UsernamePasswordAuthenticationFilter中的authenticationManager到底是谁注入的

继承关系

UsernamePasswordAuthenticationFilter继承至AbstractAuthenticationProcessingFilter,里面有个 AuthenticationManager认证管理的属性,那么这个属性是谁注入进来的,是全局的authenticationManager 还是局部的authenticationManager吗?接下来分析一下。

java 复制代码
public abstract class AbstractAuthenticationProcessingFilter extends GenericFilterBean
      implements ApplicationEventPublisherAware, MessageSourceAware {
       // 认证管理器
       private AuthenticationManager authenticationManager;
   }

FormLoginConfigurer

UsernamePasswordAuthenticationFilter是由FormLoginConfigurer配置类构建的

FormLoginConfigurer实际上实现了SecurityConfigurer接口。我们知道httpSecurity在调用build()方法构建过滤器链的时候,会调用父类的doBuild方法

ini 复制代码
@Override
protected final O doBuild() throws Exception {
   synchronized (this.configurers) {
      this.buildState = BuildState.INITIALIZING;
      beforeInit();
      init();
      this.buildState = BuildState.CONFIGURING;
      beforeConfigure();
      configure();
      this.buildState = BuildState.BUILDING;
      O result = performBuild();
      this.buildState = BuildState.BUILT;
      return result;
   }
}

里面有两个关键步骤 叫beforeConfigure();和 configure();

beforeConfigure()

httpSecurity重写了beforeConfigure()方法 如下:总结起来就是构建一个局部的AuthenticationManager放入共享对象,留着后续这个httpSecurity的构建过程中使用

scss 复制代码
@Override
protected void beforeConfigure() throws Exception {
   
   if (this.authenticationManager != null) {
      setSharedObject(AuthenticationManager.class, this.authenticationManager);
   }
   else {
      ObservationRegistry registry = getObservationRegistry();
      // 最终会调用getAuthenticationRegistry从SharedObject拿到属于自己的那个局部的AuthenticationManagerBuilder进行构建一个独立的认证管理器
      AuthenticationManager manager = getAuthenticationRegistry().build();
      if (!registry.isNoop() && manager != null) {
         setSharedObject(AuthenticationManager.class, new ObservationAuthenticationManager(registry, manager));
      }
      else {
         //最后将这个认证管理器放入共享对象中 留着后续configure的时候用到
         setSharedObject(AuthenticationManager.class, manager);
      }
   }
}
csharp 复制代码
private AuthenticationManagerBuilder getAuthenticationRegistry() {
   return getSharedObject(AuthenticationManagerBuilder.class);
}

configure()

configure()方法就是从configurers中获取所有的SecurityConfigurer<O, B> configurer,依次调用他们的configure方法,

swift 复制代码
private final LinkedHashMap<Class<? extends SecurityConfigurer<O, B>>, List<SecurityConfigurer<O, B>>> configurers = new LinkedHashMap<>();

private void configure() throws Exception {
   Collection<SecurityConfigurer<O, B>> configurers = getConfigurers();
   for (SecurityConfigurer<O, B> configurer : configurers) {
      configurer.configure((B) this);
   }
}

private Collection<SecurityConfigurer<O, B>> getConfigurers() {
   List<SecurityConfigurer<O, B>> result = new ArrayList<>();
   for (List<SecurityConfigurer<O, B>> configs : this.configurers.values()) {
      result.addAll(configs);
   }
   return result;
}

我们上面看继承关系的时候看到FormLoginConfigurer实际上实现了SecurityConfigurer接口,所以他就是其中一个,会调用FormLoginConfigurer的configure()

从中我们看到这个代码 this.authFilter.setAuthenticationManager(http.getSharedObject(AuthenticationManager.class))

也就是说configure方法就是用来配置UsernamePasswordAuthenticationFilter的属性的,其中的AuthenticationManager的属性就是这步配置的,从上一步的共享对象中获取到认证管理器

kotlin 复制代码
@Override
public void configure(B http) throws Exception {
   PortMapper portMapper = http.getSharedObject(PortMapper.class);
   if (portMapper != null) {
      this.authenticationEntryPoint.setPortMapper(portMapper);
   }
   RequestCache requestCache = http.getSharedObject(RequestCache.class);
   if (requestCache != null) {
      this.defaultSuccessHandler.setRequestCache(requestCache);
   }
   this.authFilter.setAuthenticationManager(http.getSharedObject(AuthenticationManager.class));
   this.authFilter.setAuthenticationSuccessHandler(this.successHandler);
   this.authFilter.setAuthenticationFailureHandler(this.failureHandler);
   if (this.authenticationDetailsSource != null) {
      this.authFilter.setAuthenticationDetailsSource(this.authenticationDetailsSource);
   }
   SessionAuthenticationStrategy sessionAuthenticationStrategy = http
      .getSharedObject(SessionAuthenticationStrategy.class);
   if (sessionAuthenticationStrategy != null) {
      this.authFilter.setSessionAuthenticationStrategy(sessionAuthenticationStrategy);
   }
   RememberMeServices rememberMeServices = http.getSharedObject(RememberMeServices.class);
   if (rememberMeServices != null) {
      this.authFilter.setRememberMeServices(rememberMeServices);
   }
   SecurityContextConfigurer securityContextConfigurer = http.getConfigurer(SecurityContextConfigurer.class);
   if (securityContextConfigurer != null && securityContextConfigurer.isRequireExplicitSave()) {
      SecurityContextRepository securityContextRepository = securityContextConfigurer
         .getSecurityContextRepository();
      this.authFilter.setSecurityContextRepository(securityContextRepository);
   }
   this.authFilter.setSecurityContextHolderStrategy(getSecurityContextHolderStrategy());
   F filter = postProcess(this.authFilter);
   http.addFilter(filter);
}

总结 也就是说我们实际在表单登录的时候里面认证用到的实际是局部创建的这个认证管理器,但是我们知道认证管理器的实现类是providerManager,providerManager在认证的时候需要依赖providers维护的实际提供者来进行认证,但是我们局部的认证管理器在创建的时候没有提供合适的providers,这个集合为空,实际也不是为空,里面有个AnonymousAuthenticationProvider,但是它不支持UsernamePasswordToken的认证, AnonymousAuthenticationProvider什么时候放进去的我们后面再说。所以最后调用parent全局的认证管理器来进行验证

java 复制代码
public class ProviderManager implements AuthenticationManager, MessageSourceAware, InitializingBean {

   private static final Log logger = LogFactory.getLog(ProviderManager.class);

   private AuthenticationEventPublisher eventPublisher = new NullEventPublisher();

   private List<AuthenticationProvider> providers = Collections.emptyList();

   protected MessageSourceAccessor messages = SpringSecurityMessageSource.getAccessor();

   private AuthenticationManager parent;
相关推荐
callJJ3 分钟前
从 0 开始理解 Spring 的核心思想 —— IoC 和 DI(2)
java·开发语言·后端·spring·ioc·di
wangjialelele5 分钟前
Linux中的线程
java·linux·jvm·c++
谷咕咕8 分钟前
windows下python3,LLaMA-Factory部署以及微调大模型,ollama运行对话,开放api,java,springboot项目调用
java·windows·语言模型·llama
没有bug.的程序员37 分钟前
MVCC(多版本并发控制):InnoDB 高并发的核心技术
java·大数据·数据库·mysql·mvcc
在下村刘湘1 小时前
maven pom文件中<dependencyManagement><dependencies><dependency> 三者的区别
java·maven
不务专业的程序员--阿飞2 小时前
JVM无法分配内存
java·jvm·spring boot
你的人类朋友2 小时前
JWT的组成
后端
李昊哲小课2 小时前
Maven 完整教程
java·maven
Lin_Aries_04212 小时前
容器化简单的 Java 应用程序
java·linux·运维·开发语言·docker·容器·rpc
脑花儿2 小时前
ABAP SMW0下载Excel模板并填充&&剪切板方式粘贴
java·前端·数据库