalidate-session="true"/>
        <security:intercept-url pattern="/login.jsp*" filters="none"/>
        <security:intercept-url pattern="/admin.jsp*" access="ROLE_ADMIN"/>
        <security:intercept-url pattern="/index.jsp*" access="ROLE_USER,ROLE_ADMIN"/>
        <security:intercept-url pattern="/**" access="ROLE_USER,ROLE_ADMIN"/>
    </security:http>

If you choose the Basic method, the definition of the form-login element must be commented out.

Next, let's look at how BasicAuthenticationFilter executes.

Java code

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        final boolean debug = logger.isDebugEnabled();
        final HttpServletRequest request = (HttpServletRequest) req;
        final HttpServletResponse response = (HttpServletResponse) res;
        // A Basic login sends an Authorization header
        // The value of Authorization is: Basic eXVxaW5nc29uZzox
        // eXVxaW5nc29uZzox is a Base64-encoded string
        String header = request.getHeader("Authorization");
        if ((header != null) && header.startsWith("Basic ")) {
            byte[] base64Token = header.substring(6).getBytes("UTF-8");
            // After Base64 decoding, the token has the form username:password
            String token = new String(Base64.decode(base64Token), getCredentialsCharset(request));
            String username = "";
            String password = "";
            int delim = token.indexOf(":");
            if (delim != -1) {
                username = token.substring(0, delim);
                password = token.substring(delim + 1);
            }
            if (debug) {
                logger.debug("Basic Authentication Authorization header found for user '" + username + "'");
            }
            // From here the flow is essentially the same as form login: authentication, authorization, and so on
            if (authenticationIsRequired(username)) {
                UsernamePasswordAuthenticationToken authRequest =
                        new UsernamePasswordAuthenticationToken(username, password);
                authRequest.setDetails(authenticationDetailsSource.buildDetails(request));
                Authentication authResult;
                try {
                    authResult = authenticationManager.authenticate(authRequest);
                } catch (AuthenticationException failed) {
                    // Authentication failed
                    if (debug) {
                        logger.debug("Authentication request for user: " + username + " failed: " + failed.toString());
                    }
                    SecurityContextHolder.getContext().setAuthentication(null);
                    rememberMeServices.loginFail(request, response);
                    onUnsuccessfulAuthentication(request, response, failed);
                    if (ignoreFailure) {
                        chain.doFilter(request, response);
                    } else {
                        authenticationEntryPoint.commence(request, response, failed);
                    }
                    return;
                }
                // Authentication success
                if (debug) {
                    logger.debug("Authentication success: " + authResult.toString());
                }
                SecurityContextHolder.getContext().setAuthentication(authResult);
                rememberMeServices.loginSuccess(request, response, authResult);
                onSuccessfulAuthentication(request, response, authResult);
            }
        }
        chain.doFilter(request, response);
    }
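The header handling at the top of doFilter, as a standalone added example (not Spring Security's code and not from the original post). The class name BasicHeaderDemo and its parse and b64 helpers are hypothetical, java.util.Base64 stands in for the framework's Base64 class, and UTF-8 is assumed as the credentials charset. It decodes the header value quoted in the comments above, which shows that Base64 only encodes the credentials, splits on the first colon, and rejects malformed tokens instead of continuing with empty credentials.

```java
import java.nio.charset.StandardCharsets;
import java.util.Base64;

public class BasicHeaderDemo {

    /** Returns {username, password}, or null when the header is not a Basic header. */
    static String[] parse(String header) {
        // Same prefix test as the filter: any other header is left to the rest of the chain.
        if (header == null || !header.startsWith("Basic ")) {
            return null;
        }
        byte[] decoded;
        try {
            decoded = Base64.getDecoder().decode(header.substring(6).trim());
        } catch (IllegalArgumentException e) {
            throw new IllegalArgumentException("Basic token is not valid Base64", e);
        }
        // Assumption: UTF-8; the filter asks getCredentialsCharset(request) instead.
        String token = new String(decoded, StandardCharsets.UTF_8);
        // Split on the FIRST colon only: the password may itself contain ':'.
        int delim = token.indexOf(':');
        if (delim == -1) {
            // The filter shown above carries on with empty credentials; this sketch rejects.
            throw new IllegalArgumentException("Basic token has no ':' separator");
        }
        return new String[] { token.substring(0, delim), token.substring(delim + 1) };
    }

    /** Builds a Basic header from raw text (used only for the constructed samples). */
    static String b64(String raw) {
        return "Basic " + Base64.getEncoder().encodeToString(raw.getBytes(StandardCharsets.UTF_8));
    }

    public static void main(String[] args) {
        // First entry is the header value quoted in the filter's comments; the rest are constructed.
        String[] samples = { "Basic eXVxaW5nc29uZzox", b64("alice:pa:ss"), "Basic !!!!", b64("nocolon") };
        for (String header : samples) {
            try {
                String[] c = parse(header);
                System.out.println("user=" + c[0] + " password=" + c[1]);
            } catch (IllegalArgumentException e) {
                System.out.println("rejected: " + e.getMessage());
            }
        }
    }
}
```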

Source: http://ddrv.cn

Copyright belongs to the original author. For reproduction in any form, please contact the blogger: daming_90 (Java 技术驿站).
