What is Spring Security?
Spring Security is a security framework that provides declarative access control for Spring-based enterprise applications. It supplies a set of beans that are configured in the Spring application context (covering authentication, authority lookup, configuration and request-processing instances), and it builds on Spring's IoC/DI (inversion of control, dependency injection) and AOP (aspect-oriented programming, implemented through proxy-enhanced classes) to add declarative access control to an application, which reduces the amount of repetitive security code that would otherwise be written for each enterprise system.
Core classes and authentication flow
Core authenticator
AuthenticationManager
This interface is the entry point to authentication: its authenticate method receives an Authentication
object as a parameter and returns a fully authenticated Authentication on success;
    public interface AuthenticationManager {
        Authentication authenticate(Authentication authentication)
                throws AuthenticationException;
    }
Validation logic
AuthenticationManager receives an Authentication object as its parameter and validates it through the authenticate(Authentication) method. The validation of a given Authentication type is delegated to implementations of AuthenticationProvider, each of which declares which Authentication types it supports. UsernamePasswordAuthenticationToken implements Authentication; its main job is to encapsulate the username and password entered by the user and hand them to AuthenticationManager for verification. When verification completes successfully, a populated (authenticated) Authentication object is returned;
ProviderManager
It is an implementation class of AuthenticationManager that provides the basic authentication logic and methods; it holds a List<AuthenticationProvider>
through which different authentication providers are plugged in via the AuthenticationProvider interface (when the implementation classes that Spring Security
provides by default do not meet the requirements, you can extend it by implementing AuthenticationProvider
and overriding its supports(Class<?> authentication)
method);
Implementing logic
    public Authentication authenticate(Authentication authentication)
            throws AuthenticationException {
        // #1. Get the type of the Authentication object being authenticated
        Class<? extends Authentication> toTest = authentication.getClass();
        AuthenticationException lastException = null;
        Authentication result = null;
        boolean debug = logger.isDebugEnabled();

        // #2. Traverse all providers; use supports() to decide whether the provider
        //     handles this Authentication type, and skip to the next one if it does not
        for (AuthenticationProvider provider : getProviders()) {
            if (!provider.supports(toTest)) {
                continue;
            }

            if (debug) {
                logger.debug("Authentication attempt using "
                        + provider.getClass().getName());
            }

            try {
                // #3. If supported, call the provider's authenticate method
                result = provider.authenticate(authentication);

                if (result != null) {
                    // #4. Authentication succeeded: copy the request details into the
                    //     returned token and stop iterating
                    copyDetails(authentication, result);
                    break;
                }
            }
            catch (AccountStatusException e) {
                prepareException(e, authentication);
                // SEC-546: Avoid polling additional providers if auth failure is due to
                // invalid account status
                throw e;
            }
            catch (InternalAuthenticationServiceException e) {
                prepareException(e, authentication);
                throw e;
            }
            catch (AuthenticationException e) {
                lastException = e;
            }
        }

        if (result == null && parent != null) {
            // Allow the parent to try.
            try {
                // #5. If no provider in the loop produced a result, delegate to the
                //     parent AuthenticationManager
                result = parent.authenticate(authentication);
            }
            catch (ProviderNotFoundException e) {
                // ignore as we'll throw below if no other exception occurred prior to
                // calling parent and the parent
                // may throw ProviderNotFound even though a provider in the child already
                // handled the request
            }
            catch (AuthenticationException e) {
                lastException = e;
            }
        }

        // #6. Decide whether to wipe sensitive information from the result
        if (result != null) {
            if (eraseCredentialsAfterAuthentication
                    && (result instanceof CredentialsContainer)) {
                // Authentication is complete. Remove credentials and other secret data
                // from authentication
                ((CredentialsContainer) result).eraseCredentials();
            }

            eventPublisher.publishAuthenticationSuccess(result);
            return result;
        }

        // Parent was null, or didn't authenticate (or throw an exception).

        if (lastException == null) {
            lastException = new ProviderNotFoundException(messages.getMessage(
                    "ProviderManager.providerNotFound",
                    new Object[] { toTest.getName() },
                    "No AuthenticationProvider found for {0}"));
        }

        prepareException(lastException, authentication);

        throw lastException;
    }
Description
- Iterate through all the Providers and call each Provider's authenticate method in turn;
- As soon as one Provider validates successfully, the loop exits and no later Provider is consulted;
- On success, the returned result is an authenticated token built from the Authentication object, such as UsernamePasswordAuthenticationToken or RememberMeAuthenticationToken; these tokens are themselves implementations of Authentication;
- If no Provider in the loop validates successfully, it attempts to authenticate with its parent AuthenticationManager (#5); an AccountStatusException (for example a locked or disabled account) or an InternalAuthenticationServiceException is rethrown immediately instead, so that no further Provider or parent is polled;
- Finally it decides whether to erase sensitive information such as the password from the result (#6); eraseCredentialsAfterAuthentication is true by default, so a caller must not expect the password to still be present on the returned token;
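The following program is an added example (not code from the page or from Spring Security itself) that exercises the AuthenticationProvider contract from the "Validation logic" section and the ProviderManager iteration rules described above. It assumes spring-security-core is on the classpath; InMemoryProvider, the user names and the passwords are hypothetical and constructed for the demonstration. It shows a provider returning null to let the next provider try, the fallback to a parent ProviderManager, the SEC-546 short-circuit on an AccountStatusException, the lastException path for a bad password, and the default erasure of credentials from the returned token.

```java
import java.util.Arrays;

import org.springframework.security.authentication.AccountStatusException;
import org.springframework.security.authentication.AuthenticationManager;
import org.springframework.security.authentication.AuthenticationProvider;
import org.springframework.security.authentication.BadCredentialsException;
import org.springframework.security.authentication.LockedException;
import org.springframework.security.authentication.ProviderManager;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.AuthenticationException;
import org.springframework.security.core.authority.AuthorityUtils;

public class ProviderManagerDemo {

    /** Hypothetical provider that knows exactly one user; constructed for this example. */
    static class InMemoryProvider implements AuthenticationProvider {
        private final String user;
        private final String password;
        private final boolean locked;

        InMemoryProvider(String user, String password, boolean locked) {
            this.user = user;
            this.password = password;
            this.locked = locked;
        }

        @Override
        public Authentication authenticate(Authentication authentication)
                throws AuthenticationException {
            String name = authentication.getName();
            String presented = String.valueOf(authentication.getCredentials());
            if (!user.equals(name)) {
                // Not our user: returning null tells ProviderManager to try the next provider
                return null;
            }
            if (locked) {
                // LockedException is an AccountStatusException: ProviderManager rethrows it
                // at once and does not poll further providers or the parent (SEC-546)
                throw new LockedException("account locked");
            }
            if (!password.equals(presented)) {
                // Ordinary failure: ProviderManager records it as lastException and moves on
                throw new BadCredentialsException("bad password");
            }
            // Three-argument constructor marks the token as authenticated; credentials are
            // kept here so ProviderManager can erase them afterwards
            return new UsernamePasswordAuthenticationToken(name, presented,
                    AuthorityUtils.createAuthorityList("ROLE_USER"));
        }

        @Override
        public boolean supports(Class<?> authentication) {
            return UsernamePasswordAuthenticationToken.class.isAssignableFrom(authentication);
        }
    }

    public static void main(String[] args) {
        AuthenticationProvider alice = new InMemoryProvider("alice", "s3cret", false);
        AuthenticationProvider bobLocked = new InMemoryProvider("bob", "pw", true);
        AuthenticationProvider carol = new InMemoryProvider("carol", "pw2", false);

        // Parent manager is consulted only when no child provider produced a result
        AuthenticationManager parent = new ProviderManager(Arrays.asList(carol));
        ProviderManager manager = new ProviderManager(Arrays.asList(bobLocked, alice), parent);

        // 1. bob's provider returns null for alice, alice's provider succeeds, loop stops there
        Authentication ok = manager.authenticate(
                new UsernamePasswordAuthenticationToken("alice", "s3cret"));
        System.out.println(ok.isAuthenticated() + " " + ok.getAuthorities());
        // eraseCredentialsAfterAuthentication defaults to true, so the password is gone
        System.out.println("credentials after auth: " + ok.getCredentials());

        // 2. No child provider knows carol, so the parent ProviderManager is tried
        Authentication viaParent = manager.authenticate(
                new UsernamePasswordAuthenticationToken("carol", "pw2"));
        System.out.println("via parent: " + viaParent.getName());

        // 3. Locked account: rethrown immediately, alice's provider and the parent are skipped
        try {
            manager.authenticate(new UsernamePasswordAuthenticationToken("bob", "pw"));
        } catch (AccountStatusException e) {
            System.out.println("stopped early: " + e.getClass().getSimpleName());
        }

        // 4. Wrong password: BadCredentialsException becomes lastException; the parent's
        //    ProviderNotFoundException is ignored and the remembered exception is thrown
        try {
            manager.authenticate(new UsernamePasswordAuthenticationToken("alice", "wrong"));
        } catch (AuthenticationException e) {
            System.out.println("final failure: " + e.getClass().getSimpleName());
        }
    }
}
```

Run it with spring-security-core on the classpath. Case 1 prints true with ROLE_USER and a null credential, case 2 prints the name resolved by the parent, case 3 prints LockedException, and case 4 prints BadCredentialsException rather than ProviderNotFoundException, because the child manager keeps its own lastException when the parent only reports that it found no provider.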
Spring Security Principle and application