Original source: http://stackoverflow.com/questions/9787409/
Warning: these are provided under the CC BY-SA 4.0 license. You are free to use/share it, but you must attribute it to the original authors (not me):
StackOverFlow
What is the default AuthenticationManager in Spring-Security? How does it authenticate?
Asked by rapt
I have the following bean defined:
    <sec:authentication-manager alias="authenticationManager">
        <sec:authentication-provider
            user-service-ref="userDetailsService" />
    </sec:authentication-manager>
I guess here Spring uses some default implementation of AuthenticationManager.
In my Java code I have:
    @Resource(name = "authenticationManager")
    private AuthenticationManager authenticationManager; // specific for Spring Security

    public boolean login(String username, String password) {
        try {
            Authentication authenticate = authenticationManager.authenticate(
                    new UsernamePasswordAuthenticationToken(username, password));
            if (authenticate.isAuthenticated()) {
                SecurityContextHolder.getContext().setAuthentication(authenticate);
                return true;
            }
        } catch (AuthenticationException e) {
            // authentication failed; fall through and return false
        }
        return false;
    }
Here AuthenticationManager.authenticate(...) is called. But I would like to know which implementation of AuthenticationManager Spring uses by default, and what its authenticate(...) does in order to authenticate (i.e., make sure that username matches password).
Could you explain this?
Answered by cdeszaq
The AuthenticationManager is really just a container for authentication providers, giving a consistent interface to them all. In most cases, the default AuthenticationManager is more than sufficient.
When you call
    .authenticate(new UsernamePasswordAuthenticationToken(username, password))
it is passing the UsernamePasswordAuthenticationToken to the default AuthenticationProvider, which will use the userDetailsService to get the user based on username and compare that user's password with the one in the authentication token.
In general, the AuthenticationManager passes some sort of AuthenticationToken to each of its AuthenticationProviders and they each inspect it and, if they can use it to authenticate, they return with an indication of "Authenticated", "Unauthenticated", or "Could not authenticate" (which indicates the provider did not know how to handle the token, so it passed on processing it).
This is the mechanism that allows you to plug in other authentication schemes, like authenticating against an LDAP or Active Directory server, or OpenID, and is one of the main extension points within the Spring Security framework.
Answered by Ralph
Spring Security ships only one real AuthenticationManager implementation:
org.springframework.security.authentication.ProviderManager
This uses different AuthenticationProviders for the authentication tasks.
The AuthenticationManagerBeanDefinitionParser is responsible for parsing <sec:authentication-manager>; its Javadoc states:
Registers the central ProviderManager used by the namespace configuration, and allows the configuration of an alias, allowing users to reference it in their beans and clearly see where the name is coming from.
It creates the ProviderManager and adds the specified providers. If no providers are specified in the XML, then it adds a NullAuthenticationProvider. This is at least a provider that does nothing other than prevent configuration exceptions.
Answered by Ivan Gandacov
From Spring Security Docs:
The default implementation in Spring Security is called ProviderManager and rather than handling the authentication request itself, it delegates to a list of configured AuthenticationProviders, each of which is queried in turn to see if it can perform the authentication. Each provider will either throw an exception or return a fully populated Authentication object.
Information about ProviderManager can also be found in Topical Guide - Spring Security Architecture:
The most commonly used implementation of AuthenticationManager is ProviderManager, which delegates to a chain of AuthenticationProvider instances. An AuthenticationProvider is a bit like an AuthenticationManager but it has an extra method to allow the caller to query if it supports a given Authentication type...
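The delegation the answers describe, as an added example that is not part of the original answers or of Spring Security's own code: a ProviderManager wired by hand with one provider that looks the user up through a UserDetailsService and checks the password. UserServiceProvider, the user "alice" and the passwords are hypothetical; the code assumes Spring Security 5.x or 6.x (spring-security-core and spring-security-crypto) on the classpath.

```java
import java.util.Arrays;
import org.springframework.security.authentication.*;
import org.springframework.security.core.*;
import org.springframework.security.core.userdetails.*;
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
import org.springframework.security.crypto.password.PasswordEncoder;
public class ProviderManagerDemo {
    // Hypothetical, simplified stand-in for DaoAuthenticationProvider.
    static class UserServiceProvider implements AuthenticationProvider {
        private final UserDetailsService users;
        private final PasswordEncoder encoder;
        UserServiceProvider(UserDetailsService u, PasswordEncoder e) { users = u; encoder = e; }
        @Override public boolean supports(Class<?> tokenType) {
            return UsernamePasswordAuthenticationToken.class.isAssignableFrom(tokenType);
        }
        @Override public Authentication authenticate(Authentication token) {
            try {
                UserDetails user = users.loadUserByUsername(token.getName());
                Object presented = token.getCredentials();
                if (presented != null && encoder.matches(presented.toString(), user.getPassword())) {
                    // Three-argument constructor: isAuthenticated() is true on the result.
                    return new UsernamePasswordAuthenticationToken(user, presented, user.getAuthorities());
                }
            } catch (UsernameNotFoundException e) { /* same outcome as a wrong password */ }
            throw new BadCredentialsException("Bad credentials");
        }
    }
    static String attempt(AuthenticationManager manager, Authentication token) {
        try {
            Authentication result = manager.authenticate(token);
            return "authenticated=" + result.isAuthenticated() + " erased=" + (result.getCredentials() == null);
        } catch (AuthenticationException e) {
            return "rejected: " + e.getClass().getSimpleName();
        }
    }
    public static void main(String[] args) {
        PasswordEncoder encoder = new BCryptPasswordEncoder();
        String hash = encoder.encode("correct-horse"); // constructed sample credential
        // Fresh UserDetails per lookup: ProviderManager erases credentials on the returned principal.
        UserDetailsService users = name -> {
            if (!"alice".equals(name)) throw new UsernameNotFoundException(name);
            return User.withUsername(name).password(hash).roles("USER").build();
        };
        AuthenticationManager manager = new ProviderManager(
                Arrays.<AuthenticationProvider>asList(new UserServiceProvider(users, encoder)));
        System.out.println(attempt(manager, new UsernamePasswordAuthenticationToken("alice", "correct-horse")));
        System.out.println(attempt(manager, new UsernamePasswordAuthenticationToken("alice", "wrong")));
        System.out.println(attempt(manager, new UsernamePasswordAuthenticationToken("mallory", "x")));
        System.out.println(attempt(manager, new TestingAuthenticationToken("alice", "correct-horse")));
    }
}
```

The wrong password and the unknown user surface as the same exception type, so the caller cannot tell which usernames exist. The TestingAuthenticationToken is rejected with ProviderNotFoundException because no configured provider's supports() accepts that token type.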

