javajohn

acegi 源碼學習之用戶登錄篇

一、查看 applicationContext-acegi-security.xml 配置文件，涉及到登錄的配置為：

?1 ．

< bean id = "authenticationProcessingFilter" class = "org.javajohn.test.plugins.security.UserAuthenticationProcessingFilter" >

??????? < property name = "authenticationManager" ref = "authenticationManager" />

??????? < property name = "authenticationFailureUrl" >

??????????? < value > /login.jsp?login_error=1 </ value >

??????? </ property >

??????? < property name = "defaultTargetUrl" >

??????????? < value > /index.jsp </ value >

??????? </ property >

??????? < property name = "filterProcessesUrl" >

??????????? < value > /j_acegi_security_check </ value >

??????? </ property >

??????? < property name = "userManager" ref = "userManager" />

??????? < property name = "rememberMeServices" ref = "rememberMeServices" />

??????? < property name = "exceptionMappings" >

??????????? < value >

??????????????? org.acegisecurity.AuthenticationException=/login.jsp?login_error=user_psw_error

??????????????? org.acegisecurity.concurrent.ConcurrentLoginException=/login.jsp?login_error=too_many_user_error

??????? ???? </ value >

??????? </ property >

</ bean >

?

?

2 ． < bean id = "authenticationManager"

?????? class = "org.acegisecurity.providers.ProviderManager" >

?????? < property name = "providers" >

?????????? < list >

????????????? < ref local = "daoAuthenticationProvider" />

????????????? < bean class = "org.acegisecurity.providers.anonymous.AnonymousAuthenticationProvider" >

????????????????? < property name = "key" value = "javajohnKey" />

????????????? </ bean >

????????????? < bean class = "org.acegisecurity.providers.rememberme.RememberMeAuthenticationProvider" >

????????????????? < property name = "key" value = "javajohnKey" />

????????????? </ bean >

?????????? </ list >

?????? </ property > ??

??? </ bean >

?

3 ．

< bean id = "daoAuthenticationProvider" class = "org.acegisecurity.providers.dao.DaoAuthenticationProvider" >

?????? < property name = "userDetailsService" ref = "jdbcDaoImpl" />

?????? < property name = "userCache" >

?????????? < bean class = "org.acegisecurity.providers.dao.cache.EhCacheBasedUserCache" >

????????????? < property name = "cache" >

????????????????? < bean class = "org.springframework.cache.ehcache.EhCacheFactoryBean" >

???????????????????? < property name = "cacheManager" >

???????????????????????? < bean class = "org.springframework.cache.ehcache.EhCacheManagerFactoryBean" />

???????????????????? </ property >

???????????????????? < property name = "cacheName" value = "userCache" />

????????????????? </ bean >

????????????? </ property >

?????????? </ bean >

?????? </ property >

?????? < property name = "passwordEncoder" ref = "passwordEncoder" />

??? </ bean >

?

?

4 ． < bean id = "jdbcDaoImpl"

????????? class = "org.acegisecurity.userdetails.jdbc.JdbcDaoImpl" >

??????? < property name = "dataSource" ref = "dataSource" />

??????? < property name = "usersByUsernameQuery" >

??????????? < value >

??????????????? select loginid,passwd,1 from users where status='1' and loginid = ?

??????????? </ value >

??????? </ property >

??????? < property name = "authoritiesByUsernameQuery" >

??????????? < value >

??????????????? select u.loginid,p.name from

??????????????? users u,roles r,permissions p,user_role ur,role_permis rp

??????????????? where

??????????????? u.id=ur.user_id and

??????????????? r.id=ur.role_id and

??????????????? p.id=rp.permis_id and

??????????????? r.id=rp.role_id and

??????????????? p.status='1' and u.loginid=?

??????????? </ value >

??????? </ property >

</ bean >

?

?

二、程序流程：

1 ．登錄的時候執(zhí)行的過濾為 authenticationProcessingFilter ，查看其實現(xiàn)為 org.bookStore.test.plugins.security.UserAuthenticationProcessingFilter ，該類繼承自 org.acegisecurity.ui.webapp.AuthenticationProcessingFilter ，又繼承自 org.acegisecurity.ui.AbstractProcessingFilter ，這時候看到了 doFilter() 該方法取了 web 層傳過來的 request 和 response ，然后對登錄路徑執(zhí)行了判斷等操作，接下來執(zhí)行至 authResult = attemptAuthentication(httpRequest);

2 ．從類繼承關(guān)系上找到該方法的實現(xiàn)來自 AuthenticationProcessingFilter ，執(zhí)行的邏輯為先取出 web 層傳過來的用戶名和密碼接著將得到的信息包裝為 UsernamePasswordAuthenticationToken ：

public UsernamePasswordAuthenticationToken(Object principal, Object credentials) {

??? super ( null );

??? this . principal = principal;????

??? this . credentials = credentials;

??? setAuthenticated( false );

}

3 ．接下來執(zhí)行了 setDetails(request, authRequest); 將 request 實例賦給 authRequest 的屬性。

4 ．調(diào)用 authenticationManager 的 authenticate(authRequest) 方法。

5 ．程序轉(zhuǎn)至 authenticationManager 內(nèi)執(zhí)行。該類繼承自 org.acegisecurity. AbstractAuthenticationManager ，執(zhí)行方法 authenticate(authRequest) ：

public final Authentication authenticate(Authentication authRequest)

??? throws AuthenticationException {

??? try {

??????? Authentication authResult = doAuthentication(authRequest);

??????? copyDetails(authRequest, authResult);

?

??????? return authResult;

??? } catch (AuthenticationException e) {

??????? e.setAuthentication(authRequest);

??????? throw e;

??? }

}

doAuthentication(authRequest) 來自 ProviderManager 該方法執(zhí)行了其 providers 中的方法 authenticate(Authentication authentication)

6 ．此方法中調(diào)用了 retrieveUser(username, (UsernamePasswordAuthenticationToken) authentication) 該方法內(nèi)按 web 層用戶輸入的用戶名和密碼從數(shù)據(jù)庫內(nèi)比較是否有該用戶，如果有則將其 user 表內(nèi)對應(yīng)的信息包裝為 UserDetail( 接口 , 實際為 User 的實例 ) 的 List 對象，并將該用戶相應(yīng)的權(quán)限包裝為 GrantedAuthorityImpl 對象的 List 集合對象。至此程序返回至（ 3. ）繼續(xù)執(zhí)行

7 ．繼續(xù)執(zhí)行 org.acegisecurity.ui.AbstractProcessingFilter 的 successfulAuthentication(

HttpServletRequest request,

HttpServletResponse response,

Authentication authResult){

??? ......

SecurityContextHolder.getContext().setAuthentication(authResult);// 將包裝好的 UsernamePasswordAuthenticationToken 對象保存至系統(tǒng)上下文

......

}

8 ．登錄執(zhí)行完畢。