Spring源代码解析(九)：Spring Acegi框架鉴权的实现

简单分析一下Spring Acegi的源代码实现：
Servlet.Filter的实现AuthenticationProcessingFilter启动Web页面的验证过程 - 在AbstractProcessingFilter定义了整个验证过程的模板：

public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain) throws IOException, ServletException { //这里检验是不是符合ServletRequest/SevletResponse的要求 if (!(request instanceof HttpServletRequest)) { throw new ServletException("Can only process HttpServletRequest"); } if (!(response instanceof HttpServletResponse)) { throw new ServletException("Can only process HttpServletResponse"); } HttpServletRequest httpRequest = (HttpServletRequest) request; HttpServletResponse httpResponse = (HttpServletResponse) response; //根据HttpServletRequest和HttpServletResponse来进行验证 if (requiresAuthentication(httpRequest, httpResponse)) { if (logger.isDebugEnabled()) { logger.debug("Request is to process authentication"); } //这里定义Acegi中的Authentication对象来持有相关的用户验证信息 Authentication authResult; try { onPreAuthentication(httpRequest, httpResponse); //这里的具体验证过程委托给子类完成，比如AuthenticationProcessingFilter来完成基于Web页面的用户验证 authResult = attemptAuthentication(httpRequest); } catch (AuthenticationException failed) { // Authentication failed unsuccessfulAuthentication(httpRequest, httpResponse, failed); return; } // Authentication success if (continueChainBeforeSuccessfulAuthentication) { chain.doFilter(request, response); } //完成验证后的后续工作，比如跳转到相应的页面 successfulAuthentication(httpRequest, httpResponse, authResult); return; } chain.doFilter(request, response); }


在AuthenticationProcessingFilter中的具体验证过程是这样的：

public Authentication attemptAuthentication(HttpServletRequest request) throws AuthenticationException { //这里从HttpServletRequest中得到用户验证的用户名和密码 String username = obtainUsername(request); String password = obtainPassword(request); if (username == null) { username = ""; } if (password == null) { password = ""; } //这里根据得到的用户名和密码去构造一个Authentication对象提供给AuthenticationManager进行验证，里面包含了用户的用户名和密码信息 UsernamePasswordAuthenticationToken authRequest = new UsernamePasswordAuthenticationToken(username, password); // Place the last username attempted into HttpSession for views request.getSession().setAttribute(ACEGI_SECURITY_LAST_USERNAME_KEY, username); // Allow subclasses to set the "details" property setDetails(request, authRequest); //这里启动AuthenticationManager进行验证过程 return this.getAuthenticationManager().authenticate(authRequest); }


在Acegi框架中，进行验证管理的主要类是AuthenticationManager,我们看看它是怎样进行验证管理的 - 验证的调用入口是authenticate在AbstractAuthenticationManager的实现中：
//这是进行验证的函数，返回一个Authentication对象来记录验证的结果，其中包含了用户的验证信息，权限配置等，同时这个Authentication会以后被授权模块使用

//如果验证失败，那么在验证过程中会直接抛出异常 public final Authentication authenticate(Authentication authRequest) throws AuthenticationException { try {//这里是实际的验证处理，我们下面使用ProviderManager来说明具体的验证过程，传入的参数authRequest里面已经包含了从HttpServletRequest中得到的用户输入的用户名和密码 Authentication authResult = doAuthentication(authRequest); copyDetails(authRequest, authResult); return authResult; } catch (AuthenticationException e) { e.setAuthentication(authRequest); throw e; } }


在ProviderManager中进行实际的验证工作，假设这里使用数据库来存取用户信息：

public Authentication doAuthentication(Authentication authentication) throws AuthenticationException { //这里取得配置好的provider链的迭代器，在配置的时候可以配置多个provider,这里我们配置的是DaoAuthenticationProvider来说明, 它使用数据库来保存用户的用户名和密码信息。 Iterator iter = providers.iterator(); Class toTest = authentication.getClass(); AuthenticationException lastException = null; while (iter.hasNext()) { AuthenticationProvider provider = (AuthenticationProvider) iter.next(); if (provider.supports(toTest)) { logger.debug("Authentication attempt using " + provider.getClass().getName()); //这个result包含了验证中得到的结果信息 Authentication result = null; try {//这里是provider进行验证处理的过程 result = provider.authenticate(authentication); sessionController.checkAuthenticationAllowed(result); } catch (AuthenticationException ae) { lastException = ae; result = null; } if (result != null) { sessionController.registerSuccessfulAuthentication(result); publishEvent(new AuthenticationSuccessEvent(result)); return result; } } } if (lastException == null) { lastException = new ProviderNotFoundException(messages.getMessage("ProviderManager.providerNotFound", new Object[] {toTest.getName()}, "No AuthenticationProvider found for {0}")); } // 这里发布事件来通知上下文的监听器 String className = exceptionMappings.getProperty(lastException.getClass().getName()); AbstractAuthenticationEvent event = null; if (className != null) { try { Class clazz = getClass().getClassLoader().loadClass(className); Constructor constructor = clazz.getConstructor(new Class[] { Authentication.class, AuthenticationException.class }); Object obj = constructor.newInstance(new Object[] {authentication, lastException}); Assert.isInstanceOf(AbstractAuthenticationEvent.class, obj, "Must be an AbstractAuthenticationEvent"); event = (AbstractAuthenticationEvent) obj; } catch (ClassNotFoundException ignored) {} catch (NoSuchMethodException ignored) {} catch (IllegalAccessException ignored) {} catch (InstantiationException ignored) {} catch (InvocationTargetException ignored) {} } if (event != null) { publishEvent(event); } else { if (logger.isDebugEnabled()) { logger.debug("No event was found for the exception " + lastException.getClass().getName()); } } // Throw the exception throw lastException; }


我们下面看看在DaoAuthenticationProvider是怎样从数据库中取出对应的验证信息进行用户验证的，在它的基类AbstractUserDetailsAuthenticationProvider定义了验证的处理模板：

public Authentication authenticate(Authentication authentication) throws AuthenticationException { Assert.isInstanceOf(UsernamePasswordAuthenticationToken.class, authentication, messages.getMessage("AbstractUserDetailsAuthenticationProvider.onlySupports", "Only UsernamePasswordAuthenticationToken is supported")); // 这里取得用户输入的用户名 String username = (authentication.getPrincipal() == null) ? "NONE_PROVIDED" : authentication.getName(); // 如果配置了缓存，从缓存中去取以前存入的用户验证信息 - 这里是UserDetail，是服务器端存在数据库里的用户信息，这样就不用每次都去数据库中取了 boolean cacheWasUsed = true; UserDetails user = this.userCache.getUserFromCache(username); //没有取到，设置标志位，下面会把这次取到的服务器端用户信息存入缓存中去 if (user == null) { cacheWasUsed = false; try {//这里是调用UserDetailService去取用户数据库里信息的地方 user = retrieveUser(username, (UsernamePasswordAuthenticationToken) authentication); } catch (UsernameNotFoundException notFound) { if (hideUserNotFoundExceptions) { throw new BadCredentialsException(messages.getMessage( "AbstractUserDetailsAuthenticationProvider.badCredentials", "Bad credentials")); } else { throw notFound; } } Assert.notNull(user, "retrieveUser returned null - a violation of the interface contract"); } if (!user.isAccountNonLocked()) { throw new LockedException(messages.getMessage("AbstractUserDetailsAuthenticationProvider.locked", "User account is locked")); } if (!user.isEnabled()) { throw new DisabledException(messages.getMessage("AbstractUserDetailsAuthenticationProvider.disabled", "User is disabled")); } if (!user.isAccountNonExpired()) { throw new AccountExpiredException(messages.getMessage("AbstractUserDetailsAuthenticationProvider.expired", "User account has expired")); } // This check must come here, as we don't want to tell users // about account status unless they presented the correct credentials try {//这里是验证过程，在retrieveUser中从数据库中得到用户的信息，在additionalAuthenticationChecks中进行对比用户输入和服务器端的用户信息 //如果验证通过，那么构造一个Authentication对象来让以后的授权使用，如果验证不通过，直接抛出异常结束鉴权过程 additionalAuthenticationChecks(user, (UsernamePasswordAuthenticationToken) authentication); } catch (AuthenticationException exception) { if (cacheWasUsed) { // There was a problem, so try again after checking // we're using latest data (ie not from the cache) cacheWasUsed = false; user = retrieveUser(username, (UsernamePasswordAuthenticationToken) authentication); additionalAuthenticationChecks(user, (UsernamePasswordAuthenticationToken) authentication); } else { throw exception; } } if (!user.isCredentialsNonExpired()) { throw new CredentialsExpiredException(messages.getMessage( "AbstractUserDetailsAuthenticationProvider.credentialsExpired", "User credentials have expired")); } //根据前面的缓存结果决定是不是要把当前的用户信息存入缓存以供下次验证使用 if (!cacheWasUsed) { this.userCache.putUserInCache(user); } Object principalToReturn = user; if (forcePrincipalAsString) { principalToReturn = user.getUsername(); } //最后返回Authentication记录了验证结果供以后的授权使用 return createSuccessAuthentication(principalToReturn, authentication, user); } //这是是调用UserDetailService去加载服务器端用户信息的地方，从什么地方加载要看设置，这里我们假设由JdbcDaoImp来从数据中进行加载 protected final UserDetails retrieveUser(String username, UsernamePasswordAuthenticationToken authentication) throws AuthenticationException { UserDetails loadedUser; //这里调用UserDetailService去从数据库中加载用户验证信息，同时返回从数据库中返回的信息，这些信息放到了UserDetails对象中去了 try { loadedUser = this.getUserDetailsService().loadUserByUsername(username); } catch (DataAccessException repositoryProblem) { throw new AuthenticationServiceException(repositoryProblem.getMessage(), repositoryProblem); } if (loadedUser == null) { throw new AuthenticationServiceException( "UserDetailsService returned null, which is an interface contract violation"); } return loadedUser; }


下面我们重点分析一下JdbcDaoImp这个类来看看具体是怎样从数据库中得到用户信息的：

public class JdbcDaoImpl extends JdbcDaoSupport implements UserDetailsService { //~ Static fields/initializers ===================================================================================== //这里是预定义好的对查询语句，对应于默认的数据库表结构，也可以自己定义查询语句对应特定的用户数据库验证表的设计 public static final String DEF_USERS_BY_USERNAME_QUERY = "SELECT username,password,enabled FROM users WHERE username = ?"; public static final String DEF_AUTHORITIES_BY_USERNAME_QUERY = "SELECT username,authority FROM authorities WHERE username = ?"; //~ Instance fields ================================================================================================ //这里使用Spring JDBC来进行数据库操作 protected MappingSqlQuery authoritiesByUsernameMapping; protected MappingSqlQuery usersByUsernameMapping; private String authoritiesByUsernameQuery; private String rolePrefix = ""; private String usersByUsernameQuery; private boolean usernameBasedPrimaryKey = true; //~ Constructors =================================================================================================== //在初始化函数中把查询语句设置为预定义的