UsernamePasswordAuthenticationFilter中的authenticationManager到底是谁注入的

继承关系

UsernamePasswordAuthenticationFilter继承至AbstractAuthenticationProcessingFilter,里面有个 AuthenticationManager认证管理的属性,那么这个属性是谁注入进来的,是全局的authenticationManager 还是局部的authenticationManager吗?接下来分析一下。

java 复制代码
public abstract class AbstractAuthenticationProcessingFilter extends GenericFilterBean
      implements ApplicationEventPublisherAware, MessageSourceAware {
       // 认证管理器
       private AuthenticationManager authenticationManager;
   }

FormLoginConfigurer

UsernamePasswordAuthenticationFilter是由FormLoginConfigurer配置类构建的

FormLoginConfigurer实际上实现了SecurityConfigurer接口。我们知道httpSecurity在调用build()方法构建过滤器链的时候,会调用父类的doBuild方法

ini 复制代码
@Override
protected final O doBuild() throws Exception {
   synchronized (this.configurers) {
      this.buildState = BuildState.INITIALIZING;
      beforeInit();
      init();
      this.buildState = BuildState.CONFIGURING;
      beforeConfigure();
      configure();
      this.buildState = BuildState.BUILDING;
      O result = performBuild();
      this.buildState = BuildState.BUILT;
      return result;
   }
}

里面有两个关键步骤 叫beforeConfigure();和 configure();

beforeConfigure()

httpSecurity重写了beforeConfigure()方法 如下:总结起来就是构建一个局部的AuthenticationManager放入共享对象,留着后续这个httpSecurity的构建过程中使用

scss 复制代码
@Override
protected void beforeConfigure() throws Exception {
   
   if (this.authenticationManager != null) {
      setSharedObject(AuthenticationManager.class, this.authenticationManager);
   }
   else {
      ObservationRegistry registry = getObservationRegistry();
      // 最终会调用getAuthenticationRegistry从SharedObject拿到属于自己的那个局部的AuthenticationManagerBuilder进行构建一个独立的认证管理器
      AuthenticationManager manager = getAuthenticationRegistry().build();
      if (!registry.isNoop() && manager != null) {
         setSharedObject(AuthenticationManager.class, new ObservationAuthenticationManager(registry, manager));
      }
      else {
         //最后将这个认证管理器放入共享对象中 留着后续configure的时候用到
         setSharedObject(AuthenticationManager.class, manager);
      }
   }
}
csharp 复制代码
private AuthenticationManagerBuilder getAuthenticationRegistry() {
   return getSharedObject(AuthenticationManagerBuilder.class);
}

configure()

configure()方法就是从configurers中获取所有的SecurityConfigurer<O, B> configurer,依次调用他们的configure方法,

swift 复制代码
private final LinkedHashMap<Class<? extends SecurityConfigurer<O, B>>, List<SecurityConfigurer<O, B>>> configurers = new LinkedHashMap<>();

private void configure() throws Exception {
   Collection<SecurityConfigurer<O, B>> configurers = getConfigurers();
   for (SecurityConfigurer<O, B> configurer : configurers) {
      configurer.configure((B) this);
   }
}

private Collection<SecurityConfigurer<O, B>> getConfigurers() {
   List<SecurityConfigurer<O, B>> result = new ArrayList<>();
   for (List<SecurityConfigurer<O, B>> configs : this.configurers.values()) {
      result.addAll(configs);
   }
   return result;
}

我们上面看继承关系的时候看到FormLoginConfigurer实际上实现了SecurityConfigurer接口,所以他就是其中一个,会调用FormLoginConfigurer的configure()

从中我们看到这个代码 this.authFilter.setAuthenticationManager(http.getSharedObject(AuthenticationManager.class))

也就是说configure方法就是用来配置UsernamePasswordAuthenticationFilter的属性的,其中的AuthenticationManager的属性就是这步配置的,从上一步的共享对象中获取到认证管理器

kotlin 复制代码
@Override
public void configure(B http) throws Exception {
   PortMapper portMapper = http.getSharedObject(PortMapper.class);
   if (portMapper != null) {
      this.authenticationEntryPoint.setPortMapper(portMapper);
   }
   RequestCache requestCache = http.getSharedObject(RequestCache.class);
   if (requestCache != null) {
      this.defaultSuccessHandler.setRequestCache(requestCache);
   }
   this.authFilter.setAuthenticationManager(http.getSharedObject(AuthenticationManager.class));
   this.authFilter.setAuthenticationSuccessHandler(this.successHandler);
   this.authFilter.setAuthenticationFailureHandler(this.failureHandler);
   if (this.authenticationDetailsSource != null) {
      this.authFilter.setAuthenticationDetailsSource(this.authenticationDetailsSource);
   }
   SessionAuthenticationStrategy sessionAuthenticationStrategy = http
      .getSharedObject(SessionAuthenticationStrategy.class);
   if (sessionAuthenticationStrategy != null) {
      this.authFilter.setSessionAuthenticationStrategy(sessionAuthenticationStrategy);
   }
   RememberMeServices rememberMeServices = http.getSharedObject(RememberMeServices.class);
   if (rememberMeServices != null) {
      this.authFilter.setRememberMeServices(rememberMeServices);
   }
   SecurityContextConfigurer securityContextConfigurer = http.getConfigurer(SecurityContextConfigurer.class);
   if (securityContextConfigurer != null && securityContextConfigurer.isRequireExplicitSave()) {
      SecurityContextRepository securityContextRepository = securityContextConfigurer
         .getSecurityContextRepository();
      this.authFilter.setSecurityContextRepository(securityContextRepository);
   }
   this.authFilter.setSecurityContextHolderStrategy(getSecurityContextHolderStrategy());
   F filter = postProcess(this.authFilter);
   http.addFilter(filter);
}

总结 也就是说我们实际在表单登录的时候里面认证用到的实际是局部创建的这个认证管理器,但是我们知道认证管理器的实现类是providerManager,providerManager在认证的时候需要依赖providers维护的实际提供者来进行认证,但是我们局部的认证管理器在创建的时候没有提供合适的providers,这个集合为空,实际也不是为空,里面有个AnonymousAuthenticationProvider,但是它不支持UsernamePasswordToken的认证, AnonymousAuthenticationProvider什么时候放进去的我们后面再说。所以最后调用parent全局的认证管理器来进行验证

java 复制代码
public class ProviderManager implements AuthenticationManager, MessageSourceAware, InitializingBean {

   private static final Log logger = LogFactory.getLog(ProviderManager.class);

   private AuthenticationEventPublisher eventPublisher = new NullEventPublisher();

   private List<AuthenticationProvider> providers = Collections.emptyList();

   protected MessageSourceAccessor messages = SpringSecurityMessageSource.getAccessor();

   private AuthenticationManager parent;
相关推荐
A尘埃1 小时前
智慧零售全渠道业务中台系统
java·零售
尘鹄1 小时前
go 初始化组件最佳实践
后端·设计模式·golang
墩墩分墩1 小时前
【Go语言入门教程】 Go语言的起源与技术特点:从诞生到现代编程利器(一)
开发语言·后端·golang·go
一个松3 小时前
【无标题】
spring boot
程序员爱钓鱼4 小时前
Go语言实战案例- 开发一个ToDo命令行工具
后端·google·go
小wanga5 小时前
C++知识
java·开发语言·c++
学渣676565 小时前
文件传输工具rsync|rust开发环境安装|Ascend实验相关命令
开发语言·后端·rust
我是渣哥5 小时前
Java String vs StringBuilder vs StringBuffer:一个性能优化的探险故事
java·开发语言·jvm·后端·算法·职场和发展·性能优化
工一木子5 小时前
深入Java并发:锁机制原理剖析与性能优化实战
java·性能优化·并发·