SpringSecurityAuthenticationManagerauthenticate()方法如何能夠檢查發送的用戶名和密碼是否正確？

我正在開發一個 Spring Boot 應用程式，它采用系統上現有用戶的用戶名和密碼，然后生成一個 JWT 令牌。我從教程中復制了它，并對其進行了更改以適用于我的特定用例。邏輯對我來說很清楚，但我對用戶如何在系統上進行身份驗證有很大的疑問。下面我將嘗試向您解釋這是結構性的，以及我的疑問。

JWT 代幣系統由兩個不同的微服務組成，分別是：

該GET-USER-WS：這個微服務simmply使用Hibernate \ JPA檢索系統中的特定用戶的資訊。基本上它包含一個呼叫服務類的控制器類，該類本身呼叫 JPA 存盤庫以檢索特定的用戶資訊：

@RestController
@RequestMapping("api/users")
@Log
public class UserController {
    
    @Autowired
    UserService userService;
    
    @GetMapping(value = "/{email}", produces = "application/json")
    public ResponseEntity<User> getUserByEmail(@PathVariable("email") String eMail) throws NotFoundException  {
        
        log.info(String.format("****** Get the user with eMail %s *******", eMail) );
        
        User user = userService.getUserByEmail(eMail);
        
        if (user == null)
        {
            String ErrMsg = String.format("The user with eMail %s was not found", eMail);
            
            log.warning(ErrMsg);
            
            throw new NotFoundException(ErrMsg);
        }
            
            
        return new ResponseEntity<User>(user, HttpStatus.OK);
        
    }

}

如您所見，此控制器包含一個 API，該 API 使用電子郵件引數（即系統上的用戶名）并回傳包含該用戶資訊的 JSON。

然后我有第二個微服務（名為AUTH-SERVER-JWT），它呼叫前一個 API 以獲取將用于生成 JWT 令牌的用戶資訊。為了使描述盡可能簡單，它包含以下控制器類：

@RestController
//@CrossOrigin(origins = "http://localhost:4200")
public class JwtAuthenticationRestController  {

    @Value("${sicurezza.header}")
    private String tokenHeader;

    @Autowired
    private AuthenticationManager authenticationManager;

    @Autowired
    private JwtTokenUtil jwtTokenUtil;

    @Autowired
    @Qualifier("customUserDetailsService")
    //private UserDetailsService userDetailsService;
    private CustomUserDetailsService userDetailsService;
    
    private static final Logger logger = LoggerFactory.getLogger(JwtAuthenticationRestController.class);

    @PostMapping(value = "${sicurezza.uri}")
    public ResponseEntity<?> createAuthenticationToken(@RequestBody JwtTokenRequest authenticationRequest)
            throws AuthenticationException {
        logger.info("Autenticazione e Generazione Token");

        authenticate(authenticationRequest.getUsername(), authenticationRequest.getPassword());

        //final UserDetails userDetails = userDetailsService.loadUserByUsername(authenticationRequest.getUsername());
        final UserDetailsWrapper userDetailsWrapper = userDetailsService.loadCompleteUserByUsername(authenticationRequest.getUsername());

        final String token = jwtTokenUtil.generateToken(userDetailsWrapper);
        
        logger.warn(String.format("Token %s", token));

        return ResponseEntity.ok(new JwtTokenResponse(token));
    }

    @RequestMapping(value = "${sicurezza.uri}", method = RequestMethod.GET)
    public ResponseEntity<?> refreshAndGetAuthenticationToken(HttpServletRequest request) 
            throws Exception 
    {
        String authToken = request.getHeader(tokenHeader);
        
        if (authToken == null || authToken.length() < 7)
        {
            throw new Exception("Token assente o non valido!");
        }
        
        final String token = authToken.substring(7);
        
        if (jwtTokenUtil.canTokenBeRefreshed(token)) 
        {
            String refreshedToken = jwtTokenUtil.refreshToken(token);
            
            return ResponseEntity.ok(new JwtTokenResponse(refreshedToken));
        } 
        else 
        {
            return ResponseEntity.badRequest().body(null);
        }
    }

    @ExceptionHandler({ AuthenticationException.class })
    public ResponseEntity<String> handleAuthenticationException(AuthenticationException e) 
    {
        return ResponseEntity.status(HttpStatus.UNAUTHORIZED).body(e.getMessage());
    }

    private void authenticate(String username, String password) 
    {
        Objects.requireNonNull(username);
        Objects.requireNonNull(password);

        try {   
            /// ???
            authenticationManager.authenticate(new UsernamePasswordAuthenticationToken(username, password));
        } 
        catch (DisabledException e) 
        {
            logger.warn("UTENTE DISABILITATO");
            throw new AuthenticationException("UTENTE DISABILITATO", e);
        } 
        catch (BadCredentialsException e) 
        {
            logger.warn("CREDENZIALI NON VALIDE");
            throw new AuthenticationException("CREDENZIALI NON VALIDE", e);
        }
    }
}

This class contains two method, the first one is used to generate a brand new JWT token and the second one it is used to refresh an existing JWT token. Consider now the first use case (generate a brand new JWT token) related to the createAuthenticationToken() method. This method take as input parmether the information related to the JWT token request: @RequestBody JwtTokenRequest authenticationRequest. Bascailly the JwtTokenRequest is a simple DTO object like this:

@Data
public class JwtTokenRequest implements Serializable 
{
    private static final long serialVersionUID = -3558537416135446309L;
    private String username;
    private String password;
}

So the payload in the body request will be something like this:

{
    "username": "[email protected]",
    "password": "password" 
}

NOTE: in my DB I have a user having this username and password so the user will be retrieved and authenticated on the system.

As you can see the first effective operation that the createAuthenticationToken() method do is:

authenticate(authenticationRequest.getUsername(), authenticationRequest.getPassword());

Basically it is calling the authenticate() method defined in the same class passing to it the previous credential ("username": "[email protected]" and "password": "password").

As you can see this is my authenticate() method

private void authenticate(String username, String password) 
{
    Objects.requireNonNull(username);
    Objects.requireNonNull(password);

    try {   
        /// ???
        authenticationManager.authenticate(new UsernamePasswordAuthenticationToken(username, password));
    } 
    catch (DisabledException e) 
    {
        logger.warn("UTENTE DISABILITATO");
        throw new AuthenticationException("UTENTE DISABILITATO", e);
    } 
    catch (BadCredentialsException e) 
    {
        logger.warn("CREDENTIAL ERROR");
        throw new AuthenticationException(""CREDENTIAL ERROR", e);
    }
}

Basically it is passing these credential to the authenticate() method defined into the injected Spring Security AuthenticationManager instance, by this line:

authenticationManager.authenticate(new UsernamePasswordAuthenticationToken(username, password));

This method seems to be able to authenticate or not these credentials. And it seems to works fine because if I put a wrong username or password it goes into the CREDENTIAL ERROR case and it throw the AuthenticationException exception.

And here my huge doubt: why it works?!?! How is it possible? If you come back to the createAuthenticationToken() controller method you can see that it does these two operation in the following order:

authenticate(authenticationRequest.getUsername(), authenticationRequest.getPassword());

final UserDetailsWrapper userDetailsWrapper = userDetailsService.loadCompleteUserByUsername(authenticationRequest.getUsername());

It first perform the authenticate() method (that should check if theusername and password that was sent are correct), then call the service method that retrieve the user information.

請問，authenticate()方法如何能夠檢查原始有效負載中發送的憑據是否正確？

uj5u.com熱心網友回復：

通常情況下，實施AuthenticationManager是一個ProviderManager，這將遍歷所有配置的AuthenticationProviderS和嘗試使用提供的憑據進行身份驗證。

其中一個AuthenticationProviders 是DaoAuthenticationProvider，它支持 aUsernamePasswordAuthenticationToken并使用UserDetailsService（您有一個customUserDetailsService）來檢索用戶并比較password使用配置的PasswordEncoder.

關于身份驗證架構的參考檔案中有更詳細的解釋。

標籤：爪哇 春天 弹簧靴 弹簧安全

上一篇：Hibernate使用@OneToMany和@ManyToOne上傳資料，但外鍵仍然為空

下一篇：僅當資料存在時如何驗證laravel輸入？