
Reading the Spring Security 4 Source to Understand Its Authorization Mechanism

Published: 2016-11-15 17:00:37

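We know that Spring Security obtains a user's roles and authorities when the user logs in; an ordinary user may not have the authorities an administrator has. After login, the Authentication holds the user's authorities. Each user who logs in to the system gets their own Authentication.

So where is this Authentication stored? On the server? If 1,000,000 users are logged in at the same time, how does the system tell which Authentication belongs to which user?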

A test: log in with two accounts in two different browsers, one Firefox and one Chrome. The console printed the result for each of them.

========================== The two roles do not interfere with each other.

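When other endpoints are called and use AuthUtil to get the authorities, no new authorization takes place.

Could it be stored in a client-side cookie?

Next, a test with one browser and two windows open, logged in with two different accounts: the result is different roles and different authorities.

OK, let's start reading the source.

First, my custom authorization interface.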

The top-level type: AbstractAuthenticationToken

Click into it.

AbstractAuthenticationToken is an abstract class that implements two interfaces: Authentication and CredentialsContainer.

Click into the CredentialsContainer interface.

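It implements the Serializable interface: a serializable object.

OK, I still don't understand it, so let's look at another way of getting the authorities, one that does not use AuthUtil.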

Look at the SecurityContextHolder source.

There is a static method, initialize();

Look at this method.

Each thread can change its own copy independently, without conflicting with the copies of other threads.

Continue reading further down.

It jumps here.

A ThreadLocal is declared.

What it stores is an object.

This is where the authorities are stored.

================================

The key is this set method; let's see what calls it.

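Look at the parent class AbstractSecurityInterceptor, the abstract security interceptor; this is probably not the point where it gets stored.

The second:

DelegatingSecurityContextCallable, a callable that delegates the security context; that doesn't look like it either.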

The third:

Google Translate renders it as "digest authorization filter"; this is probably not the point where it gets stored.

The fourth:

The security context persistence filter.

Seeing "persistence", I quickly clicked in.

Continue to the fifth:

An abstract security **; even less likely to be this one.

The sixth:

Context process **. Damn, still not it.

The seventh:

The delegating security context interface.

Finally found it. OK, this is the final set method.

Let's look at its source.

==============================================================================================================

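Now I roughly understand the principle:

1. The username and password are verified.

2. Once authorization passes, the result is placed in a ThreadLocal.

What still puzzles me: when a user calls some method, the get method, how does it determine that this is that particular user?

Multiple users call this same piece of server code and get different roles. How is that done?!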

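ThreadLocal plays an important role in Spring. It appears in the management of request-scoped beans, transaction management, task scheduling, AOP and other modules, and it is pivotal in all of them. To understand the underlying technology of Spring transaction management, ThreadLocal is a stronghold that must be conquered.

What is ThreadLocal

java.lang.ThreadLocal has been provided since JDK 1.2. ThreadLocal offers a new approach to the concurrency problems of multithreaded programs. With this utility class, elegant multithreaded programs can be written very concisely.

The name ThreadLocal easily misleads people into assuming it is a "local thread". In fact, ThreadLocal is not a Thread but a thread-local variable; naming it ThreadLocalVariable might have made it easier to understand.

When a variable is maintained with ThreadLocal, ThreadLocal gives every thread that uses the variable its own independent copy, so each thread can change its own copy independently without affecting the copies that belong to other threads.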
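The question raised above (how many users calling the same server code each get their own roles) can be reproduced without Spring. The following is an added example, not code from the original post or from Spring Security: `HOLDER`, `SESSIONS` and `handle` are hypothetical stand-ins for the thread-local holder, the server-side session store keyed by the browser's session cookie, and the persistence filter, which binds the context to the request thread and clears it when the request ends.

```java
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;
import java.util.concurrent.ExecutorService;
import java.util.concurrent.Executors;

public class ThreadLocalContextDemo {
    // Simplified stand-in for the thread-local strategy behind SecurityContextHolder.
    static final ThreadLocal<String> HOLDER = new ThreadLocal<>();

    // Constructed sample data: session id (sent by the browser as a cookie) -> roles.
    static final Map<String, String> SESSIONS = new ConcurrentHashMap<>(Map.of(
            "sess-firefox", "ROLE_USER",
            "sess-chrome", "ROLE_ADMIN"));

    // What application code sees when it asks the holder for the current roles.
    static String currentRoles() {
        String roles = HOLDER.get();
        return roles == null ? "anonymous" : roles;
    }

    // Models the persistence filter: load by session id, bind to this thread, always clear.
    static String handle(String sessionId) {
        try {
            String roles = sessionId == null ? null : SESSIONS.get(sessionId);
            if (roles != null) {
                HOLDER.set(roles);
            }
            return Thread.currentThread().getName() + " -> " + currentRoles();
        } finally {
            HOLDER.remove(); // otherwise a pooled thread keeps the previous user's roles
        }
    }

    public static void main(String[] args) throws Exception {
        // One worker thread, so every request reuses it, as in a busy servlet container.
        ExecutorService pool = Executors.newFixedThreadPool(1);
        for (String sid : new String[] {"sess-firefox", "sess-chrome", null}) {
            System.out.println(pool.submit(() -> handle(sid)).get());
        }
        pool.shutdown();
    }
}
```

With the `remove()` call deleted, the third request, which carries no session, reports ROLE_ADMIN left over from the previous request on the reused thread.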

====================================================== There is too much source code. Some people say reading source code is a pleasure; very few, I suppose.
