Dead_knight
Spring Security 3 Source Analysis: BasicAuthenticationFilter

The BasicAuthenticationFilter class lives at
org.springframework.security.web.authentication.www.BasicAuthenticationFilter

HTTP Basic authentication is, by comparison, not used very often. Spring Security supports it as well; the configuration looks like this:
<security:http auto-config="true">
    <!-- <security:form-login login-page="/login.jsp"/>-->
    <security:http-basic/>
    <security:logout logout-success-url="/login.jsp" invalidate-session="true"/>
    <security:intercept-url pattern="/login.jsp*" filters="none"/>
    <security:intercept-url pattern="/admin.jsp*" access="ROLE_ADMIN"/>
    <security:intercept-url pattern="/index.jsp*" access="ROLE_USER,ROLE_ADMIN"/>
    <security:intercept-url pattern="/**" access="ROLE_USER,ROLE_ADMIN"/>
</security:http>

If you choose Basic, the form-login definition must be commented out. The reason is in the namespace parser: when an explicit http-basic element is present and no form-login element is, BasicAuthenticationEntryPoint is selected as the entry point (this holds even with auto-config="true"), so an unauthenticated request to a protected URL gets a 401 response with a WWW-Authenticate: Basic challenge instead of a redirect to the login page. Note that Basic only Base64-encodes the credentials and resends them with every request, so it should only be used over HTTPS (for example with requires-channel="https" on the intercept-url elements).

Next, look at how BasicAuthenticationFilter executes (the doFilter method from Spring Security 3.0; fields such as authenticationManager, authenticationEntryPoint, rememberMeServices and ignoreFailure are set on the filter instance by the namespace configuration):
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        final boolean debug = logger.isDebugEnabled();
        final HttpServletRequest request = (HttpServletRequest) req;
        final HttpServletResponse response = (HttpServletResponse) res;
        // A Basic login sends the credentials in the Authorization request header, e.g.
        //   Authorization: Basic eXVxaW5nc29uZzox
        // where eXVxaW5nc29uZzox is the Base64 encoding of "username:password".
        // Base64 is an encoding, not encryption: without TLS the password travels in
        // the clear on every request.
        String header = request.getHeader("Authorization");
        if ((header != null) && header.startsWith("Basic ")) {
            byte[] base64Token = header.substring(6).getBytes("UTF-8");
            // After Base64 decoding the token has the form username:password. The
            // charset used to decode it is credentialsCharset (UTF-8 by default).
            String token = new String(Base64.decode(base64Token), getCredentialsCharset(request));
            String username = "";
            String password = "";
            // Split on the first ':' only, so a password may itself contain ':'
            // while a username may not. Without any ':' both fields stay empty.
            int delim = token.indexOf(":");

            if (delim != -1) {
                username = token.substring(0, delim);
                password = token.substring(delim + 1);
            }

            if (debug) {
                // Only the username is logged; the password never reaches the log.
                logger.debug("Basic Authentication Authorization header found for user '" + username + "'");
            }
            // From here on the flow is the same as for form login: wrap the credentials in
            // a UsernamePasswordAuthenticationToken and hand it to the AuthenticationManager.
            // Authorization (the access rules) is not done here; that happens later in
            // FilterSecurityInterceptor. authenticationIsRequired() skips re-authentication
            // when the SecurityContext already holds an authenticated token for this username.
            if (authenticationIsRequired(username)) {
                UsernamePasswordAuthenticationToken authRequest =
                        new UsernamePasswordAuthenticationToken(username, password);
                authRequest.setDetails(authenticationDetailsSource.buildDetails(request));

                Authentication authResult;

                try {
                    authResult = authenticationManager.authenticate(authRequest);
                } catch (AuthenticationException failed) {
                    // Authentication failed: clear the context so no stale Authentication
                    // survives, then either ignore the failure (ignoreFailure=true, used when
                    // Basic is combined with another authentication mechanism) or let the
                    // entry point send the 401 challenge.
                    if (debug) {
                        logger.debug("Authentication request for user: " + username + " failed: " + failed.toString());
                    }

                    SecurityContextHolder.getContext().setAuthentication(null);

                    rememberMeServices.loginFail(request, response);

                    onUnsuccessfulAuthentication(request, response, failed);

                    if (ignoreFailure) {
                        chain.doFilter(request, response);
                    } else {
                        authenticationEntryPoint.commence(request, response, failed);
                    }

                    return;
                }

                // Authentication success: store the result in the SecurityContext. Unlike
                // form login there is no redirect; the original request continues down the chain.
                if (debug) {
                    logger.debug("Authentication success: " + authResult.toString());
                }

                SecurityContextHolder.getContext().setAuthentication(authResult);

                rememberMeServices.loginSuccess(request, response, authResult);

                onSuccessfulAuthentication(request, response, authResult);
            }
        }

        // No Basic header, or authentication succeeded: continue with the chain. If no
        // credentials were sent and the URL is protected, the entry point later answers
        // with 401 and WWW-Authenticate: Basic realm="...".
        chain.doFilter(request, response);
    }
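As an added example (not code from the original post and not Spring Security's own code), here is a small Python re-implementation of the two pieces of behaviour covered above: the header decoding and first-colon split performed by the filter, and the 401 challenge issued by the entry point when no credentials are present or authentication fails. The user store, the realm name, the request/response dictionaries and the authenticate() function (standing in for the AuthenticationManager) are all constructed for this example. It goes slightly beyond the Spring code in matching the scheme name case-insensitively as RFC 7617 requires and in rejecting malformed Base64, and it shows why credentialsCharset matters once a username or password contains non-ASCII characters.

```python
"""Added example: a Python re-implementation of the header handling that
BasicAuthenticationFilter performs and of the 401 challenge sent by
BasicAuthenticationEntryPoint. Not Spring Security's code; the user store,
realm and request/response shapes are constructed for this example."""
import base64
import hmac

REALM = "Spring Security Application"   # assumed realm name for the challenge

# Constructed user store; in Spring Security the AuthenticationManager does this.
# "p:ss" contains a colon on purpose to exercise the first-colon split rule.
USERS = {"yuqingsong": "1", "alice": "p:ss", "müller": "secret"}


def build_header(username, password, charset="utf-8"):
    """Client side: the Authorization header a browser sends after a Basic challenge."""
    token = base64.b64encode(f"{username}:{password}".encode(charset)).decode("ascii")
    return "Basic " + token


def parse_basic_header(header, charset="utf-8"):
    """Server side: mirrors the filter's decode and split on the FIRST ':'.
    Returns (username, password), or None when the header is absent, uses
    another scheme, or is not valid Base64 / not decodable in `charset`.
    Unlike the Spring 3 startsWith("Basic ") check, the scheme is matched
    case-insensitively (RFC 7617)."""
    if header is None:
        return None
    scheme, sep, rest = header.partition(" ")
    if not sep or scheme.lower() != "basic":
        return None
    try:
        token = base64.b64decode(rest.strip(), validate=True).decode(charset)
    except (ValueError, UnicodeDecodeError):   # binascii.Error is a ValueError
        return None
    # Everything after the first ':' is the password, so a password may contain
    # ':' but a username may not. With no ':' at all both fields stay empty.
    delim = token.find(":")
    if delim == -1:
        return ("", "")
    return token[:delim], token[delim + 1:]


def authenticate(credentials):
    """Stand-in for authenticationManager.authenticate(); constant-time compare."""
    if credentials is None:
        return False
    username, password = credentials
    expected = USERS.get(username)
    if expected is None:
        return False
    return hmac.compare_digest(expected.encode("utf-8"), password.encode("utf-8"))


def handle_request(headers):
    """Filter plus entry point decision as described in the post:
    no or bad credentials -> 401 with a Basic challenge (ignoreFailure=False),
    good credentials -> the request proceeds down the chain (200 here)."""
    creds = parse_basic_header(headers.get("Authorization"))
    if creds is None or not authenticate(creds):
        return 401, {"WWW-Authenticate": f'Basic realm="{REALM}"'}
    return 200, {}


if __name__ == "__main__":
    print(handle_request({}))                                             # challenge
    print(handle_request({"Authorization": build_header("alice", "p:ss")}))   # 200
    print(handle_request({"Authorization": build_header("alice", "wrong")}))  # 401
    # The post's own token decodes to yuqingsong:1
    print(parse_basic_header("Basic eXVxaW5nc29uZzox"))
```

Two of the cases are worth noticing. A token without a colon leaves both fields empty, exactly as the Java code does, so the AuthenticationManager is asked to authenticate an empty username rather than the filter rejecting the header outright. And a client that encodes "müller:secret" as ISO-8859-1 is unreadable to a server decoding with UTF-8, which is the situation credentialsCharset exists to resolve.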