A first exploration of spring-security login authentication

Source: Internet
Author: User

First of all, I suggest that newcomers who do not yet understand the spring-security framework download its git source code and import it into their project. This article was written while reading that source, and I will also start a small project later to verify my own assumptions.

The spring-security login authentication configuration items are as follows:

<form-login login-page="/login.jsp"
            authentication-failure-url="/login.jsp?error=true"
            default-target-url="/index.ht"
            username-parameter="username"
            password-parameter="password"
            login-processing-url="/j_spring_security_check"/>
<logout logout-url="/logout.ht"/>

Looking at this configuration, it is roughly understandable: it is like configuring a login form whose username field is read from the parameter named "username" and whose password field is read from the parameter named "password".

Once the username and password have been verified, the page redirects to index.ht.

The spring-security framework maintains a filter chain to provide its services, and the <form-login/> configuration item actually creates a filter named UsernamePasswordAuthenticationFilter.

The filters provided by the framework, together with the filters added through the <custom-filter/> configuration, are executed in a strict order. Custom filters are described in more detail later.

UsernamePasswordAuthenticationFilter:

For the parameters we configured above there is also a default configuration, such as:

usernameParameter = SPRING_SECURITY_FORM_USERNAME_KEY = "j_username"

passwordParameter = SPRING_SECURITY_FORM_PASSWORD_KEY = "j_password"

default form submission address: /j_spring_security_check

Every configurable parameter has such a default. These parameters are read after the Spring root WebApplicationContext is initialized: the XML configuration file is loaded and parsed, the IoC container is initialized, and the filter chain mentioned above is formed.

Briefly, the XML parsing process:

HttpSecurityBeanDefinitionParser.parse() { filterChains.add(createFilterChain(element, pc)); }

The createFilterChain method invokes the constructor of AuthenticationConfigBuilder, which initializes the various filters; createFormLoginFilter(sessionStrategy, authenticationManager) is the method that handles the login configuration read from the XML.

SecurityNamespaceHandler.parse(Element element, ParserContext pc) // key code: String name = pc.getDelegate().getLocalName(element); BeanDefinitionParser parser = parsers.get(name); The dedicated parser is looked up by the name of the configuration item. This is the strategy pattern: each concrete parser implements the BeanDefinitionParser interface, and the parent class dispatches through that interface reference to the specific subclass and calls its parse() method, e.g. RememberMeBeanDefinitionParser, LogoutBeanDefinitionParser, etc.
The error-handling code does not need to be read.

<form-login/> is parsed in FormLoginBeanDefinitionParser, which reads the parameters of the configuration item and then initializes a filter.

I do not know why this parsing class does not implement BeanDefinitionParser. I did not want to paste the code here; I would rather interested readers download the source and look for themselves.

Login:

The UsernamePasswordAuthenticationFilter.attemptAuthentication() method gets the username and password from the request.

It then constructs a new UsernamePasswordAuthenticationToken(username, password).

It then calls the interface method AuthenticationManager.authenticate() (in practice the authenticate method of the implementation class ProviderManager, the authentication management class).

This is how we configure the authentication management class AuthenticationManager: it is given an alias, and its user-service-ref points at the userDetailProvider bean, which must implement the UserDetailsService interface.

The UserDetailsService interface provides a loadUserByUsername() method that fetches the user by user name.

Configuration items:

<security:authentication-manager alias="authenticationManager">
    <security:authentication-provider user-service-ref="userDetailProvider"/>
</security:authentication-manager>
<bean id="userDetailProvider" class="com.hotent.web.security.provider.UserAuthProvider"/>

ProviderManager then iterates over its List<AuthenticationProvider> providers (the authentication strategies) and lets each one authenticate (dispatched polymorphically):

AbstractUserDetailsAuthenticationProvider.authenticate()

retrieveUser() // calls the implementation in the subclass DaoAuthenticationProvider

DaoAuthenticationProvider.retrieveUser() fetches the user through the userDetailProvider.loadUserByUsername(username) configured earlier,

then preAuthenticationChecks.check(user) verifies that the user is enabled, not locked and not expired,

then additionalAuthenticationChecks() verifies the password.

Then I could not log in, until I found that no password encryption type had been configured. I found a random document online, tried its configuration, and unbelievably the application would not even start. Fortunately I was clever enough to find the XSD schema file,

and successfully found the correct configuration: under the authentication-provider element there is a password-encoder xs:element.

This element carries the attribute group <xs:attributeGroup ref="security:password-encoder.attlist"/>, which must list all the hash types spring-security supports. The XML was then changed to the following.

The final AuthenticationManager is configured as follows

<security:authentication-manager alias="authenticationManager"><!-- authentication management class -->
    <security:authentication-provider user-service-ref="userDetailProvider">
        <security:password-encoder hash="sha-256"/>
    </security:authentication-provider>
</security:authentication-manager>
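As an added example (not code from the original post), a hypothetical body for the UserAuthProvider bean that user-service-ref points at. It shows what the retrieveUser() and preAuthenticationChecks() steps above actually consume, and the form a stored password must have for the sha-256 password-encoder to match it. The usernames, passwords and in-memory store are constructed for illustration; it assumes the Spring Security 3.x ShaPasswordEncoder default of unsalted, hex-encoded output.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.Collections;
import java.util.HashMap;
import java.util.Map;
import org.springframework.security.core.authority.SimpleGrantedAuthority;
import org.springframework.security.core.userdetails.User;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.core.userdetails.UsernameNotFoundException;

// Hypothetical body for the page's UserAuthProvider bean. DaoAuthenticationProvider.retrieveUser()
// calls loadUserByUsername(); the flags on the returned User are what preAuthenticationChecks
// inspects before additionalAuthenticationChecks() compares the password.
public class UserAuthProvider implements UserDetailsService {
    // Constructed in-memory store standing in for a database. Passwords are kept as lowercase hex
    // SHA-256 digests, the form <security:password-encoder hash="sha-256"/> compares against
    // (unsalted, because the page's configuration declares no salt-source).
    private final Map<String, String> storedHash = new HashMap<>();

    public UserAuthProvider() {
        storedHash.put("alice", sha256Hex("correct horse battery staple"));
        storedHash.put("bob", sha256Hex("bob-demo-password")); // bob is marked locked below
    }

    @Override
    public UserDetails loadUserByUsername(String username) throws UsernameNotFoundException {
        String hash = storedHash.get(username);
        if (hash == null) {
            // DaoAuthenticationProvider rethrows this as BadCredentialsException by default,
            // so the login form cannot be used to enumerate valid usernames.
            throw new UsernameNotFoundException("no such user");
        }
        return new User(username, hash,
                true,                   // enabled
                true,                   // accountNonExpired
                true,                   // credentialsNonExpired
                !"bob".equals(username), // accountNonLocked: check() throws LockedException for bob
                Collections.singletonList(new SimpleGrantedAuthority("ROLE_USER")));
    }

    // Same digest ShaPasswordEncoder produces for an unsalted password (hex, not base64).
    static String sha256Hex(String raw) {
        try {
            StringBuilder sb = new StringBuilder();
            for (byte b : MessageDigest.getInstance("SHA-256").digest(raw.getBytes(StandardCharsets.UTF_8)))
                sb.append(String.format("%02x", b));
            return sb.toString();
        } catch (java.security.NoSuchAlgorithmException e) { throw new IllegalStateException(e); }
    }
}
```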

In fact, very few people are silly enough to look up the attributes in the schema file, apart from wits like me. The official documentation is actually very clear, but I was too lazy to read it with an inquiring attitude.

Password verification passed. Done.

Often we want to extend this further, for example adding a USB-key (U-shield) login, SMS verification, or a captcha. To implement that you can add custom filters, override some methods, and so on; this is only an initial exploration and I am not clear enough on it yet, but these approaches are a little troublesome.

In fact, if you verify the user yourself and then put the user's login information into the SecurityContext, that works just as well.

For example, nothing above verifies the user with a captcha, limits the number of attempts, and so on.

Key code: Authentication auth = authenticationManager.authenticate(authRequest);

@Resource(name = "authenticationManager")
private AuthenticationManager authenticationManager = null;

The injected AuthenticationManager is actually the ProviderManager described earlier, and it goes through the methods above. Because the username parameter was not configured, the default j_username is used,

so naturally the value cannot be obtained from the request.
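As an added example (not code from the original post), a hypothetical login service that does the checks the post says are missing (captcha, attempt limit) itself, then drives the injected ProviderManager with the same token the filter would build and publishes the result into the SecurityContext. The request parameter names, captcha handling and the five-attempt policy are assumptions.

```java
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;
import javax.annotation.Resource;
import javax.servlet.http.HttpServletRequest;
import org.springframework.security.authentication.AuthenticationManager;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.AuthenticationException;
import org.springframework.security.core.context.SecurityContextHolder;

// Hypothetical login service: adds the checks the post says are missing (captcha,
// attempt limit) and then drives the same ProviderManager path the filter would.
public class CustomLoginService {
    private static final int MAX_FAILURES = 5; // assumed lockout policy
    private final Map<String, Integer> failures = new ConcurrentHashMap<>();

    // Same injection as on the page; the bean behind it is the ProviderManager.
    @Resource(name = "authenticationManager")
    private AuthenticationManager authenticationManager;

    // Reads "username"/"password" explicitly, so the filter's j_username default no
    // longer matters: the filter is bypassed here, not relied on.
    public boolean login(HttpServletRequest request, String expectedCaptcha) {
        String username = request.getParameter("username");
        String password = request.getParameter("password");
        String captcha = request.getParameter("captcha");
        if (username == null || password == null) return false;

        // 1. Checks Spring Security does not perform for us.
        if (captcha == null || !captcha.equals(expectedCaptcha)) return false;
        if (failures.getOrDefault(username, 0) >= MAX_FAILURES) return false;

        // 2. Same token the filter builds: principal first, credentials second.
        Authentication authRequest = new UsernamePasswordAuthenticationToken(username, password);
        try {
            // Key code from the post: ProviderManager -> DaoAuthenticationProvider -> loadUserByUsername
            Authentication auth = authenticationManager.authenticate(authRequest);
            // 3. Publish the result; SecurityContextPersistenceFilter stores it in the session
            //    at the end of the request, so later requests see the user as logged in.
            SecurityContextHolder.getContext().setAuthentication(auth);
            failures.remove(username);
            return true;
        } catch (AuthenticationException e) {
            // Wrong password, locked, expired or unknown user: count it, reveal nothing.
            failures.merge(username, 1, Integer::sum);
            return false;
        }
    }
}
```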

To be continued when I have spare time.
