1 package org.springframework.security.web.authentication;
2
3 import java.io.IOException;
4 import javax.servlet.FilterChain;
5 import javax.servlet.ServletException;
6 import javax.servlet.ServletRequest;
7 import javax.servlet.ServletResponse;
8 import javax.servlet.http.HttpServletRequest;
9 import javax.servlet.http.HttpServletResponse;
10 import org.springframework.context.ApplicationEventPublisher;
11 import org.springframework.context.ApplicationEventPublisherAware;
12 import org.springframework.context.MessageSource;
13 import org.springframework.context.MessageSourceAware;
14 import org.springframework.context.support.MessageSourceAccessor;
15 import org.springframework.security.authentication.AuthenticationDetailsSource;
16 import org.springframework.security.authentication.AuthenticationManager;
17 import org.springframework.security.authentication.InternalAuthenticationServiceException;
18 import org.springframework.security.authentication.event.InteractiveAuthenticationSuccessEvent;
19 import org.springframework.security.core.Authentication;
20 import org.springframework.security.core.AuthenticationException;
21 import org.springframework.security.core.SpringSecurityMessageSource;
22 import org.springframework.security.core.context.SecurityContextHolder;
23 import org.springframework.security.web.authentication.session.NullAuthenticatedSessionStrategy;
24 import org.springframework.security.web.authentication.session.SessionAuthenticationStrategy;
25 import org.springframework.security.web.util.matcher.AntPathRequestMatcher;
26 import org.springframework.security.web.util.matcher.RequestMatcher;
27 import org.springframework.util.Assert;
28 import org.springframework.web.filter.GenericFilterBean;
29
30 public abstract class AbstractAuthenticationProcessingFilter extends GenericFilterBean implements ApplicationEventPublisherAware, MessageSourceAware {
31 protected ApplicationEventPublisher eventPublisher;//应用事件发布者
32 protected AuthenticationDetailsSource<HttpServletRequest, ?> authenticationDetailsSource = new WebAuthenticationDetailsSource();//身份验证详细信息源
33 private AuthenticationManager authenticationManager;//认证管理器
34 protected MessageSourceAccessor messages = SpringSecurityMessageSource.getAccessor();//消息源访问器
35 private RememberMeServices rememberMeServices = new NullRememberMeServices();//记住我的服务
36 private RequestMatcher requiresAuthenticationRequestMatcher;//请求匹配器
37 private boolean continueChainBeforeSuccessfulAuthentication = false;//成功认证前的继续链
38 private SessionAuthenticationStrategy sessionStrategy = new NullAuthenticatedSessionStrategy();//会话认证策略
39 private boolean allowSessionCreation = true;//允许会话创建
40 private AuthenticationSuccessHandler successHandler = new SavedRequestAwareAuthenticationSuccessHandler();//身份验证成功处理程序
41 private AuthenticationFailureHandler failureHandler = new SimpleUrlAuthenticationFailureHandler();//身份验证失败处理程序
42
43 protected AbstractAuthenticationProcessingFilter(String defaultFilterProcessesUrl) {//默认过滤处理的url
44 this.setFilterProcessesUrl(defaultFilterProcessesUrl);
45 }
46
47 protected AbstractAuthenticationProcessingFilter(RequestMatcher requiresAuthenticationRequestMatcher) {//请求匹配器
48 Assert.notNull(requiresAuthenticationRequestMatcher, "requiresAuthenticationRequestMatcher cannot be null");
49 this.requiresAuthenticationRequestMatcher = requiresAuthenticationRequestMatcher;
50 }
51
52 public void afterPropertiesSet() {//属性集之后
53 Assert.notNull(this.authenticationManager, "authenticationManager must be specified");
54 }
55
56 public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain) throws IOException, ServletException {
57 HttpServletRequest request = (HttpServletRequest)req;
58 HttpServletResponse response = (HttpServletResponse)res;
59 if (!this.requiresAuthentication(request, response)) {
60 chain.doFilter(request, response);
61 } else {
62 if (this.logger.isDebugEnabled()) {
63 this.logger.debug("Request is to process authentication");
64 }
65
66 Authentication authResult;
67 try {
68 authResult = this.attemptAuthentication(request, response);
69 if (authResult == null) {
70 return;
71 }
72
73 this.sessionStrategy.onAuthentication(authResult, request, response);
74 } catch (InternalAuthenticationServiceException var8) {
75 this.logger.error("An internal error occurred while trying to authenticate the user.", var8);
76 this.unsuccessfulAuthentication(request, response, var8);
77 return;
78 } catch (AuthenticationException var9) {
79 this.unsuccessfulAuthentication(request, response, var9);
80 return;
81 }
82
83 if (this.continueChainBeforeSuccessfulAuthentication) {
84 chain.doFilter(request, response);
85 }
86
87 this.successfulAuthentication(request, response, chain, authResult);
88 }
89 }
90
91 protected boolean requiresAuthentication(HttpServletRequest request, HttpServletResponse response) {//是否需要认证
//请求匹配器与请求路劲是否匹配,如果匹配返回真,如果不匹配返回假
92 return this.requiresAuthenticationRequestMatcher.matches(request);
93 }
94 //认证逻辑的方法,由子类实现
95 public abstract Authentication attemptAuthentication(HttpServletRequest var1, HttpServletResponse var2) throws AuthenticationException, IOException, ServletException;
96 //认证成功
97 protected void successfulAuthentication(HttpServletRequest request, HttpServletResponse response, FilterChain chain, Authentication authResult) throws IOException, ServletException {
98 if (this.logger.isDebugEnabled()) {
99 this.logger.debug("Authentication success. Updating SecurityContextHolder to contain: " + authResult);
100 }
101
102 SecurityContextHolder.getContext().setAuthentication(authResult);
103 this.rememberMeServices.loginSuccess(request, response, authResult);
104 if (this.eventPublisher != null) {
//交互式认证成功事件
105 this.eventPublisher.publishEvent(new InteractiveAuthenticationSuccessEvent(authResult, this.getClass()));
106 }
107
108 this.successHandler.onAuthenticationSuccess(request, response, authResult);
109 }
110 //没有认证成功
111 protected void unsuccessfulAuthentication(HttpServletRequest request, HttpServletResponse response, AuthenticationException failed) throws IOException, ServletException {
112 SecurityContextHolder.clearContext();
113 if (this.logger.isDebugEnabled()) {
114 this.logger.debug("Authentication request failed: " + failed.toString(), failed);
115 this.logger.debug("Updated SecurityContextHolder to contain null Authentication");
116 this.logger.debug("Delegating to authentication failure handler " + this.failureHandler);
117 }
118
119 this.rememberMeServices.loginFail(request, response);
120 this.failureHandler.onAuthenticationFailure(request, response, failed);
121 }
122 //get认证管理器
123 protected AuthenticationManager getAuthenticationManager() {
124 return this.authenticationManager;
125 }
126 //set认证管理器
127 public void setAuthenticationManager(AuthenticationManager authenticationManager) {
128 this.authenticationManager = authenticationManager;
129 }
130 //设置过滤器处理的url
131 public void setFilterProcessesUrl(String filterProcessesUrl) {
132 this.setRequiresAuthenticationRequestMatcher(new AntPathRequestMatcher(filterProcessesUrl));
133 }
134 //设置需要认证请求匹配器
135 public final void setRequiresAuthenticationRequestMatcher(RequestMatcher requestMatcher) {
136 Assert.notNull(requestMatcher, "requestMatcher cannot be null");
137 this.requiresAuthenticationRequestMatcher = requestMatcher;
138 }
139 //get记住我的服务
140 public RememberMeServices getRememberMeServices() {
141 return this.rememberMeServices;
142 }
143 //set记住我的服务
144 public void setRememberMeServices(RememberMeServices rememberMeServices) {
145 Assert.notNull(rememberMeServices, "rememberMeServices cannot be null");
146 this.rememberMeServices = rememberMeServices;
147 }
148 //set 是否跳出 链 在认证成功前
149 public void setContinueChainBeforeSuccessfulAuthentication(boolean continueChainBeforeSuccessfulAuthentication) {
150 this.continueChainBeforeSuccessfulAuthentication = continueChainBeforeSuccessfulAuthentication;
151 }
152 //set 应用事件发布者
153 public void setApplicationEventPublisher(ApplicationEventPublisher eventPublisher) {
154 this.eventPublisher = eventPublisher;
155 }
156 //set 身份认证详细信息源
157 public void setAuthenticationDetailsSource(AuthenticationDetailsSource<HttpServletRequest, ?> authenticationDetailsSource) {
158 Assert.notNull(authenticationDetailsSource, "AuthenticationDetailsSource required");
159 this.authenticationDetailsSource = authenticationDetailsSource;
160 }
161 //set 消息源访问器
162 public void setMessageSource(MessageSource messageSource) {
163 this.messages = new MessageSourceAccessor(messageSource);
164 }
165 // get 允许会话创建
166 protected boolean getAllowSessionCreation() {
167 return this.allowSessionCreation;
168 }
169 //set 允许会话创建
170 public void setAllowSessionCreation(boolean allowSessionCreation) {
171 this.allowSessionCreation = allowSessionCreation;
172 }
173 //set 会话认证策略
174 public void setSessionAuthenticationStrategy(SessionAuthenticationStrategy sessionStrategy) {
175 this.sessionStrategy = sessionStrategy;
176 }
177 //set 认证成功的处理程序
178 public void setAuthenticationSuccessHandler(AuthenticationSuccessHandler successHandler) {
179 Assert.notNull(successHandler, "successHandler cannot be null");
180 this.successHandler = successHandler;
181 }
182 // set 认证失败的处理程序
183 public void setAuthenticationFailureHandler(AuthenticationFailureHandler failureHandler) {
184 Assert.notNull(failureHandler, "failureHandler cannot be null");
185 this.failureHandler = failureHandler;
186 }
187 //get 认证成功的处理程序
188 protected AuthenticationSuccessHandler getSuccessHandler() {
189 return this.successHandler;
190 }
191 //get 认证失败的处理程序
192 protected AuthenticationFailureHandler getFailureHandler() {
193 return this.failureHandler;
194 }
195 }
