Spring Security Primer (1-11) Spring Security-Anonymous authentication

Anonymous authentication

For anonymous access users, Spring Security supports the creation of an anonymous Anonymousauthenticationtoken store in Securitycontextholder, which is known as Anonymous authentication. In this way, we do not need to judge whether the authentication object held in Securitycontextholder is null in the future for authorization or other operations, and use it directly as a normal authentication. It's OK.

Configuration

With NameSpace, the use of HTTP elements enables the support of anonymous authentication by default, but we can also disable the support for Anonymous authentication by setting the Enabled property of the anonymous element under the HTTP element to False. The following are the properties that the anonymous element can configure, along with their default values.

      <security:anonymous enabled="true" key="doesNotMatter" username="anonymousUser" granted-authority="ROLE_ANONYMOUS"/>

The key is used to specify a value that is shared between Authenticationfilter and Authenticationprovider. Username is used to specify the user name for the anonymous user, and granted-authority is used to specify the permissions that the anonymous user has.

There are three classes associated with Anonymous authentication, and Anonymousauthenticationtoken will be stored as an instance of authentication in Securitycontextholder; the filter runs to Anonymousauthenticationfilter, if the authentication held in Securitycontextholder is still empty, the Anonymousauthenticationfilter A anonymousauthenticationtoken is created and stored in the Securitycontextholder. The last related class is Anonymousauthenticationprovider, which is added to the Providermanager Authenticationprovider list to support the Anonymousauthenticationtoken's certification. The certification of Anonymousauthenticationtoken is performed in the Beforeinvocation () method in Abstractsecurityinterceptor. These beans are automatically defined and added when you use the HTTP element definition. If you need to define these beans manually, you can define them as follows:

   <bean id="anonymousAuthFilter"   class="org.springframework.security.web.authentication.AnonymousAuthenticationFilter">      <property name="key" value="doesNotMatter" />      <property name="userAttribute" value="anonymousUser,ROLE_ANONYMOUS" />   </bean>   <bean id="anonymousAuthenticationProvider"   class="org.springframework.security.authentication.AnonymousAuthenticationProvider">      <property name="key" value="doesNotMatter" />   </bean>

Keys are shared between Anonymousauthenticationprovider and Anonymousauthenticationfilter, and they must be consistent, Anonymousauthenticationprovider will use its own key to compare the key to the incoming Anonymousauthenticationtoken, the same is considered to be certified, otherwise it will throw an exception Badcredentialsexception. The Userattribute property is defined in the form of usernameintheauthenticationtoken,grantedauthority[,grantedauthority].

Authenticationtrustresolver

Authenticationtrustresolver is an interface that defines two methods, isanonymous () and Isrememberme (), which all receive a authentication object as a parameter. It has a default implementation class Authenticationtrustresolverimpl,spring Security is using it to determine whether a Securitycontextholder holds authentication Anonymousauthenticationtoken or Remembermeauthenticationtoken. If Exceptiontranslationfilter captures a accessdecisionmanager, it is used to determine whether the current authentication object is a Anonymousauthenticationtoken, if it is, it will be handled by Authenticationentrypoint, otherwise the 403 error code is returned.

Spring Security Primer (1-11) Spring Security-Anonymous authentication