
Spring Security Core Components

AuthenticationManager and AuthenticationProvider

  • AuthenticationManager

Authentication authenticate(Authentication authentication) throws AuthenticationException;

  • AuthenticationProvider
Authentication authenticate(Authentication authentication) throws AuthenticationException;

boolean supports(Class<?> authentication);

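ProviderManager delegates to a list of configured AuthenticationProviders.

The providers are tried in the order shown (implied by the use of a List). Each provider can attempt authentication, or skip it by simply returning null. If every implementation returns null, ProviderManager throws a ProviderNotFoundException.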

<bean id="authenticationManager" class="org.springframework.security.authentication.ProviderManager">
    <constructor-arg>
        <!-- Providers are tried in list order. The "local" attribute of ref was
             removed from the Spring 4.0 beans XSD, so "bean" is used here. -->
        <list>
            <ref bean="daoAuthenticationProvider"/>
            <ref bean="anonymousAuthenticationProvider"/>
            <ref bean="ldapAuthenticationProvider"/>
        </list>
    </constructor-arg>
</bean>
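The delegation order described above, as an added Java example (not code from the original page or from the Spring Security project). SingleUserProvider, ProviderOrderDemo and the user "mallory" are hypothetical, the two accounts are constructed sample data in the {id}password format used by the user-service example, and spring-security-core is assumed to be on the classpath.

```java
import java.util.Arrays;
import org.springframework.security.authentication.*;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.authority.AuthorityUtils;
import org.springframework.security.crypto.factory.PasswordEncoderFactories;
import org.springframework.security.crypto.password.PasswordEncoder;

public class ProviderOrderDemo {
    static final PasswordEncoder ENCODER = PasswordEncoderFactories.createDelegatingPasswordEncoder();

    /** Hypothetical provider for one constructed account; abstains for any other user. */
    static class SingleUserProvider implements AuthenticationProvider {
        private final String user, storedPassword, role;
        SingleUserProvider(String user, String storedPassword, String role) {
            this.user = user; this.storedPassword = storedPassword; this.role = role;
        }
        @Override
        public Authentication authenticate(Authentication auth) {
            if (!user.equals(auth.getName())) {
                return null; // not ours: ProviderManager moves on to the next provider
            }
            if (!ENCODER.matches(String.valueOf(auth.getCredentials()), storedPassword)) {
                throw new BadCredentialsException("Bad credentials");
            }
            // The three-argument constructor yields an authenticated token.
            return new UsernamePasswordAuthenticationToken(
                    user, auth.getCredentials(), AuthorityUtils.createAuthorityList(role));
        }
        @Override
        public boolean supports(Class<?> type) {
            return UsernamePasswordAuthenticationToken.class.isAssignableFrom(type);
        }
    }

    public static void main(String[] args) {
        // Constructed sample accounts; list order is the order in which they are tried.
        ProviderManager manager = new ProviderManager(Arrays.<AuthenticationProvider>asList(
                new SingleUserProvider("jimi", "{noop}jimispassword", "ROLE_ADMIN"),
                new SingleUserProvider("bob", "{noop}bobspassword", "ROLE_USER")));

        // The first provider returns null for "bob"; the second authenticates him.
        // ProviderManager erases credentials from the returned token by default.
        Authentication ok = manager.authenticate(new UsernamePasswordAuthenticationToken("bob", "bobspassword"));
        System.out.println(ok.getName() + " " + ok.getAuthorities() + " credentials=" + ok.getCredentials());

        try { // every provider returns null for an unknown user
            manager.authenticate(new UsernamePasswordAuthenticationToken("mallory", "x"));
        } catch (ProviderNotFoundException e) {
            System.out.println("ProviderNotFoundException: " + e.getMessage());
        }
    }
}
```

ProviderNotFoundException is itself an AuthenticationException, so a caller that already handles authentication failures handles this case as well.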

UserDetailsService

In-Memory

<user-service id="userDetailsService">
    <user name="jimi" password="{noop}jimispassword" authorities="ROLE_USER, ROLE_ADMIN" />
    <user name="bob" password="{noop}bobspassword" authorities="ROLE_USER" />
</user-service>

Password Encoding

DelegatingPasswordEncoder

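// Alternative 1: the default delegating encoder
PasswordEncoder passwordEncoder = PasswordEncoderFactories.createDelegatingPasswordEncoder();

// Alternative 2: a custom delegating encoder.
// New passwords are encoded with idForEncode; the other entries only match existing values.
String idForEncode = "bcrypt";
Map<String, PasswordEncoder> encoders = new HashMap<>();
encoders.put(idForEncode, new BCryptPasswordEncoder());
encoders.put("noop", NoOpPasswordEncoder.getInstance());   // plaintext, legacy values only
encoders.put("pbkdf2", new Pbkdf2PasswordEncoder());
encoders.put("scrypt", new SCryptPasswordEncoder());
encoders.put("sha256", new StandardPasswordEncoder());     // deprecated, legacy values only

PasswordEncoder passwordEncoder =
    new DelegatingPasswordEncoder(idForEncode, encoders);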

BCryptPasswordEncoder

// Create an encoder with strength 16
BCryptPasswordEncoder encoder = new BCryptPasswordEncoder(16);
String result = encoder.encode("myPassword");
assertTrue(encoder.matches("myPassword", result));

Pbkdf2PasswordEncoder

// Create an encoder with all the defaults
Pbkdf2PasswordEncoder encoder = new Pbkdf2PasswordEncoder();
String result = encoder.encode("myPassword");
assertTrue(encoder.matches("myPassword", result));

SCryptPasswordEncoder

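DelegatingFilterProxy Filter Chain

  • ChannelProcessingFilter, because it might need to redirect to a different protocol
  • SecurityContextPersistenceFilter, so that a SecurityContext can be set up in the SecurityContextHolder at the beginning of a web request, and any changes to the SecurityContext can be copied to the HttpSession when the web request ends (ready for use with the next web request)
  • ConcurrentSessionFilter, because it uses the SecurityContextHolder functionality and needs to update the SessionRegistry to reflect ongoing requests from the principal
  • Authentication processing mechanisms - UsernamePasswordAuthenticationFilter, CasAuthenticationFilter, BasicAuthenticationFilter, etc. - so that the SecurityContextHolder can be modified to contain a valid Authentication request token
  • SecurityContextHolderAwareRequestFilter, if you are using it to install a Spring Security aware HttpServletRequestWrapper into your servlet container
  • JaasApiIntegrationFilter, which, if a JaasAuthenticationToken is in the SecurityContextHolder, processes the FilterChain as the Subject in the JaasAuthenticationToken
  • RememberMeAuthenticationFilter, so that if no earlier authentication processing mechanism updated the SecurityContextHolder, and the request presents a cookie that enables remember-me services, a suitable remembered Authentication object is put there
  • AnonymousAuthenticationFilter, so that if no earlier authentication processing mechanism updated the SecurityContextHolder, an anonymous Authentication object is put there
  • ExceptionTranslationFilter, to catch any Spring Security exceptions so that either an HTTP error response can be returned or an appropriate AuthenticationEntryPoint can be launched
  • FilterSecurityInterceptor, to protect web URIs and raise exceptions when access is denied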