What is the default AuthenticationManager in Spring-Security? How does it authenticate?

Problem description

I have the following bean defined:

<sec:authentication-manager alias="authenticationManager">
    <sec:authentication-provider
        user-service-ref="userDetailsService" />
</sec:authentication-manager>

I guess here Spring uses some default implementation of AuthenticationManager.

In my Java code I have:

@Resource(name = "authenticationManager")
private AuthenticationManager authenticationManager; // specific for Spring Security

public boolean login(String username, String password) {
    try {
        Authentication authenticate = authenticationManager.authenticate(new UsernamePasswordAuthenticationToken(username, password));
        if (authenticate.isAuthenticated()) {
            // Store the authenticated principal for the current thread/request
            SecurityContextHolder.getContext().setAuthentication(authenticate);
            return true;
        }
    }
    catch (AuthenticationException e) {
        // Authentication failed; fall through and return false
    }
    return false;
}

Here AuthenticationManager.authenticate(...) is called. But I would like to know which implementation of AuthenticationManager Spring uses by default, and what its authenticate(...) does in order to authenticate (i.e., make sure that username matches password).

Can you explain this?

Recommended answer

The AuthenticationManager is really just a container for authentication providers, giving a consistent interface to them all. In most cases, the default AuthenticationManager is more than sufficient.

When you call

.authenticate(new UsernamePasswordAuthenticationToken(username, password))

it is passing the UsernamePasswordAuthenticationToken to the default AuthenticationProvider, which will use the userDetailsService to get the user based on username and compare that user's password with the one in the authentication token.

In general, the AuthenticationManager passes some sort of AuthenticationToken to each of its AuthenticationProviders and they each inspect it and, if they can use it to authenticate, they return with an indication of "Authenticated", "Unauthenticated", or "Could not authenticate" (which indicates the provider did not know how to handle the token, so it passed on processing it).

This is the mechanism that allows you to plug in other authentication schemes, like authenticating against an LDAP or Active Directory server, or OpenID, and is one of the main extension points within the Spring Security framework.
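Added example, not part of the original answer or of Spring's own code: in Spring Security the manager built by the XML above is a ProviderManager, and a provider declared with user-service-ref is a DaoAuthenticationProvider. The sketch below wires the same pair by hand and shows each outcome the answer describes. It assumes Spring Security 5.x or 6.x on the classpath; the class name ProviderManagerDemo and the user alice / s3cret are constructed for illustration.

```java
import java.util.Collections;
import org.springframework.security.authentication.*;
import org.springframework.security.authentication.dao.DaoAuthenticationProvider;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.AuthenticationException;
import org.springframework.security.core.userdetails.User;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
import org.springframework.security.crypto.password.PasswordEncoder;
import org.springframework.security.provisioning.InMemoryUserDetailsManager;

public class ProviderManagerDemo {

    // Hand-built equivalent of <sec:authentication-manager> with one user-service-backed provider.
    static AuthenticationManager buildManager() {
        PasswordEncoder encoder = new BCryptPasswordEncoder();
        // Constructed sample user; stands in for the page's userDetailsService bean.
        UserDetailsService users = new InMemoryUserDetailsManager(
                User.withUsername("alice").password(encoder.encode("s3cret")).roles("USER").build());
        DaoAuthenticationProvider dao = new DaoAuthenticationProvider();
        dao.setUserDetailsService(users);   // loads the stored user by username
        dao.setPasswordEncoder(encoder);    // compares the presented password with the stored hash
        return new ProviderManager(Collections.<AuthenticationProvider>singletonList(dao));
    }

    // Maps the manager's result or exception to one of the outcomes described in the answer.
    static String outcome(AuthenticationManager manager, Authentication request) {
        try {
            Authentication result = manager.authenticate(request);
            return "authenticated as " + result.getName() + " " + result.getAuthorities();
        } catch (BadCredentialsException e) {
            // Wrong password and unknown user both land here, so callers cannot enumerate users.
            return "rejected: bad credentials";
        } catch (ProviderNotFoundException e) {
            // No provider's supports() accepted this token type.
            return "no provider supports " + request.getClass().getSimpleName();
        } catch (AuthenticationException e) {
            return "rejected: " + e.getClass().getSimpleName(); // locked, disabled, expired, ...
        }
    }

    public static void main(String[] args) {
        AuthenticationManager manager = buildManager();
        System.out.println(outcome(manager, new UsernamePasswordAuthenticationToken("alice", "s3cret")));
        System.out.println(outcome(manager, new UsernamePasswordAuthenticationToken("alice", "wrong")));
        System.out.println(outcome(manager, new UsernamePasswordAuthenticationToken("nobody", "s3cret")));
        System.out.println(outcome(manager, new TestingAuthenticationToken("alice", "s3cret")));
    }
}
```

By default ProviderManager also erases the credentials from the returned Authentication, so the plaintext password is not kept in the SecurityContext after a successful login.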
