Basic Authentication
This section provides details on how Spring Security provides support for Basic HTTP Authentication for servlet-based applications.
This section describes how HTTP Basic Authentication works within Spring Security. First, we see the WWW-Authenticate header being sent back to an unauthenticated client:

The preceding figure builds off our SecurityFilterChain diagram.
First, a user makes an unauthenticated request to the resource /private, for which it is not authorized.
Spring Security's AuthorizationFilter indicates that the unauthenticated request is Denied by throwing an AccessDeniedException.
Since the user is not authenticated, ExceptionTranslationFilter initiates Start Authentication. The configured AuthenticationEntryPoint is an instance of {security-api-url}org/springframework/security/web/authentication/www/BasicAuthenticationEntryPoint.html[BasicAuthenticationEntryPoint], which sends a WWW-Authenticate header. The RequestCache is typically a NullRequestCache that does not save the request, since the client is capable of replaying the request it originally made.
When a client receives the WWW-Authenticate header, it knows it should retry with a username and password. The following image shows the flow for the username and password being processed:

The preceding figure builds off our SecurityFilterChain diagram.
When the user submits their username and password, the BasicAuthenticationFilter creates a UsernamePasswordAuthenticationToken, which is a type of Authentication, by extracting the username and password from the HttpServletRequest.
Next, the UsernamePasswordAuthenticationToken is passed into the AuthenticationManager to be authenticated. The details of what the AuthenticationManager looks like depend on how the user information is stored.
If authentication fails, then Failure:
- The SecurityContextHolder is cleared out.
- RememberMeServices.loginFail is invoked. If remember me is not configured, this is a no-op. See the {security-api-url}org/springframework/security/web/authentication/RememberMeServices.html[RememberMeServices] interface in the Javadoc.
- AuthenticationEntryPoint is invoked to trigger the WWW-Authenticate header to be sent again. See the {security-api-url}org/springframework/security/web/AuthenticationEntryPoint.html[AuthenticationEntryPoint] interface in the Javadoc.
If authentication is successful, then Success:
- The Authentication is set on the SecurityContextHolder.
- RememberMeServices.loginSuccess is invoked. If remember me is not configured, this is a no-op. See the {security-api-url}org/springframework/security/web/authentication/RememberMeServices.html[RememberMeServices] interface in the Javadoc.
- The BasicAuthenticationFilter invokes FilterChain.doFilter(request, response) to continue with the rest of the application logic. See the {security-api-url}org/springframework/security/web/authentication/www/BasicAuthenticationFilter.html[BasicAuthenticationFilter] class in the Javadoc.
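The challenge and retry exchange described above, modelled as an added example that is not Spring Security code: the Basic header is parsed the way BasicAuthenticationFilter extracts it from the request, a constructed in-memory user store stands in for the AuthenticationManager, and a failed or missing credential leads back to the entry point's 401 challenge while a successful one continues down the chain. The user "user"/"password" and the realm name are constructed sample values.

```python
import base64
import hmac

# Constructed credential store standing in for the AuthenticationManager's user details.
USERS = {"user": "password"}
REALM = "Realm"  # constructed realm name for the challenge


def entry_point():
    """Models BasicAuthenticationEntryPoint: a 401 carrying the WWW-Authenticate challenge."""
    return 401, {"WWW-Authenticate": f'Basic realm="{REALM}"'}, None


def extract_credentials(headers):
    """Models what BasicAuthenticationFilter pulls out of the HttpServletRequest.
    Returns (username, password), or None when no usable Basic header is present."""
    value = headers.get("Authorization", "")
    scheme, _, token = value.partition(" ")
    if scheme.lower() != "basic" or not token:
        return None
    try:
        decoded = base64.b64decode(token.strip(), validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return None  # malformed token: treat as unauthenticated rather than erroring
    if ":" not in decoded:
        return None
    username, password = decoded.split(":", 1)  # password may itself contain ':'
    return username, password


def authenticate(username, password):
    """Models the AuthenticationManager: constant-time comparison against the store."""
    expected = USERS.get(username)
    return expected is not None and hmac.compare_digest(expected.encode(), password.encode())


def handle(headers):
    """Runs one request to /private through the modelled chain; returns (status, headers, principal)."""
    context = None  # the SecurityContextHolder for this request
    creds = extract_credentials(headers)
    if creds is not None:
        if authenticate(*creds):
            context = creds[0]  # Success: Authentication is set on the holder
        else:
            return entry_point()  # Failure: holder stays cleared, entry point re-challenges
    if context is None:
        return entry_point()  # AuthorizationFilter denies -> ExceptionTranslationFilter -> entry point
    return 200, {}, context  # FilterChain.doFilter continues to the application


def basic_header(username, password):
    """What the client sends on its retry after seeing WWW-Authenticate."""
    token = base64.b64encode(f"{username}:{password}".encode()).decode()
    return {"Authorization": f"Basic {token}"}
```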
By default, Spring Security's HTTP Basic Authentication support is enabled. However, as soon as any servlet-based configuration is provided, HTTP Basic must be explicitly provided.
The following example shows a minimal, explicit configuration:
Java
import static org.springframework.security.config.Customizer.withDefaults;

@Bean
public SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
    http
        // ...
        .httpBasic(withDefaults());
    return http.build();
}
XML
<http>
    <!-- ... -->
    <http-basic />
</http>
Kotlin
@Bean
open fun filterChain(http: HttpSecurity): SecurityFilterChain {
    http {
        // ...
        httpBasic { }
    }
    return http.build()
}