本文深入解析了Spring Security中RememberMe服务的工作流程,包括将认证结果存入SecurityContext,通过PersistentTokenBasedRememberMeServices处理登录成功,生成并保存PersistentRememberMeToken,以及使用eventPublisher发布认证成功事件。
AbstractAuthenticationProcessingFilter#doFilter
-> AbstractRememberMeServices#loginSuccesssuccessfulAuthentication
protected void successfulAuthentication(HttpServletRequest request,
HttpServletResponse response, FilterChain chain, Authentication authResult)
throws IOException, ServletException {
SecurityContextHolder.getContext().setAuthentication(authResult);
rememberMeServices.loginSuccess(request, response, authResult);
// Fire event
if (this.eventPublisher != null) {
eventPublisher.publishEvent(new InteractiveAuthenticationSuccessEvent(
authResult, this.getClass()));
}
successHandler.onAuthenticationSuccess(request, response, authResult);
}
从这个代码能看主要的流程:
- 把前面认证的结果放到全局变量SecurityContext中
- 调用rememberMeServices.loginSuccess
- 如果有eventPublisher ,推送事件
- 调用成功处理器。
在上面的第2步中,实质上PersistentTokenBasedRememberMeServices#onLoginSuccess
protected void onLoginSuccess(HttpServletRequest request,
HttpServletResponse response, Authentication successfulAuthentication) {
String username = successfulAuthentication.getName();
PersistentRememberMeToken persistentToken = new PersistentRememberMeToken(
username, generateSeriesData(), generateTokenData(), new Date());
try {
tokenRepository.createNewToken(persistentToken);
addCookie(persistentToken, request, response);
}
}
调用jdbc插入token
public void createNewToken(PersistentRememberMeToken token) {
getJdbcTemplate().update(insertTokenSql, token.getUsername(), token.getSeries(),
token.getTokenValue(), token.getDate());
}
扫一扫
被折叠的 条评论
为什么被折叠?
到【灌水乐园】发言
