Spring-security login authentication: springsecurity
If you are new to the spring-security framework, you may first want to download its source code from Git and import it into your project. This short article walks through the source code, and also runs the project to verify the assumptions made along the way.
The configuration items for spring-security login authentication are as follows:
<form-login login-page="/login.jsp"
            authentication-failure-url="/login.jsp?error=true"
            default-target-url="/index.ht"
            username-parameter="username"
            password-parameter="password"
            login-processing-url="/j_spring_security_check"/>
<logout logout-url="/logout.ht"/>
The configuration is actually quite clear; it is like configuring a control. The userName parameter is named "name" and the password parameter "password".
After the username and password are verified, the user is sent to the index.ht page.
The spring-security framework maintains a filter chain to provide its services. The <form-login/> configuration item actually creates a filter named UsernamePasswordAuthenticationFilter.
The filters provided by the framework also include the ones configured with <custom-filter/>. They are all executed in a strict order within the chain. Custom filters will be introduced in detail later.
UsernamePasswordAuthenticationFilter:
Just as we configured these parameters, there are also defaults, such as
usernameParameter = SPRING_SECURITY_FORM_USERNAME_KEY = "j_username",
passwordParameter = "j_password",
and the default form request address is j_spring_security_check.
All configurable parameters have default values. They are read when the Spring root WebApplicationContext is initialized: the xml configuration file is loaded and parsed, the IoC container is initialized, and the filter chain mentioned above is formed.
Briefly, the xml parsing process is:
HttpSecurityBeanDefinitionParser.parse() { filterChains.add(createFilterChain(element, pc)); }
The createFilterChain method calls the constructor of AuthenticationConfigBuilder, which initializes the various filters; its createFormLoginFilter(sessionStrategy, authenticationManager) is the method that parses and processes the login configuration from the xml.
SecurityNamespaceHandler.parse(Element element, ParserContext pc)
// key code:
String name = pc.getDelegate().getLocalName(element);
BeanDefinitionParser parser = parsers.get(name);
Here name is the name of the configuration item. The dedicated parser is obtained in the Strategy pattern: each parser implements the BeanDefinitionParser interface and the subclass is invoked through a parent-class reference. The parse() method of these subclasses is then called, e.g. RememberMeBeanDefinitionParser, LogoutBeanDefinitionParser, ... (the error-handling code can be ignored).
<form-login/> is parsed in FormLoginBeanDefinitionParser, which obtains the parameters of the configuration item and initializes a filter.
I don't know why this parser doesn't implement BeanDefinitionParser. I didn't want to post the code; readers who want to read the source can download it and read it themselves.
<security:authentication-manager alias="authenticationManager">
    <security:authentication-provider user-service-ref="userDetailProvider"/>
</security:authentication-manager>
<bean id="userDetailProvider" class="com.hotent.web.security.provider.UserAuthProvider"/>
ProviderManager then authenticates by iterating over its List<AuthenticationProvider> providers, the authentication strategy (a virtual call into each provider):
AbstractUserDetailsAuthenticationProvider.authenticate()
retrieveUser() // calls the implementation in the subclass DaoAuthenticationProvider
DaoAuthenticationProvider.retrieveUser() gets the user through the userDetailProvider.loadUserByUsername(username) that I configured earlier;
then preAuthenticationChecks.check(user) checks whether the user is enabled, locked, or expired;
then additionalAuthenticationChecks() is called to verify the password.
Then I couldn't log in, and found that the password encoding type had not been configured. I found a document; after configuring it, the application could not start, dammit. Fortunately, I found the xsd validation file.
The correct configuration was found there: under the authentication-provider element there is a password-encoder xs:element.
This element has an attribute group <xs:attributeGroup ref="security:password-encoder.attlist"/>, presumably listing all the hash types spring-security supports. The xml is changed to this:
<security:authentication-manager alias="authenticationManager"> <!-- Authentication management -->
    <security:authentication-provider user-service-ref="userDetailProvider">
        <security:password-encoder hash="SHA-256"/>
    </security:authentication-provider>
</security:authentication-manager>
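To show what the provider flow above (retrieveUser, preAuthenticationChecks, additionalAuthenticationChecks) actually needs from the userDetailProvider bean, here is an added example of a UserDetailsService in the Spring Security 3.x API the page uses. It is not the page's UserAuthProvider class (which is not shown) and not framework code; the package name, the class name, the two sample accounts and their passwords are constructed for this example. The stored password must be the SHA-256 digest produced by the same encoder the password-encoder element wires in, because the provider compares hash(presented) against the stored value rather than decrypting anything.

```java
package example; // hypothetical package, not the page's com.hotent.web.security.provider

import java.util.HashMap;
import java.util.Map;

import org.springframework.security.authentication.encoding.ShaPasswordEncoder;
import org.springframework.security.core.authority.AuthorityUtils;
import org.springframework.security.core.userdetails.User;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.core.userdetails.UsernameNotFoundException;

/**
 * Hypothetical UserDetailsService standing in for the page's userDetailProvider bean.
 * DaoAuthenticationProvider.retrieveUser() reaches it through loadUserByUsername().
 */
public class ExampleUserAuthProvider implements UserDetailsService {

    // The encoder that <security:password-encoder hash="SHA-256"/> wires in:
    // an unsalted SHA-256 hex digest (Spring Security 3.x API).
    private static final ShaPasswordEncoder ENCODER = new ShaPasswordEncoder(256);

    // Constructed sample accounts: username -> user record with stored digest.
    // A real implementation would load these from a database.
    private final Map<String, UserDetails> users = new HashMap<String, UserDetails>();

    public ExampleUserAuthProvider() {
        // Store the digest, not the plain text: additionalAuthenticationChecks()
        // hashes the presented password and compares it with this value.
        String aliceHash = ENCODER.encodePassword("correct horse", null);
        users.put("alice", new User("alice", aliceHash,
                true,   // enabled
                true,   // accountNonExpired
                true,   // credentialsNonExpired
                true,   // accountNonLocked
                AuthorityUtils.createAuthorityList("ROLE_USER")));

        // A locked account: preAuthenticationChecks.check(user) throws
        // LockedException before the password is ever compared.
        String bobHash = ENCODER.encodePassword("secret", null);
        users.put("bob", new User("bob", bobHash,
                true, true, true,
                false,  // accountNonLocked = false
                AuthorityUtils.createAuthorityList("ROLE_USER")));
    }

    public UserDetails loadUserByUsername(String username) throws UsernameNotFoundException {
        UserDetails user = users.get(username);
        if (user == null) {
            // DaoAuthenticationProvider rewraps this as BadCredentialsException
            // (hideUserNotFoundExceptions is true by default), so a caller cannot
            // distinguish "no such user" from "wrong password".
            throw new UsernameNotFoundException("No user: " + username);
        }
        return user;
    }

    // Mirrors the comparison additionalAuthenticationChecks() performs with the encoder.
    public static boolean passwordMatches(UserDetails stored, String presented) {
        return ENCODER.isPasswordValid(stored.getPassword(), presented, null);
    }

    public static void main(String[] args) {
        ExampleUserAuthProvider svc = new ExampleUserAuthProvider();
        UserDetails alice = svc.loadUserByUsername("alice");
        System.out.println("alice stored hash:       " + alice.getPassword());
        System.out.println("right password matches:  " + passwordMatches(alice, "correct horse"));
        System.out.println("wrong password matches:  " + passwordMatches(alice, "wrong"));
        System.out.println("bob is locked:           " + !svc.loadUserByUsername("bob").isAccountNonLocked());
    }
}
```

One caveat for anyone copying the hash="SHA-256" setting: it is an unsalted, fast hash, so two users with the same password store the same digest and offline guessing is cheap. Spring Security 3.1 and later ship BCryptPasswordEncoder, which can be wired with <security:password-encoder ref="..."/> pointing at a bean of that class; the UserDetailsService above needs no change other than storing BCrypt output.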
In fact, few people are stupid enough to look up attributes in the validation file, except people like me. The official documentation is actually very clear; I was just too lazy to look into it.
The password is now verified. OK.
Most of the time we want further extensions, such as a USB-key (U-shield) password, SMS verification, or a captcha. To implement these you can add custom filters, override some methods, and so on. I was not clear enough about this the first time; these approaches are slightly troublesome.
In fact, if you verify the user yourself, you can then add the user's login information to the SecurityContext as needed.
For example, none of the above verifies a captcha, counts the number of attempts, etc.
Key code: Authentication auth = authenticationManager.authenticate(authRequest);
@Resource(name = "authenticationManager")
private AuthenticationManager authenticationManager = null;
The injected AuthenticationManager is actually the ProviderManager described earlier, and authenticate() follows the flow described above. Because the userName parameter is not configured for this path, the default j_username is used,
so naturally the value cannot be obtained.
To be continued when I have time.
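The manual route just described, calling the injected AuthenticationManager directly and placing the result in the SecurityContext, as an added example that is not code from the page or from the framework. It assumes Spring Security 3.x, a form whose fields are named "username", "password" and "captcha" (the captcha field and the session attribute "captcha" are assumptions for this example), and that the handler runs inside the framework's filter chain so that SecurityContextPersistenceFilter saves the context into the session. It also shows why reading j_username fails here: the username-parameter setting belongs to UsernamePasswordAuthenticationFilter, which is not involved on this path, so the handler has to read its own parameter names.

```java
package example; // hypothetical package

import javax.annotation.Resource;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpSession;

import org.springframework.security.authentication.AuthenticationManager;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.AuthenticationException;
import org.springframework.security.core.context.SecurityContextHolder;

/** Hypothetical login handler that performs the authentication itself. */
public class ManualLoginHandler {

    // Same injection as on the page: this is the ProviderManager bean.
    @Resource(name = "authenticationManager")
    private AuthenticationManager authenticationManager = null;

    /** Outcome reported back to the caller (defined for this example). */
    public enum Result { OK, BAD_CAPTCHA, BAD_CREDENTIALS }

    public Result login(HttpServletRequest request) {
        // Read our own form's parameter names explicitly. The
        // username-parameter / password-parameter attributes of <form-login/>
        // only configure UsernamePasswordAuthenticationFilter; nothing maps
        // them for us here, which is why request.getParameter("j_username")
        // would return null for this form.
        String username = request.getParameter("username");
        String password = request.getParameter("password");
        String captcha  = request.getParameter("captcha"); // assumed form field

        // Extra check the framework's filter does not do: compare the captcha
        // with the value stored in the session when the login page was rendered.
        HttpSession session = request.getSession(false);
        String expected = (session == null) ? null : (String) session.getAttribute("captcha");
        if (expected == null || captcha == null || !expected.equalsIgnoreCase(captcha)) {
            return Result.BAD_CAPTCHA;
        }
        session.removeAttribute("captcha"); // a captcha is good for one attempt only

        // Unauthenticated request token -> ProviderManager -> DaoAuthenticationProvider,
        // which runs retrieveUser / preAuthenticationChecks / additionalAuthenticationChecks.
        UsernamePasswordAuthenticationToken authRequest =
                new UsernamePasswordAuthenticationToken(username, password);
        try {
            Authentication auth = authenticationManager.authenticate(authRequest);
            // Publish the authenticated principal for the rest of the request;
            // SecurityContextPersistenceFilter persists it to the session afterwards.
            SecurityContextHolder.getContext().setAuthentication(auth);
            return Result.OK;
        } catch (AuthenticationException e) {
            // BadCredentialsException, LockedException, DisabledException, ...
            // Report them all the same way so the response does not reveal which one.
            SecurityContextHolder.clearContext();
            return Result.BAD_CREDENTIALS;
        }
    }
}
```

Note what UsernamePasswordAuthenticationFilter would have done for you and this handler does not: it runs the SessionAuthenticationStrategy (session-fixation protection, creating a fresh session on success) and the configured success and failure handlers, including the redirect to default-target-url. When authenticating manually, those steps have to be added by hand, and the attempt counter the text mentions can be kept in the same place as the captcha check.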