学步园

1.在Acegi中是由认证管理器确定用户身份。一个认证管理器由借口AuthenticationManager实现。

public interface AuthenticationManager {<br /> // ~Methods ================================================================== </p> <p> /** * /**<br /> * 尝试验证用户身份，如果验证成功，将返回一个含授权的完整的Authentication对象。<br /> * 一个AuthenticationManager必须按照下面的规则处理异常：<br /> * 如果账号是不被允许的必须抛出DisabledException，AuthenticationManager能检测到这个状态。<br /> * 如果账号已经被锁定必须抛出LockedException，AuthenticationManager能够检测被锁定的账号。<br /> * 如果取到的是非法的信任状(credential?)必须抛出BadCredentialsException。同时上述的2种异常也是可选<br /> * 的，AuthenticationManager必须总是检测信任状(credential)。<br /> * 异常必须被检测，如果有上述的异常出现须抛出异常。<br /> * 如果一个账号是不被允许的或是被锁定的，认证请求会立即被拒绝，信任状的检测不会发生。<br /> * 这防止了对不被允许账号和被锁定的账号的信任状检测。<br /> *<br /> * @param authentication the authentication request object<br /> *<br /> * @return a fully authenticated object including credentials<br /> *<br /> * @throws AuthenticationException if authentication fails<br /> */<br /> public Authentication authenticate(Authentication authentication)<br /> throws AuthenticationException;<br /> }

2.Authentication 继承了java.security.Principal，Principal实现了简单的主体(Principal)定义。

public interface Authentication extends Principal, Serializable {<br /> // ~Methods ================================================================== </p> <p> /** */ /**<br /> * 通过AuthenticationManager设置Principal的授权信息。<br /> * 注意：当Class状态为valid时，除非Value已经被可信任的AuthenticationManager设置t过，否则对Class<br /> * 不起作用。(此句存疑 Note that classes should not rely on this value as being valid unless it has<br /> * been set by AuthenticationManager)<br /> * Authentication的实现类需要确保修改返回的数足不会影响Authentication Object的状态。(比如返回一个<br /> * 数组的copy)。<br /> *<br /> * @return the authorities granted to the principal, or null if authentication has not been completed<br /> */<br /> public GrantedAuthority[] getAuthorities();</p> <p> /** */ /**<br /> * 信任状证明Principal的身份是合法的。它经常是密码，但是也可以是任何与AuthenticationManager<br /> * 相关的东西。<br /> *<br /> * @return the credentials that prove the identity of the Principal<br /> */<br /> public Object getCredentials();</p> <p> /** */ /**<br /> * 储存认证请求的额外信息。有可能是IP地址，证件号码等。<br /> *<br /> * @return additional details about the authentication request, or null if not used<br /> */<br /> public Object getDetails();</p> <p> /** */ /**<br /> * 返回一个已经通过验证的Principal(这通常是一个用户名)。<br /> *<br /> * @return the Principal being authenticated<br /> */<br /> public Object getPrincipal();</p> <p> /** */ /**<br /> * AbstractSecurityInterceptor将认证令牌交给AuthenticationManager。如果认证成功AuthenticaionManager<br /> * 会返回一个不变的认证令牌(返回true)。<br /> * 返回"true"会改善性能，因为不再是每一个请求都需要调用AuthenticationManager。<br /> * 由于安全上的考虑，实现这个接口返回true的时候需要十分的小心。除非他们不再变化或者有什么途径<br /> * 确保属性在最初的初始化后不再变化。<br /> *<br /> * @return true if the token has been authenticated and the AbstractSecurityInterceptor<br /> * does not need to represent the token for re-authentication to the AuthenticationManager<br /> */<br /> public boolean isAuthenticated();</p> <p> /** */ /**<br /> * 详情参阅isAuthenticate()方法<br /> * 参数为true的情况下，如果某个实现希望拒绝一个调用，那么将抛出一个IllegalArgumentException异常。<br /> *<br /> * @param isAuthenticated true if the token should be trusted (which may result in an exception) or<br /> * false if the token should not be trusted<br /> *<br /> * @throws IllegalArgumentException if an attempt to make the authentication token trusted (by<br /> * passing true as the argument) is rejected due to the implementation being immutable or<br /> * implementing its own alternative approach to isAuthenticated()}<br /> */<br /> public void setAuthenticated( boolean isAuthenticated)<br /> throws IllegalArgumentException;<br /> }<br />

3.Acegi提供了一个能适应大多数情况的ProviderManager，实现了AuthenticationManager, ProviderManager继承抽象类AbstractAuthenticationManager：

public abstract class AbstractAuthenticationManager implements AuthenticationManager {<br /> // ~Methods ================================================================== </p> <p> /** */ /**<br /> * 实现通过调用抽象方法doAuthentication()进行工作。<br /> * 如果doAuthentication()方法抛出AuthenticationException异常，验证失败。<br /> *<br /> * @param authRequest the authentication request object<br /> *<br /> * @return a fully authenticated object including credentials<br /> *<br /> * @throws AuthenticationException if authentication fails<br /> */<br /> public final Authentication authenticate(Authentication authRequest)<br /> throws AuthenticationException {<br /> try {<br /> Authentication authResult = doAuthentication(authRequest);<br /> copyDetails(authRequest, authResult);</p> <p> return authResult;<br /> } catch (AuthenticationException e) {<br /> e.setAuthentication(authRequest);<br /> throw e;<br /> }<br /> } </p> <p> /** */ /**<br /> * 在目标Authentication的detail没有被设置的情况下从源Authentication复制detail信息。<br /> *<br /> * @param source source authentication<br /> * @param dest the destination authentication object<br /> */<br /> private void copyDetails(Authentication source, Authentication dest) {<br /> if ((dest instanceof AbstractAuthenticationToken) && (dest.getDetails() == null )) {<br /> AbstractAuthenticationToken token = (AbstractAuthenticationToken) dest;</p> <p> token.setDetails(source.getDetails());<br /> }<br /> } </p> <p> /** */ /**<br /> * 具体的实现通过覆写此方法提供认证服务，此方法的约束详见AuthenticationManager的authenticate()方法<br /> *<br /> * @param authentication the authentication request object<br /> *<br /> * @return a fully authenticated object including credentials<br /> *<br /> * @throws AuthenticationException if authentication fails<br /> */<br /> protected abstract Authentication doAuthentication(Authentication authentication)<br /> throws AuthenticationException;<br /> }<br />

/**<br /> * 认证请求重复的通过一组AuthenticationProviders容器进行认证。<br /> * 可以通过配置ConcurrentSessionController来限制单个用户的session数目。<br /> * AuthenticationProvider试图得到一个非空的响应。非空的响应表明Provider已经对认证请求作出决议<br /> * 而不需要尝试其他的Provider。<br /> * 如果provider抛出一个AuthenticationException，这个异常将会被保留直到后续的providers都被尝试为止。<br /> * 如果认真请求在后续的Providers中被认证成功，早先的认证异常会被忽略而成功的认证信息将被使用。<br /> * 如果后续的Providers没有作出一个非空的响应或一个新的AuthenticationException，那么最后接收到的<br /> * AuthenticationException将会被使用。<br /> * 如果没有一个Provider返回一个非空的响应或是表明能运行一个Authentication，那么ProviderManager将会<br /> * 抛出一个ProviderNotFoundException异常。<br /> * 如果一个有效的Authentication被AuthenticationProvider返回，ProviderManager将会发布一个org<br /> * .acegisecurity.event.authentication.AuthenticationSuccessEvent。<br /> * 如果发现AuthenticationException，最后的AuthenticationException会发布一个适当的失败事件。<br /> * 默认的ProviderManager将异常和事件对应起来，我们可以通过定一个新的exceptionMappings Properties<br /> * 来调整对应关系。<br /> * 在properties中，key表现的是异常的类名的完整路径，value表现的是AbstractAuthenticationFailureEvent的<br /> * 子类，提供子类的构造。<br /> *<br /> * @see ConcurrentSessionController<br /> */<br /> public class ProviderManager extends AbstractAuthenticationManager implements InitializingBean,<br /> ApplicationEventPublisherAware, MessageSourceAware {<br /> // ~ Static fields/initializers ======================================================= </p> <p> private static final Log logger = LogFactory.getLog(ProviderManager. class );</p> <p> // ~ Instance fields ============================================================= </p> <p> private ApplicationEventPublisher applicationEventPublisher;<br /> private ConcurrentSessionController sessionController = new NullConcurrentSessionController();<br /> private List providers;<br /> protected MessageSourceAccessor messages = AcegiMessageSource.getAccessor();<br /> private Properties exceptionMappings;</p> <p> // ~ Methods ================================================================== </p> <p> public void afterPropertiesSet() throws Exception {<br /> checkIfValidList( this .providers);<br /> Assert.notNull( this .messages, " A message source must be set " );</p> <p> if (exceptionMappings == null ) {<br /> exceptionMappings = new Properties();<br /> exceptionMappings.put(AccountExpiredException. class .getName(),<br /> AuthenticationFailureExpiredEvent. class .getName());<br /> exceptionMappings.put(AuthenticationServiceException. class .getName(),<br /> AuthenticationFailureServiceExceptionEvent. class .getName());<br /> exceptionMappings.put(LockedException. class .getName(), AuthenticationFailureLockedEvent. class .getName());<br /> exceptionMappings.put(CredentialsExpiredException. class .getName(),<br /> AuthenticationFailureCredentialsExpiredEvent. class .getName());<br /> exceptionMappings.put(DisabledException. class .getName(), AuthenticationFailureDisabledEvent. class .getName());<br /> exceptionMappings.put(BadCredentialsException. class .getName(),<br /> AuthenticationFailureBadCredentialsEvent. class .getName());<br /> exceptionMappings.put(UsernameNotFoundException. class .getName(),<br /> AuthenticationFailureBadCredentialsEvent. class .getName());<br /> exceptionMappings.put(ConcurrentLoginException. class .getName(),<br /> AuthenticationFailureConcurrentLoginEvent. class .getName());<br /> exceptionMappings.put(ProviderNotFoundException. class .getName(),<br /> AuthenticationFailureProviderNotFoundEvent. class .getName());<br /> exceptionMappings.put(ProxyUntrustedException. class .getName(),<br /> AuthenticationFailureProxyUntrustedEvent. class .getName());<br /> doAddExtraDefaultExceptionMappings(exceptionMappings);<br /> }<br /> } </p> <p> private void checkIfValidList(List listToCheck) {<br /> if ((listToCheck == null ) || (listToCheck.size() == 0 )) {<br /> throw new IllegalArgumentException( " A list of AuthenticationManagers is required " );<br /> }<br /> } </p> <p> /** */ /**<br /> * 如果在启动期间没有exception被IoC容器注入，这个方法提供额外的异常对应。<br /> *<br /> * @param exceptionMappings the properties object, which already has entries in it<br /> */<br /> protected void doAddExtraDefaultExceptionMappings(Properties exceptionMappings) {} </p> <p> /** */ /**<br /> * 尝试认证通过Authentication对象。<br /> * AuthenticationProviders组将会接连尝试认证对象，直到其中的一个通过这个Authentication对象。<br /> * 如果多个AuthenticationProvider通过了Authentication对象，那么只有第一个AuthenticationProvider<br /> * 产生结果，后续的AuthenticationProvider将不会被尝试。<br /> *<br /> * @param authentication the authentication request object.<br /> *<br /> * @return a fully authenticated object including credentials.<br /> *<br /> * @throws AuthenticationException if authentication fails.<br /> */<br /> public Authentication doAuthentication(Authentication authentication)<br /> throws AuthenticationException {<br /> Iterator iter = providers.iterator();</p> <p> Class toTest = authentication.getClass();</p> <p> AuthenticationException lastException = null ;</p> <p> while (iter.hasNext()) {<br /> AuthenticationProvider provider = (AuthenticationProvider) iter.next();</p> <p> if (provider.supports(toTest)) {<br /> logger.debug( " Authentication attempt using " + provider.getClass().getName());</p> <p> Authentication result = null ;</p> <p> try {<br /> result = provider.authenticate(authentication);<br /> sessionController.checkAuthenticationAllowed(result);<br /> } catch (AuthenticationException ae) {<br /> lastException = ae;<br /> result = null ;<br /> } </p> <p> if (result != null ) {<br /> sessionController.registerSuccessfulAuthentication(result);<br /> applicationEventPublisher.publishEvent( new AuthenticationSuccessEvent(result));</p> <p> return result;<br /> }<br /> }<br /> } </p> <p> if (lastException == null ) {<br /> lastException = new ProviderNotFoundException(messages.getMessage( " ProviderManager.providerNotFound " ,<br /> new Object[] {toTest.getName()} , " No AuthenticationProvider found for {0} " ));<br /> } </p> <p> // Publish the event<br /> String className = exceptionMappings.getProperty(lastException.getClass().getName());<br /> AbstractAuthenticationEvent event = null ;</p> <p> if (className != null ) {<br /> try {<br /> Class clazz = getClass().getClassLoader().loadClass(className);<br /> Constructor constructor = clazz.getConstructor( new Class[] {<br /> Authentication. class , AuthenticationException. class<br /> } );<br /> Object obj = constructor.newInstance( new Object[] {authentication, lastException} );<br /> Assert.isInstanceOf(AbstractAuthenticationEvent. class , obj, " Must be an AbstractAuthenticationEvent " );<br /> event = (AbstractAuthenticationEvent) obj;<br /> } catch (ClassNotFoundException ignored) {}<br /> catch (NoSuchMethodException ignored) {}<br /> catch (IllegalAccessException ignored) {}<br /> catch (InstantiationException ignored) {}<br /> catch (InvocationTargetException ignored) {}<br /> } </p> <p> if (event != null ) {<br /> applicationEventPublisher.publishEvent(event);<br /> } else {<br /> if (logger.isDebugEnabled()) {<br /> logger.debug( " No event was found for the exception " + lastException.getClass().getName());<br /> }<br /> } </p> <p> // Throw the exception<br /> throw lastException;<br /> } </p> <p> public List getProviders() {<br /> return this .providers;<br /> } </p> <p> /** */ /**<br /> * 返回设定的ConcurrentSessionController对象，如果对象没有被设置则返回一个<br /> * NullConcurrentSessionController(默认初始化的对象)<br /> *<br /> * @return ConcurrentSessionController instance<br /> */<br /> public ConcurrentSessionController getSessionController() {<br /> return sessionController;<br /> } </p> <p> public void setApplicationEventPublisher(ApplicationEventPublisher applicationEventPublisher) {<br /> this .applicationEventPublisher = applicationEventPublisher;<br /> } </p> <p> public void setMessageSource(MessageSource messageSource) {<br /> this .messages = new MessageSourceAccessor(messageSource);<br /> } </p> <p> /** */ /**<br /> * 设置AuthenticationProvider对象<br /> *<br /> * @param newList<br /> *<br /> * @throws IllegalArgumentException DOCUMENT ME!<br /> */<br /> public void setProviders(List newList) {<br /> checkIfValidList(newList);</p> <p> Iterator iter = newList.iterator();</p> <p> while (iter.hasNext()) {<br /> Object currentObject = null ;</p> <p> try {<br /> currentObject = iter.next();</p> <p> AuthenticationProvider attemptToCast = (AuthenticationProvider) currentObject;<br /> } catch (ClassCastException cce) {<br /> throw new IllegalArgumentException( " AuthenticationProvider " + currentObject.getClass().getName()<br /> + " must implement AuthenticationProvider " );<br /> }<br /> } </p> <p> this .providers = newList;<br /> } </p> <p> /** */ /**<br /> * 设置ConcurrentSessionController来限制用户的session数量。<br /> * 默认设置为NullConcurrentSessionController<br /> *<br /> * @param sessionController ConcurrentSessionController<br /> */<br /> public void setSessionController(ConcurrentSessionController sessionController) {<br /> this .sessionController = sessionController;<br /> }<br /> } </p> <p>

4.AuthenticationManager不依靠自己实现身份验证，而是通过Iterator逐个遍历AuthenticationProvider的子类集合(如果使用Spring的话子类类型由配置文件注入)，直到某个Provider成功验证Authentication。

Acegi提供的Provider实现包括：
　　AuthByAdapterProvider、CasAuthenticationProvider、DaoAuthenticationProvider、JaasAuthenticationProvider、PasswordDaoAuthenticationProvider、RemoteAuthenticationProvider、RunAsImplAuthenticationProvider、TestingAuthenticationProvider。
　　下面只分析DaoAuthenticationProvider的相关类，按照AuthenticationProvider-->AbstractUserDetailsAuthenticationProvider-->DaoAuthenticationProvider的顺序展开。
 /**<br /> * 这个类处理一个Authenticaon类的具体实现<br /> */<br /> public interface AuthenticationProvider {<br /> // ~ Methods ================================================================== </p> <p> /** */ /**<br /> * 和AuthenticationManager的同名方法实现同样的功能，详见AuthenticationManager<br /> *<br /> * @param authentication the authentication request object.<br /> *<br /> * @return a fully authenticated object including credentials. May return null if the<br /> * AuthenticationProvider is unable to support authentication of the passed<br /> * Authentication object. In such a case, the next AuthenticationProvider that<br /> * supports the presented Authentication class will be tried.<br /> *<br /> * @throws AuthenticationException if authentication fails.<br /> */<br /> public Authentication authenticate(Authentication authentication)<br /> throws AuthenticationException;</p> <p> /** */ /**<br /> * 如果这个AuthenticationProvider支持通过Authentication对象，则返回True。<br /> * 返回True并不意味着AuthenticationProvider能认证当前的Authenctication。<br /> * 他只是简单的声明支持通过认证。AuthenticationProvider仍旧能够通过authenticate()方法返回null，<br /> * 使其它的Provider能够尝试认证这个Authentication。(存疑)<br /> * 选择哪一个AuthenticatonProvider履行鉴定是由ProviderManager在运行时管理的。<br /> *<br /> * @param authentication DOCUMENT ME!<br /> *<br /> * @return true if the implementation can more closely evaluate the Authentication class<br /> * presented<br /> */<br /> public boolean supports(Class authentication);<br /> }<br />

/**<br /> * Authentication的基类，允许子类覆写他的方法以及使用UserDetails对象<br /> * 这个类被设计用来对UsernamePasswordAuthenticationToken的认证请求作出相应。<br /> * 在成功验证的基础上，UsernamePasswordAuthenticationToken会被构造同时返回给调用者。<br /> * 令牌可以是用户名的String形式也可以是由认证库中取得的UserDetails对象。<br /> * 如果适配器容器正在被使用，而又期望得到用户名的情况下，使用String类型是适当的。<br /> * 如果需要访问额外的用户信息，例如电子邮件地址、用户导向的名字等等，那么使用UserDetail是恰<br /> * 当的。UserDetail提供了更灵活的访问，所以通常情况下我们返回一个UserDetail而并不推荐使用适配<br /> * 器容器。如果想要覆写默认的方式，将setForcePrincipalAsString置true即可。<br /> * UserDetails通过缓存放置在UserCache中。这确保了如果后续的请求在用户名相同的情况下可以不通过<br /> * UserDetailsService查询。需要指出的是：如果用户无意间输入了错误的密码，UserDetailService去查询<br /> * 出用户最后一次输入的密码并与之比较。<br /> */<br /> public abstract class AbstractUserDetailsAuthenticationProvider implements AuthenticationProvider, InitializingBean,<br /> MessageSourceAware {<br /> // ~ Instance fields =============================================================</p> <p> protected MessageSourceAccessor messages = AcegiMessageSource.getAccessor();<br /> private UserCache userCache = new NullUserCache();<br /> private boolean forcePrincipalAsString = false ;<br /> protected boolean hideUserNotFoundExceptions = true ;</p> <p> // ~ Methods ================================================================== </p> <p> /** */ /**<br /> * 允许子类对认证请求返回或缓存的UserDetails提供额外的校验。<br /> * 通常情况下子类至少会对Authentication的getCredentials()方法和UserDetails的getPassword()方法进行<br /> * 比照。<br /> * 如果定制的逻辑需要比照额外的UserDetail属性或者UsernamePasswordAuthenticationToken，也应该在<br /> * 这个方法中定制。<br /> *<br /> * @param userDetails as retrieved from the #retrieveUser(String,<br /> * UsernamePasswordAuthenticationToken)} or UserCache<br /> * @param authentication the current request that needs to be authenticated<br /> *<br /> * @throws AuthenticationException AuthenticationException if the credentials could not be validated<br /> * (generally a BadCredentialsException an AuthenticationServiceException)<br /> */<br /> protected abstract void additionalAuthenticationChecks(UserDetails userDetails,<br /> UsernamePasswordAuthenticationToken authentication)<br /> throws AuthenticationException;</p> <p> public final void afterPropertiesSet() throws Exception {<br /> Assert.notNull( this .userCache, " A user cache must be set " );<br /> Assert.notNull( this .messages, " A message source must be set " );<br /> doAfterPropertiesSet();<br /> } </p> <p> public Authentication authenticate(Authentication authentication)<br /> throws AuthenticationException {<br /> Assert.isInstanceOf(UsernamePasswordAuthenticationToken. class , authentication,<br /> messages.getMessage( " AbstractUserDetailsAuthenticationProvider.onlySupports " ,<br /> " Only UsernamePasswordAuthenticationToken is supported " ));</p> <p> // Determine username<br /> String username = (authentication.getPrincipal() == null ) ? " NONE_PROVIDED " : authentication.getName();</p> <p> boolean cacheWasUsed = true ;<br /> UserDetails user = this .userCache.getUserFromCache(username);</p> <p> if (user == null ) {<br /> cacheWasUsed = false ;</p> <p> try {<br /> user = retrieveUser(username, (UsernamePasswordAuthenticationToken) authentication);<br /> } catch (UsernameNotFoundException notFound) {<br /> if (hideUserNotFoundExceptions) {<br /> throw new BadCredentialsException(messages.getMessage(<br /> " AbstractUserDetailsAuthenticationProvider.badCredentials " , " Bad credentials " ));<br /> } else {<br /> throw notFound;<br /> }<br /> } </p> <p> Assert.notNull(user, " retrieveUser returned null - a violation of the interface contract " );<br /> } </p> <p> if ( ! user.isAccountNonLocked()) {<br /> throw new LockedException(messages.getMessage( " AbstractUserDetailsAuthenticationProvider.locked " ,<br /> " User account is locked " ));<br /> } </p> <p> if ( ! user.isEnabled()) {<br /> throw new DisabledException(messages.getMessage( " AbstractUserDetailsAuthenticationProvider.disabled " ,<br /> " User is disabled " ));<br /> } </p> <p> if ( ! user.isAccountNonExpired()) {<br /> throw new AccountExpiredException(messages.getMessage( " AbstractUserDetailsAuthenticationProvider.expired " ,<br /> " User account has expired " ));<br /> } </p> <p> // This check must come here, as we don't want to tell users<br /> // about account status unless they presented the correct credentials<br /> try {<br /> additionalAuthenticationChecks(user, (UsernamePasswordAuthenticationToken) authentication);<br /> } catch (AuthenticationException exception) {<br /> // There was a problem, so try again after checking we're using latest data<br /> cacheWasUsed = false ;<br /> user = retrieveUser(username, (UsernamePasswordAuthenticationToken) authentication);<br /> additionalAuthenticationChecks(user, (UsernamePasswordAuthenticationToken) authentication);<br /> } </p> <p> if ( ! user.isCredentialsNonExpired()) {<br /> throw new CredentialsExpiredException(messages.getMessage(<br /> " AbstractUserDetailsAuthenticationProvider.credentialsExpired " , " User credentials have expired " ));<br /> } </p> <p> if ( ! cacheWasUsed) {<br /> this .userCache.putUserInCache(user);<br /> } </p> <p> Object principalToReturn = user;</p> <p> if (forcePrincipalAsString) {<br /> principalToReturn = user.getUsername();<br /> } </p> <p> return createSuccessAuthentication(principalToReturn, authentication, user);<br /> } </p> <p> /** */ /**<br /> * 构建一个成功的Authentication对象。使用的保护类型所以子类可以覆写本方法。<br /> * 子类往往会将用户提供的原始信任状(未经修改以及密码未被解密)储存在返回的Authentication<br /> * 对象中。<br /> *<br /> * @param principal that should be the principal in the returned object (defined by the<br /> * #isForcePrincipalAsString() method)<br /> * @param authentication that was presented to the provider for validation<br /> * @param user that was loaded by the implementation<br /> *<br /> * @return the successful authentication token<br /> */<br /> protected Authentication createSuccessAuthentication(Object principal, Authentication authentication,<br /> UserDetails user) {<br /> // Ensure we return the original credentials the user supplied,<br /> // so subsequent attempts are successful even with encoded passwords.<br /> // Also ensure we return the original getDetails(), so that future<br /> // authentication events after cache expiry contain the details<br /> UsernamePasswordAuthenticationToken result = new UsernamePasswordAuthenticationToken(principal,<br /> authentication.getCredentials(), user.getAuthorities());<br /> result.setDetails(authentication.getDetails());</p> <p> return result;<br /> } </p> <p> protected void doAfterPropertiesSet() throws Exception {} </p> <p> public UserCache getUserCache() {<br /> return userCache;<br /> } </p> <p> public boolean isForcePrincipalAsString() {<br /> return forcePrincipalAsString;<br /> } </p> <p> public boolean isHideUserNotFoundExceptions() {<br /> return hideUserNotFoundExceptions;<br /> } </p> <p> /** */ /**<br /> * 允许子类由定义的实现位置获取UserDetails，如果呈上的信任状是非法的可以有选择的抛出<br /> * AuthenticationExcepton异常(在有必要将用户与资源绑定来获取或产生UserDetail的情况下，这种处理<br /> * 方式是十分有效的)。<br /> * 子类没有必要去实现任何的缓存，因为AbstractUserDetailsAuthenticationProvider在默认的情况下<br /> * 将会缓存UserDetails。<br /> * UserDetails的缓存是十分复杂的，这意味着后续的认证请求即使是从缓存中得到回复也仍旧要进行<br /> * 信任状的校验，即使信任状的校验被基类在这个方法中用binding-based策略实现。<br /> * 因此在子类禁用缓存(如果想要保证这个方法是唯一能够进行认证的方法，没有UserDetails将会<br /> * 被缓存)或是确认子类实现additionalAuthenticationChecks()方法来进行被缓存的UserDetails<br /> * 对象的信任状和后续的认证请求的比照的情况下它是十分重要的。<br /> * 在大多数情况下子类不必要在这个方法中实现信任状的校验，取而代之的是在<br /> * additionalAuthenticationChecks()方法中实现。这样代码不用在2个方法中都实现信任状的校验。<br /> *<br /> * @param username The username to retrieve<br /> * @param authentication The authentication request, which subclasses may need to perform a binding-based<br /> * retrieval of the UserDetails<br /> *<br /> * @return the user information (never null - instead an exception should the thrown)<br /> *<br /> * @throws AuthenticationException if the credentials could not be validated (generally a<br /> * BadCredentialsExceptionan ,an AuthenticationServiceException or<br /> * UsernameNotFoundException)<br /> */<br /> protected abstract UserDetails retrieveUser(String username, UsernamePasswordAuthenticationToken authentication)<br /> throws AuthenticationException;</p> <p> public void setForcePrincipalAsString( boolean forcePrincipalAsString) {<br /> this .forcePrincipalAsString = forcePrincipalAsString;<br /> } </p> <p> /** */ /**<br /> * 在通常情况，如果用户名没有找到或是密码错误AbstractUserDetailsAuthenticationProvider将会<br /> * 抛出一个BadCredentialsException异常。设置这个属性为false的话，程序将会抛出<br /> * UsernameNotFoundException来取代BadCredentialsException异常。<br /> * 需要注意的是：我们认为这不如抛出BadCredentialsException来的可靠。<br /> *<br /> * @param hideUserNotFoundExceptions set to false if you wish UsernameNotFoundExceptions<br /> * to be thrown instead of the non-specific BadCredentialsException (defaults to<br /> * true)<br /> */<br /> public void setHideUserNotFoundExceptions( boolean hideUserNotFoundExceptions) {<br /> this .hideUserNotFoundExceptions = hideUserNotFoundExceptions;<br /> } </p> <p> public void setMessageSource(MessageSource messageSource) {<br /> this .messages = new MessageSourceAccessor(messageSource);<br /> } </p> <p> public void setUserCache(UserCache userCache) {<br /> this .userCache = userCache;<br /> } </p> <p> public boolean supports(Class authentication) {<br /> return (UsernamePasswordAuthenticationToken. class .isAssignableFrom(authentication));<br /> }<br /> }<br />

/**<br /> * AuthenticationProvider的具体实现，由UserDetailsService获取用户的详细信息。<br /> *<br /> */<br /> public class DaoAuthenticationProvider extends AbstractUserDetailsAuthenticationProvider {<br /> // ~ Instance fields ============================================================= </p> <p> private PasswordEncoder passwordEncoder = new PlaintextPasswordEncoder();<br /> private SaltSource saltSource;<br /> private UserDetailsService userDetailsService;</p> <p> // ~ Methods ================================================================== </p> <p> protected void additionalAuthenticationChecks(UserDetails userDetails,<br /> UsernamePasswordAuthenticationToken authentication)<br /> throws AuthenticationException {<br /> Object salt = null ;</p> <p> if ( this .saltSource != null ) {<br /> salt = this .saltSource.getSalt(userDetails);<br /> } </p> <p> if ( ! passwordEncoder.isPasswordValid(userDetails.getPassword(), authentication.getCredentials().toString(), salt)) {<br /> throw new BadCredentialsException(messages.getMessage(<br /> " AbstractUserDetailsAuthenticationProvider.badCredentials " , " Bad credentials " ), userDetails);<br /> }<br /> } </p> <p> protected void doAfterPropertiesSet() throws Exception {<br /> Assert.notNull( this .userDetailsService, " An Authentication DAO must be set " );<br /> } </p> <p> public PasswordEncoder getPasswordEncoder() {<br /> return passwordEncoder;<br /> } </p> <p> public SaltSource getSaltSource() {<br /> return saltSource;<br /> } </p> <p> public UserDetailsService getUserDetailsService() {<br /> return userDetailsService;<br /> } </p> <p> protected final UserDetails retrieveUser(String username, UsernamePasswordAuthenticationToken authentication)<br /> throws AuthenticationException {<br /> UserDetails loadedUser;</p> <p> try {<br /> loadedUser = this .getUserDetailsService().loadUserByUsername(username);<br /> } catch (DataAccessException repositoryProblem) {<br /> throw new AuthenticationServiceException(repositoryProblem.getMessage(), repositoryProblem);<br /> } </p> <p> if (loadedUser == null ) {<br /> throw new AuthenticationServiceException(<br /> " AuthenticationDao returned null, which is an interface contract violation " );<br /> } </p> <p> return loadedUser;<br /> } </p> <p> /** */ /**<br /> * 设置密码解密实例来进行密码的解密校验。如果没有设置，将会使用PlaintextPosswordEncoder<br /> * 作为默认设置。<br /> *<br /> * @param passwordEncoder The passwordEncoder to use<br /> */<br /> public void setPasswordEncoder(PasswordEncoder passwordEncoder) {<br /> this .passwordEncoder = passwordEncoder;<br /> } </p> <p> /** */ /**<br /> * (source of salts翻译不来)此方法解迷密码的时候使用。<br /> * null是一个合法得值，这表明DaoAuthenticationProvider会把null返回给PasswordEncoder。<br /> *<br /> * @param saltSource to use when attempting to decode passwords via the PasswordEncoder<br /> */<br /> public void setSaltSource(SaltSource saltSource) {<br /> this .saltSource = saltSource;<br /> } </p> <p> public void setUserDetailsService(UserDetailsService authenticationDao) {<br /> this .userDetailsService = authenticationDao;<br /> }<br /> }<br />