Contents
1.1 Configuration
1.2 AuthenticationTrustResolver
For users who access the application anonymously, Spring Security supports creating an AnonymousAuthenticationToken and storing it in the SecurityContextHolder; this is known as anonymous authentication. With it in place, later authorization code and other components no longer need to check whether the Authentication held in the SecurityContextHolder is null; they can treat it as an ordinary Authentication.
1.1 Configuration
When the namespace configuration is used, the http element enables anonymous authentication support by default, but it can be disabled by setting the enabled attribute of the anonymous element (a child of http) to false. The attributes the anonymous element accepts, with their default values, are:
<security:anonymous enabled="true" key="doesNotMatter" username="anonymousUser" granted-authority="ROLE_ANONYMOUS"/>
key specifies a value shared between the AnonymousAuthenticationFilter and the AnonymousAuthenticationProvider; username specifies the user name given to the anonymous user; granted-authority specifies the authority the anonymous user holds.
Three classes are involved in anonymous authentication. AnonymousAuthenticationToken is the Authentication implementation that is stored in the SecurityContextHolder. When the filter chain reaches AnonymousAuthenticationFilter, the filter checks whether the SecurityContextHolder already holds an Authentication; if it does not, it creates an AnonymousAuthenticationToken and stores it there. The third class is AnonymousAuthenticationProvider, which is added to the ProviderManager's list of AuthenticationProviders so that an AnonymousAuthenticationToken can be authenticated; that authentication takes place in the beforeInvocation() method of AbstractSecurityInterceptor. All of these beans are defined and wired automatically when the http element is used. If you need to define them by hand, you can do so as follows:
<bean id="anonymousAuthFilter"
      class="org.springframework.security.web.authentication.AnonymousAuthenticationFilter">
    <property name="key" value="doesNotMatter" />
    <property name="userAttribute" value="anonymousUser,ROLE_ANONYMOUS" />
</bean>
<bean id="anonymousAuthenticationProvider"
      class="org.springframework.security.authentication.AnonymousAuthenticationProvider">
    <property name="key" value="doesNotMatter" />
</bean>
The key is shared between AnonymousAuthenticationProvider and AnonymousAuthenticationFilter and must be identical in both. AnonymousAuthenticationProvider compares its own key with the key carried by the incoming AnonymousAuthenticationToken; if they match, the token is considered authenticated, otherwise a BadCredentialsException is thrown. The userAttribute property takes the form usernameInTheAuthenticationToken,grantedAuthority[,grantedAuthority].
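The following is an added example, not code from the original article or from Spring Security itself. It drives AnonymousAuthenticationFilter and AnonymousAuthenticationProvider directly, with the same key, user name and authority as the namespace defaults above, to show the two behaviours described in this section: the filter fills an empty SecurityContextHolder (and leaves a populated one alone), and the provider accepts the token only when its key matches. It assumes spring-security-core, spring-security-web, spring-test (for the Mock* servlet classes) and the Servlet API are on the classpath.

```java
import org.springframework.mock.web.MockFilterChain;
import org.springframework.mock.web.MockHttpServletRequest;
import org.springframework.mock.web.MockHttpServletResponse;
import org.springframework.security.authentication.AnonymousAuthenticationProvider;
import org.springframework.security.authentication.AnonymousAuthenticationToken;
import org.springframework.security.authentication.BadCredentialsException;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.authority.AuthorityUtils;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.security.web.authentication.AnonymousAuthenticationFilter;

// Added example (not part of the original article): exercises the anonymous
// authentication classes outside a web container. Key and user name are the
// namespace defaults; "someOtherKey" is a constructed value for the mismatch case.
public class AnonymousAuthDemo {

    // Runs the filter once against an empty request and returns whatever
    // Authentication the SecurityContextHolder holds afterwards.
    static Authentication runFilter(AnonymousAuthenticationFilter filter) throws Exception {
        filter.doFilter(new MockHttpServletRequest(), new MockHttpServletResponse(), new MockFilterChain());
        return SecurityContextHolder.getContext().getAuthentication();
    }

    public static void main(String[] args) throws Exception {
        String key = "doesNotMatter";
        AnonymousAuthenticationFilter filter = new AnonymousAuthenticationFilter(
                key, "anonymousUser", AuthorityUtils.createAuthorityList("ROLE_ANONYMOUS"));

        // 1. Empty context: the filter stores an AnonymousAuthenticationToken.
        SecurityContextHolder.clearContext();
        Authentication auth = runFilter(filter);
        System.out.println("empty context -> " + auth.getClass().getSimpleName()
                + " principal=" + auth.getPrincipal() + " authorities=" + auth.getAuthorities());

        // 2. Provider configured with the same key accepts the token.
        AnonymousAuthenticationProvider provider = new AnonymousAuthenticationProvider(key);
        System.out.println("same key -> authenticated=" + provider.authenticate(auth).isAuthenticated());

        // 3. Provider configured with a different key rejects it with BadCredentialsException,
        //    which is exactly what a token minted by a filter with a different key would hit.
        AnonymousAuthenticationProvider otherProvider = new AnonymousAuthenticationProvider("someOtherKey");
        try {
            otherProvider.authenticate(auth);
            System.out.println("different key -> unexpectedly accepted");
        } catch (BadCredentialsException e) {
            System.out.println("different key -> " + e.getMessage());
        }

        // 4. Populated context: the filter does not overwrite an existing Authentication.
        Authentication alice = new UsernamePasswordAuthenticationToken(
                "alice", null, AuthorityUtils.createAuthorityList("ROLE_USER"));
        SecurityContextHolder.getContext().setAuthentication(alice);
        Authentication after = runFilter(filter);
        System.out.println("populated context -> untouched=" + (after == alice));

        SecurityContextHolder.clearContext();
    }
}
```

The key comparison in step 3 is the only thing that stops an arbitrary AnonymousAuthenticationToken from being treated as authenticated, so the key should be the same, and not be trivially guessable, in every place the filter and provider are configured.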
1.2 AuthenticationTrustResolver
AuthenticationTrustResolver is an interface that defines two methods, isAnonymous() and isRememberMe(), each of which takes an Authentication as its parameter. Its default implementation is AuthenticationTrustResolverImpl, which Spring Security uses to decide whether the Authentication held in the SecurityContextHolder is an AnonymousAuthenticationToken or a RememberMeAuthenticationToken. When ExceptionTranslationFilter catches an AccessDeniedException, it uses the resolver to check whether the current Authentication is an AnonymousAuthenticationToken; if it is, the request is handed to the AuthenticationEntryPoint, otherwise a 403 error code is returned.
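As an added example (not from the original article), the snippet below runs AuthenticationTrustResolverImpl over the three kinds of Authentication this section distinguishes and mirrors the decision ExceptionTranslationFilter makes on an AccessDeniedException: anonymous callers are sent to the AuthenticationEntryPoint to log in, everyone else receives a 403. The onAccessDenied() method is a hypothetical helper written for this illustration, and the keys, user names and authorities are constructed values. It assumes spring-security-core is on the classpath.

```java
import org.springframework.security.authentication.AnonymousAuthenticationToken;
import org.springframework.security.authentication.AuthenticationTrustResolver;
import org.springframework.security.authentication.AuthenticationTrustResolverImpl;
import org.springframework.security.authentication.RememberMeAuthenticationToken;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.authority.AuthorityUtils;

// Added example (not part of the original article).
public class TrustResolverDemo {

    static final AuthenticationTrustResolver RESOLVER = new AuthenticationTrustResolverImpl();

    // Hypothetical helper mirroring ExceptionTranslationFilter's handling of an
    // AccessDeniedException: an anonymous caller has not logged in yet, so it is
    // sent to the entry point; an authenticated caller simply lacks permission.
    static String onAccessDenied(Authentication auth) {
        if (RESOLVER.isAnonymous(auth)) {
            return "start authentication via AuthenticationEntryPoint";
        }
        return "403 Forbidden via AccessDeniedHandler";
    }

    public static void main(String[] args) {
        // Constructed sample tokens, one per kind the resolver distinguishes.
        Authentication anonymous = new AnonymousAuthenticationToken("doesNotMatter", "anonymousUser",
                AuthorityUtils.createAuthorityList("ROLE_ANONYMOUS"));
        Authentication rememberMe = new RememberMeAuthenticationToken("rememberMeKey", "alice",
                AuthorityUtils.createAuthorityList("ROLE_USER"));
        Authentication fullyAuthenticated = new UsernamePasswordAuthenticationToken("alice", null,
                AuthorityUtils.createAuthorityList("ROLE_USER"));

        for (Authentication a : new Authentication[] { anonymous, rememberMe, fullyAuthenticated }) {
            System.out.printf("%-36s isAnonymous=%-5b isRememberMe=%-5b -> %s%n",
                    a.getClass().getSimpleName(),
                    RESOLVER.isAnonymous(a), RESOLVER.isRememberMe(a), onAccessDenied(a));
        }

        // A null Authentication is neither anonymous nor remember-me to the resolver.
        System.out.println("null -> isAnonymous=" + RESOLVER.isAnonymous(null)
                + " isRememberMe=" + RESOLVER.isRememberMe(null));
    }
}
```

Note that a remember-me token is reported as not anonymous, so a remember-me user who lacks a required authority gets a 403 rather than a fresh login prompt; forcing a full login for sensitive operations is the job of the fullyAuthenticated expression in access rules, not of this resolver.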
(Note: this article is based on Spring Security 3.1.6)
Spring Security (11)--Anonymous authentication