Spring Security Sequence of execution

Views: 1297
This article explains the order in which Spring Security executes its filters and where the authentication manager is called; it should be a useful reference for anyone working through the same problem.

Problem description


I am not able to find out where and when exactly the authentication manager is executed by Spring Security. I mean there are certain filters which are executed sequentially as below:

- FIRST
- CHANNEL_FILTER
- CONCURRENT_SESSION_FILTER
- SECURITY_CONTEXT_FILTER
- LOGOUT_FILTER
- X509_FILTER
- PRE_AUTH_FILTER
- CAS_FILTER
- FORM_LOGIN_FILTER
- OPENID_FILTER
- BASIC_AUTH_FILTER
- SERVLET_API_SUPPORT_FILTER
- REMEMBER_ME_FILTER
- ANONYMOUS_FILTER
- EXCEPTION_TRANSLATION_FILTER
- SESSION_MANAGEMENT_FILTER
- FILTER_SECURITY_INTERCEPTOR
- SWITCH_USER_FILTER
- LAST

But when exactly does the authentication provider authenticate the provided username and password? I mean to ask: after which of these filters is the authentication provider executed?

Regards,
Jayendra

Solution

From the Spring Security documentation:

The order that filters are defined in the chain is very important. Irrespective of which filters you are actually using, the order should be as follows:

  1. ChannelProcessingFilter, because it might need to redirect to a different protocol

  2. SecurityContextPersistenceFilter, so a SecurityContext can be set up in the SecurityContextHolder at the beginning of a web request, and any changes to the SecurityContext can be copied to the HttpSession when the web request ends (ready for use with the next web request)

  3. ConcurrentSessionFilter, because it uses the SecurityContextHolder functionality but needs to update the SessionRegistry to reflect ongoing requests from the principal

  4. Authentication processing mechanisms - UsernamePasswordAuthenticationFilter, CasAuthenticationFilter, BasicAuthenticationFilter etc - so that the SecurityContextHolder can be modified to contain a valid Authentication request token

  5. The SecurityContextHolderAwareRequestFilter, if you are using it to install a Spring Security aware HttpServletRequestWrapper into your servlet container

  6. RememberMeAuthenticationFilter, so that if no earlier authentication processing mechanism updated the SecurityContextHolder, and the request presents a cookie that enables remember-me services to take place, a suitable remembered Authentication object will be put there

  7. AnonymousAuthenticationFilter, so that if no earlier authentication processing mechanism updated the SecurityContextHolder, an anonymous Authentication object will be put there

  8. ExceptionTranslationFilter, to catch any Spring Security exceptions so that either an HTTP error response can be returned or an appropriate AuthenticationEntryPoint can be launched

  9. FilterSecurityInterceptor, to protect web URIs and raise exceptions when access is denied

So the authentication manager is called at step 4. If you look at the source code of UsernamePasswordAuthenticationFilter (http://docs.spring.io/autorepo/docs/spring-security/3.2.3.RELEASE/apidocs/org/springframework/security/web/authentication/UsernamePasswordAuthenticationFilter.html) you will see something like:

public Authentication attemptAuthentication(HttpServletRequest request,
        HttpServletResponse response) throws AuthenticationException {
    // ...
    return this.getAuthenticationManager().authenticate(authRequest);
}
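To make the step-4 call site visible in a running application, here is an added example (not part of the original question or answer, and not Spring's own code): a Spring Security 3.2-style Java configuration that registers a hypothetical TracingProvider with the AuthenticationManager. The log line it prints appears while UsernamePasswordAuthenticationFilter.attemptAuthentication() is running, before the remember-me, anonymous and FilterSecurityInterceptor filters; the class names and the demo credentials are constructed for this example.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.Collections;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.authentication.AuthenticationProvider;
import org.springframework.security.authentication.BadCredentialsException;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.AuthenticationException;
import org.springframework.security.core.authority.SimpleGrantedAuthority;

@Configuration
@EnableWebSecurity
public class TracingSecurityConfig extends WebSecurityConfigurerAdapter {
    // Hypothetical provider that logs each call. ProviderManager (the AuthenticationManager)
    // invokes it from UsernamePasswordAuthenticationFilter.attemptAuthentication(), i.e. step 4.
    static class TracingProvider implements AuthenticationProvider {
        @Override
        public Authentication authenticate(Authentication auth) throws AuthenticationException {
            System.out.println("AuthenticationProvider invoked for user=" + auth.getName());
            byte[] presented = String.valueOf(auth.getCredentials()).getBytes(StandardCharsets.UTF_8);
            // Constructed sample credentials; a real provider compares against a stored password hash.
            boolean ok = "demo".equals(auth.getName())
                    && MessageDigest.isEqual(presented, "demo-pass".getBytes(StandardCharsets.UTF_8));
            if (!ok) {
                throw new BadCredentialsException("Bad credentials"); // generic: do not leak which part failed
            }
            // The filter stores this authenticated token in the SecurityContextHolder before
            // the later filters (remember-me, anonymous, FilterSecurityInterceptor) run.
            return new UsernamePasswordAuthenticationToken(auth.getName(), null,
                    Collections.singletonList(new SimpleGrantedAuthority("ROLE_USER")));
        }

        @Override
        public boolean supports(Class<?> type) {
            return UsernamePasswordAuthenticationToken.class.isAssignableFrom(type);
        }
    }

    @Override
    protected void configure(AuthenticationManagerBuilder auth) {
        auth.authenticationProvider(new TracingProvider());
    }

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        // formLogin() adds UsernamePasswordAuthenticationFilter (step 4); authorizeRequests()
        // configures FilterSecurityInterceptor (step 9), which only checks the token already stored.
        http.authorizeRequests().anyRequest().authenticated().and().formLogin();
    }
}
```

Submitting the login form to a protected URL prints the trace line once per login attempt, while a plain request to a protected URL with an existing session reaches FilterSecurityInterceptor without the provider being called at all.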
