当前位置: 首页 > news >正文

Spring Security初探

news 2025/8/7 3:26:03
url说明方法
/login
/oauth/authorize授权断点。无登录态时跳转到/authentication/require,有登录态时跳转到/loginorg.springframework.security.oauth2.provider.endpoint.AuthorizationEndpoint#authorize
/authentication/require自己写的用于重定向到登录页面的urlcn.merryyou.sso.controller.LoginController#require
/authentication/form提交登录信息,据说是UsernamePasswordAuthenticationFilter处理此请求

在这里插入图片描述

扩展点

扩展点说明
主题数据账户密码
密码解析器提供密码加密及比对服务
自定义授权及安全拦截策略HttpSecurity的相关配置

校验密码的流程-获取用户

loadUserByUsername:26, SsoUserDetailsService (cn.merryyou.sso.server)
retrieveUser:114, DaoAuthenticationProvider (org.springframework.security.authentication.dao)
authenticate:144, AbstractUserDetailsAuthenticationProvider (org.springframework.security.authentication.dao)// 之后的166行会进行密码比对
authenticate:174, ProviderManager (org.springframework.security.authentication)
authenticate:199, ProviderManager (org.springframework.security.authentication)
attemptAuthentication:94, UsernamePasswordAuthenticationFilter (org.springframework.security.web.authentication)
doFilter:212, AbstractAuthenticationProcessingFilter (org.springframework.security.web.authentication)
doFilter:331, FilterChainProxy$VirtualFilterChain (org.springframework.security.web)
doFilter:116, LogoutFilter (org.springframework.security.web.authentication.logout)
doFilter:331, FilterChainProxy$VirtualFilterChain (org.springframework.security.web)
doFilterInternal:64, HeaderWriterFilter (org.springframework.security.web.header)
doFilter:107, OncePerRequestFilter (org.springframework.web.filter)
doFilter:331, FilterChainProxy$VirtualFilterChain (org.springframework.security.web)
doFilter:105, SecurityContextPersistenceFilter (org.springframework.security.web.context)
doFilter:331, FilterChainProxy$VirtualFilterChain (org.springframework.security.web)
doFilterInternal:56, WebAsyncManagerIntegrationFilter (org.springframework.security.web.context.request.async)
doFilter:107, OncePerRequestFilter (org.springframework.web.filter)
doFilter:331, FilterChainProxy$VirtualFilterChain (org.springframework.security.web)
doFilterInternal:214, FilterChainProxy (org.springframework.security.web)
doFilter:177, FilterChainProxy (org.springframework.security.web)
invokeDelegate:346, DelegatingFilterProxy (org.springframework.web.filter)
doFilter:262, DelegatingFilterProxy (org.springframework.web.filter)
internalDoFilter:193, ApplicationFilterChain (org.apache.catalina.core)
doFilter:166, ApplicationFilterChain (org.apache.catalina.core)
doFilterInternal:99, RequestContextFilter (org.springframework.web.filter)
doFilter:107, OncePerRequestFilter (org.springframework.web.filter)
internalDoFilter:193, ApplicationFilterChain (org.apache.catalina.core)
doFilter:166, ApplicationFilterChain (org.apache.catalina.core)
doFilterInternal:105, HttpPutFormContentFilter (org.springframework.web.filter)
doFilter:107, OncePerRequestFilter (org.springframework.web.filter)
internalDoFilter:193, ApplicationFilterChain (org.apache.catalina.core)
doFilter:166, ApplicationFilterChain (org.apache.catalina.core)
doFilterInternal:81, HiddenHttpMethodFilter (org.springframework.web.filter)
doFilter:107, OncePerRequestFilter (org.springframework.web.filter)
internalDoFilter:193, ApplicationFilterChain (org.apache.catalina.core)
doFilter:166, ApplicationFilterChain (org.apache.catalina.core)
doFilterInternal:197, CharacterEncodingFilter (org.springframework.web.filter)
doFilter:107, OncePerRequestFilter (org.springframework.web.filter)
internalDoFilter:193, ApplicationFilterChain (org.apache.catalina.core)
doFilter:166, ApplicationFilterChain (org.apache.catalina.core)
invoke:198, StandardWrapperValve (org.apache.catalina.core)
invoke:96, StandardContextValve (org.apache.catalina.core)
invoke:478, AuthenticatorBase (org.apache.catalina.authenticator)
invoke:140, StandardHostValve (org.apache.catalina.core)
invoke:80, ErrorReportValve (org.apache.catalina.valves)
invoke:87, StandardEngineValve (org.apache.catalina.core)
service:342, CoyoteAdapter (org.apache.catalina.connector)
service:799, Http11Processor (org.apache.coyote.http11)
process:66, AbstractProcessorLight (org.apache.coyote)
process:868, AbstractProtocol$ConnectionHandler (org.apache.coyote)
doRun:1455, NioEndpoint$SocketProcessor (org.apache.tomcat.util.net)
run:49, SocketProcessorBase (org.apache.tomcat.util.net)
runWorker:1149, ThreadPoolExecutor (java.util.concurrent)
run:624, ThreadPoolExecutor$Worker (java.util.concurrent)
run:61, TaskThread$WrappingRunnable (org.apache.tomcat.util.threads)
run:748, Thread (java.lang)

比对密码

additionalAuthenticationChecks:94, DaoAuthenticationProvider (org.springframework.security.authentication.dao)
authenticate:166, AbstractUserDetailsAuthenticationProvider (org.springframework.security.authentication.dao)
authenticate:174, ProviderManager (org.springframework.security.authentication)
authenticate:199, ProviderManager (org.springframework.security.authentication)
attemptAuthentication:94, UsernamePasswordAuthenticationFilter (org.springframework.security.web.authentication)
doFilter:212, AbstractAuthenticationProcessingFilter (org.springframework.security.web.authentication)
doFilter:331, FilterChainProxy$VirtualFilterChain (org.springframework.security.web)
doFilter:116, LogoutFilter (org.springframework.security.web.authentication.logout)
doFilter:331, FilterChainProxy$VirtualFilterChain (org.springframework.security.web)
doFilterInternal:64, HeaderWriterFilter (org.springframework.security.web.header)
doFilter:107, OncePerRequestFilter (org.springframework.web.filter)
doFilter:331, FilterChainProxy$VirtualFilterChain (org.springframework.security.web)
doFilter:105, SecurityContextPersistenceFilter (org.springframework.security.web.context)
doFilter:331, FilterChainProxy$VirtualFilterChain (org.springframework.security.web)
doFilterInternal:56, WebAsyncManagerIntegrationFilter (org.springframework.security.web.context.request.async)
doFilter:107, OncePerRequestFilter (org.springframework.web.filter)
doFilter:331, FilterChainProxy$VirtualFilterChain (org.springframework.security.web)
doFilterInternal:214, FilterChainProxy (org.springframework.security.web)
doFilter:177, FilterChainProxy (org.springframework.security.web)
invokeDelegate:346, DelegatingFilterProxy (org.springframework.web.filter)
doFilter:262, DelegatingFilterProxy (org.springframework.web.filter)
internalDoFilter:193, ApplicationFilterChain (org.apache.catalina.core)
doFilter:166, ApplicationFilterChain (org.apache.catalina.core)
doFilterInternal:99, RequestContextFilter (org.springframework.web.filter)
doFilter:107, OncePerRequestFilter (org.springframework.web.filter)
internalDoFilter:193, ApplicationFilterChain (org.apache.catalina.core)
doFilter:166, ApplicationFilterChain (org.apache.catalina.core)
doFilterInternal:105, HttpPutFormContentFilter (org.springframework.web.filter)
doFilter:107, OncePerRequestFilter (org.springframework.web.filter)
internalDoFilter:193, ApplicationFilterChain (org.apache.catalina.core)
doFilter:166, ApplicationFilterChain (org.apache.catalina.core)
doFilterInternal:81, HiddenHttpMethodFilter (org.springframework.web.filter)
doFilter:107, OncePerRequestFilter (org.springframework.web.filter)
internalDoFilter:193, ApplicationFilterChain (org.apache.catalina.core)
doFilter:166, ApplicationFilterChain (org.apache.catalina.core)
doFilterInternal:197, CharacterEncodingFilter (org.springframework.web.filter)
doFilter:107, OncePerRequestFilter (org.springframework.web.filter)
internalDoFilter:193, ApplicationFilterChain (org.apache.catalina.core)
doFilter:166, ApplicationFilterChain (org.apache.catalina.core)
invoke:198, StandardWrapperValve (org.apache.catalina.core)
invoke:96, StandardContextValve (org.apache.catalina.core)
invoke:478, AuthenticatorBase (org.apache.catalina.authenticator)
invoke:140, StandardHostValve (org.apache.catalina.core)
invoke:80, ErrorReportValve (org.apache.catalina.valves)
invoke:87, StandardEngineValve (org.apache.catalina.core)
service:342, CoyoteAdapter (org.apache.catalina.connector)
service:799, Http11Processor (org.apache.coyote.http11)
process:66, AbstractProcessorLight (org.apache.coyote)
process:868, AbstractProtocol$ConnectionHandler (org.apache.coyote)
doRun:1455, NioEndpoint$SocketProcessor (org.apache.tomcat.util.net)
run:49, SocketProcessorBase (org.apache.tomcat.util.net)
runWorker:1149, ThreadPoolExecutor (java.util.concurrent)
run:624, ThreadPoolExecutor$Worker (java.util.concurrent)
run:61, TaskThread$WrappingRunnable (org.apache.tomcat.util.threads)
run:748, Thread (java.lang)

根据实验结果总结的JSESSIONID规则(可能有错误,但可以解释单点登录时的JSESSIONID变化过程):
1、访问时携带的JSESSIONID无效或者没有携带,tomcat会通过response中的set-cookie设置JSESSIONID。
2、set-cookie设置的JSESSIONID会被保留在postman中
3、postman中会根据JSESSIONID中path与当前url的匹配情况选择相应的JSESSIONID添加到请求头

+++++++++++++++以下是研究日志++++++++++++++++++++++

url在哪个类中配置的?
应该了解下正常的controller处理请求的堆栈是啥
org.springframework.web.servlet.handler.AbstractHandlerMethodMapping#lookupHandlerMethod加断点
在这里插入图片描述
在下面截图可以看到正常的controller与url对应关系的存储位置
在这里插入图片描述

下图可以看到/authentication/require接口和handler的位置对应关系
在这里插入图片描述
无法找到
GET /uaa/oauth/authorize?client_id=merryyou1&redirect_uri=http://localhost:8083/client1/login&response_type=code&state=dSx7fy HTTP/1.1
这个请求在哪里触发的。
已知/uaa/oauth/authorize这个请求返回302,重定向到/uaa/authentication/require,/uaa/authentication/require是自己写的,然后通过HttpSecurity配置。

点击"登录"时触发接口/authentication/form,此接口在哪?
加断点没找到,但是找到了其重定向的那个连接/uaa/oauth/authorize
在这里插入图片描述

authorize:123, AuthorizationEndpoint (org.springframework.security.oauth2.provider.endpoint)
invoke0:-1, NativeMethodAccessorImpl (sun.reflect)
invoke:62, NativeMethodAccessorImpl (sun.reflect)
invoke:43, DelegatingMethodAccessorImpl (sun.reflect)
invoke:498, Method (java.lang.reflect)
doInvoke:205, InvocableHandlerMethod (org.springframework.web.method.support)
invokeForRequest:133, InvocableHandlerMethod (org.springframework.web.method.support)
invokeAndHandle:97, ServletInvocableHandlerMethod (org.springframework.web.servlet.mvc.method.annotation)
invokeHandlerMethod:827, RequestMappingHandlerAdapter (org.springframework.web.servlet.mvc.method.annotation)
handleInternal:738, RequestMappingHandlerAdapter (org.springframework.web.servlet.mvc.method.annotation)
handle:85, AbstractHandlerMethodAdapter (org.springframework.web.servlet.mvc.method)
doDispatch:967, DispatcherServlet (org.springframework.web.servlet)

重新触发登录逻辑,可以看到org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter#attemptAuthentication的调用,据说此方法是/authentication/form

attemptAuthentication:70, UsernamePasswordAuthenticationFilter (org.springframework.security.web.authentication)
doFilter:212, AbstractAuthenticationProcessingFilter (org.springframework.security.web.authentication)
doFilter:331, FilterChainProxy$VirtualFilterChain (org.springframework.security.web)
doFilter:116, LogoutFilter (org.springframework.security.web.authentication.logout)
doFilter:331, FilterChainProxy$VirtualFilterChain (org.springframework.security.web)
doFilterInternal:64, HeaderWriterFilter (org.springframework.security.web.header)
doFilter:107, OncePerRequestFilter (org.springframework.web.filter)
doFilter:331, FilterChainProxy$VirtualFilterChain (org.springframework.security.web)
doFilter:105, SecurityContextPersistenceFilter (org.springframework.security.web.context)
doFilter:331, FilterChainProxy$VirtualFilterChain (org.springframework.security.web)
doFilterInternal:56, WebAsyncManagerIntegrationFilter (org.springframework.security.web.context.request.async)
doFilter:107, OncePerRequestFilter (org.springframework.web.filter)
doFilter:331, FilterChainProxy$VirtualFilterChain (org.springframework.security.web)
doFilterInternal:214, FilterChainProxy (org.springframework.security.web)
doFilter:177, FilterChainProxy (org.springframework.security.web)
invokeDelegate:346, DelegatingFilterProxy (org.springframework.web.filter)
doFilter:262, DelegatingFilterProxy (org.springframework.web.filter)
internalDoFilter:193, ApplicationFilterChain (org.apache.catalina.core)
doFilter:166, ApplicationFilterChain (org.apache.catalina.core)
doFilterInternal:99, RequestContextFilter (org.springframework.web.filter)
doFilter:107, OncePerRequestFilter (org.springframework.web.filter)
internalDoFilter:193, ApplicationFilterChain (org.apache.catalina.core)
doFilter:166, ApplicationFilterChain (org.apache.catalina.core)
doFilterInternal:105, HttpPutFormContentFilter (org.springframework.web.filter)
doFilter:107, OncePerRequestFilter (org.springframework.web.filter)
internalDoFilter:193, ApplicationFilterChain (org.apache.catalina.core)
doFilter:166, ApplicationFilterChain (org.apache.catalina.core)
doFilterInternal:81, HiddenHttpMethodFilter (org.springframework.web.filter)
doFilter:107, OncePerRequestFilter (org.springframework.web.filter)
internalDoFilter:193, ApplicationFilterChain (org.apache.catalina.core)
doFilter:166, ApplicationFilterChain (org.apache.catalina.core)
doFilterInternal:197, CharacterEncodingFilter (org.springframework.web.filter)
doFilter:107, OncePerRequestFilter (org.springframework.web.filter)
internalDoFilter:193, ApplicationFilterChain (org.apache.catalina.core)
doFilter:166, ApplicationFilterChain (org.apache.catalina.core)
invoke:198, StandardWrapperValve (org.apache.catalina.core)
invoke:96, StandardContextValve (org.apache.catalina.core)
invoke:478, AuthenticatorBase (org.apache.catalina.authenticator)
invoke:140, StandardHostValve (org.apache.catalina.core)
invoke:80, ErrorReportValve (org.apache.catalina.valves)
invoke:87, StandardEngineValve (org.apache.catalina.core)
service:342, CoyoteAdapter (org.apache.catalina.connector)
service:799, Http11Processor (org.apache.coyote.http11)
process:66, AbstractProcessorLight (org.apache.coyote)
process:868, AbstractProtocol$ConnectionHandler (org.apache.coyote)
doRun:1455, NioEndpoint$SocketProcessor (org.apache.tomcat.util.net)
run:49, SocketProcessorBase (org.apache.tomcat.util.net)
runWorker:1149, ThreadPoolExecutor (java.util.concurrent)
run:624, ThreadPoolExecutor$Worker (java.util.concurrent)
run:61, TaskThread$WrappingRunnable (org.apache.tomcat.util.threads)
run:748, Thread (java.lang)

filter在web中的定位 --done。Filter是Servlet规范的一部分,它的主要目的是在请求到达Servlet(包括Spring MVC的DispatcherServlet)之前或之后执行某些操作

client中/ 和 /login之间的跳转逻辑是如何实现的?
感觉和EnableOAuth2Sso这个注解有关
这个博客讲的太细了,不适合初学者
初学者应该先了解如何使用,然后是http交互逻辑,最后是原理

重新阅读官方文档。–done。没看懂,改看b站视频教程

JSESSIONID
博客1;jsessionid与tomcat关系比较大;这个视频没有客户端的介绍
经过实验发现jsessionid和端口可能对应关系,因为当我访问的应用个数与postman中的jsessionid数量相同
使用chrome看看是否能看到jsessionid和端口的对应关系
应该不是和端口对应,是和路径对应,仔细看cookie,其中设置了path,postman应该是根据path判断使用哪个jsessionid

JSESSIONID=3D1A6E7BEE757E28BC0A97F60636AC3A; Path=/uaa; HttpOnly;

client和resource使用哪个?–done。使用资源,大家都是用资源
多看几个视频,看看大家用啥
视频1;视频没讲单点登录
视频2;无源码,没说是客户端还是资源
视频3;这个视频看简介,只有资源没有客户端;没有登录跳转

视频这个视频中的"access_token客户端模式"和"access_token授权码模式"有啥区别?应用场景分别是啥?–done。这个视频中没有正常展示单点登录功能,都是用百度的链接做的模拟

client资源
我能找到的所有单点登录教学视频用的都是这个
简单
支持登录跳转

感觉client更符合使用场景。百度下其使用场景 --done。看博客感觉是spring为了简化单点登录开发流程提供的注解,原文"只需要添加一个注解和少量配置即可将我们的服务作为一个单点登陆应用"

==============================

需要确认下set-cookie的path字段是否真如推测那样可以让postman根据请求中的url选择不同cookie

client-id: merryyou1这种方式可以配置客户端。客户端在oauth中的定位是啥?每个客户端对数据有不同授权?
user-authorization-uri是请求认证,access-token-uri是请求令牌,两者啥关系?

需要了解下HttpSecurity各个配置的含义

http://www.lryc.cn/news/347401.html

相关文章:

  • 【Java代码审计】敏感信息泄漏篇
  • Windows Server 2012 R2 新增D盘分区
  • transformer与beter
  • MySQL索引设计遵循一系列原则
  • windows窗口消息队列与消息过程处理函数
  • 【Chisel】chisel中怎么处理类似verilog的可变位宽和parameter
  • [Easy] leetcode-225/232 栈和队列的相互实现
  • Springboot+Vue项目-基于Java+MySQL的个人云盘管理系统(附源码+演示视频+LW)
  • Leetcode 116:填充每一个节点的下一个右侧节点指针
  • AI智能分析赋能EasyCVR视频汇聚平台,为安全生产监管提供保障
  • Java设计模式 _结构型模式_外观模式
  • 数据结构之----栈与队列
  • 如何在windows server下安装mysql5.7数据库,并使用Navicat Premium 15可视化工具新建数据库并读取数据库信息。
  • Calendar 366 II for Mac v2.15.5激活版:智能日历管理软件
  • react引入阿里矢量库图标
  • 部署Gerapy
  • Github Benefits 学生认证/学生包 新版申请指南
  • 基于单片机的宠物智能投喂系统研究
  • Linux-笔记 常用命令
  • MySQL中,关于日期类型的那些事儿,你知道哪些?
  • 【Chrome实用命令笔记】
  • 【数据库】数据库事务原理
  • LeetCode 106.从中序与后序遍历序列构造二叉树
  • Python中的compile()函数,动态编译代码的艺术
  • 【考研数学】汤家凤“免单“数学题被吐槽‘太难’,老汤回应「怎么还有脸笑」,网友:这些题有毒!
  • 在另外一个页面,让另外一个页面弹框显示操作(调佣公共的弹框)
  • 如何利用IPIDEA代理IP优化数据采集效率?
  • Rpcx (一):详解【介绍、基础示例 demo】
  • 对数据进行标准化和归一化
  • 【从零开始学架构 架构基础】二 架构设计的复杂度来源:高性能复杂度来源