Spring Security 3 Source Code Analysis: AnonymousAuthenticationFilter
2014-01-20 18:35
The class path of the AnonymousAuthenticationFilter filter is
org.springframework.security.web.authentication.AnonymousAuthenticationFilter
AnonymousAuthenticationFilter sits after UsernamePasswordAuthenticationFilter, BasicAuthenticationFilter and RememberMeAuthenticationFilter in the filter chain. If none of these three filters authenticates the request successfully, it adds an anonymously authenticated token to the current SecurityContext. However, servlet methods such as getRemoteUser cannot obtain a login account, because SecurityContextHolderAwareRequestFilter sits before AnonymousAuthenticationFilter.
    // Logging omitted
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        // applyAnonymousForThisRequest always returns true
        if (applyAnonymousForThisRequest((HttpServletRequest) req)) {
            // If the current SecurityContext holds no authentication object
            if (SecurityContextHolder.getContext().getAuthentication() == null) {
                // Create an anonymous authentication object and store it in the SecurityContext
                SecurityContextHolder.getContext()
                        .setAuthentication(createAuthentication((HttpServletRequest) req));
            } else {
            }
        }
        chain.doFilter(req, res);
    }

    protected Authentication createAuthentication(HttpServletRequest request) {
        // Create the anonymous authentication token; note that key and userAttribute
        // are injected when the <anonymous> tag is parsed
        AnonymousAuthenticationToken auth = new AnonymousAuthenticationToken(
                key, userAttribute.getPassword(), userAttribute.getAuthorities());
        auth.setDetails(authenticationDetailsSource.buildDetails(request));
        return auth;
    }
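The anonymous tag is configured as follows:

    <anonymous granted-authority="ROLE_ANONYMOUS" enabled="true" username="test"/>

The username attribute is easy to misread here: username defaults to anonymousUser, and it is actually injected into the password field of UserAttribute.
The granted-authority attribute is injected into the authorities list of UserAttribute.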
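
Because the filter always leaves a non-null Authentication in the SecurityContext, and AnonymousAuthenticationToken reports isAuthenticated() as true, application code must not treat "an Authentication exists" as "a user logged in". The following is an added example, not code from the original post or from Spring Security itself: the class name, the key value "demoKey", and the user "alice" are constructed for illustration, while "test" and ROLE_ANONYMOUS mirror the tag configuration above.

```java
import org.springframework.security.authentication.AnonymousAuthenticationToken;
import org.springframework.security.authentication.AuthenticationTrustResolver;
import org.springframework.security.authentication.AuthenticationTrustResolverImpl;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.authority.AuthorityUtils;

public class AnonymousCheckDemo {

    private static final AuthenticationTrustResolver RESOLVER =
            new AuthenticationTrustResolverImpl();

    // Weak check: accepts the anonymous token, because it is non-null
    // and was marked authenticated when it was constructed.
    static boolean naiveIsLoggedIn(Authentication auth) {
        return auth != null && auth.isAuthenticated();
    }

    // Hardened check: additionally rejects tokens that the trust resolver
    // classifies as anonymous.
    static boolean isLoggedIn(Authentication auth) {
        return auth != null && auth.isAuthenticated() && !RESOLVER.isAnonymous(auth);
    }

    public static void main(String[] args) {
        // Constructed sample: the token createAuthentication() would build for
        // username="test" and granted-authority="ROLE_ANONYMOUS".
        // "demoKey" is a placeholder for the key injected from the tag.
        Authentication anon = new AnonymousAuthenticationToken(
                "demoKey", "test", AuthorityUtils.createAuthorityList("ROLE_ANONYMOUS"));

        // Constructed sample: a token for a user who really logged in.
        Authentication user = new UsernamePasswordAuthenticationToken(
                "alice", "n/a", AuthorityUtils.createAuthorityList("ROLE_USER"));

        for (Authentication auth : new Authentication[] {anon, user}) {
            // getName() on the anonymous token yields the tag's username value,
            // since that value was passed in as the token's principal.
            System.out.println(auth.getName()
                    + " naive=" + naiveIsLoggedIn(auth)
                    + " hardened=" + isLoggedIn(auth));
        }
    }
}
```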