[10] AnonymousAuthenticationFilter

最新推荐文章于 2024-12-06 10:43:36 发布
原创 最新推荐文章于 2024-12-06 10:43:36 发布 · 2.6w 阅读 · 0 ·
CC 4.0 BY-SA版权

本文深入解析AnonymousAuthenticationFilter工作原理,阐述其如何在SecurityContext中创建匿名身份认证信息,包括使用UUID作为key,设置principal为“anonymousUser”,以及授予ROLE_ANONYMOUS权限。

AnonymousAuthenticationFilter

介绍

该过滤器功能比较简单,请求经过过滤器时,判断一下SecurityContext上下文中身份认证信息是否为null,如果为null,则创建一个匿名的身份认证信息并放到SecurityContext上下文环境中。

代码分析

请求经过AnonymousAuthenticationFilter时,当SecurityContext上下文中身份认证信息是否为null时,则创建匿名的身份认证信息,由3个主要字段组从1. key是一个UUID 2.principal=“anonymousUser” 3.authorities包含一个ROLE_ANONYMOUS,代码如下:

public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
        throws IOException, ServletException {

    if (SecurityContextHolder.getContext().getAuthentication() == null) {
        //上下文中身份认证信息为空,创建匿名的身份认证信息并设置到上下文认证环境中
        SecurityContextHolder.getContext().setAuthentication(
                createAuthentication((HttpServletRequest) req));
		...
    }
	...
    chain.doFilter(req, res);
}

protected Authentication createAuthentication(HttpServletRequest request) {
    //1. key是一个UUID 2.principal="anonymousUser" 3.authorities包含一个ROLE_ANONYMOUS
    AnonymousAuthenticationToken auth = new AnonymousAuthenticationToken(key,
            principal, authorities);
    //WebAuthenticationDetailsSource是WebAuthenticationDetailsSource实例,buildDetails()也十分简单,获取了request的remoteAddress以及sessionId
    auth.setDetails(authenticationDetailsSource.buildDetails(request));

    return auth;
}
spring security原理和机制 | Spring Boot 35
学Java,找哪吒
06-25 5万+
一、SpringSecurity 框架简介 Spring 是非常流行和成功的 Java 应用开发框架,Spring Security 正是 Spring 家族中的 成员。Spring Security 基于 Spring 框架,提供了一套 Web 应用安全性的完整解决方 案。 正如你可能知道的关于安全方面的两个主要区域是“认证”和“授权”(或者访问控 制),一般来说,Web 应用的安全性包括用户认证(Authentication)和用户授权 (Authorization)两个部分,这两点也是 Spring
浅析Spring Security 的认证过程及相关过滤器
qq_44005305的博客
02-09 558
上一篇文章浅析Spring Security 核心组件中介绍了Spring Security的基本组件,有了前面的基础,这篇文章就来详细分析下Spring Security的认证过程。Spring Security 的核心之一就是它的过滤器链,我们就从它的过滤器链入手,下图是Spring Security 过滤器链的一个执行过程,本文将依照该过程来逐步的剖析其认证过程。
Spring Security详解(三)认证之核心过滤器
Jagger的博客
06-22 7596
这章主要用来分析Spring Security中的过滤器链包含了哪些关键的过滤器,并且各自的作用是什么。 3 核心过滤器 3.1 概述 Filter顺序 Spring Security的官方文档向我们提供了filter的顺序,无论实际应用中你用到了哪些,整体的顺序是保持不变的: - ChannelProcessingFilter,重定向到其他协议的过滤器。也就是说如果你访问的...
Spring Security 如何允许对同一地址进行匿名和身份验证访问
m13012606980的专栏
09-28 3040
场景描述 可能在开发过程中设置了一个匿名访问地址,但这个地址我们同时也想让它能够进行身份验证访问。就比如一个地址你把它分享出去就可以匿名访问,但如果这个地址如果没有被分享出去在系统内部或者在app中就可以进行身份验证访问。 遇到的问题 Spring Security 版本:4.1.0.RELEASE。现在版本到 5.5.2 为啥不用最新的,我只能说我也想。 Spring Security中默认对匿名访问的设置是如果你当前请求的地址为匿名访问设置,并且没有携带token的话,Spring Security会在
springSecurity -------AnonymousAuthenticationFilter
wangtao753的博客
06-13 2228
描述:AnonymousAuthenticationFilter:springsecurity在配置一些url可在未登录未授权的时候默认给他授权通过,可在配置文件中指定一些url赋予permitAll()方法即可使用该过滤器,接下来我们从源码的角度来看看这个过滤器具体是怎么工作的 AnonymousAuthenticationFilter public class AnonymousAuthenticationFilter extends GenericFilterBean implements Initi
AnonymousAuthenticationFilter匿名身份过滤器
2401_85480529的博客
09-18 1095
Spring Security 中的匿名身份过滤器()的主要作用是为未认证的用户分配一个匿名身份,避免未登录用户在访问资源时出现错误,并为权限控制提供统一的身份管理。通过,你可以在安全配置中为匿名用户设置不同的访问权限,从而保障系统的安全性和用户体验。
2025-06-10 14:49:19,740 INFO Root WebApplicationContext: initialization completed in 2972 ms 2025-06-10 14:49:25,224 INFO Will secure any request with [org.springframework.security.web.session.DisableEncodeUrlFilter@f73dcd6, org.springframework.security.web.context.request.async.WebAsyncManagerIntegrationFilter@5c87bfe2, org.springframework.security.web.context.SecurityContextPersistenceFilter@4879f0f2, org.springframework.security.web.header.HeaderWriterFilter@75f5fd58, org.springframework.security.web.csrf.CsrfFilter@7446d8d5, org.springframework.security.web.authentication.logout.LogoutFilter@1fdfafd2, org.springframework.security.web.savedrequest.RequestCacheAwareFilter@354fc8f0, org.springframework.security.web.servletapi.SecurityContextHolderAwareRequestFilter@4678a2eb, org.springframework.security.web.authentication.AnonymousAuthenticationFilter@2fea7088, org.springframework.security.web.session.SessionManagementFilter@306851c7, org.springframework.security.web.access.ExceptionTranslationFilter@4fbda97b] 2025-06-10 14:49:25,510 INFO Adding welcome page: class path resource [static/index.html] 2025-06-10 14:49:25,850 INFO Exposing 1 endpoint(s) beneath base path '/actuator' 2025-06-10 14:49:25,868 WARN You are asking Spring Security to ignore Ant [pattern='/**']. This is not recommended -- please use permitAll via HttpSecurity#authorizeHttpRequests instead. 2025-06-10 14:49:25,869 INFO Will not secure Ant [pattern='/**'] 2025-06-10 14:49:25,869 WARN You are asking Spring Security to ignore Mvc [pattern='/prometheus']. This is not recommended -- please use permitAll via HttpSecurity#authorizeHttpRequests instead. 2025-06-10 14:49:25,870 INFO Will not secure Mvc [pattern='/prometheus'] 2025-06-10 14:49:25,870 WARN You are asking Spring Security to ignore Mvc [pattern='/prometheus/namespaceId/{namespaceId}']. This is not recommended -- please use permitAll via HttpSecurity#authorizeHttpRequests instead. 2025-06-10 14:49:25,871 INFO Will not secure Mvc [pattern='/prometheus/namespaceId/{namespaceId}'] 2025-06-10 14:49:25,871 WARN You are asking Spring Security to ignore Mvc [pattern='/prometheus/namespaceId/{namespaceId}/service/{service}']. This is not recommended -- please use permitAll via HttpSecurity#authorizeHttpRequests instead. 2025-06-10 14:49:25,871 INFO Will not secure Mvc [pattern='/prometheus/namespaceId/{namespaceId}/service/{service}'] 2025-06-10 14:49:25,941 INFO Tomcat started on port(s): 8848 (http) with context path '/nacos' 2025-06-10 14:49:25,956 INFO No TaskScheduler/ScheduledExecutorService bean found for scheduled processing 2025-06-10 14:49:25,972 INFO Nacos started successfully in stand alone mode. use embedded storage 该启动日志是否开启鉴权
06-11
- `AnonymousAuthenticationFilter`:匿名访问控制 - `ExceptionTranslationFilter`:异常处理[^1] 2. **端点显式放行警告** ```log 2025-06-10 14:49:25,868 WARN You are asking Spring Security to ignore ...
2025-07-17 10:42:54,903 WARN There are no [com.alibaba.nacos.config.server.model.event.LocalDataChangeEvent] publishers for this event, please register 2025-07-17 10:42:54,904 WARN There are no [com.alibaba.nacos.config.server.model.event.LocalDataChangeEvent] publishers for this event, please register 2025-07-17 10:43:01,400 INFO Initializing ExecutorService 'applicationTaskExecutor' 2025-07-17 10:43:01,683 INFO Adding welcome page: class path resource [static/index.html] 2025-07-17 10:43:02,355 INFO Creating filter chain: Ant [pattern='/**'], [] 2025-07-17 10:43:02,412 INFO Creating filter chain: any request, [org.springframework.security.web.context.request.async.WebAsyncManagerIntegrationFilter@7493d937, org.springframework.security.web.context.SecurityContextPersistenceFilter@2262f0d8, org.springframework.security.web.header.HeaderWriterFilter@1f172892, org.springframework.security.web.csrf.CsrfFilter@223967ea, org.springframework.security.web.authentication.logout.LogoutFilter@c497a55, org.springframework.security.web.savedrequest.RequestCacheAwareFilter@59e082f8, org.springframework.security.web.servletapi.SecurityContextHolderAwareRequestFilter@656ec00d, org.springframework.security.web.authentication.AnonymousAuthenticationFilter@5dc7841c, org.springframework.security.web.session.SessionManagementFilter@2bdb5e0f, org.springframework.security.web.access.ExceptionTranslationFilter@719c1faf] 2025-07-17 10:43:02,647 INFO Initializing ExecutorService 'taskScheduler' 2025-07-17 10:43:02,701 INFO Exposing 16 endpoint(s) beneath base path '/actuator' 2025-07-17 10:43:02,986 INFO Tomcat started on port(s): 8848 (http) with context path '/nacos' 2025-07-17 10:43:02,997 INFO Nacos started successfully in stand alone mode. use embedded storage
07-18
Nacos 是一个动态服务发现、配置管理和服务管理平台,广泛用于微服务架构中。在 Nacos 启动过程中,有时会在日志中看到类似 `There are no LocalDataChangeEvent publishers for this event, please register` 的...
2025-06-10 15:03:45,131 INFO Root WebApplicationContext: initialization completed in 2983 ms 2025-06-10 15:03:50,852 INFO Will secure any request with [org.springframework.security.web.session.DisableEncodeUrlFilter@58ebfd03, org.springframework.security.web.context.request.async.WebAsyncManagerIntegrationFilter@5b07730f, org.springframework.security.web.context.SecurityContextPersistenceFilter@5c3b6c6e, org.springframework.security.web.header.HeaderWriterFilter@502f1f4c, org.springframework.security.web.csrf.CsrfFilter@a8e6492, org.springframework.security.web.authentication.logout.LogoutFilter@41813449, org.springframework.security.web.savedrequest.RequestCacheAwareFilter@75f5fd58, org.springframework.security.web.servletapi.SecurityContextHolderAwareRequestFilter@306851c7, org.springframework.security.web.authentication.AnonymousAuthenticationFilter@1fdfafd2, org.springframework.security.web.session.SessionManagementFilter@75c9e76b, org.springframework.security.web.access.ExceptionTranslationFilter@27305e6] 2025-06-10 15:03:51,269 INFO Adding welcome page: class path resource [static/index.html] 2025-06-10 15:03:51,758 INFO Exposing 1 endpoint(s) beneath base path '/actuator' 2025-06-10 15:03:51,790 WARN You are asking Spring Security to ignore Ant [pattern='/**']. This is not recommended -- please use permitAll via HttpSecurity#authorizeHttpRequests instead. 2025-06-10 15:03:51,791 INFO Will not secure Ant [pattern='/**'] 2025-06-10 15:03:51,792 WARN You are asking Spring Security to ignore Mvc [pattern='/prometheus']. This is not recommended -- please use permitAll via HttpSecurity#authorizeHttpRequests instead. 2025-06-10 15:03:51,794 INFO Will not secure Mvc [pattern='/prometheus'] 2025-06-10 15:03:51,796 WARN You are asking Spring Security to ignore Mvc [pattern='/prometheus/namespaceId/{namespaceId}']. This is not recommended -- please use permitAll via HttpSecurity#authorizeHttpRequests instead. 2025-06-10 15:03:51,796 INFO Will not secure Mvc [pattern='/prometheus/namespaceId/{namespaceId}'] 2025-06-10 15:03:51,797 WARN You are asking Spring Security to ignore Mvc [pattern='/prometheus/namespaceId/{namespaceId}/service/{service}']. This is not recommended -- please use permitAll via HttpSecurity#authorizeHttpRequests instead. 2025-06-10 15:03:51,798 INFO Will not secure Mvc [pattern='/prometheus/namespaceId/{namespaceId}/service/{service}'] 2025-06-10 15:03:51,876 INFO Tomcat started on port(s): 8848 (http) with context path '/nacos' 2025-06-10 15:03:51,897 INFO No TaskScheduler/ScheduledExecutorService bean found for scheduled processing 2025-06-10 15:03:51,920 INFO Nacos started successfully in stand alone mode. use embedded storage 这是未设置nacos.core.auth.enabled=false 的nacos启动日志
06-11
2025-06-10 14:49:25,870 WARN You are asking Spring Security to ignore Mvc [pattern='/prometheus']... ``` **关键问题**:`/**` 全局放行使鉴权失效(建议改用`permitAll()`精控放行)[^1] 3. **放行路径...
2025-11-07 10:50:46,725 INFO Will secure any request with [org.springframework.security.web.context.request.async.WebAsyncManagerIntegrationFilter@5d0b0cb9, org.springframework.security.web.context.SecurityContextPersistenceFilter@796f632b, org.springframework.security.web.header.HeaderWriterFilter@6a5e167a, org.springframework.security.web.csrf.CsrfFilter@32eae6f2, org.springframework.security.web.authentication.logout.LogoutFilter@1c067c0d, org.springframework.security.web.savedrequest.RequestCacheAwareFilter@cedee22, org.springframework.security.web.servletapi.SecurityContextHolderAwareRequestFilter@233db8e9, org.springframework.security.web.authentication.AnonymousAuthenticationFilter@7f7b6639, org.springframework.security.web.session.SessionManagementFilter@5a917723, org.springframework.security.web.access.ExceptionTranslationFilter@1faf386c]
最新发布
11-08
7. **AnonymousAuthenticationFilter**:如果请求在经过前面的过滤器后仍未经过身份验证,该过滤器会为请求添加一个匿名身份验证令牌,这样后续的过滤器可以以统一的方式处理已认证和未认证的请求。 ```plaintext ...
Spring常用过滤器(Filter)-AnonymousAuthenticationFilter
Liang的博客
11-04 1219
1.2.2 具体来说,当请求经过AnonymousAuthenticationFilter时,如果该请求中没有经过身份认证的Authentication对象,则AnonymousAuthenticationFilter会为该请求生成一个匿名的Authentication对象,即AnonymousAuthenticationToken。这个特殊的Authentication对象表示该用户的身份是匿名的,但仍然有一个可追踪的身份标识。通过检查用户的角色,可以控制匿名用户的访问权限。
SpringBoot3-Security 之匿名认证过滤器 AnonymousAuthenticationFilter
qq_45090949的博客
12-06 508
本文主要研究匿名认证过滤器。
12、spring security拦截器之AnonymousAuthenticationFilter
u012153127的博客
06-26 1032
AnonymousAuthenticationFilter:如果当前安全上下文的Authentication为空,则创建一个匿名的Authentication用户 public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain) throws IOException, ServletException //判断SecurityContext中的Authentication是否为空 i
AnonymousAuthenticationFilter详解
小汤圆
08-11 1694
匿名认证过滤器,可能有人会想:匿名了还有身份?我自己对于Anonymous匿名身份的理解是Spirng Security为了整体逻辑的统一性,即使是未通过认证的用户,也给予了一个匿名身份。而AnonymousAuthenticationFilter该过滤器的位置也是非常的科学的,它位于常用的身份认证过滤器(如UsernamePasswordAuthenticationFilter、BasicAuthenticationFilter、RememberMeAuthenticationFilter)之后,意味着只
Spring Security Web 5.1.2 源码解析 -- AnonymousAuthenticationFilter
Details Inside Spring
12-08 1086
概述 此过滤器过滤请求,检测SecurityContextHolder中是否存在Authentication对象,如果不存在,说明 用户尚未登录,此时为其提供一个匿名Authentication对象:AnonymousAuthentication。 注意:在整个请求处理的开始,无论当前请求所对应的session中用户是否已经登录,SecurityContextPersistenceFilter ...
Spring Security3源码分析(12)-AnonymousAuthenticationFilter分析
Benjamin
09-11 1530
AnonymousAuthenticationFilter过滤器对应的类路径为  org.springframework.security.web.authentication.AnonymousAuthenticationFilter  AnonymousAuthenticationFilter过滤器是在UsernamePasswordAuthenticationFilter、BasicAu
springsecurity 源码解读之 AnonymousAuthenticationFilter
weixin_33841722的博客
04-03 787
我们知道springsecutity 是通过一系列的 过滤器实现的,我们可以看看这系列的过滤器到底长成什么样子呢? 一堆过滤器,这个过滤器的设计设计上是 责任链设计模式。 这里我们可以看到有一个AnonymousAuthenticationFilter 过滤器。 顾名思义我们知道这个是一个叫 匿名登录人过滤器,他的作用是什么呢? 我们看看代码 ,他做了什么? if (apply...
聊一聊源码学习,AnonymousAuthenticationFilter如何初始化
kiranet的专栏
09-08 3005
关于Spring Security的过滤器分析,在kirito的https://mp.weixin.qq.com/s?__biz=MzUzNTY4NTYxMA==&mid=2247484293&idx=2&sn=62ca751be311ba6ddcdf2790bd0c4ac6&chksm=fa80f300cdf77a16c7f0e38200dcc3fe8010bbc...
Spring Security之匿名用户
热门推荐
来啊 快活啊
06-13 1万+
Spring Security为我们提供了一个匿名用户的功能,我们可以基于此很容易的实现匿名用户的单独控制,使我们的站点轻松拥有游客用户的功能;如果开启了匿名用户的功能,按照Spring Security Filter的执行顺序,AnonymousAuthenticationFilter在ExceptionTranslationFilter的前面,在各种认证机制和RememberMeAuthenti
评论
成就一亿技术人!
拼手气红包6.0元
还能输入1000个字符
 
红包 添加红包
表情包 插入表情
表情包 代码片
 条评论被折叠 查看
添加红包

请填写红包祝福语或标题

红包个数最小为10个

红包金额最低5元

当前余额3.43前往充值 >
需支付:10.00
成就一亿技术人!
领取后你会自动成为博主和红包主的粉丝 规则
hope_wisdom
发出的红包
实付
使用余额支付
点击重新获取
扫码支付
钱包余额 0

抵扣说明:

1.余额是钱包充值的虚拟货币,按照1:1的比例进行支付金额的抵扣。
2.余额无法直接购买下载,可以购买VIP、付费专栏及课程。

余额充值