Login authentication is based on a filter chain

At the heart of Spring Security's login authentication process is the filter chain. When a request arrives, it passes through the filters in the order of the chain; only after every filter has let it through does it reach the API endpoint.

Spring Security provides a variety of login authentication methods, each implemented by its own filter, such as:

  • BasicAuthenticationFilter implements HTTP Basic login authentication
  • UsernamePasswordAuthenticationFilter implements username and password login authentication
  • RememberMeAuthenticationFilter implements the "remember me" login function
  • SmsCodeAuthenticationFilter implements SMS verification code login authentication
  • SocialAuthenticationFilter implements social media login authentication
  • OAuth2AuthenticationProcessingFilter and OAuth2ClientAuthenticationProcessingFilter implement the OAuth2 authentication methods

Which of these filters are loaded into the application depends on the implementation and configuration we choose.

2. The login verification process, explained with the source code

Let's take username and password login as the example to walk through Spring Security's login authentication process.

2.1 UsernamePasswordAuthenticationFilter

This filter encapsulates the basic user information (username and password) and defines how the login form data is received. For example:

  • The default names of the form's username and password input fields are username and password
  • The default path for processing login requests is /login, using the POST method

2.2 The doFilter validation process of AbstractAuthenticationProcessingFilter

UsernamePasswordAuthenticationFilter inherits from the abstract class AbstractAuthenticationProcessingFilter, which defines the methods for handling successful and failed verification.

2.3 Handlers invoked after authentication succeeds or fails

That is, when we need custom handling of authentication success or failure, we implement the AuthenticationSuccessHandler or AuthenticationFailureHandler interface.

3. Internal details of login verification

3.1 The various authentication modes of ProviderManager

ProviderManager implements AuthenticationManager, the core interface for login authentication. ProviderManager maintains multiple AuthenticationProviders, one for each type of login authentication. For example:

  • RememberMeAuthenticationProvider defines the login validation logic for the "remember me" function
  • DaoAuthenticationProvider loads user information from the database for username and password login authentication

    public class ProviderManager implements AuthenticationManager, MessageSourceAware, InitializingBean {
        // ...
        private List<AuthenticationProvider> providers;
        // ...
    }

The core source code of ProviderManager iterates through the AuthenticationProviders for the different login authentication methods and only runs a provider's specific authentication logic if that provider supports the type of authentication being attempted.

3.2 Login Authentication Interface AuthenticationProvider

    public interface AuthenticationProvider {
        Authentication authenticate(Authentication authentication) throws AuthenticationException;
        boolean supports(Class<?> authentication);
    }

The implementation classes of AuthenticationProvider define the concrete login authentication logic.

3.3 DaoAuthenticationProvider: loading user information from the database

    public class DaoAuthenticationProvider extends AbstractUserDetailsAuthenticationProvider {
        // ...
    }

It obtains the user information from the database.

Therefore, when we need to load user information for login verification, we implement the UserDetailsService interface and override the loadUserByUsername method. Its parameter is the username entered by the user, and its return value is a UserDetails.

  • The blogger has recently written a new book: "SpringBoot Series – Chapter 16, Section 97."
  • This article is reprinted with credit (the link must be included, not just the text): Antetokounmpo blog.