The nature of Spring Security
Spring Security is essentially a chain of Filters, inserted into the servlet Filter Chain as a single Filter called FilterChainProxy. As shown in the figure.
In fact, there can be several Filter Chains under FilterChainProxy, each matching a different set of URLs, and the Filters in each Filter Chain are added or removed automatically according to the features you configure. So there is no need to declare these Filters explicitly unless you want to implement your own logic.
Key categories
Authentication
Authentication is an interface that represents a user's authentication information. Before the user is authenticated, the submitted information is wrapped in an object of a concrete Authentication implementation class. After login succeeds, a new Authentication object with fuller information, including the user's granted authorities, is produced and stored in the SecurityContext held by SecurityContextHolder, where later code can read it, for example when checking access rights.
AuthenticationManager
The main interface used for verification is AuthenticationManager, which has only one method:
public interface AuthenticationManager {
    Authentication authenticate(Authentication authentication) throws AuthenticationException;
}

There are three possible outcomes when the authenticate() method runs:
Verification succeeds and an Authentication carrying the user's information is returned.
Verification fails and an AuthenticationException is thrown.
The manager cannot decide and returns null.
ProviderManager
ProviderManager is the most common implementation of the AuthenticationManager interface described above. It does not perform verification itself; it delegates to the list of AuthenticationProviders it is configured with and calls each AuthenticationProvider in turn. As soon as one AuthenticationProvider authenticates successfully, no further providers are tried, and that result is returned directly as the result of ProviderManager.
Authentication process
The user logs in with a username and password.
Spring Security wraps the submitted username and password in an implementation class of the Authentication interface, most commonly UsernamePasswordAuthenticationToken.
The Authentication object created above is passed to ProviderManager, the AuthenticationManager implementation, for authentication.
ProviderManager calls each AuthenticationProvider in turn. When authentication succeeds, an Authentication object that also carries the user's authorities and other information is returned.
The Authentication object returned by AuthenticationManager is stored in the current SecurityContext.
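The five steps above and the three outcomes of authenticate(), as an added example that is not part of the original article: a ProviderManager wired with Spring Security's own DaoAuthenticationProvider over a constructed in-memory user (the class name AuthenticationFlowDemo and the user "alice" are assumptions).

```java
import java.util.List;
import org.springframework.security.authentication.*;
import org.springframework.security.authentication.dao.DaoAuthenticationProvider;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.security.core.userdetails.User;
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
import org.springframework.security.provisioning.InMemoryUserDetailsManager;

public class AuthenticationFlowDemo {

    // Steps 3 and 4: a ProviderManager that delegates to a single AuthenticationProvider.
    static AuthenticationManager buildManager() {
        BCryptPasswordEncoder encoder = new BCryptPasswordEncoder();
        // Constructed sample user; the store only ever holds the bcrypt hash.
        InMemoryUserDetailsManager users = new InMemoryUserDetailsManager(
                User.withUsername("alice").password(encoder.encode("correct horse")).roles("USER").build());
        DaoAuthenticationProvider provider = new DaoAuthenticationProvider();
        provider.setUserDetailsService(users);
        provider.setPasswordEncoder(encoder);
        return new ProviderManager(List.of(provider));
    }

    public static void main(String[] args) {
        AuthenticationManager manager = buildManager();
        // Outcome 1: success. Steps 1 and 2: the submitted credentials become an unauthenticated token.
        Authentication result = manager.authenticate(
                new UsernamePasswordAuthenticationToken("alice", "correct horse"));
        // The returned token is authenticated and carries authorities; ProviderManager erases
        // the credentials by default, so the clear-text password does not linger in the context.
        System.out.println(result.isAuthenticated() + " " + result.getAuthorities()
                + " credentials=" + result.getCredentials());
        // Step 5: publish the result for later authorization checks.
        SecurityContextHolder.getContext().setAuthentication(result);
        // Outcome 2: failure surfaces as an AuthenticationException (here BadCredentialsException).
        try {
            manager.authenticate(new UsernamePasswordAuthenticationToken("alice", "wrong"));
        } catch (BadCredentialsException e) {
            System.out.println("rejected: " + e.getMessage());
        }
        // Outcome 3: no provider supports this token type, so none can judge it;
        // ProviderManager reports that as a ProviderNotFoundException.
        try {
            manager.authenticate(new TestingAuthenticationToken("alice", "x"));
        } catch (ProviderNotFoundException e) {
            System.out.println("no provider: " + e.getMessage());
        }
    }
}
```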
Custom Verification
With the above as background, you can customise the verification method. As shown above, it is the AuthenticationProviders that actually perform the verification, so to customise it you only need to implement your own AuthenticationProvider and add it to the ProviderManager.
Customize AuthenticationProvider
import java.util.ArrayList;
import org.springframework.security.authentication.AuthenticationProvider;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.AuthenticationException;
import org.springframework.stereotype.Component;

@Component
public class CustomAuthenticationProvider implements AuthenticationProvider {

    @Override
    public Authentication authenticate(Authentication authentication) throws AuthenticationException {
        String name = authentication.getName();
        String password = authentication.getCredentials().toString();

        if (shouldAuthenticateAgainstThirdPartySystem()) {
            // use the credentials
            // and authenticate against the third-party system
            return new UsernamePasswordAuthenticationToken(name, password, new ArrayList<>());
        } else {
            return null;
        }
    }

    @Override
    public boolean supports(Class<?> authentication) {
        return authentication.equals(UsernamePasswordAuthenticationToken.class);
    }

    // Placeholder: the original leaves this decision undefined; replace with your own check.
    private boolean shouldAuthenticateAgainstThirdPartySystem() {
        return true;
    }
}

The supports() method receives the class of the incoming Authentication and reports whether this AuthenticationProvider can handle that type.
Register AuthenticationProvider
Now register the AuthenticationProvider you just created with the ProviderManager, and the work is done.
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.context.annotation.ComponentScan;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;

@Configuration
@EnableWebSecurity
@ComponentScan("org.baeldung.security")
public class SecurityConfig extends WebSecurityConfigurerAdapter {

    @Autowired
    private CustomAuthenticationProvider authProvider;

    // Adds the custom provider to the ProviderManager that Spring Security builds.
    @Override
    protected void configure(AuthenticationManagerBuilder auth) throws Exception {
        auth.authenticationProvider(authProvider);
    }

    // Every request must be authenticated; HTTP Basic supplies the username and password.
    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http.authorizeRequests().anyRequest().authenticated()
            .and()
            .httpBasic();
    }
}

Summary
The above is the editor's analysis of the Spring Security verification process and of the custom verification method. I hope it is helpful to you. If you have any questions, please leave a message and the editor will reply in time. Thank you very much for supporting the Wulin.com website!