上图展示的Spring Security核心处理流程。当一个用户登录时,会先进行身份认证,如果身份认证未通过会要求用户重新认证,当用户身份证通过后就会调用角色管理器判断他是否可以访问,这里,如果要实现数据库管理用户及权限,就需要自定义用户登录功能,Spring Security已经提供好了一个接口UserDetailsService。
package org.springframework.security.core.userdetails; public interface UserDetailsService { /** * Locates the user based on the username. In the actual implementation, the search * may possibly be case sensitive, or case insensitive depending on how the * implementation instance is configured. In this case, the <code>UserDetails</code> * object that comes back may have a username that is of a different case than what * was actually requested.. * * @param username the username identifying the user whose data is required. * * @return a fully populated user record (never <code>null</code>) * * @throws UsernameNotFoundException if the user could not be found or the user has no * GrantedAuthority */ UserDetails loadUserByUsername(String username) throws UsernameNotFoundException; } UserDetailService该接口只有一个方法,通过方法名可以看出方法是通过用户名来获取用户信息的,但返回结果是UserDetails对象,UserDetails也是一个接口,接口中任何一个方法返回false用户的凭证就会被视为无效。
package org.springframework.security.core.userdetails; import org.springframework.security.core.Authentication; import org.springframework.security.core.GrantedAuthority; import java.io.Serializable; import java.util.Collection; /** * Provides core user information. * * <p> * Implementations are not used directly by Spring Security for security purposes. They * simply store user information which is later encapsulated into {@link Authentication} * objects. This allows non-security related user information (such as email addresses, * telephone numbers etc) to be stored in a convenient location. * <p> * Concrete implementations must take particular care to ensure the non-null contract * detailed for each method is enforced. See * {@link org.springframework.security.core.userdetails.User} for a reference * implementation (which you might like to extend or use in your code). * * @see UserDetailsService * @see UserCache * * @author Ben Alex */ public interface UserDetails extends Serializable { // ~ Methods // ======================================================================================================== /** * Returns the authorities granted to the user. Cannot return <code>null</code>. * * @return the authorities, sorted by natural key (never <code>null</code>) */ Collection<? extends GrantedAuthority> getAuthorities(); //权限集合 /** * Returns the password used to authenticate the user. * * @return the password */ String getPassword(); //密码 /** * Returns the username used to authenticate the user. Cannot return <code>null</code>. * * @return the username (never <code>null</code>) */ String getUsername(); //用户名 /** * Indicates whether the user\'s account has expired. An expired account cannot be * authenticated. * * @return <code>true</code> if the user\'s account is valid (ie non-expired), * <code>false</code> if no longer valid (ie expired) */ boolean isAccountNonExpired(); //账户是否过期 /** * Indicates whether the user is locked or unlocked. A locked user cannot be * authenticated. * * @return <code>true</code> if the user is not locked, <code>false</code> otherwise */ boolean isAccountNonLocked(); //账户是否被锁定 /** * Indicates whether the user\'s credentials (password) has expired. Expired * credentials prevent authentication. * * @return <code>true</code> if the user\'s credentials are valid (ie non-expired), * <code>false</code> if no longer valid (ie expired) */ boolean isCredentialsNonExpired(); //证书是否过期 /** * Indicates whether the user is enabled or disabled. A disabled user cannot be * authenticated. * * @return <code>true</code> if the user is enabled, <code>false</code> otherwise */ boolean isEnabled(); //账户是否有效 }