Fourth, Spring Boot integration Spring Security certification process

II. Summary statement

1. This article mainly introduces the login and logout business processes, so the use of memory-based user names and passwords, the authorization of the relevant content is not introduced, followed by a detailed introduction to the database-based authentication and authorization
2. How to View Memory-Based Default Username Passwords
3. How to Configure Memory-Based Custom Username Passwords
4. This article is strongly related to the above, so if you are unfamiliar with the filters related to logging in the filter chain, please first check theSpring Boot integration Spring Security security securityFilterChain filter chain details

III. Memory-based username and password

1. Default user name and password

1. I. Spring Boot integration Spring Security of the auto-assemblySection 6 of this document describes how to generate the default authentication interface inMemoryUserDetailsManager when the user does not customize the authentication interface, where the user name is user and the password is a randomly-generated uuid, which is printed on the console when the project is started.

2. Username and password source code

2、Customize user name and password

1. Configuration binding in the previous subsection [username password source code] can be configured to customize the username, password
2. Configure username and password via configuration file

3, to facilitate the test to add a test interface TestController

package ;

import ;
import ;
import ;

@RestController
@RequestMapping("/test")
public class TestController {

    @GetMapping("/hello")
    public String hello() {
        return "success";
    }

}

IV. Introduction to important concepts of login and logout

1. Security context repository (SecurityContextRepository): used to store the security context, the default session-based implementation (HttpSessionSecurityContextRepository)
2. SecurityContextHolder: Used to store the security context of the request, based on the ThreadLocal implementation by default.
3. Security context (SecurityContext): used to store authentication information
4. Authentication information (Authentication): used to store the user and authentication results information, the main implementation classes are
   • UsernamePasswordAuthenticationToken: UsernamePasswordAuthenticationToken
   • Anonymous Authentication Token: AnonymousAuthenticationToken
5. Login page request: a request to jump to the login page
6. Login request: a request submitted after entering a username and password on the login page
7. Logout page request: request to jump to the logout page
8. Logout request: Confirmation of logout submission on the logout page

V. Login Business Logic

1. Login to business-related filters

1. SecurityContextPersistenceFilter
2. UsernamePasswordAuthenticationFilter
3. DefaultLoginPageGeneratingFilter
4. AnonymousAuthenticationFilter
5. ExceptionTranslationFilter
6. FilterSecurityInterceptor

2. Access to the business request processing flow

1）、Access to the business request address is intercepted and redirected to the login page request

1. Browser access to the business request address:http://localhost:8080/test/hello

2. SecurityContextPersistenceFilter handles the request:

   1. Get security context from security context repository as empty, create security context without authentication information (SecurityContextImpl)
   2. Set the security context obtained in step 1 to the security context holder
   3. Execution of subsequent filter chains
   4. source code (computing)

   

3. AnonymousAuthenticationFilter handles the request:

   1. Get authentication information in the security context in the security context holder is empty
   2. Creating Anonymous Authentication Information
   3. Creating a new security context with no authentication information
   4. Set the anonymous authentication information in step 2 to the security context in step 3
   5. Set the security context in step 3 to the security context holder
   6. Execution of subsequent filter chains
   7. source code (computing)

   

4. FilterSecurityInterceptor handles the request:

   1. Verify that the anonymous authentication information in the security context in the security context holder passes the
   2. Failure to validate authorization information (when the business request address is not set to be accessed anonymously), an AccessDeniedException is thrown.
   3. source code (computing)

   

5. ExceptionTranslationFilter handles the request:

   1. Catch AccessDeniedException thrown by FilterSecurityInterceptor.
   2. Determining authorization exceptions due to anonymous access
   3. Creating a new security context with no authentication information
   4. Set the security context in step 3 to the security context holder
   5. Redirects to the login page:http://localhost:8080/login
   6. source code (computing)

   

6. SecurityContextPersistenceFilter handles the request:

   1. Code after execution
   2. Get the security context in the security context holder
   3. Deleting a Security Context in a Security Context Holder
   4. Save the security context obtained in step 2 to the security context repository
   5. source code (computing)

   

7. Redirects login page requests:http://localhost:8080/login（GET）

2）、Redirect the fixed page request, return to the login page

1. SecurityContextPersistenceFilter handles the request:

   1. Get security context from security context repository as empty, create security context without authentication information (SecurityContextImpl)
   2. Set the security context obtained in step 1 to the security context holder
   3. Execution of subsequent filter chains
   4. Source code (ibid.)

2. DefaultLoginPageGeneratingFilter handles the request:

   1. Determine if the request is a jump to the login page
   2. Generate default login page
   3. Returns and renders the generated default login page
   4. source code (computing)

   

3. SecurityContextPersistenceFilter handles the request:

   1. Code after execution
   2. Get the security context in the security context holder
   3. Deleting a Security Context in a Security Context Holder
   4. Save the security context obtained in step 2 to the security context repository
   5. Source code (ibid.)

3), enter the correct user name and password, redirect to the business request

1. SecurityContextPersistenceFilter handles the request:

   1. Get security context from security context repository as empty, create security context without authentication information (SecurityContextImpl)
   2. Set the security context obtained in step 1 to the security context holder
   3. Execution of subsequent filter chains
   4. Source code (ibid.)

2. UsernamePasswordAuthenticationFilter handles the request:

   1. Determining the need for authentication (method)
   2. Authentication username password successful, generate authenticated authentication information UsernamePasswordAuthenticationToken
   3. Creating a new security context with no authentication information
   4. Set the authentication information in step 2 to the security context in step 3
   5. Set the security context from step 3 to the security context holder
   6. Save the security context from step 3 to the local variable security context repository (empty implementation)
   7. Redirects to the business request address:http://localhost:8080/test/hello
   8. source code (computing)

   

3. SecurityContextPersistenceFilter handles the request:

   1. Code after execution
   2. Get the security context in the security context holder
   3. Deleting a Security Context in a Security Context Holder
   4. Save the security context obtained in step 2 to the security context repository
   5. Source code (ibid.)

4), redirection to business requests

1. SecurityContextPersistenceFilter handles the request:

   1. Get authenticated security contexts from the security context repository
   2. Set the security context obtained in step 1 to the security context holder
   3. Execution of subsequent filter chains
   4. Source code (ibid.)

2. FilterSecurityInterceptor handles the request:

   1. Verify that the authentication information in the security context in the security context holder passes the
   2. Verify that the authorization was successful
   3. Calling the interface to return data
   4. source code (computing)

   

3. SecurityContextPersistenceFilter handles the request:

   1. Code after execution
   2. Get the security context in the security context holder
   3. Deleting a Security Context in a Security Context Holder
   4. Save the security context obtained in step 2 to the security context repository
   5. Source code (ibid.)

VI. Logic for logout implementation

1. Logging out of business-related filters

1. SecurityContextPersistenceFilter
2. LogoutFilter
3. DefaultLogoutPageGeneratingFilter

2、Access to the logout page request processing flow

1. Browser access to logout request address:http://localhost:8080/logout

2. SecurityContextPersistenceFilter handles the request:

   1. Get authenticated security contexts from the security context repository
   2. Set the security context obtained in step 1 to the security context holder
   3. Execution of subsequent filter chains
   4. Source code (ibid.)

3. DefaultLogoutPageGeneratingFilter handles the request:

   1. Determine if the request is a jump to a logout page
   2. Generate default logout page
   3. Returns and renders the generated default logout page
   4. source code (computing)

   

4. SecurityContextPersistenceFilter handles the request:

   1. Code after execution
   2. Get the security context in the security context holder
   3. Deleting a Security Context in a Security Context Holder
   4. Save the security context obtained in step 2 to the security context repository
   5. Source code (ibid.)

3、Logout page to confirm the logout request processing flow

1）、Confirm logout, redirect to login page request

1. SecurityContextPersistenceFilter handles the request:

   1. Get authenticated security contexts from the security context repository
   2. Set the security context obtained in step 1 to the security context holder
   3. Execution of subsequent filter chains
   4. Source code (ibid.)

2. LogoutFilter handles the request:

   1. Judgment is a logout request
   2. Get the security context in the security context holder
   3. Logout processor handles logout operations
      1. Deleting a Security Context in a Security Context Holder
      2. Create a security context with no authentication information
      3. Save the security context from step 2 to the security context repository
   4. Redirect to login page
   5. source code (computing)

   

3. SecurityContextPersistenceFilter handles the request:

   1. Code after execution
   2. Get the security context in the security context holder
   3. Deleting a Security Context in a Security Context Holder
   4. Save the security context obtained in step 2 to the security context repository
   5. Source code (ibid.)

2）、Login page request

The logon business logic is described in Section V and will not be repeated.

VII. Description

1. Spring Boot integration with Spring Security is a non-front-to-back architecture by default.
2. The process described in this article is a non-front-to-back split version of the processing flow
3. Simpler front-to-back processing
   1. Accessing the business interface without authentication returns an unauthenticated error message
   2. Returns a Token after a successful call to the login interface, which is carried in the request header thereafter
   3. A successful call to the logout interface returns success and the backend invalidates the Token
   4. Carry the Token to access the business interface, and after the back-end verifies the Token successfully, call the business interface and return the data