Spring Security verification process analysis and custom verification methods

Source: Internet
Author: User


Essence of Spring Security

Spring Security is essentially a series of filters. They are inserted into the Filter Chain as a single independent Filter named FilterChainProxy.

 

In fact, FilterChainProxy can hold multiple filter chains, each verifying different URLs. The filters in a chain are added or removed automatically according to the services you configure, so there is no need to define these filters explicitly unless you want to implement your own logic.

 

Key classes

Authentication

Authentication is an interface that represents a user's authentication information. Before login, the submitted information is wrapped in an object of an Authentication implementation class. After a successful login, a new Authentication object with more complete information, including the user's permissions, is generated and stored in the SecurityContext held by SecurityContextHolder, where later code can use it, for example for access-permission checks.

AuthenticationManager

The main interface used for verification is AuthenticationManager, which has only one method:

    public interface AuthenticationManager {
        Authentication authenticate(Authentication authentication)
                throws AuthenticationException;
    }

There are three possible outcomes after the authenticate() method runs:

Verification succeeds. An Authentication with user information is returned.

Verification fails. An AuthenticationException is thrown.

Unable to judge. null is returned.

ProviderManager

ProviderManager is the most common implementation of AuthenticationManager. It does not process the authentication itself; it delegates to its configured list of AuthenticationProviders, calling each in turn. As soon as one AuthenticationProvider verifies the request successfully, no further providers are tried and that result becomes the result of ProviderManager.

 

Authentication process

1. The user logs on with a user name and password.

2. Spring Security wraps the user name and password in an implementation class of the Authentication interface, such as the commonly used UsernamePasswordAuthenticationToken.

3. The Authentication object is passed to ProviderManager, the implementation class of AuthenticationManager, for authentication.

4. ProviderManager calls each AuthenticationProvider in turn. After successful authentication, an Authentication object that encapsulates the user's permissions and other information is returned.

5. The Authentication object returned by AuthenticationManager is assigned to the current SecurityContext.

Custom Verification

With this background, you can customize the verification method. As shown above, the actual authentication work is done by the individual AuthenticationProviders, so to customize authentication you only need to implement an AuthenticationProvider and add it to ProviderManager.

Custom AuthenticationProvider

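    import java.util.ArrayList;

    import org.springframework.security.authentication.AuthenticationProvider;
    import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
    import org.springframework.security.core.Authentication;
    import org.springframework.security.core.AuthenticationException;
    import org.springframework.stereotype.Component;

    @Component
    public class CustomAuthenticationProvider implements AuthenticationProvider {

        @Override
        public Authentication authenticate(Authentication authentication)
                throws AuthenticationException {
            String name = authentication.getName();
            String password = authentication.getCredentials().toString();

            // shouldAuthenticateAgainstThirdPartySystem() is a placeholder for the
            // application's own check; it is not defined in this listing.
            if (shouldAuthenticateAgainstThirdPartySystem()) {
                // use the credentials
                // and authenticate against the third-party system
                return new UsernamePasswordAuthenticationToken(
                        name, password, new ArrayList<>());
            } else {
                // null tells ProviderManager that this provider could not decide
                return null;
            }
        }

        @Override
        public boolean supports(Class<?> authentication) {
            return authentication.equals(UsernamePasswordAuthenticationToken.class);
        }
    }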

The supports() method receives the class of the Authentication being passed in and determines whether it is a type that this AuthenticationProvider can process.
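The authentication process and the provider outcomes described above, as an added example that is not code from the original article: two hypothetical providers (UndecidedProvider and SingleUserProvider, with a constructed account alice / s3cret) are run through a real ProviderManager. It assumes spring-security-core on the classpath and Java 9 or later.

```java
import java.util.List;
import org.springframework.security.authentication.*;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.AuthenticationException;
import org.springframework.security.core.authority.AuthorityUtils;
import org.springframework.security.core.context.SecurityContextHolder;

public class ProviderManagerDemo {
    // Hypothetical provider that can never decide, so it always returns null.
    static class UndecidedProvider implements AuthenticationProvider {
        public Authentication authenticate(Authentication a) { return null; }
        public boolean supports(Class<?> type) {
            return UsernamePasswordAuthenticationToken.class.isAssignableFrom(type);
        }
    }

    // Hypothetical provider with one constructed account; a real provider would
    // verify a stored password hash rather than compare plain strings.
    static class SingleUserProvider implements AuthenticationProvider {
        public Authentication authenticate(Authentication a) {
            String password = String.valueOf(a.getCredentials());
            if (!"alice".equals(a.getName()) || !"s3cret".equals(password)) {
                throw new BadCredentialsException("Bad credentials");
            }
            // The three-argument constructor marks the token as authenticated.
            return new UsernamePasswordAuthenticationToken(
                    a.getName(), password, AuthorityUtils.createAuthorityList("ROLE_USER"));
        }
        public boolean supports(Class<?> type) {
            return UsernamePasswordAuthenticationToken.class.isAssignableFrom(type);
        }
    }

    public static void main(String[] args) {
        AuthenticationManager manager = new ProviderManager(
                List.of(new UndecidedProvider(), new SingleUserProvider()));
        // Wrap the login in an unauthenticated token and hand it to the manager.
        Authentication result = manager.authenticate(
                new UsernamePasswordAuthenticationToken("alice", "s3cret"));
        // Publish the result so later authorization checks can read it.
        SecurityContextHolder.getContext().setAuthentication(result);
        System.out.println(result.isAuthenticated() + " " + result.getAuthorities()
                + " credentials=" + result.getCredentials());
        try {
            manager.authenticate(new UsernamePasswordAuthenticationToken("alice", "wrong"));
        } catch (AuthenticationException e) {
            System.out.println("rejected: " + e.getClass().getSimpleName());
        }
    }
}
```

ProviderManager erases the credentials of the returned token by default, so the password a provider copies into the token does not stay in the SecurityContext. If every provider returns null, ProviderManager throws ProviderNotFoundException.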

Register AuthenticationProvider

Now register the newly created AuthenticationProvider with ProviderManager, and the setup is complete.

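    import org.springframework.beans.factory.annotation.Autowired;
    import org.springframework.context.annotation.ComponentScan;
    import org.springframework.context.annotation.Configuration;
    import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
    import org.springframework.security.config.annotation.web.builders.HttpSecurity;
    import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
    import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;

    // Note: WebSecurityConfigurerAdapter is deprecated since Spring Security 5.7
    // and removed in 6.0.
    @Configuration
    @EnableWebSecurity
    @ComponentScan("org.baeldung.security")
    public class SecurityConfig extends WebSecurityConfigurerAdapter {

        @Autowired
        private CustomAuthenticationProvider authProvider;

        // Adds the custom provider to the ProviderManager's provider list
        @Override
        protected void configure(AuthenticationManagerBuilder auth) throws Exception {
            auth.authenticationProvider(authProvider);
        }

        // Requires authentication for every request, using HTTP Basic
        @Override
        protected void configure(HttpSecurity http) throws Exception {
            http.authorizeRequests().anyRequest().authenticated()
                .and()
                .httpBasic();
        }
    }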

Summary

This concludes the analysis of the Spring Security verification process and custom verification methods. I hope it helps you. If you have any questions, please leave a message and the editor will reply to you promptly. Thank you very much for your support of the Help House website!
