Spring Security:身份验证入口AuthenticationEntryPoint介绍与Debug分析

本文介绍了Spring Security中的ExceptionTranslationFilter及其角色,重点解析了AuthenticationEntryPoint接口,包括BasicAuthenticationEntryPoint、DelegatingAuthenticationEntryPoint、DigestAuthenticationEntryPoint、Http403ForbiddenEntryPoint和LoginUrlAuthenticationEntryPoint的用法。通过对formLogin和Basic认证的Debug分析,展示了身份验证流程。文章适合对Spring Security感兴趣的开发者阅读。

摘要生成于 C知道 ,由 DeepSeek-R1 满血版支持, 前往体验 >

ExceptionTranslationFilter

ExceptionTranslationFilterSecurity Filter)允许将AccessDeniedExceptionAuthenticationException转换为HTTP响应。ExceptionTranslationFilter作为Security Filters之一插入到FilterChainProxy中。

在这里插入图片描述

  1. 首先,ExceptionTranslationFilter调用FilterChain.doFilter(request, response),即调用应用程序的其余部分(出现异常才执行自己的逻辑)。
    在这里插入图片描述
    在这里插入图片描述
  2. 如果用户未经身份验证或是身份验证异常,则启动身份验证。
    在这里插入图片描述
    1. 清除SecurityContextHolder的身份验证(SEC-112:清除SecurityContextHolder的身份验证,因为现有身份验证不再有效)。
    2. HttpServletRequest保存在RequestCache中。当用户成功进行身份验证时,RequestCache用于重现原始请求。
    3. AuthenticationEntryPoint用于从客户端请求凭据。例如,它可能会重定向到登录页面或发送WWW-Authenticate标头。
      在这里插入图片描述
  3. 否则,如果是AccessDeniedException,则拒绝访问。调用AccessDeniedHandler来处理拒绝的访问。
    在这里插入图片描述

想要了解Spring Security的过滤器链如何在Spring应用程序中发挥作用,可以阅读下面这篇博客:

AuthenticationEntryPoint

ExceptionTranslationFilter会使用AuthenticationEntryPoint启动身份验证方案。

public interface AuthenticationEntryPoint {
	/**
	 * 启动身份验证方案
	 * 实现应根据需要修改ServletResponse的标头以开始身份验证过程
	 */
	void commence(HttpServletRequest request, HttpServletResponse response,
			AuthenticationException authException) throws IOException, ServletException;
}

BasicAuthenticationEntryPoint

ExceptionTranslationFilter用于通过BasicAuthenticationFilter开始身份验证。一旦使用BASIC对用户代理进行身份验证,可以发送未经授权的 (401) 标头,最简单的方法是调用BasicAuthenticationEntryPoint类的commence方法。 这将向浏览器指示其凭据不再被授权,导致它提示用户再次登录。

public class BasicAuthenticationEntryPoint implements AuthenticationEntryPoint,
		InitializingBean {
	// 领域名称
	private String realmName;

	// 检查属性
	public void afterPropertiesSet() {
		Assert.hasText(realmName, "realmName must be specified");
	}

	public void commence(HttpServletRequest request, HttpServletResponse response,
			AuthenticationException authException) throws IOException {
		// 填充响应
		response.addHeader("WWW-Authenticate", "Basic realm="" + realmName + """);
		response.sendError(HttpStatus.UNAUTHORIZED.value(), HttpStatus.UNAUTHORIZED.getReasonPhrase());
	}
	...
}

DelegatingAuthenticationEntryPoint

AuthenticationEntryPoint实现,它根据RequestMatcher匹配(委托)一个具体的AuthenticationEntryPoint

public class DelegatingAuthenticationEntryPoint implements AuthenticationEntryPoint,
		InitializingBean {
	private final Log logger = LogFactory.getLog(getClass());

    // RequestMatcher与AuthenticationEntryPoint的映射
	private final LinkedHashMap<RequestMatcher, AuthenticationEntryPoint> entryPoints;
	// 默认AuthenticationEntryPoint
	private AuthenticationEntryPoint defaultEntryPoint;
    // 构造方法
	public DelegatingAuthenticationEntryPoint(
			LinkedHashMap<RequestMatcher, AuthenticationEntryPoint> entryPoints) {
		this.entryPoints = entryPoints;
	}

	public void commence(HttpServletRequest request, HttpServletResponse response,
			AuthenticationException authException) throws IOException, ServletException {
        // 遍历entryPoints
		for (RequestMatcher requestMatcher : entryPoints.keySet()) {
			if (logger.isDebugEnabled()) {
				logger.debug("Trying to match using " + requestMatcher);
			}
			// 如果RequestMatcher匹配请求
			if (requestMatcher.matches(request)) {
			    // 获取匹配请求的RequestMatcher对应的
以下是微信小程序使用Spring Security和JWT实现权限验证的Java代码示例: 1. 配置Spring Security 创建一个SecurityConfig类,配置Spring Security的基本设置和JWT过滤器: ```java @Configuration @EnableWebSecurity public class SecurityConfig extends WebSecurityConfigurerAdapter { @Autowired private JwtAuthenticationEntryPoint jwtAuthenticationEntryPoint; @Autowired private JwtAuthorizationTokenFilter jwtAuthorizationTokenFilter; @Autowired private UserDetailsService userDetailsService; @Autowired public void configureGlobal(AuthenticationManagerBuilder auth) throws Exception { auth.userDetailsService(userDetailsService).passwordEncoder(passwordEncoder()); } @Bean public PasswordEncoder passwordEncoder() { return new BCryptPasswordEncoder(); } @Bean @Override public AuthenticationManager authenticationManagerBean() throws Exception { return super.authenticationManagerBean(); } @Override protected void configure(HttpSecurity httpSecurity) throws Exception { httpSecurity.csrf().disable() .authorizeRequests() .antMatchers("/api/auth/**").permitAll() .anyRequest().authenticated() .and() .exceptionHandling().authenticationEntryPoint(jwtAuthenticationEntryPoint) .and() .sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS); httpSecurity.addFilterBefore(jwtAuthorizationTokenFilter, UsernamePasswordAuthenticationFilter.class); httpSecurity.headers().cacheControl(); } @Override public void configure(WebSecurity webSecurity) throws Exception { webSecurity.ignoring().antMatchers(HttpMethod.POST, "/api/auth/login"); } } ``` 2. 创建JWT工具类 创建一个JwtTokenUtil类,用于处理JWT的生成、解析和验证: ```java @Component public class JwtTokenUtil { private static final Logger logger = LoggerFactory.getLogger(JwtTokenUtil.class); private static final String CLAIM_KEY_USERNAME = "sub"; private static final String CLAIM_KEY_CREATED = "iat"; private static final String CLAIM_KEY_EXPIRED = "exp"; @Value("${jwt.secret}") private String secret; @Value("${jwt.expiration}") private Long expiration; public String getUsernameFromToken(String token) { String username; try { final Claims claims = getClaimsFromToken(token); username = claims.getSubject(); } catch (Exception e) { username = null; } return username; } public Date getCreatedDateFromToken(String token) { Date created; try { final Claims claims = getClaimsFromToken(token); created = new Date((Long) claims.get(CLAIM_KEY_CREATED)); } catch (Exception e) { created = null; } return created; } public Date getExpirationDateFromToken(String token) { Date expiration; try { final Claims claims = getClaimsFromToken(token); expiration = claims.getExpiration(); } catch (Exception e) { expiration = null; } return expiration; } private Claims getClaimsFromToken(String token) { Claims claims; try { claims = Jwts.parser().setSigningKey(secret).parseClaimsJws(token).getBody(); } catch (Exception e) { claims = null; } return claims; } private Date generateExpirationDate() { return new Date(System.currentTimeMillis() + expiration * 1000); } private Boolean isTokenExpired(String token) { final Date expiration = getExpirationDateFromToken(token); return expiration.before(new Date()); } public String generateToken(UserDetails userDetails) { Map<String, Object> claims = new HashMap<>(); claims.put(CLAIM_KEY_USERNAME, userDetails.getUsername()); claims.put(CLAIM_KEY_CREATED, new Date()); return generateToken(claims); } private String generateToken(Map<String, Object> claims) { return Jwts.builder() .setClaims(claims) .setExpiration(generateExpirationDate()) .signWith(SignatureAlgorithm.HS512, secret) .compact(); } public Boolean canTokenBeRefreshed(String token) { return !isTokenExpired(token); } public String refreshToken(String token) { String refreshedToken; try { final Claims claims = getClaimsFromToken(token); claims.put(CLAIM_KEY_CREATED, new Date()); refreshedToken = generateToken(claims); } catch (Exception e) { refreshedToken = null; } return refreshedToken; } public Boolean validateToken(String token, UserDetails userDetails) { JwtUser user = (JwtUser) userDetails; final String username = getUsernameFromToken(token); return ( username.equals(user.getUsername()) && !isTokenExpired(token)); } } ``` 3. 创建JWT过滤器 创建一个JwtAuthorizationTokenFilter类,用于处理JWT的解析和验证: ```java @Component public class JwtAuthorizationTokenFilter extends OncePerRequestFilter { private final Logger logger = LoggerFactory.getLogger(this.getClass()); @Autowired private JwtTokenUtil jwtTokenUtil; @Autowired private UserDetailsService userDetailsService; @Override protected void doFilterInternal(HttpServletRequest request, HttpServletResponse response, FilterChain chain) throws ServletException, IOException { logger.debug("processing authentication for '{}'", request.getRequestURL()); final String requestHeader = request.getHeader("Authorization"); String username = null; String authToken = null; if (requestHeader != null && requestHeader.startsWith("Bearer ")) { authToken = requestHeader.substring(7); try { username = jwtTokenUtil.getUsernameFromToken(authToken); } catch (IllegalArgumentException e) { logger.error("an error occured during getting username from token", e); } catch (ExpiredJwtException e) { logger.warn("the token is expired and not valid anymore", e); } } else { logger.warn("couldn't find bearer string, will ignore the header"); } logger.debug("checking authentication for user '{}'", username); if (username != null && SecurityContextHolder.getContext().getAuthentication() == null) { UserDetails userDetails = this.userDetailsService.loadUserByUsername(username); if (jwtTokenUtil.validateToken(authToken, userDetails)) { UsernamePasswordAuthenticationToken authentication = new UsernamePasswordAuthenticationToken(userDetails, null, userDetails.getAuthorities()); authentication.setDetails(new WebAuthenticationDetailsSource().buildDetails(request)); logger.info("authenticated user '{}', setting security context", username); SecurityContextHolder.getContext().setAuthentication(authentication); } } chain.doFilter(request, response); } } ``` 4. 创建JWT用户类 创建一个JwtUser类,实现Spring Security的UserDetails接口: ```java public class JwtUser implements UserDetails { private final Long id; private final String username; private final String password; private final Collection<? extends GrantedAuthority> authorities; private final boolean enabled; private final Date lastPasswordResetDate; public JwtUser( Long id, String username, String password, Collection<? extends GrantedAuthority> authorities, boolean enabled, Date lastPasswordResetDate ) { this.id = id; this.username = username; this.password = password; this.authorities = authorities; this.enabled = enabled; this.lastPasswordResetDate = lastPasswordResetDate; } @JsonIgnore public Long getId() { return id; } @Override public String getUsername() { return username; } @JsonIgnore @Override public boolean isAccountNonExpired() { return true; } @JsonIgnore @Override public boolean isAccountNonLocked() { return true; } @JsonIgnore @Override public boolean isCredentialsNonExpired() { return true; } @JsonIgnore @Override public String getPassword() { return password; } @Override public Collection<? extends GrantedAuthority> getAuthorities() { return authorities; } @Override public boolean isEnabled() { return enabled; } @JsonIgnore public Date getLastPasswordResetDate() { return lastPasswordResetDate; } } ``` 5. 创建登录控制器 创建一个AuthController类,用于处理用户登录和令牌的生成: ```java @RestController @RequestMapping("/api/auth") public class AuthController { private final Logger logger = LoggerFactory.getLogger(this.getClass()); @Autowired private AuthenticationManager authenticationManager; @Autowired private JwtTokenUtil jwtTokenUtil; @Autowired private UserDetailsService userDetailsService; @PostMapping("/login") public ResponseEntity<?> createAuthenticationToken(@RequestBody JwtAuthenticationRequest authenticationRequest) throws AuthenticationException { logger.info("authenticating user '{}'", authenticationRequest.getUsername()); final Authentication authentication = authenticationManager.authenticate( new UsernamePasswordAuthenticationToken( authenticationRequest.getUsername(), authenticationRequest.getPassword() ) ); SecurityContextHolder.getContext().setAuthentication(authentication); final UserDetails userDetails = userDetailsService.loadUserByUsername(authenticationRequest.getUsername()); final String token = jwtTokenUtil.generateToken(userDetails); return ResponseEntity.ok(new JwtAuthenticationResponse(token)); } } ``` 6. 创建异常处理器 创建一个JwtAuthenticationEntryPoint类,用于处理不允许访问的请求: ```java @Component public class JwtAuthenticationEntryPoint implements AuthenticationEntryPoint { private final Logger logger = LoggerFactory.getLogger(this.getClass()); @Override public void commence(HttpServletRequest request, HttpServletResponse response, AuthenticationException authException) throws IOException { logger.error("unauthorized error: {}", authException.getMessage()); response.sendError(HttpServletResponse.SC_UNAUTHORIZED, "Unauthorized"); } } ``` 7. 创建请求对象 创建一个JwtAuthenticationRequest类,用于保存用户登录请求: ```java public class JwtAuthenticationRequest implements Serializable { private static final long serialVersionUID = -8445943548965154778L; @NotBlank private String username; @NotBlank private String password; public JwtAuthenticationRequest() { super(); } public JwtAuthenticationRequest(String username, String password) { this.setUsername(username); this.setPassword(password); } public String getUsername() { return this.username; } public void setUsername(String username) { this.username = username; } public String getPassword() { return this.password; } public void setPassword(String password) { this.password = password; } } ``` 8. 创建响应对象 创建一个JwtAuthenticationResponse类,用于保存令牌响应: ```java public class JwtAuthenticationResponse implements Serializable { private static final long serialVersionUID = 1250166508152483573L; private final String token; public JwtAuthenticationResponse(String token) { this.token = token; } public String getToken() { return this.token; } } ``` 以上是微信小程序使用Spring Security和JWT实现权限验证的Java代码示例,希望能对你有所帮助。
评论
添加红包

请填写红包祝福语或标题

红包个数最小为10个

红包金额最低5元

当前余额3.43前往充值 >
需支付:10.00
成就一亿技术人!
领取后你会自动成为博主和红包主的粉丝 规则
hope_wisdom
发出的红包
实付
使用余额支付
点击重新获取
扫码支付
钱包余额 0

抵扣说明:

1.余额是钱包充值的虚拟货币,按照1:1的比例进行支付金额的抵扣。
2.余额无法直接购买下载,可以购买VIP、付费专栏及课程。

余额充值