前言
现在流行的通用授权框架有apache的shiro和spring家族的spring security,在涉及今天的微服务鉴权时,需要利用我们的授权框架搭建自己的鉴权服务,今天总理了spring security。
spring security 主要实现了authentication(认证,解决who are you? ) 和 access control(访问控制,也就是what are you allowed to do?,也称为authorization)。spring security在架构上将认证与授权分离,并提供了扩展点。
核心对象
主要代码在spring-security-core包下面。要了解spring security,需要先关注里面的核心对象。
securitycontextholder, securitycontext 和 authentication
securitycontextholder 是 securitycontext的存放容器,默认使用threadlocal 存储,意味securitycontext在相同线程中的方法都可用。
securitycontext主要是存储应用的principal信息,在spring security中用authentication 来表示。
获取principal:
|
1
2
3
4
5
6
7
|
object principal = securitycontextholder.getcontext().getauthentication().getprincipal();if (principal instanceof userdetails) {string username = ((userdetails)principal).getusername();} else {string username = principal.tostring();} |
在spring security中,可以看一下authentication定义:
|
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
|
public interface authentication extends principal, serializable { collection<? extends grantedauthority> getauthorities(); /** * 通常是密码 */ object getcredentials(); /** * stores additional details about the authentication request. these might be an ip * address, certificate serial number etc. */ object getdetails(); /** * 用来标识是否已认证,如果使用用户名和密码登录,通常是用户名 */ object getprincipal(); /** * 是否已认证 */ boolean isauthenticated(); void setauthenticated(boolean isauthenticated) throws illegalargumentexception;} |
在实际应用中,通常使用usernamepasswordauthenticationtoken:
|
1
2
3
4
5
|
public abstract class abstractauthenticationtoken implements authentication, credentialscontainer { }public class usernamepasswordauthenticationtoken extends abstractauthenticationtoken {} |
一个常见的认证过程通常是这样的,创建一个usernamepasswordauthenticationtoken,然后交给authenticationmanager认证(后面详细说明),认证通过则通过securitycontextholder存放authentication信息。
|
1
2
3
4
5
|
usernamepasswordauthenticationtoken authenticationtoken = new usernamepasswordauthenticationtoken(loginvm.getusername(), loginvm.getpassword());authentication authentication = this.authenticationmanager.authenticate(authenticationtoken);securitycontextholder.getcontext().setauthentication(authentication); |
userdetails与userdetailsservice
userdetails 是spring security里的一个关键接口,他用来表示一个principal。
|
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
|
public interface userdetails extends serializable { /** * 用户的授权信息,可以理解为角色 */ collection<? extends grantedauthority> getauthorities(); /** * 用户密码 * * @return the password */ string getpassword(); /** * 用户名 * */ string getusername(); boolean isaccountnonexpired(); boolean isaccountnonlocked(); boolean iscredentialsnonexpired(); boolean isenabled();} |
userdetails提供了认证所需的必要信息,在实际使用里,可以自己实现userdetails,并增加额外的信息,比如email、mobile等信息。
在authentication中的principal通常是用户名,我们可以通过userdetailsservice来通过principal获取userdetails:
|
1
2
3
|
public interface userdetailsservice { userdetails loaduserbyusername(string username) throws usernamenotfoundexception;} |
grantedauthority
在userdetails里说了,grantedauthority可以理解为角色,例如 role_administrator or role_hr_supervisor。
小结
- securitycontextholder, 用来访问 securitycontext.
- securitycontext, 用来存储authentication .
- authentication, 代表凭证.
- grantedauthority, 代表权限.
- userdetails, 用户信息.
- userdetailsservice,获取用户信息.
authentication认证
authenticationmanager
实现认证主要是通过authenticationmanager接口,它只包含了一个方法:
|
1
2
3
4
|
public interface authenticationmanager { authentication authenticate(authentication authentication) throws authenticationexception;} |
authenticate()方法主要做三件事:
- 如果验证通过,返回authentication(通常带上authenticated=true)。
- 认证失败抛出authenticationexception
- 如果无法确定,则返回null
authenticationexception是运行时异常,它通常由应用程序按通用方式处理,用户代码通常不用特意被捕获和处理这个异常。
authenticationmanager的默认实现是providermanager,它委托一组authenticationprovider实例来实现认证。
authenticationprovider和authenticationmanager类似,都包含authenticate,但它有一个额外的方法supports,以允许查询调用方是否支持给定authentication类型:
|
1
2
3
4
5
|
public interface authenticationprovider { authentication authenticate(authentication authentication) throws authenticationexception; boolean supports(class<?> authentication);} |
providermanager包含一组authenticationprovider,执行authenticate时,遍历providers,然后调用supports,如果支持,则执行遍历当前provider的authenticate方法,如果一个provider认证成功,则break。
|
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
|
public authentication authenticate(authentication authentication) throws authenticationexception { class<? extends authentication> totest = authentication.getclass(); authenticationexception lastexception = null; authentication result = null; boolean debug = logger.isdebugenabled(); for (authenticationprovider provider : getproviders()) { if (!provider.supports(totest)) { continue; } if (debug) { logger.debug("authentication attempt using " + provider.getclass().getname()); } try { result = provider.authenticate(authentication); if (result != null) { copydetails(authentication, result); break; } } catch (accountstatusexception e) { prepareexception(e, authentication); // sec-546: avoid polling additional providers if auth failure is due to // invalid account status throw e; } catch (internalauthenticationserviceexception e) { prepareexception(e, authentication); throw e; } catch (authenticationexception e) { lastexception = e; } } if (result == null && parent != null) { // allow the parent to try. try { result = parent.authenticate(authentication); } catch (providernotfoundexception e) { // ignore as we will throw below if no other exception occurred prior to // calling parent and the parent // may throw providernotfound even though a provider in the child already // handled the request } catch (authenticationexception e) { lastexception = e; } } if (result != null) { if (erasecredentialsafterauthentication && (result instanceof credentialscontainer)) { // authentication is complete. remove credentials and other secret data // from authentication ((credentialscontainer) result).erasecredentials(); } eventpublisher.publishauthenticationsuccess(result); return result; } // parent was null, or didn't authenticate (or throw an exception). if (lastexception == null) { lastexception = new providernotfoundexception(messages.getmessage( "providermanager.providernotfound", new object[] { totest.getname() }, "no authenticationprovider found for {0}")); } prepareexception(lastexception, authentication); throw lastexception; } |
从上面的代码可以看出, providermanager有一个可选parent,如果parent不为空,则调用parent.authenticate(authentication)
authenticationprovider
authenticationprovider有多种实现,大家最关注的通常是daoauthenticationprovider,继承于abstractuserdetailsauthenticationprovider,核心是通过userdetails来实现认证,daoauthenticationprovider默认会自动加载,不用手动配。
先来看abstractuserdetailsauthenticationprovider,看最核心的authenticate:
|
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
|
public authentication authenticate(authentication authentication) throws authenticationexception { // 必须是usernamepasswordauthenticationtoken assert.isinstanceof(usernamepasswordauthenticationtoken.class, authentication, messages.getmessage( "abstractuserdetailsauthenticationprovider.onlysupports", "only usernamepasswordauthenticationtoken is supported")); // 获取用户名 string username = (authentication.getprincipal() == null) ? "none_provided" : authentication.getname(); boolean cachewasused = true; // 从缓存获取 userdetails user = this.usercache.getuserfromcache(username); if (user == null) { cachewasused = false; try { // retrieveuser 抽象方法,获取用户 user = retrieveuser(username, (usernamepasswordauthenticationtoken) authentication); } catch (usernamenotfoundexception notfound) { logger.debug("user '" + username + "' not found"); if (hideusernotfoundexceptions) { throw new badcredentialsexception(messages.getmessage( "abstractuserdetailsauthenticationprovider.badcredentials", "bad credentials")); } else { throw notfound; } } assert.notnull(user, "retrieveuser returned null - a violation of the interface contract"); } try { // 预先检查,defaultpreauthenticationchecks,检查用户是否被lock或者账号是否可用 preauthenticationchecks.check(user); // 抽象方法,自定义检验 additionalauthenticationchecks(user, (usernamepasswordauthenticationtoken) authentication); } catch (authenticationexception exception) { if (cachewasused) { // there was a problem, so try again after checking // we're using latest data (i.e. not from the cache) cachewasused = false; user = retrieveuser(username, (usernamepasswordauthenticationtoken) authentication); preauthenticationchecks.check(user); additionalauthenticationchecks(user, (usernamepasswordauthenticationtoken) authentication); } else { throw exception; } } // 后置检查 defaultpostauthenticationchecks,检查iscredentialsnonexpired postauthenticationchecks.check(user); if (!cachewasused) { this.usercache.putuserincache(user); } object principaltoreturn = user; if (forceprincipalasstring) { principaltoreturn = user.getusername(); } return createsuccessauthentication(principaltoreturn, authentication, user); } |
上面的检验主要基于userdetails实现,其中获取用户和检验逻辑由具体的类去实现,默认实现是daoauthenticationprovider,这个类的核心是让开发者提供userdetailsservice来获取userdetails以及 passwordencoder来检验密码是否有效:
|
1
2
|
private userdetailsservice userdetailsservice;private passwordencoder passwordencoder; |
看具体的实现,retrieveuser,直接调用userdetailsservice获取用户:
|
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
|
protected final userdetails retrieveuser(string username, usernamepasswordauthenticationtoken authentication) throws authenticationexception { userdetails loadeduser; try { loadeduser = this.getuserdetailsservice().loaduserbyusername(username); } catch (usernamenotfoundexception notfound) { if (authentication.getcredentials() != null) { string presentedpassword = authentication.getcredentials().tostring(); passwordencoder.ispasswordvalid(usernotfoundencodedpassword, presentedpassword, null); } throw notfound; } catch (exception repositoryproblem) { throw new internalauthenticationserviceexception( repositoryproblem.getmessage(), repositoryproblem); } if (loadeduser == null) { throw new internalauthenticationserviceexception( "userdetailsservice returned null, which is an interface contract violation"); } return loadeduser; } |
再来看验证:
|
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
|
protected void additionalauthenticationchecks(userdetails userdetails, usernamepasswordauthenticationtoken authentication) throws authenticationexception { object salt = null; if (this.saltsource != null) { salt = this.saltsource.getsalt(userdetails); } if (authentication.getcredentials() == null) { logger.debug("authentication failed: no credentials provided"); throw new badcredentialsexception(messages.getmessage( "abstractuserdetailsauthenticationprovider.badcredentials", "bad credentials")); } // 获取用户密码 string presentedpassword = authentication.getcredentials().tostring(); // 比较passwordencoder后的密码是否和userdetails的密码一致 if (!passwordencoder.ispasswordvalid(userdetails.getpassword(), presentedpassword, salt)) { logger.debug("authentication failed: password does not match stored value"); throw new badcredentialsexception(messages.getmessage( "abstractuserdetailsauthenticationprovider.badcredentials", "bad credentials")); } } |
小结:要自定义认证,使用daoauthenticationprovider,只需要为其提供passwordencoder和userdetailsservice就可以了。
定制 authentication managers
spring security提供了一个builder类authenticationmanagerbuilder,借助它可以快速实现自定义认证。
看官方源码说明:
securitybuilder used to create an authenticationmanager . allows for easily building in memory authentication, ldap authentication, jdbc based authentication, adding userdetailsservice , and adding authenticationprovider's.
authenticationmanagerbuilder可以用来build一个authenticationmanager,可以创建基于内存的认证、ldap认证、 jdbc认证,以及添加userdetailsservice和authenticationprovider。
简单使用:
|
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
|
@configuration@enablewebsecurity@enableglobalmethodsecurity(prepostenabled = true, securedenabled = true)public class applicationsecurity extends websecurityconfigureradapter { public securityconfiguration(authenticationmanagerbuilder authenticationmanagerbuilder, userdetailsservice userdetailsservice,tokenprovider tokenprovider,corsfilter corsfilter, securityproblemsupport problemsupport) { this.authenticationmanagerbuilder = authenticationmanagerbuilder; this.userdetailsservice = userdetailsservice; this.tokenprovider = tokenprovider; this.corsfilter = corsfilter; this.problemsupport = problemsupport; } @postconstruct public void init() { try { authenticationmanagerbuilder .userdetailsservice(userdetailsservice) .passwordencoder(passwordencoder()); } catch (exception e) { throw new beaninitializationexception("security configuration failed", e); } } @override protected void configure(httpsecurity http) throws exception { http .addfilterbefore(corsfilter, usernamepasswordauthenticationfilter.class) .exceptionhandling() .authenticationentrypoint(problemsupport) .accessdeniedhandler(problemsupport) .and() .csrf() .disable() .headers() .frameoptions() .disable() .and() .sessionmanagement() .sessioncreationpolicy(sessioncreationpolicy.stateless) .and() .authorizerequests() .antmatchers("/api/register").permitall() .antmatchers("/api/activate").permitall() .antmatchers("/api/authenticate").permitall() .antmatchers("/api/account/reset-password/init").permitall() .antmatchers("/api/account/reset-password/finish").permitall() .antmatchers("/api/profile-info").permitall() .antmatchers("/api/**").authenticated() .antmatchers("/management/health").permitall() .antmatchers("/management/**").hasauthority(authoritiesconstants.admin) .antmatchers("/v2/api-docs/**").permitall() .antmatchers("/swagger-resources/configuration/ui").permitall() .antmatchers("/swagger-ui/index.html").hasauthority(authoritiesconstants.admin) .and() .apply(securityconfigureradapter()); }} |
授权与访问控制
一旦认证成功,我们可以继续进行授权,授权是通过accessdecisionmanager来实现的。框架有三种实现,默认是affirmativebased,通过accessdecisionvoter决策,有点像providermanager委托给authenticationproviders来认证。
|
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
|
public void decide(authentication authentication, object object, collection<configattribute> configattributes) throws accessdeniedexception { int deny = 0; // 遍历decisionvoter for (accessdecisionvoter voter : getdecisionvoters()) { // 投票 int result = voter.vote(authentication, object, configattributes); if (logger.isdebugenabled()) { logger.debug("voter: " + voter + ", returned: " + result); } switch (result) { case accessdecisionvoter.access_granted: return; case accessdecisionvoter.access_denied: deny++; break; default: break; } } // 一票否决 if (deny > 0) { throw new accessdeniedexception(messages.getmessage( "abstractaccessdecisionmanager.accessdenied", "access is denied")); } // to get this far, every accessdecisionvoter abstained checkallowifallabstaindecisions(); } |
来看accessdecisionvoter:
|
1
2
3
4
|
boolean supports(configattribute attribute);boolean supports(class<?> clazz);int vote(authentication authentication, s object, collection<configattribute> attributes); |
object是用户要访问的资源,configattribute则是访问object要满足的条件,通常payload是字符串,比如role_admin 。所以我们来看下rolevoter的实现,其核心就是从authentication提取出grantedauthority,然后和configattribute比较是否满足条件。
|
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
|
public boolean supports(configattribute attribute) { if ((attribute.getattribute() != null) && attribute.getattribute().startswith(getroleprefix())) { return true; } else { return false; } } public boolean supports(class<?> clazz) { return true; }public int vote(authentication authentication, object object, collection<configattribute> attributes) { if(authentication == null) { return access_denied; } int result = access_abstain; // 获取grantedauthority信息 collection<? extends grantedauthority> authorities = extractauthorities(authentication); for (configattribute attribute : attributes) { if (this.supports(attribute)) { // 默认拒绝访问 result = access_denied; // attempt to find a matching granted authority for (grantedauthority authority : authorities) { // 判断是否有匹配的 authority if (attribute.getattribute().equals(authority.getauthority())) { // 可访问 return access_granted; } } } } return result; } |
这里要疑问,configattribute哪来的?其实就是上面applicationsecurity的configure里的。
web security 如何实现
web层中的spring security(用于ui和http后端)基于servlet filters,下图显示了单个http请求的处理程序的典型分层。
spring security通过filterchainproxy作为单一的filter注册到web层,proxy内部的filter。
filterchainproxy相当于一个filter的容器,通过virtualfilterchain来依次调用各个内部filter
|
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
|
public void dofilter(servletrequest request, servletresponse response, filterchain chain) throws ioexception, servletexception { boolean clearcontext = request.getattribute(filter_applied) == null; if (clearcontext) { try { request.setattribute(filter_applied, boolean.true); dofilterinternal(request, response, chain); } finally { securitycontextholder.clearcontext(); request.removeattribute(filter_applied); } } else { dofilterinternal(request, response, chain); } } private void dofilterinternal(servletrequest request, servletresponse response, filterchain chain) throws ioexception, servletexception { firewalledrequest fwrequest = firewall .getfirewalledrequest((httpservletrequest) request); httpservletresponse fwresponse = firewall .getfirewalledresponse((httpservletresponse) response); list<filter> filters = getfilters(fwrequest); if (filters == null || filters.size() == 0) { if (logger.isdebugenabled()) { logger.debug(urlutils.buildrequesturl(fwrequest) + (filters == null ? " has no matching filters" : " has an empty filter list")); } fwrequest.reset(); chain.dofilter(fwrequest, fwresponse); return; } virtualfilterchain vfc = new virtualfilterchain(fwrequest, chain, filters); vfc.dofilter(fwrequest, fwresponse); } private static class virtualfilterchain implements filterchain { private final filterchain originalchain; private final list<filter> additionalfilters; private final firewalledrequest firewalledrequest; private final int size; private int currentposition = 0; private virtualfilterchain(firewalledrequest firewalledrequest, filterchain chain, list<filter> additionalfilters) { this.originalchain = chain; this.additionalfilters = additionalfilters; this.size = additionalfilters.size(); this.firewalledrequest = firewalledrequest; } public void dofilter(servletrequest request, servletresponse response) throws ioexception, servletexception { if (currentposition == size) { if (logger.isdebugenabled()) { logger.debug(urlutils.buildrequesturl(firewalledrequest) + " reached end of additional filter chain; proceeding with original chain"); } // deactivate path stripping as we exit the security filter chain this.firewalledrequest.reset(); originalchain.dofilter(request, response); } else { currentposition++; filter nextfilter = additionalfilters.get(currentposition - 1); if (logger.isdebugenabled()) { logger.debug(urlutils.buildrequesturl(firewalledrequest) + " at position " + currentposition + " of " + size + " in additional filter chain; firing filter: '" + nextfilter.getclass().getsimplename() + "'"); } nextfilter.dofilter(request, response, this); } } } |
参考
https://spring.io/guides/topicals/spring-security-architecture/
https://docs.spring.io/spring-security/site/docs/5.0.5.release/reference/htmlsingle/#overall-architecture
总结
以上就是这篇文章的全部内容了,希望本文的内容对大家的学习或者工作具有一定的参考学习价值,如果有疑问大家可以留言交流,谢谢大家对服务器之家的支持。
原文链接:http://www.cnblogs.com/xiaoqi/p/spring-security.html
