
Spring Security authentication logic

Endpoint security in Spring Security is achieved with a list of filters. I need one clarification.

Suppose a filter has successfully authenticated a request and set the authentication object in the security context. That filter has also called filterChain.doFilter(). Assume that authentication.isAuthenticated() returns true - the filter has already set it.

If isAuthenticated() returns true when called on the authentication object in the security context, will the subsequent filters skip the authentication process (meaning they won't call authenticationManager.authenticate())? Or will they still call authenticationManager.authenticate() even if isAuthenticated() returns true on the authentication object retrieved from the security context? Assume that the request path matches the filter configuration (that is, the subsequent filters will also see the request, because the request's servlet path matches their configuration).

Thanks in advance.

I'll try to answer in as much detail as possible.

First of all, it's true that Spring Security uses a filter chain, but usually the authentication starts from one of the filters in the chain. If you authenticate your users in multiple ways, then you need to implement multiple authentication providers (AuthenticationProvider). Take a look at figure 1. The authentication starts at the filter level and the responsibility is taken over by a manager, named AuthenticationManager. The manager finds an AuthenticationProvider that fits.

Figure 1

In certain cases, you might want to implement multiple authentication filters. Say you have a custom multi-factor authentication (MFA) solution. But it is you who decides which filters are skipped. By default, the request goes through each filter in the chain.

You can design a filter to be skipped if you implement OncePerRequestFilter and override the shouldNotFilter() method to tell the filter when it doesn't apply.

In conclusion:

  • to implement authentication in multiple ways you use authentication providers
  • the subsequent filters will see the request unless you explicitly make them skip it
  • I also recommend the first part of the book I wrote on Spring Security, Spring Security in Action. You'll find a more detailed description of how authentication, authorization and the filter chain work.
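As an added example (not code from the question, the answer, or Spring Security itself), the following Java sketch shows both points of the answer in one place: a second authentication filter that is reached by every matching request and decides for itself whether to call authenticationManager.authenticate(), using the same rule Spring's own BasicAuthenticationFilter applies in its authenticationIsRequired() method (re-authenticate only when the context holds no authenticated token or only the anonymous token), and a matching AuthenticationProvider that ProviderManager selects through supports(). The X-Api-Key header name, the /api/ path prefix used in shouldNotFilter(), the reuse of PreAuthenticatedAuthenticationToken as the carrier type, and the sample key are assumptions for this example; it assumes Spring Security 6 (jakarta.servlet) and that the provider is registered with the ProviderManager the filter receives.

```java
import java.io.IOException;
import java.util.List;
import java.util.Map;

import jakarta.servlet.FilterChain;
import jakarta.servlet.ServletException;
import jakarta.servlet.http.HttpServletRequest;
import jakarta.servlet.http.HttpServletResponse;

import org.springframework.security.authentication.AnonymousAuthenticationToken;
import org.springframework.security.authentication.AuthenticationManager;
import org.springframework.security.authentication.AuthenticationProvider;
import org.springframework.security.authentication.BadCredentialsException;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.AuthenticationException;
import org.springframework.security.core.authority.SimpleGrantedAuthority;
import org.springframework.security.core.context.SecurityContext;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.security.web.authentication.preauth.PreAuthenticatedAuthenticationToken;
import org.springframework.web.filter.OncePerRequestFilter;

/**
 * Hypothetical API-key filter placed after another authentication filter.
 * Nothing in the chain stops it from running; it decides for itself whether
 * to call authenticationManager.authenticate().
 */
public class ApiKeyAuthenticationFilter extends OncePerRequestFilter {

    static final String HEADER = "X-Api-Key"; // header name assumed for this example

    private final AuthenticationManager authenticationManager;

    public ApiKeyAuthenticationFilter(AuthenticationManager authenticationManager) {
        this.authenticationManager = authenticationManager;
    }

    /** Skip the filter outright for paths it is not responsible for (assumed: /api/**). */
    @Override
    protected boolean shouldNotFilter(HttpServletRequest request) {
        return !request.getServletPath().startsWith("/api/");
    }

    @Override
    protected void doFilterInternal(HttpServletRequest request, HttpServletResponse response,
            FilterChain chain) throws ServletException, IOException {
        String apiKey = request.getHeader(HEADER);

        // No key for this filter, or an earlier filter already authenticated the
        // caller: do nothing and let the rest of the chain run.
        if (apiKey == null || !authenticationIsRequired()) {
            chain.doFilter(request, response);
            return;
        }

        try {
            Authentication result = authenticationManager.authenticate(
                    new PreAuthenticatedAuthenticationToken(apiKey, "N/A"));
            SecurityContext context = SecurityContextHolder.createEmptyContext();
            context.setAuthentication(result);
            SecurityContextHolder.setContext(context);
        } catch (AuthenticationException ex) {
            // A rejected key must not leave a half-built context behind.
            SecurityContextHolder.clearContext();
            response.sendError(HttpServletResponse.SC_UNAUTHORIZED);
            return;
        }
        chain.doFilter(request, response);
    }

    /**
     * The decision the question asks about: re-authenticate only when the
     * context holds nothing, an unauthenticated token, or the anonymous token.
     */
    private boolean authenticationIsRequired() {
        Authentication existing = SecurityContextHolder.getContext().getAuthentication();
        if (existing == null || !existing.isAuthenticated()) {
            return true;
        }
        return existing instanceof AnonymousAuthenticationToken;
    }
}

/**
 * Provider for the token above. ProviderManager calls supports() on each
 * registered provider and passes the token to the ones that accept it.
 */
class ApiKeyAuthenticationProvider implements AuthenticationProvider {

    // Constructed sample key store; a real store would hold hashed keys.
    private final Map<String, String> keyToUser = Map.of("demo-key-123", "reporting-service");

    @Override
    public Authentication authenticate(Authentication authentication) throws AuthenticationException {
        String user = keyToUser.get(String.valueOf(authentication.getPrincipal()));
        if (user == null) {
            throw new BadCredentialsException("Unknown API key");
        }
        // The three-argument constructor marks the returned token as authenticated.
        return new PreAuthenticatedAuthenticationToken(user, "N/A",
                List.of(new SimpleGrantedAuthority("ROLE_API")));
    }

    @Override
    public boolean supports(Class<?> authentication) {
        return PreAuthenticatedAuthenticationToken.class.isAssignableFrom(authentication);
    }
}
```

In a SecurityFilterChain configuration the filter would be registered with http.addFilterAfter(new ApiKeyAuthenticationFilter(manager), BasicAuthenticationFilter.class). The chain itself never consults isAuthenticated() to decide whether to invoke the filter: only shouldNotFilter() removes it from a request, and only its own authenticationIsRequired() check avoids a second authenticate() call when an earlier filter has already populated the security context.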

Notice: the technical posts on this site are licensed under CC BY-SA 4.0; if you reproduce them, please credit this site's URL or the original source. For any questions contact: yoyou2525@163.com.