I. The fastest way to get familiar with a module
1. Configure the Logback file to print the relevant debug information
2. Based on that information, set breakpoints and step through to see the results of execution
II. Spring uses DelegatingFilterProxy to manage the filter chain
This lets the IoC container manage the filter's lifecycle instead of the servlet container.
org.springframework.web.filter.DelegatingFilterProxy is a Filter implementation class defined in Spring that acts as a proxy for the real Filter implementation class:
when DelegatingFilterProxy's doFilter() method is called, it is actually the doFilter() method of the proxied Filter that gets called. The benefit of using DelegatingFilterProxy
is that the filter class can use Spring's dependency injection mechanism, so it can freely use the beans in the ApplicationContext.
Note that the proxied Filter's initialization method init() and destruction method destroy() are not executed by default. Setting DelegatingFilterProxy's
targetFilterLifecycle property to true makes the proxied Filter share the same lifecycle as the DelegatingFilterProxy.
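As an added example (not code from the original post or from Spring itself), this is the same registration done programmatically instead of in web.xml, with targetFilterLifecycle enabled; the bean name springSecurityFilterChain is the one Spring Security registers for its FilterChainProxy, and the initializer class name is assumed.

```java
import java.util.EnumSet;
import javax.servlet.DispatcherType;
import javax.servlet.FilterRegistration;
import javax.servlet.ServletContext;
import org.springframework.web.WebApplicationInitializer;
import org.springframework.web.filter.DelegatingFilterProxy;

// Hypothetical initializer; Spring Security's AbstractSecurityWebApplicationInitializer does the same job.
public class SecurityFilterInitializer implements WebApplicationInitializer {
    @Override
    public void onStartup(ServletContext servletContext) {
        // Proxy whose doFilter() forwards to the bean named springSecurityFilterChain
        DelegatingFilterProxy proxy = new DelegatingFilterProxy("springSecurityFilterChain");
        // Also forward init() and destroy() to the proxied FilterChainProxy
        proxy.setTargetFilterLifecycle(true);
        FilterRegistration.Dynamic registration =
                servletContext.addFilter("springSecurityFilterChain", proxy);
        // Cover every URL and the error/async dispatches too, so no request bypasses the chain
        registration.addMappingForUrlPatterns(
                EnumSet.of(DispatcherType.REQUEST, DispatcherType.ERROR, DispatcherType.ASYNC),
                false, "/*");
    }
}
```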
III. FilterChainProxy
What DelegatingFilterProxy proxies is a FilterChainProxy. A FilterChainProxy can contain more than one FilterChain, but one request
goes through only one FilterChain, and one FilterChain can contain more than one Filter. When we use Spring Security, the system automatically
registers a bean named springSecurityFilterChain of type FilterChainProxy (see HttpSecurityBeanDefinitionParser).
Request firewalling
An HttpFirewall instance is used to validate incoming requests and create a wrapped request which provides consistent path
values for matching against. See DefaultHttpFirewall for more information on the type of attacks which the default
implementation protects against. A custom implementation can be injected to provide stricter control over the request contents
or if an application needs to support certain types of request which are rejected by default.
Note that this means you must use the Spring Security filters in combination with a FilterChainProxy if you want this
protection. Don't define them explicitly in your web.xml file.
FilterChainProxy will use the firewall instance to obtain both request and response objects which will be fed down the filter chain,
so it is also possible to use this functionality to control the functionality of the response. When the request has passed through the
security filter chain, the reset method will be called. With the default implementation this means the original values of
servletPath and pathInfo will be returned thereafter, instead of the modified ones used for security pattern matching.
IV. AuthenticationManager and AuthenticationProvider
AuthenticationManager is an interface for processing authentication requests. It defines only one method, authenticate(), which receives an Authentication object representing the
authentication request as its parameter and, if authentication succeeds, returns an Authentication object that encapsulates information such as the current user's authorities.
public Authentication authenticate(Authentication authentication)
        throws AuthenticationException {
    Class<? extends Authentication> toTest = authentication.getClass();
    AuthenticationException lastException = null;
    Authentication result = null;
    boolean debug = logger.isDebugEnabled();

    // Use the AuthenticationProvider list to process the authentication request
    for (AuthenticationProvider provider : getProviders()) {
        if (!provider.supports(toTest)) {
            continue;
        }

        if (debug) {
            logger.debug("Authentication attempt using " + provider.getClass().getName());
        }

        try {
            result = provider.authenticate(authentication);
            // Authentication succeeded: leave the loop
            if (result != null) {
                copyDetails(authentication, result);
                break;
            }
        }
        catch (AccountStatusException e) {
            prepareException(e, authentication);
            // SEC-546: Avoid polling additional providers if auth failure is due to
            // invalid account status
            throw e;
        }
        catch (InternalAuthenticationServiceException e) {
            prepareException(e, authentication);
            throw e;
        }
        catch (AuthenticationException e) {
            lastException = e;
        }
    }

    // No result: retry authentication with the parent AuthenticationManager
    if (result == null && parent != null) {
        // Allow the parent to try.
        try {
            result = parent.authenticate(authentication);
        }
        catch (ProviderNotFoundException e) {
            // Ignore as we will throw below if no other exception occurred prior to
            // calling parent and the parent
            // may throw ProviderNotFound even though a provider in the child already
            // handled the request
        }
        catch (AuthenticationException e) {
            lastException = e;
        }
    }

    // Authentication succeeded: publish and return the result
    if (result != null) {
        if (eraseCredentialsAfterAuthentication
                && (result instanceof CredentialsContainer)) {
            // Authentication is complete. Remove credentials and other secret data
            // from authentication
            ((CredentialsContainer) result).eraseCredentials();
        }

        eventPublisher.publishAuthenticationSuccess(result);
        return result;
    }

    // Parent was null, or didn't authenticate (or throw an exception).
    if (lastException == null) {
        lastException = new ProviderNotFoundException(messages.getMessage(
                "ProviderManager.providerNotFound",
                new Object[] { toTest.getName() },
                "No AuthenticationProvider found for {0}"));
    }

    prepareException(lastException, authentication);

    throw lastException;
}
1. Authentication process
In Spring Security, the default implementation of AuthenticationManager is ProviderManager. It does not handle the authentication request directly but delegates it to
a list of AuthenticationProviders, trying each AuthenticationProvider in turn. If an AuthenticationProvider
returns a non-null result, that AuthenticationProvider has authenticated successfully, the remaining AuthenticationProviders are skipped, and that
AuthenticationProvider's result becomes the result of the ProviderManager. If all of the AuthenticationProviders return null,
authentication has failed and a ProviderNotFoundException is thrown.
2. Verifying the authentication request
The most common way to verify an authentication request is to load the corresponding UserDetails based on the requested username, then compare the password in the UserDetails with the password in the authentication request.
For example, DaoAuthenticationProvider uses a UserDetailsService internally to load the UserDetails. After authentication succeeds, it uses the loaded
UserDetails to build the Authentication object to be returned; the loaded UserDetails object contains information such as the user's authorities. The Authentication
object returned on success is then saved in the current SecurityContext.
4. Sharing the SecurityContext between requests
Since the SecurityContext is stored in a ThreadLocal, and every permission check reads the SecurityContext from the ThreadLocal to obtain the corresponding
Authentication and its authorities, but different requests run on different threads, why is it possible to get the current user's SecurityContext from the ThreadLocal every time?
Because at the beginning of each request the SecurityContext is retrieved from the session and set into the SecurityContextHolder.
References:
Geek College: A first look at Spring Security
Spring Security 4.2.3 API
Spring Security 4.2.3 filters analysis