What is the difference between authentication and authorization in context of Spring Security?


Question

I'm working on a Java Spring Boot project for which I'm trying to set up Spring Security for user authentication with JWT. The tutorial I'm following (and also many tutorials and projects I found on the internet) talks about two sections: authentication and authorization.

In most tutorials there are two filter classes: one handles authentication, and the other handles authorization! (Some I have found with only one class, which extends the OncePerRequestFilter class.)

In those projects that have two filter classes, the authentication filter class extends the UsernamePasswordAuthenticationFilter class, and the authorization class extends the BasicAuthenticationFilter class.

Is there a way that I can only use the authentication part in my project, or should I use both classes to set up user authentication in Spring Security?

Any explanation would be appreciated.

Answer

"Is there a way that I can only use the authentication part in my project, or should I use both classes to set up user authentication in Spring Security?"

No, there is no concept of an "only authentication" part; you have a wrong perception of Spring Security. Spring Security is all about configuration, either by using the defaults or by implementing your own custom configuration (AuthenticationFilters, AuthenticationProviders, AuthenticationToken, etc.).


Spring Security is all about authentication and authorization. Spring Security is configured by declaring a filter, DelegatingFilterProxy, in web.xml (in Spring Boot this is done by auto-configuration).

Spring Security puts a WALL (HttpFirewall) in front of your application in the form of proxy filters or Spring-managed beans. A request can reach your application only if it succeeds in both the authentication and the authorization part.

It will go through

  • credential validation, or
  • validation of the Authorization header contents, or
  • validation of the cookie associated with the request (the JSESSIONID cookie), i.e. the session
  • if none of the above matches, the user is identified as "anonymous".

In this step the Authentication object is created. From the auth object you can get

  • the details object (additional details about the authentication request)
  • the principal object (UserDetails, AuthenticatedPrincipal or Principal)
  • the credentials (usually a password, but it could be anything relevant to the AuthenticationManager)
  • the collection of granted authorities
  • and a boolean, authenticated.

There is a FilterSecurityInterceptor, which comes almost last in the filter chain. It gets the Authentication object from the SecurityContext, gets the list of granted authorities (roles granted) and makes the decision whether to allow this request to reach the requested resource or not; the decision is made by matching against the allowed AntMatchers configured in the HttpSecurity configuration.

Consider the exceptions 401 Unauthorized and 403 Forbidden. These decisions are made at the end of the filter chain.
401 Unauthorized: an unauthenticated user trying to access a secured resource.
403 Forbidden: an authenticated user trying to access a restricted resource.
An unauthenticated user is allowed to access non-restricted resources and will not get an Unauthorized error; this is handled by AnonymousAuthenticationFilter, which sets the authority ROLE_ANONYMOUS for the unauthenticated user.

Note
The filter ordering is given below, where
authentication is at order 4 and
authorization is at order 9 (last).

From the docs:
Spring Security has several areas where patterns you have defined are tested against incoming requests in order to decide how the request should be handled. This occurs when the FilterChainProxy decides which filter chain a request should be passed through and also when the FilterSecurityInterceptor decides which security constraints apply to a request. It's important to understand what the mechanism is and what URL value is used when testing against the patterns that you define.

Filter Ordering
The order that filters are defined in the chain is very important. Irrespective of which filters you are actually using, the order should be as follows:
1. ChannelProcessingFilter, because it might need to redirect to a different protocol
2. SecurityContextPersistenceFilter, so a SecurityContext can be set up in the SecurityContextHolder at the beginning of a web request, and any changes to the SecurityContext can be copied to the HttpSession when the web request ends (ready for use with the next web request)
3. ConcurrentSessionFilter, because it uses the SecurityContextHolder functionality but needs to update the SessionRegistry to reflect ongoing requests from the principal
4. Authentication processing mechanisms - UsernamePasswordAuthenticationFilter, CasAuthenticationFilter, BasicAuthenticationFilter etc - so that the SecurityContextHolder can be modified to contain a valid Authentication request token
5. The SecurityContextHolderAwareRequestFilter, if you are using it to install a Spring Security aware HttpServletRequestWrapper into your servlet container
6. RememberMeAuthenticationFilter, so that if no earlier authentication processing mechanism updated the SecurityContextHolder, and the request presents a cookie that enables remember-me services to take place, a suitable remembered Authentication object will be put there
7. AnonymousAuthenticationFilter, so that if no earlier authentication processing mechanism updated the SecurityContextHolder, an anonymous Authentication object will be put there
8. ExceptionTranslationFilter, to catch any Spring Security exceptions so that either an HTTP error response can be returned or an appropriate AuthenticationEntryPoint can be launched
9. FilterSecurityInterceptor, to protect web URIs and raise exceptions when access is denied

Just to give some idea of the filters in Spring Security.

Finally, if you are new to Spring Security, my suggestion is to try as many examples as possible, spend more time on the debug logs, and try to understand the flow.
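The two-stage flow the answer describes, as an added example (editor's code, not from the question, the answer or the Spring Security project): a single OncePerRequestFilter does the authentication part, turning a bearer token into an Authentication object with granted authorities, and the authorization part is not a second filter class at all but the rules configured on HttpSecurity, which Spring Security enforces last in the chain (in Spring Security 6 that enforcement is done by AuthorizationFilter, the successor of the FilterSecurityInterceptor named above). It assumes Spring Boot 3 / Spring Security 6 (jakarta.servlet, the lambda DSL and authorizeHttpRequests), a hypothetical TokenVerifier bean that checks the JWT signature and expiry, and the illustrative paths /public/** and /admin/**.

```java
import java.io.IOException;
import java.util.List;
import java.util.Optional;

import jakarta.servlet.FilterChain;
import jakarta.servlet.ServletException;
import jakarta.servlet.http.HttpServletRequest;
import jakarta.servlet.http.HttpServletResponse;

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.http.HttpStatus;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.http.SessionCreationPolicy;
import org.springframework.security.core.authority.SimpleGrantedAuthority;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.security.web.SecurityFilterChain;
import org.springframework.security.web.authentication.HttpStatusEntryPoint;
import org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter;
import org.springframework.web.filter.OncePerRequestFilter;

/**
 * Hypothetical token verifier (an assumption of this example, not a Spring Security type).
 * It must check the JWT signature and expiry and return the claims only when both are valid.
 */
interface TokenVerifier {
    Optional<Claims> verify(String token);

    record Claims(String subject, List<String> roles) {}
}

/**
 * AUTHENTICATION step: turns a valid bearer token into an Authentication object in the
 * SecurityContext. It never decides whether the request is allowed; that decision belongs
 * to the authorization rules evaluated at the end of the chain.
 */
class JwtAuthenticationFilter extends OncePerRequestFilter {

    private final TokenVerifier verifier;

    JwtAuthenticationFilter(TokenVerifier verifier) {
        this.verifier = verifier;
    }

    @Override
    protected void doFilterInternal(HttpServletRequest request, HttpServletResponse response,
                                    FilterChain chain) throws ServletException, IOException {
        String header = request.getHeader("Authorization");
        if (header != null && header.startsWith("Bearer ")) {
            verifier.verify(header.substring("Bearer ".length())).ifPresent(claims -> {
                // Token roles become granted authorities; hasRole("ADMIN") below expects the ROLE_ prefix.
                List<SimpleGrantedAuthority> authorities = claims.roles().stream()
                        .map(role -> new SimpleGrantedAuthority("ROLE_" + role))
                        .toList();
                // Credentials are null on purpose: the token was already verified and must not
                // be kept in the security context.
                UsernamePasswordAuthenticationToken auth =
                        UsernamePasswordAuthenticationToken.authenticated(claims.subject(), null, authorities);
                SecurityContextHolder.getContext().setAuthentication(auth);
            });
        }
        // A missing or invalid token is NOT rejected here: the request goes on as anonymous
        // (AnonymousAuthenticationFilter) and the authorization rules decide what happens.
        chain.doFilter(request, response);
    }
}

@Configuration
@EnableWebSecurity
public class SecurityConfig {

    @Bean
    SecurityFilterChain filterChain(HttpSecurity http, TokenVerifier verifier) throws Exception {
        http
            // Stateless bearer-token API: no session cookie, hence no CSRF token to check.
            .csrf(csrf -> csrf.disable())
            .sessionManagement(sm -> sm.sessionCreationPolicy(SessionCreationPolicy.STATELESS))
            // Authentication: slot 4 in the filter ordering quoted above.
            .addFilterBefore(new JwtAuthenticationFilter(verifier), UsernamePasswordAuthenticationFilter.class)
            // Authorization: evaluated last in the chain against the granted authorities.
            .authorizeHttpRequests(auth -> auth
                .requestMatchers("/public/**").permitAll()      // anonymous users allowed
                .requestMatchers("/admin/**").hasRole("ADMIN")  // authenticated without ROLE_ADMIN -> 403
                .anyRequest().authenticated())                  // unauthenticated -> 401
            // 401 for unauthenticated access, 403 for authenticated but not permitted.
            .exceptionHandling(ex -> ex
                .authenticationEntryPoint(new HttpStatusEntryPoint(HttpStatus.UNAUTHORIZED))
                .accessDeniedHandler((req, res, e) -> res.sendError(HttpStatus.FORBIDDEN.value())));
        return http.build();
    }
}
```

With this configuration a request to /public/x with no token passes (ROLE_ANONYMOUS is enough for permitAll), a request to /admin/x with no token or an invalid token gets 401 from the entry point, and a request to /admin/x with a valid token whose roles lack ADMIN gets 403 from the access-denied handler; the filter itself never sends an error, which keeps the authentication and authorization decisions in the places the answer describes.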

