Problem description

I have the following bean defined:

<sec:authentication-manager alias="authenticationManager">
    <sec:authentication-provider
        user-service-ref="userDetailsService" />
</sec:authentication-manager>

I guess here Spring uses some default implementation of AuthenticationManager.

In my Java code I have:

@Resource(name = "authenticationManager")
private AuthenticationManager authenticationManager; // specific for Spring Security

public boolean login(String username, String password) {
    try {
        Authentication authenticate = authenticationManager.authenticate(new UsernamePasswordAuthenticationToken(username, password));
        if (authenticate.isAuthenticated()) {
            SecurityContextHolder.getContext().setAuthentication(authenticate);             
            return true;
        }
    }
    catch (AuthenticationException e) {         
    }
    return false;
}

Here AuthenticationManager.authenticate(...) is called. But I would like to know which implementation of AuthenticationManager Spring uses by default, and what its authenticate(...) does in order to authenticate (i.e., make sure that username matches password).

Can you explain this?

Recommended answer

The AuthenticationManager is really just a container for authentication providers, giving a consistent interface to them all. In most cases, the default AuthenticationManager is more than sufficient.

When you call

.authenticate(new UsernamePasswordAuthenticationToken(username, password))

it is passing the UsernamePasswordAuthenticationToken to the default AuthenticationProvider, which will use the userDetailsService to get the user based on username and compare that user's password with the one in the authentication token.

In general, the AuthenticationManager passes some sort of AuthenticationToken to each of its AuthenticationProviders and they each inspect it and, if they can use it to authenticate, they return with an indication of "Authenticated", "Unauthenticated", or "Could not authenticate" (which indicates the provider did not know how to handle the token, so it passed on processing it).

This is the mechanism that allows you to plug in other authentication schemes, like authenticating against an LDAP or Active Directory server, or OpenID, and is one of the main extension points within the Spring Security framework.
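
With the namespace configuration in the question, the manager bean is a ProviderManager and the provider built from user-service-ref is a DaoAuthenticationProvider. The following is an added example, not code from the original post or from Spring: it wires a ProviderManager by hand around a simplified stand-in provider that performs the lookup-and-compare step the answer describes. The names ProviderDelegationDemo and SimplePasswordProvider and the sample user are assumptions, Java 17 is assumed, and the stand-in omits the account-status checks the real provider performs.

```java
import java.util.List;
import org.springframework.security.authentication.*;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.AuthenticationException;
import org.springframework.security.core.userdetails.*;
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
import org.springframework.security.crypto.password.PasswordEncoder;
import org.springframework.security.provisioning.InMemoryUserDetailsManager;

// Hypothetical demo class; SimplePasswordProvider is a simplified stand-in, not Spring's own provider.
public class ProviderDelegationDemo {

    record SimplePasswordProvider(UserDetailsService users, PasswordEncoder encoder)
            implements AuthenticationProvider {

        // The manager only calls authenticate() on providers that support the token type.
        @Override public boolean supports(Class<?> tokenType) {
            return UsernamePasswordAuthenticationToken.class.isAssignableFrom(tokenType);
        }

        @Override public Authentication authenticate(Authentication token) {
            try {
                UserDetails user = users.loadUserByUsername(token.getName());
                String presented = String.valueOf(token.getCredentials());
                if (encoder.matches(presented, user.getPassword())) {
                    // The three-argument constructor yields an authenticated token.
                    return new UsernamePasswordAuthenticationToken(user, null, user.getAuthorities());
                }
            } catch (UsernameNotFoundException e) {
                // Fall through so unknown user and wrong password fail identically.
            }
            throw new BadCredentialsException("Bad credentials");
        }
    }

    public static void main(String[] args) {
        PasswordEncoder encoder = new BCryptPasswordEncoder();
        // Constructed sample user, not from the original post.
        UserDetailsService users = new InMemoryUserDetailsManager(
            User.withUsername("alice").password(encoder.encode("s3cret")).roles("USER").build());
        AuthenticationManager manager =
            new ProviderManager(List.of(new SimplePasswordProvider(users, encoder)));
        Authentication ok = manager.authenticate(new UsernamePasswordAuthenticationToken("alice", "s3cret"));
        System.out.println("valid password authenticated: " + ok.isAuthenticated());
        try {
            manager.authenticate(new UsernamePasswordAuthenticationToken("alice", "wrong"));
        } catch (AuthenticationException e) {
            System.out.println("wrong password rejected: " + e.getClass().getSimpleName());
        }
    }
}
```

The question's login method receives the same AuthenticationException on failure, which is why its catch block is the place to log or count failed attempts.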
