Analysis of the Spring Security verification process and custom verification method

The essence of Spring Security

Spring Security is essentially a series of filters, which are inserted into the filter chain in the form of a single independent filter called FilterChainProxy, as shown in the figure.

In fact, there can be multiple filter chains under the FilterChainProxy to verify different URLs, and the filters in each chain are added or removed automatically according to the services you define. Therefore, there is no need to define these filters yourself unless you want to implement your own logic.

Key classes

Authentication

Authentication is an interface that represents user authentication information. Before login authentication, the relevant information is encapsulated in an object of an Authentication implementation class. After successful login authentication, an Authentication object with more comprehensive information and the user's permissions is generated and saved in the SecurityContext held by the SecurityContextHolder, where later code can use it, for example to check access rights.

AuthenticationManager

The main interface used for authentication is AuthenticationManager, which has only one method, authenticate().

There are three possible outcomes after the authenticate() method runs:

If authentication succeeds, an Authentication with user information is returned.

If authentication fails, an AuthenticationException is thrown.

If it cannot be determined, null is returned.

ProviderManager

ProviderManager is the most common implementation of the AuthenticationManager described above. It does not handle authentication itself, but delegates to its configured list of AuthenticationProviders and calls each AuthenticationProvider in turn. As soon as one AuthenticationProvider authenticates successfully, no further providers are tried, and that provider's result is used directly as the result of the ProviderManager.

Authentication process

The user logs in with a user name and password.

Spring Security encapsulates the submitted user name and password in an implementation class of the Authentication interface, such as the commonly used UsernamePasswordAuthenticationToken.

The Authentication object generated above is passed to ProviderManager, the implementation class of AuthenticationManager, for authentication.

ProviderManager calls each AuthenticationProvider in turn. After successful authentication, an Authentication object encapsulating the user's permissions and other information is returned.

The Authentication object returned by the AuthenticationManager is assigned to the current SecurityContext.

Custom validation

With the background above, you can customize the verification method. As shown above, it is the AuthenticationProviders that actually perform authentication. Therefore, to customize the authentication method, you only need to implement your own AuthenticationProvider and add it to the ProviderManager.

Custom AuthenticationProvider

The supports() method accepts an authentication parameter to determine whether the incoming Authentication is a type that the AuthenticationProvider can handle.

Register AuthenticationProvider

Now register the newly created AuthenticationProvider with the ProviderManager, and all operations are completed.

Summary

The above is the analysis of the Spring Security verification process and the custom verification method introduced by the editor. I hope it will be helpful to you. If you have any questions, please leave me a message and I will reply in time. Thank you very much for your support of the programming tips website!
