Spring-security-oauth2 version: 2.3.5.RELEASE
Spring-security version: 5.1.4.RELEASE
How the password submitted by a logging-in user is compared with the corresponding password stored in the database
List-1

    public class DaoAuthenticationProvider extends AbstractUserDetailsAuthenticationProvider {
        private static final String USER_NOT_FOUND_PASSWORD = "userNotFoundPassword";
        private PasswordEncoder passwordEncoder;
        private volatile String userNotFoundEncodedPassword;
        private UserDetailsService userDetailsService;
        private UserDetailsPasswordService userDetailsPasswordService;

        public DaoAuthenticationProvider() {
            // Default encoder: a DelegatingPasswordEncoder, which expects stored values of the form {id}hash
            this.setPasswordEncoder(PasswordEncoderFactories.createDelegatingPasswordEncoder());
        }

        protected void additionalAuthenticationChecks(UserDetails userDetails, UsernamePasswordAuthenticationToken authentication) throws AuthenticationException {
            if (authentication.getCredentials() == null) {
                this.logger.debug("Authentication failed: no credentials provided");
                throw new BadCredentialsException(this.messages.getMessage("AbstractUserDetailsAuthenticationProvider.badCredentials", "Bad credentials"));
            } else {
                String presentedPassword = authentication.getCredentials().toString();
                // The submitted password is checked against the stored (encoded) one through the PasswordEncoder
                if (!this.passwordEncoder.matches(presentedPassword, userDetails.getPassword())) {
                    this.logger.debug("Authentication failed: password does not match stored value");
                    throw new BadCredentialsException(this.messages.getMessage("AbstractUserDetailsAuthenticationProvider.badCredentials", "Bad credentials"));
                }
            }
        }

        // remaining methods of the class (retrieveUser, createSuccessAuthentication, setters) omitted here
    }
As shown in List-1, the key line is "if (!this.passwordEncoder.matches(presentedPassword, userDetails.getPassword())) {". Here presentedPassword is the password submitted by the client and userDetails.getPassword() is the password loaded from the database; the two are compared through passwordEncoder.matches, and if they do not match the password is wrong.
Now look at the authenticate method of the parent class AbstractUserDetailsAuthenticationProvider, shown in List-2. Note the line "this.additionalAuthenticationChecks(user, (UsernamePasswordAuthenticationToken)authentication);" in List-2: it calls the additionalAuthenticationChecks method of DaoAuthenticationProvider shown above in List-1.
List-2

    // AbstractUserDetailsAuthenticationProvider (excerpt: the authenticate method only)
    public Authentication authenticate(Authentication authentication) throws AuthenticationException {
        Assert.isInstanceOf(UsernamePasswordAuthenticationToken.class, authentication, () -> {
            return this.messages.getMessage("AbstractUserDetailsAuthenticationProvider.onlySupports", "Only UsernamePasswordAuthenticationToken is supported");
        });
        String username = authentication.getPrincipal() == null ? "NONE_PROVIDED" : authentication.getName();
        boolean cacheWasUsed = true;
        UserDetails user = this.userCache.getUserFromCache(username);
        if (user == null) {
            cacheWasUsed = false;

            try {
                // Loads the UserDetails (DaoAuthenticationProvider delegates to its UserDetailsService)
                user = this.retrieveUser(username, (UsernamePasswordAuthenticationToken)authentication);
            } catch (UsernameNotFoundException var6) {
                this.logger.debug("User '" + username + "' not found");
                // By default an unknown user is reported as "Bad credentials", the same as a wrong password
                if (this.hideUserNotFoundExceptions) {
                    throw new BadCredentialsException(this.messages.getMessage("AbstractUserDetailsAuthenticationProvider.badCredentials", "Bad credentials"));
                }

                throw var6;
            }

            Assert.notNull(user, "retrieveUser returned null - a violation of the interface contract");
        }

        try {
            this.preAuthenticationChecks.check(user);
            // Password comparison: DaoAuthenticationProvider.additionalAuthenticationChecks (List-1)
            this.additionalAuthenticationChecks(user, (UsernamePasswordAuthenticationToken)authentication);
        } catch (AuthenticationException var7) {
            if (!cacheWasUsed) {
                throw var7;
            }

            // The cached entry may be stale: reload the user once and retry the checks
            cacheWasUsed = false;
            user = this.retrieveUser(username, (UsernamePasswordAuthenticationToken)authentication);
            this.preAuthenticationChecks.check(user);
            this.additionalAuthenticationChecks(user, (UsernamePasswordAuthenticationToken)authentication);
        }

        this.postAuthenticationChecks.check(user);
        if (!cacheWasUsed) {
            this.userCache.putUserInCache(user);
        }

        Object principalToReturn = user;
        if (this.forcePrincipalAsString) {
            principalToReturn = user.getUsername();
        }

        return this.createSuccessAuthentication(principalToReturn, authentication, user);
    }
The line "return this.createSuccessAuthentication(principalToReturn, authentication, user);" in List-2 calls the createSuccessAuthentication method of DaoAuthenticationProvider.
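The following is an added example (not code from the post or from Spring Security itself) that drives the List-1 and List-2 flow directly: it encodes a password with the same DelegatingPasswordEncoder the List-1 constructor installs, runs the matches() check, and then authenticates through a DaoAuthenticationProvider to show the success, wrong-password and unknown-user outcomes. It assumes spring-security-core and spring-security-crypto 5.1.4.RELEASE (the version named at the top of the post) on the classpath; the class name, the user "alice", the password "s3cret" and the unprefixed hash string are constructed for the demo.

```java
import org.springframework.security.authentication.BadCredentialsException;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.authentication.dao.DaoAuthenticationProvider;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.userdetails.User;
import org.springframework.security.crypto.factory.PasswordEncoderFactories;
import org.springframework.security.crypto.password.PasswordEncoder;
import org.springframework.security.provisioning.InMemoryUserDetailsManager;

public class DaoProviderDemo {
    public static void main(String[] args) {
        // Same encoder the List-1 constructor installs; stored values carry an {id} prefix
        PasswordEncoder encoder = PasswordEncoderFactories.createDelegatingPasswordEncoder();
        String stored = encoder.encode("s3cret"); // constructed sample user password
        System.out.println("stored: " + stored);

        // The comparison List-1 performs: encoder.matches(), never String.equals()
        System.out.println("correct password: " + encoder.matches("s3cret", stored));
        System.out.println("wrong password:   " + encoder.matches("S3CRET", stored));

        // A stored value without an {id} prefix cannot be verified by the delegating encoder
        try {
            encoder.matches("s3cret", "$2a$10$hashWithoutIdPrefix"); // constructed, not a real hash
        } catch (IllegalArgumentException e) {
            System.out.println("unprefixed hash rejected: " + e.getMessage());
        }

        // Wire the provider to a UserDetailsService, as a security configuration would
        DaoAuthenticationProvider provider = new DaoAuthenticationProvider();
        provider.setUserDetailsService(new InMemoryUserDetailsManager(
                User.withUsername("alice").password(stored).roles("USER").build()));

        attempt(provider, "alice", "s3cret"); // passes the List-1 check
        attempt(provider, "alice", "wrong");  // fails the List-1 check
        attempt(provider, "bob", "s3cret");   // unknown user, hidden by hideUserNotFoundExceptions
    }

    // Runs the List-2 authenticate() flow for one username/password pair
    private static void attempt(DaoAuthenticationProvider provider, String user, String password) {
        try {
            Authentication result = provider.authenticate(
                    new UsernamePasswordAuthenticationToken(user, password));
            System.out.println(user + ": authenticated=" + result.isAuthenticated()
                    + " authorities=" + result.getAuthorities());
        } catch (BadCredentialsException e) {
            System.out.println(user + ": " + e.getClass().getSimpleName() + ": " + e.getMessage());
        }
    }
}
```

Both the wrong-password and the unknown-user attempts surface as BadCredentialsException, which is the effect of the hideUserNotFoundExceptions branch in List-2.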
Reference
- Spring-security-oauth2 source code