SecurityContextHolder, to provide access to the SecurityContext.
SecurityContext: to hold the Authentication and possibly request-specific security information.
Authentication: 表示用户认证信息
GrantedAuthority: 当前用户拥有的权限,通过Authentication的getAuthorities()获取,是一个数组。
UserDetails: 定义了一些可以获取用户名、密码、权限等与认证相关的信息的方法,通过UserDetailsService的loadUserByUsername()方法进行加载。
UserDetailsService: org.springframework.security.core.userdetails.jdbc.JdbcDaoImpl(通过数据库或内存获取UserDetails)
UserDetailsService->UserDetails
UserDetailsService->GrantedAuthority(role)
SecurityContextHolder->SecurityContext->Authentication(principal,)
加载用户dao相关:
UserDetailsService(接口):loadUserByUsername(String username) 子类
UserDetailsManager:(接口)changePassword(String oldPassword, String newPassword),createUser(UserDetails user),deleteUser(String username)等
CachingUserDetailsService:
InMemoryUserDetailsManager:
JdbcDaoImpl:
JdbcUserDetailsManager:
LdapUserDetailsManager:
LdapUserDetailsService:
用户信息相关:
UserDetails:(接口)getAuthorities(),getPassword(),getUsername(),isAccountNonExpired()等
InetOrgPerson:
LdapUserDetailsImpl:
LdapUserDetailsImpl:
Person:UserDetails implementation whose properties are based on the LDAP schema for Person.
User:(类)
认证相关:
Principal:(java.security)equals(Object another),getName()
Authentication:(接口)一旦一个request被认证,Authentication 就会被放入 thread-local SecurityContext managed by the SecurityContextHolder
SecurityContextHolder.getContext().setAuthentication(anAuthentication);显式认证,
Collection<? extends GrantedAuthority> getAuthorities(),getCredentials(), getDetails(),getPrincipal()
UsernamePasswordAuthenticationToken:for simple presentation of a username and password.
RememberMeAuthenticationToken:
OpenIDAuthenticationToken:
...
GrantedAuthority:(接口)getAuthority()该方法返回一个字符串,表示对应权限的字符串表示,如果对应权限不能用字符串表示,则应当返回null。
SimpleGrantedAuthority:为Authentication存放一个代表权限的字符串.
...
AuthenticationManager:(接口)处理一个Authentication request, Authentication authenticate(Authentication authentication)
ProviderManager:通过AuthenticationProvider列表来处理认证请求,List<AuthenticationProvider> getProviders()
authenticate(Authentication authentication)
AuthenticationProvider:(接口)
DaoAuthenticationProvider:从UserDetailsService获取一个user,getUserDetailsService(),
retrieveUser(String username, UsernamePasswordAuthenticationToken authentication)
异常相关:
AuthenticationException:
AuthenticationServiceException
过滤器相关:
Filter(javax.servlet):void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
GenericFilterBean
DelegatingFilterProxy:
OncePerRequestFilter:
FilterChainProxy:
AbstractAuthenticationProcessingFilter: attemptAuthentication (request,response),getFailureHandler(),getSuccessHandler()
successfulAuthentication(),unsuccessfulAuthentication()
CasAuthenticationFilter,
OpenIDAuthenticationFilter
UsernamePasswordAuthenticationFilter:getPasswordParameter() ,getUsernameParameter() ,obtainPassword( request) ,setDetails()
ExceptionTranslationFilter:Handles any AccessDeniedException and AuthenticationException thrown within the filter chain.
ConcurrentSessionFilter:determineExpiredUrl(HttpServletRequest request, SessionInformation info)
Hander相关:
AuthenticationSuccessHandler:(接口):onAuthenticationSuccess(request,response,authentication)
ForwardAuthenticationSuccessHandler:
SavedRequestAwareAuthenticationSuccessHandler:
SimpleUrlAuthenticationSuccessHandler:
Event相关:
InteractiveAuthenticationSuccessEvent
入口:
AuthenticationEntryPoint:
LoginUrlAuthenticationEntryPoint:UsernamePasswordAuthenticationFilter使用ExceptionTranslationFilter来重定向到登录页面
commence (request,response,authException)重定向方法,getLoginFormUrl()
Listener相关:
javax.servlet.http.HttpSessionListener
HttpSessionEventPublisher: sessionCreated(javax.servlet.http.HttpSessionEvent event),
sessionDestroyed(javax.servlet.http.HttpSessionEvent event)
Session相关:
SessionRegistry:(接口):getAllPrincipals() getAllSessions(), getSessionInformation(),registerNewSession()
SessionRegistryImpl:
SessionAuthenticationStrategy:(接口)A
CompositeSessionAuthenticationStrategySessionAuthenticationStrategy that accepts multiple SessionAuthenticationStrategy
implementations to delegate to. Each SessionAuthenticationStrategy is invoked in turn. The invocations are short circuited if any exception, (i.e. SessionAuthenticationException) is thrown.
ConcurrentSessionControlAuthenticationStrategy:控制用户可以同时登录的数量,就是控制一个用户可以同时创建几个session
SessionFixationProtectionStrategy:防止会话固定攻击
RegisterSessionAuthenticationStrategy:register a user with the SessionRegistry after successful Authentication.
匿名认证相关:
AuthenticationProvider
AnonymousAuthenticationProvider:authenticate(Authentication authentication), getKey()
Authentication:
AnonymousAuthenticationToken:Represents an anonymous Authentication,getPrincipal()
GenericFilterBean
AnonymousAuthenticationFilter: createAuthentication(HttpServletRequest request)
public String getCurrentUsername()
{
Object principal = SecurityContextHolder.getContext().getAuthentication().getPrincipal();
if (principal instanceof UserDetails)
{
return ((UserDetails) principal).getUsername();
}
if (principal instanceof Principal)
{
return ((Principal) principal).getName();
}
return String.valueOf(principal);
}
浙公网安备 33010602011771号