AI 助理
文档备案控制台
开发者社区 数据库 文章 正文

认证源码分析与自定义后端认证逻辑

2025-12-30 78
版权
版权声明:
本文内容由阿里云实名注册用户自发贡献,版权归原作者所有,阿里云开发者社区不拥有其著作权,亦不承担相应法律责任。具体规则请查看《 阿里云开发者社区用户服务协议》和 《阿里云开发者社区知识产权保护指引》。如果您发现本社区中有涉嫌抄袭的内容,填写 侵权投诉表单进行举报,一经查实,本社区将立刻删除涉嫌侵权内容。
本文涉及的产品
PolarClaw,2核4GB
RDS AI 助手,专业版
RDS MySQL DuckDB 分析主实例,集群系列 4核8GB
简介: 本文深入分析Spring Security认证流程,从UsernamePasswordAuthenticationFilter切入,详解AuthenticationManager、ProviderManager及AbstractUserDetailsAuthenticationProvider的认证机制,最终实现自定义UserDetailsService,完成基于数据库的用户认证逻辑。

1.认证流程分析

UsernamePasswordAuthenticationFilter

先看主要负责认证的过滤器UsernamePasswordAuthenticationFilter,有删减,注意注释。

public class UsernamePasswordAuthenticationFilter extends AbstractAuthenticationProcessingFilter
{
    public static final String SPRING_SECURITY_FORM_USERNAME_KEY = "username";
    public static final String SPRING_SECURITY_FORM_PASSWORD_KEY = "password";
    private String usernameParameter = "username";
    private String passwordParameter = "password";
    private boolean postOnly = true;
    
    public UsernamePasswordAuthenticationFilter() {
        super(new AntPathRequestMatcher("/login", "POST"));
    }
    
    public Authentication attemptAuthentication(HttpServletRequest request, 
                                                HttpServletResponse response) throws AuthenticationException {
        //必须为POST请求
        if (this.postOnly && !request.getMethod().equals("POST")) {
            throw new AuthenticationServiceException("Authentication method not supported: " +
                                                     request.getMethod());
        } else {
            
            String username = this.obtainUsername(request);
            String password = this.obtainPassword(request);
            
            if (username == null) {
                username = "";
            }
            
            if (password == null) {
                password = "";
            }
            
            username = username.trim();
            
            //将填写的用户名和密码封装到了UsernamePasswordAuthenticationToken中
            UsernamePasswordAuthenticationToken authRequest = new
            UsernamePasswordAuthenticationToken(username, password);
            
            this.setDetails(request, authRequest);
            //调用AuthenticationManager对象实现认证
            return this.getAuthenticationManager().authenticate(authRequest);
        }
    }
}

AuthenticationManager

由上面源码得知,真正认证操作在AuthenticationManager里面!

public class ProviderManager implements AuthenticationManager, MessageSourceAware,
InitializingBean {
    
    private static final Log logger = LogFactory.getLog(ProviderManager.class);
    private AuthenticationEventPublisher eventPublisher;
    private List<AuthenticationProvider> providers;
    protected MessageSourceAccessor messages;
    private AuthenticationManager parent;
    private boolean eraseCredentialsAfterAuthentication;
    
    //注意AuthenticationProvider这个对象,SpringSecurity针对每一种认证,什么qq登录啊,
    //用户名密码登陆啊,微信登录啊都封装了一个AuthenticationProvider对象。
    public ProviderManager(List<AuthenticationProvider> providers) {
        this(providers, (AuthenticationManager)null);
    }
    
    public Authentication authenticate(Authentication authentication) throws
    AuthenticationException {
        
        Class<? extends Authentication> toTest = authentication.getClass();
        AuthenticationException lastException = null;
        AuthenticationException parentException = null;
        Authentication result = null;
        Authentication parentResult = null;
        boolean debug = logger.isDebugEnabled();
        Iterator var8 = this.getProviders().iterator();
        
        //循环所有AuthenticationProvider,匹配当前认证类型。
        while(var8.hasNext()) {
            AuthenticationProvider provider = (AuthenticationProvider)var8.next();
            if (provider.supports(toTest)) {
                if (debug) {
                    logger.debug("Authentication attempt using " +
                                 provider.getClass().getName());
                }
                try {
                    //找到了对应认证类型就继续调用AuthenticationProvider对象完成认证业务。
                    result = provider.authenticate(authentication);
                    if (result != null) {
                        this.copyDetails(authentication, result);
                        break;
                    }
                } catch (AccountStatusException var13) {
                    this.prepareException(var13, authentication);
                    throw var13;
                } catch (InternalAuthenticationServiceException var14) {
                    this.prepareException(var14, authentication);
                    throw var14;
                } catch (AuthenticationException var15) {
                    lastException = var15;
                }
            }
        }
        
        if (result == null && this.parent != null) {
            try {
                result = parentResult = this.parent.authenticate(authentication);
            } catch (ProviderNotFoundException var11) {
            } catch (AuthenticationException var12) {
                parentException = var12;
                lastException = var12;
            }
        }
        
        if (result != null) {
            if (this.eraseCredentialsAfterAuthentication && result instanceof
                CredentialsContainer) {
                ((CredentialsContainer)result).eraseCredentials();
            }
            if (parentResult == null) {
                this.eventPublisher.publishAuthenticationSuccess(result);
            }
            return result;
        } else {
            if (lastException == null) {
                lastException = new
                ProviderNotFoundException(this.messages.getMessage("ProviderManager.providerNotFound", new
                                                                   Object[]{toTest.getName()}, "No AuthenticationProvider found for {0}"));
            }
            if (parentException == null) {
                this.prepareException((AuthenticationException)lastException, authentication);
            }
            throw lastException;
        }
    }
}

AbstractUserDetailsAuthenticationProvider

咱们继续再找到AuthenticationProvider的实现类AbstractUserDetailsAuthenticationProvider:

public class DaoAuthenticationProvider extends AbstractUserDetailsAuthenticationProvider {
    private static final String USER_NOT_FOUND_PASSWORD = "userNotFoundPassword";
    private PasswordEncoder passwordEncoder;
    private volatile String userNotFoundEncodedPassword;
    private UserDetailsService userDetailsService;
    private UserDetailsPasswordService userDetailsPasswordService;
    protected final UserDetails retrieveUser(String username,
                                             UsernamePasswordAuthenticationToken authentication) throws AuthenticationException {
        this.prepareTimingAttackProtection();
        try {
            //重点来了!主要就在这里了!
            //可别忘了,咱们为什么要翻源码,是想用自己数据库中的数据实现认证操作啊!
            //UserDetails就是SpringSecurity自己的用户对象。
            //this.getUserDetailsService()其实就是得到UserDetailsService的一个实现类
            //loadUserByUsername里面就是真正的认证逻辑
            //也就是说我们可以直接编写一个UserDetailsService的实现类,告诉SpringSecurity就可以了!
            //loadUserByUsername方法中只需要返回一个UserDetails对象即可
            UserDetails loadedUser = this.getUserDetailsService().loadUserByUsername(username);
            //若返回null,就抛出异常,认证失败。
            if (loadedUser == null) {
                throw new InternalAuthenticationServiceException("UserDetailsService returned
                                                                 null, which is an interface contract violation");
            } else {
                //若有得到了UserDetails对象,返回即可。
                return loadedUser;
            }
        } catch (UsernameNotFoundException var4) {
            this.mitigateAgainstTimingAttack(authentication);
            throw var4;
        } catch (InternalAuthenticationServiceException var5) {
            throw var5;
        } catch (Exception var6) {
            throw new InternalAuthenticationServiceException(var6.getMessage(), var6);
        }
    }
}

AbstractUserDetailsAuthenticationProvider

按理说到此已经知道自定义认证方法的怎么写了,但咱们把返回的流程也大概走一遍,上面不是说到返回了一个 UserDetails对象对象吗?

跟着它就又回到AbstractUserDetailsAuthenticationProvider对象中authenticate方法最后一行了。

public abstract class AbstractUserDetailsAuthenticationProvider implements
AuthenticationProvider, InitializingBean, MessageSourceAware {
   
    public Authentication authenticate(Authentication authentication) throws
    AuthenticationException {
        //最后一行返回值,调用了createSuccessAuthentication方法,此方法就在下面!
        return this.createSuccessAuthentication(principalToReturn, authentication, user);
    }
    
    //咿!?怎么又封装了一次UsernamePasswordAuthenticationToken,开局不是已经封装过了吗?
    protected Authentication createSuccessAuthentication(Object principal, 
                                                         Authentication authentication, 
                                                         UserDetails user) {
        //那就从构造方法点进去看看,这才干啥了。
        UsernamePasswordAuthenticationToken result = new
        UsernamePasswordAuthenticationToken(principal, authentication.getCredentials(),
                                            this.authoritiesMapper.mapAuthorities(user.getAuthorities()));
        result.setDetails(authentication.getDetails());
        return result;
    }
}

UsernamePasswordAuthenticationToken

来到UsernamePasswordAuthenticationToken对象发现里面有两个构造方法

public class UsernamePasswordAuthenticationToken extends AbstractAuthenticationToken {
   
    private static final long serialVersionUID = 510L;
    private final Object principal;
    private Object credentials;
    
    //认证成功前,调用的是这个带有两个参数的。
    public UsernamePasswordAuthenticationToken(Object principal, 
                                               Object credentials) {
        super((Collection)null);
        this.principal = principal;
        this.credentials = credentials;
        this.setAuthenticated(false);
    }
    
    //认证成功后,调用的是这个带有三个参数的。
    public UsernamePasswordAuthenticationToken(Object principal, 
                                               Object credentials,
                                               Collection<? extends GrantedAuthority> authorities) {
        //看看父类干了什么!
        super(authorities);
        this.principal = principal;
        this.credentials = credentials;
        super.setAuthenticated(true);
  }
}

AbstractAuthenticationToken

再点进去super(authorities)看看:

public abstract class AbstractAuthenticationToken implements Authentication,
CredentialsContainer {
    
    private final Collection<GrantedAuthority> authorities;
    private Object details;
    private boolean authenticated = false;
    
    public AbstractAuthenticationToken(Collection<? extends GrantedAuthority> authorities) {
        
        //这时两个参数那个分支!
        if (authorities == null) {
            this.authorities = AuthorityUtils.NO_AUTHORITIES;
        } else {
            //三个参数的,看这里!
            Iterator var2 = authorities.iterator();
            //原来是多个了添加权限信息的步骤
            GrantedAuthority a;
            do {
                if (!var2.hasNext()) {
                    ArrayList<GrantedAuthority> temp = new ArrayList(authorities.size());
                    temp.addAll(authorities);
                    this.authorities = Collections.unmodifiableList(temp);
                    return;
                }
                a = (GrantedAuthority)var2.next();
            } while(a != null);
            //若没有权限信息,是会抛出异常的!
            throw new IllegalArgumentException("Authorities collection cannot contain any null
            elements");
        }
    }
}

由此,咱们需要牢记自定义认证业务逻辑返回的UserDetails对象中一定要放置权限信息! 现在可以结束源码分析了?先不要着急! 咱们回到最初的地方UsernamePasswordAuthenticationFilter,你看好看了,这可是个过滤器,咱们分析这么 久,都没提到doFilter方法,你不觉得心里不踏实?可是这里面也没有doFilter呀?那就从父类找!

AbstractAuthenticationProcessingFilter

点开AbstractAuthenticationProcessingFilter,删掉不必要的代码!

public abstract class AbstractAuthenticationProcessingFilter 
extends GenericFilterBean
implements ApplicationEventPublisherAware, MessageSourceAware {
    
    //doFilter再次!
    public void doFilter(ServletRequest req, 
                         ServletResponse res, 
                         FilterChain chain) throws IOException, ServletException {
        
        HttpServletRequest request = (HttpServletRequest)req;
        HttpServletResponse response = (HttpServletResponse)res;
        
        if (!this.requiresAuthentication(request, response)) {
            chain.doFilter(request, response);
        } else {
            
            if (this.logger.isDebugEnabled()) {
                this.logger.debug("Request is to process authentication");
            }
            
            Authentication authResult;
            try {
                authResult = this.attemptAuthentication(request, response);
                if (authResult == null) {
                    return;
                }
                this.sessionStrategy.onAuthentication(authResult, request, response);
            } catch (InternalAuthenticationServiceException var8) {
                this.logger.error("An internal error occurred while trying to authenticate the
                user.", var8);
                this.unsuccessfulAuthentication(request, response, var8);
                return;
            } catch (AuthenticationException var9) {
                this.unsuccessfulAuthentication(request, response, var9);
                return;
            }
            if (this.continueChainBeforeSuccessfulAuthentication) {
                chain.doFilter(request, response);
            }
            this.successfulAuthentication(request, response, chain, authResult);
        }
    }
    
    protected boolean requiresAuthentication(HttpServletRequest request, 
                                             HttpServletResponse response) {
        return this.requiresAuthenticationRequestMatcher.matches(request);
    }
    
    //成功走successfulAuthentication
    protected void successfulAuthentication(HttpServletRequest request, 
                                            HttpServletResponse response, 
                                            FilterChain chain, 
                                            Authentication authResult) throws IOException, ServletException {
        
        if (this.logger.isDebugEnabled()) {
            this.logger.debug("Authentication success. Updating SecurityContextHolder to
                              contain: " + authResult);
        }
        
        //认证成功,将认证信息存储到SecurityContext中!
        SecurityContextHolder.getContext().setAuthentication(authResult);
        //登录成功调用rememberMeServices
        this.rememberMeServices.loginSuccess(request, response, authResult);
        if (this.eventPublisher != null) {
            this.eventPublisher.publishEvent(new
                                             InteractiveAuthenticationSuccessEvent(authResult, this.getClass()));
        }
        this.successHandler.onAuthenticationSuccess(request, response, authResult);
    }
    
    //失败走unsuccessfulAuthentication
    protected void unsuccessfulAuthentication(HttpServletRequest request, 
                                              HttpServletResponse response, 
                                              AuthenticationException failed) throws IOException, ServletException {
        SecurityContextHolder.clearContext();
        if (this.logger.isDebugEnabled()) {
            this.logger.debug("Authentication request failed: " + failed.toString(), failed);
            this.logger.debug("Updated SecurityContextHolder to contain null Authentication");
            this.logger.debug("Delegating to authentication failure handler " +
                              this.failureHandler);
        }
        this.rememberMeServices.loginFail(request, response);
        this.failureHandler.onAuthenticationFailure(request, response, failed);
    }
}

可见AbstractAuthenticationProcessingFilter这个过滤器对于认证成功与否,做了两个分支,成功执行 successfulAuthentication,失败执行unsuccessfulAuthentication。

在successfulAuthentication内部,将认证信息存储到了SecurityContext中。并调用了loginSuccess方法,这就是常见的“记住我”功能!此功能具体应用,咱们后续再研究!

2.自定义认证实现流程

1.实现UserDetailService与自定义逻辑

自定义用户类需要实现UserDetails接口,并实现接口的方法,所以我们编写下述代码。

package com.yzxb.SpringSecurity.service;
import com.yzxb.SpringSecurity.pojo.Role;
import com.yzxb.SpringSecurity.pojo.User;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.core.userdetails.UsernameNotFoundException;
import org.springframework.stereotype.Service;
import java.util.ArrayList;
import java.util.List;
import java.util.Objects;
@Service
public class MyUserService implements UserDetailsService {
    @Override
    public UserDetails loadUserByUsername(String username)
            throws UsernameNotFoundException {
        // 1-本地mysql用户存在性查询
        User user = selectUserFromDb();
        if (Objects.isNull(user)) {
            throw new UsernameNotFoundException("用户不存在");
        }
        // 2-本地查询权限
        List<Role> roles = selectAuthFromDb();
        // 3-设置权限信息
        user.setRoles(roles);
        // 4-返回权限合集
        return user;
    }
    /**
     * TODO 如果需要调用数据库查询,这里接入orm持久层框架即可
     * @return 用户本地权限合集
     */
    private List<Role> selectAuthFromDb() {
        return new ArrayList<>();
    }
    /**
     * TODO 如果需要调用数据库查询,这里接入orm持久层框架即可
     * @return  本地用户信息
     */
    private User selectUserFromDb() {
        return new User();
    }
}

2.注册自定义实现类

package com.yzxb.SpringSecurity.config;
import com.yzxb.SpringSecurity.service.MyUserService;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import javax.annotation.Resource;
@Configuration
public class SecurityConfig extends WebSecurityConfigurerAdapter {
    @Resource
    private MyUserService myUserService;
    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http.authorizeRequests()
                .anyRequest().authenticated()
                .and().formLogin().loginPage("/login.html")
                .loginProcessingUrl("/doLogin")
                .defaultSuccessUrl("/demo/index ")
                .failureUrl("/login.html")
                .usernameParameter("uname")
                .passwordParameter("passwd")
                .permitAll()
                .and()
                .csrf()
                .disable();
    }
    @Override
    protected void configure(AuthenticationManagerBuilder auth) throws Exception {
        auth.userDetailsService(myUserService);
    }
}

改完的效果如下图

然后重启项目,就可以实现自定义的数据库认证逻辑。

3.完整代码获取

文章标签:
数据库
Java
开发工具
安全
存储
游客rptpd75w3yo66
目录
相关文章
游客rptpd75w3yo66
|
4月前
|
微服务 监控
认识Seata
Seata是阿里巴巴开源的分布式事务解决方案,通过事务协调者(TC)、事务管理器(TM)和资源管理器(RM)协同工作,实现全局事务一致性。支持XA、AT、TCC、SAGA四种模式,其中AT为默认模式,具备最终一致性与低侵入性,广泛应用于微服务架构中。
游客rptpd75w3yo66
356 1
认识Seata
游客rptpd75w3yo66
|
4月前
|
Java Spring UED
Spring Cloud熔断降级
熔断降级是应对服务雪崩的核心手段。熔断通过断路器统计异常或慢请求比例,超阈值后拦截所有请求,防止系统崩溃;降级则在调用失败时返回默认数据或友好提示,提升用户体验。二者结合,在服务异常时快速熔断并触发降级逻辑。断路器有closed、open、half-open三种状态,实现自动恢复机制,保障系统稳定性。
游客rptpd75w3yo66
165 0
Spring Cloud熔断降级
游客rptpd75w3yo66
|
4月前
|
Java 调度
什么是分片广播任务
本文介绍XXL-JOB的分片广播机制,通过集群执行器动态分片处理任务。调度中心为每个执行器分配分片参数,实现任务并行处理,提升效率。适用于大数据量分布式场景,支持动态扩容,每台机器处理部分数据,显著降低耗时。开发时可通过`getShardIndex()`和`getShardTotal()`获取分片信息,灵活控制业务逻辑。
游客rptpd75w3yo66
309 3
游客rptpd75w3yo66
|
4月前
|
应用服务中间件 微服务
微服务雪崩问题
高并发下商品服务占用过多Tomcat连接,可能导致接口延迟或阻塞,进而影响依赖它的购物车服务,引发连锁反应。若不加控制,将导致整个微服务集群雪崩。微服务保护旨在防止此类级联失败,保障系统稳定。
游客rptpd75w3yo66
118 1
游客rptpd75w3yo66
|
4月前
|
缓存 NoSQL 关系型数据库
【高并发实战】Redis缓存穿透、击穿、雪崩:3大经典的“炸库”危机与自救指南
本文详解缓存穿透、击穿、雪崩三大问题:穿透是查不存在的数据,击穿是热点Key失效被高并发冲击,雪崩是大量Key同时过期或Redis故障。结合比喻与解决方案,助你彻底理解并防范数据库风险。
游客rptpd75w3yo66
470 0
游客rptpd75w3yo66
|
4月前
|
运维 监控 Java
【Linux基础】开发日常:盘点后端开发中最高频使用的10个Linux命令
本文为后端开发者整理了日常运维中最常用的10个Linux命令,涵盖文件查看、日志监控、进程管理、网络排查等核心场景。从`ls`、`cd`到`tail`、`grep`,再到`ps`、`netstat`、`top`等,结合实际案例讲解高频用法,助你高效应对服务器操作,提升开发效率。
游客rptpd75w3yo66
299 1
游客rptpd75w3yo66
|
4月前
|
安全 Java 开发工具
工程搭建与验证
本文介绍如何使用阿里云脚手架快速搭建Spring Boot工程,并整合Spring Security实现基础安全控制。包含工程创建、代码导入、Web依赖配置、访问接口开发及Security默认登录验证,附完整代码仓库地址。
游客rptpd75w3yo66
255 0
游客rptpd75w3yo66
|
4月前
|
运维 监控 Shell
【自动化运维】告别手动搬运!编写Shell脚本自动备份与清理日志
本文介绍如何通过Shell脚本结合Crontab,实现服务器日志的自动备份与清理。每天凌晨2点自动压缩昨日日志并保存至备份目录,同时删除7天前的旧备份,防止磁盘占满。脚本具备目录创建、压缩打包、错误提示和日志记录功能,操作安全可靠,适合Linux运维新手实践自动化管理。
游客rptpd75w3yo66
520 0
游客rptpd75w3yo66
|
4月前
|
SQL 关系型数据库 MySQL
【SQL优化】不再抓瞎!手把手教你读懂MySQL Explain执行计划
本文详解MySQL执行计划工具EXPLAIN,教你读懂其输出的“天书”表格。重点掌握四个核心指标:`type`(访问类型)、`key`(实际使用索引)、`Extra`(额外信息)和`rows`(扫描行数)。通过实战案例解析慢查询成因与优化方案,助你快速定位SQL性能瓶颈,写出高效数据库查询。
游客rptpd75w3yo66
499 0
游客rptpd75w3yo66
|
4月前
|
弹性计算 安全 Linux
【安全硬核】3分钟学会配置Linux防火墙:Firewalld实战指南
本文介绍Linux服务器防火墙Firewalld的使用,作为云安全组后的第二道防线。涵盖启停服务、开放/关闭端口、查看状态、IP白名单设置等核心操作,并强调与阿里云安全组协同配置的重要性,助力构建生产环境的纵深防御体系。(238字)
游客rptpd75w3yo66
646 0