Spring Security 3 Source Code Analysis (11): BasicAuthenticationFilter

The class path of the BasicAuthenticationFilter filter is

org.springframework.security.web.authentication.www.BasicAuthenticationFilter

Compared with form login, HTTP Basic authentication is not used very often. Spring Security supports the Basic scheme as well; the configuration is as follows:

XML configuration:

    <security:http auto-config="true">
        <!-- <security:form-login login-page="/login.jsp"/> -->
        <security:http-basic/>
        <security:logout logout-success-url="/login.jsp" invalidate-session="true"/>
        <security:intercept-url pattern="/login.jsp*" filters="none"/>
        <security:intercept-url pattern="/admin.jsp*" access="ROLE_ADMIN"/>
        <security:intercept-url pattern="/index.jsp*" access="ROLE_USER,ROLE_ADMIN"/>
        <security:intercept-url pattern="/**" access="ROLE_USER,ROLE_ADMIN"/>
    </security:http>

If you choose the Basic scheme, the form-login element must be commented out.

Next, let's look at how BasicAuthenticationFilter executes.

Java code:

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        final boolean debug = logger.isDebugEnabled();
        final HttpServletRequest request = (HttpServletRequest) req;
        final HttpServletResponse response = (HttpServletResponse) res;
        // With Basic login the client sends an Authorization header.
        // Its value looks like: Basic eXVxaW5nc29uZzox
        // eXVxaW5nc29uZzox is a Base64-encoded string.
        String header = request.getHeader("Authorization");
        if ((header != null) && header.startsWith("Basic ")) {
            byte[] base64Token = header.substring(6).getBytes("UTF-8");
            // After Base64 decoding the token has the form username:password
            String token = new String(Base64.decode(base64Token), getCredentialsCharset(request));
            String username = "";
            String password = "";
            int delim = token.indexOf(":");

            if (delim != -1) {
                username = token.substring(0, delim);
                password = token.substring(delim + 1);
            }

            if (debug) {
                logger.debug("Basic Authentication Authorization header found for user '" + username + "'");
            }
            // From here on the flow is basically the same as for form login:
            // authentication, authorization, and so on.
            if (authenticationIsRequired(username)) {
                UsernamePasswordAuthenticationToken authRequest =
                        new UsernamePasswordAuthenticationToken(username, password);
                authRequest.setDetails(authenticationDetailsSource.buildDetails(request));

                Authentication authResult;

                try {
                    authResult = authenticationManager.authenticate(authRequest);
                } catch (AuthenticationException failed) {
                    // Authentication failed
                    if (debug) {
                        logger.debug("Authentication request for user: " + username + " failed: " + failed.toString());
                    }

                    SecurityContextHolder.getContext().setAuthentication(null);

                    rememberMeServices.loginFail(request, response);

                    onUnsuccessfulAuthentication(request, response, failed);

                    if (ignoreFailure) {
                        chain.doFilter(request, response);
                    } else {
                        authenticationEntryPoint.commence(request, response, failed);
                    }

                    return;
                }

                // Authentication success
                if (debug) {
                    logger.debug("Authentication success: " + authResult.toString());
                }

                SecurityContextHolder.getContext().setAuthentication(authResult);

                rememberMeServices.loginSuccess(request, response, authResult);

                onSuccessfulAuthentication(request, response, authResult);
            }
        }

        chain.doFilter(request, response);
    }
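As an added illustration (my own code, not Spring Security's), the header handling of the filter above is reproduced in Python so that each branch it distinguishes can be run offline: no header, a non-Basic scheme, a password that itself contains colons, and a token with no colon at all. The function and sample credentials are mine; only the decision logic mirrors the filter.

```python
import base64
import binascii


def build_basic_header(username, password, charset="UTF-8"):
    """What an HTTP client sends: 'Basic ' + base64(username + ':' + password)."""
    raw = (username + ":" + password).encode(charset)
    return "Basic " + base64.b64encode(raw).decode("ascii")


def parse_basic_header(header, charset="UTF-8"):
    """Mirror BasicAuthenticationFilter's decisions step by step.

    Returns None when the filter would ignore the header and just call
    chain.doFilter (no header, or a scheme other than Basic); otherwise the
    (username, password) pair it would hand to the AuthenticationManager.
    A token that is not valid Base64 raises ValueError; a caller should treat
    that as a failed authentication (401), never as "no credentials supplied".
    """
    if header is None or not header.startswith("Basic "):
        return None
    token_b64 = header[6:].encode("utf-8")          # header.substring(6).getBytes("UTF-8")
    try:
        token = base64.b64decode(token_b64, validate=True).decode(charset)
    except (binascii.Error, UnicodeDecodeError) as exc:
        raise ValueError("undecodable Basic token") from exc
    username, password = "", ""
    delim = token.find(":")                         # token.indexOf(":")
    if delim != -1:
        # Only the FIRST colon separates the parts, so a password may itself
        # contain colons. A token with no colon yields two empty strings,
        # which the AuthenticationManager will then reject.
        username = token[:delim]
        password = token[delim + 1:]
    return username, password


if __name__ == "__main__":
    # Constructed sample credentials, not taken from the original article.
    hdr = build_basic_header("alice", "p:ss:w0rd")
    print(hdr, "->", parse_basic_header(hdr))
```

Note that Base64 is a reversible encoding, not encryption: the credentials travel in the clear unless the connection is protected by TLS.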
    Original author: Spring Boot
    Original URL: https://blog.csdn.net/benjamin_whx/article/details/39204683
    This article is reposted from the web solely to share knowledge; if it infringes any rights, please contact the blogger to have it removed.