Now let’s explore the situation where you are using Spring Security in a web application (without web.xml
security enabled). How is a user authenticated and the security context established?
Consider a typical web application’s authentication process:
- You visit the home page, and click on a link.
- A request goes to the server, and the server decides that you’ve asked for a protected resource.
- As you’re not presently authenticated, the server sends back a response indicating that you must authenticate. The response will either be an HTTP response code, or a redirect to a particular web page.
- Depending on the authentication mechanism, your browser will either redirect to the specific web page so that you can fill out the form, or the browser will somehow retrieve your identity (via a BASIC authentication dialogue box, a cookie, a X.509 certificate etc.).
- The browser will send back a response to the server. This will either be an HTTP POST containing the contents of the form that you filled out, or an HTTP header containing your authentication details.
- Next the server will decide whether or not the presented credentials are valid. If they’re valid, the next step will happen. If they’re invalid, usually your browser will be asked to try again (so you return to step two above).
- The original request that you made to cause the authentication process will be retried. Hopefully you’ve authenticated with sufficient granted authorities to access the protected resource. If you have sufficient access, the request will be successful. Otherwise, you’ll receive back an HTTP error code 403, which means "forbidden".
Spring Security has distinct classes responsible for most of the steps described above. The main participants (in the order that they are used) are the ExceptionTranslationFilter, an AuthenticationEntryPoint and an "authentication mechanism", which is responsible for calling the AuthenticationManager which we saw in the previous section.
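As an added example (not code from the original text), here is how those three participants are wired together in a Spring Security 6 Java configuration; the paths `/login`, `/api/**` and `/admin/**` and the `ADMIN` role are assumptions chosen for illustration:

```java
// Added example: wiring the participants named above. Paths and the ADMIN role are assumptions.
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.http.HttpStatus;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.web.SecurityFilterChain;
import org.springframework.security.web.authentication.HttpStatusEntryPoint;
import org.springframework.security.web.util.matcher.AntPathRequestMatcher;

@Configuration
public class WebSecurityConfig {

    @Bean
    SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
        http
            // The server decides which resources are protected (second bullet above).
            .authorizeHttpRequests(auth -> auth
                .requestMatchers("/", "/login", "/css/**").permitAll()
                .requestMatchers("/admin/**").hasRole("ADMIN")
                .anyRequest().authenticated())
            // The "authentication mechanism": formLogin() installs
            // UsernamePasswordAuthenticationFilter, which reads the POSTed form
            // and hands the credentials to the AuthenticationManager. It also
            // registers LoginUrlAuthenticationEntryPoint, so unauthenticated
            // browser requests are redirected to /login.
            .formLogin(form -> form
                .loginPage("/login")
                .permitAll())
            // ExceptionTranslationFilter passes an AuthenticationException to the
            // AuthenticationEntryPoint. For /api/** clients a redirect to an HTML
            // form is useless, so those requests get a bare HTTP 401 instead.
            // An AccessDeniedException from an authenticated but under-privileged
            // user is turned into HTTP 403 by the same filter without any
            // extra configuration.
            .exceptionHandling(ex -> ex
                .defaultAuthenticationEntryPointFor(
                    new HttpStatusEntryPoint(HttpStatus.UNAUTHORIZED),
                    new AntPathRequestMatcher("/api/**")));
        return http.build();
    }
}
```

After a successful login the saved original request is replayed, which is the retry described in the last bullet; the 403 outcome never reaches the entry point because the user is already authenticated.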