SpringSecurity Source Code Analysis - UsernamePassw


Author: 圆滚滚_8e70 | Published 2018-12-04 23:03 | Read 0 times

    package org.springframework.security.web.authentication

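    Class diagram: overall structure

    UsernamePasswordAuthenticationFilter class diagram

    Structure notes

    As the class diagram shows, UsernamePasswordAuthenticationFilter extends AbstractAuthenticationProcessingFilter.

    For a detailed walkthrough of AbstractAuthenticationProcessingFilter, see the article "Source Code Analysis - AbstractAuthenticationProcessingFilter".

    Notes

    Judging from the class structure, UsernamePasswordAuthenticationFilter appears to supplement and implement AbstractAuthenticationProcessingFilter.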

    Constructor

    1.public UsernamePasswordAuthenticationFilter()
    The constructor is implemented as follows:

    public UsernamePasswordAuthenticationFilter() {
        // Calls the parent constructor; by default the filter matches /login with the POST method.
        super(new AntPathRequestMatcher("/login", "POST"));
    }
    

    Instance methods

    1.public Authentication attemptAuthentication(HttpServletRequest,HttpServletResponse)

    • Description
      Attempts authentication. This is the core method of UsernamePasswordAuthenticationFilter;
      it overrides the method in AbstractAuthenticationProcessingFilter.
    • Parameters
      HttpServletRequest
      HttpServletResponse
    • Return value
      Authentication
    • Exceptions thrown
      AuthenticationServiceException
    • Source code
    public Authentication attemptAuthentication(HttpServletRequest request,
            HttpServletResponse response) throws AuthenticationException {
        // If postOnly is true and the request method is not "POST", throw an authentication exception.
        if (postOnly && !request.getMethod().equals("POST")) {
            throw new AuthenticationServiceException(
                    "Authentication method not supported: " + request.getMethod());
        }
        // Read the username and password from the request
        String username = obtainUsername(request);
        String password = obtainPassword(request);
        // If the username is null, default to an empty string
        if (username == null) {
            username = "";
        }
        // If the password is null, default to an empty string
        if (password == null) {
            password = "";
        }
        // Trim leading and trailing whitespace from the username (the password is left untouched)
        username = username.trim();
        // Build a username/password authentication token from the two values
        UsernamePasswordAuthenticationToken authRequest = new UsernamePasswordAuthenticationToken(
                username, password);
        // Set the authentication details
        // Allow subclasses to set the "details" property
        setDetails(request, authRequest);
        // Get the authentication manager, authenticate, and return the result
        return this.getAuthenticationManager().authenticate(authRequest);
    }
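
Added example, not part of the original article or of Spring Security: the postOnly check above looks only at the HTTP method, while request.getParameter also returns values taken from the URL query string, so a POST can still carry credentials in the URL, where access logs and proxies commonly record them. The hypothetical subclass BodyOnlyLoginFilter rejects such requests before delegating to the method shown above; it assumes Spring Security 5.x on the javax.servlet API.

```java
import java.io.UnsupportedEncodingException;
import java.net.URLDecoder;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.springframework.security.authentication.AuthenticationServiceException;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.AuthenticationException;
import org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter;

// Hypothetical subclass (added example). As with the stock filter,
// setAuthenticationManager(...) must be called before it is put in the chain.
public class BodyOnlyLoginFilter extends UsernamePasswordAuthenticationFilter {

    @Override
    public Authentication attemptAuthentication(HttpServletRequest request,
            HttpServletResponse response) throws AuthenticationException {
        String query = request.getQueryString();
        // Refuse the attempt if either credential parameter appears in the URL.
        if (queryHasParam(query, getUsernameParameter())
                || queryHasParam(query, getPasswordParameter())) {
            throw new AuthenticationServiceException(
                    "Credentials must be sent in the request body");
        }
        // Method check, trimming and token creation stay in the parent class.
        return super.attemptAuthentication(request, response);
    }

    // True if the raw query string contains a parameter whose decoded name equals 'name'.
    static boolean queryHasParam(String query, String name) {
        if (query == null) {
            return false;
        }
        for (String pair : query.split("&")) {
            String rawName = pair.split("=", 2)[0];
            try {
                if (name.equals(URLDecoder.decode(rawName, "UTF-8"))) {
                    return true;
                }
            } catch (IllegalArgumentException | UnsupportedEncodingException e) {
                return true; // undecodable parameter name: fail closed
            }
        }
        return false;
    }
}
```

The exception is an AuthenticationException, so the parent filter handles it as a failed authentication in the same way as the non-POST case.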
    

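    Overall flow diagram


    Flow diagram of the authentication attempt

    2.protected String obtainPassword(HttpServletRequest)

    • Description
      Reads the password entered by the user, using passwordParameter as the parameter name
    • Parameters
      HttpServletRequest: the HTTP request
    • Return value
      String: the password that was read
    • Source code
    protected String obtainPassword(HttpServletRequest request) {
        // Read the password the user submitted from the request parameter named by passwordParameter (default "password")
        return request.getParameter(passwordParameter);
    }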
    

    3.protected String obtainUsername(HttpServletRequest)

    • Description
      Reads the username entered by the user, using usernameParameter as the parameter name
    • Parameters
      HttpServletRequest: the HTTP request
    • Return value
      String: the username that was read
    • Source code
    protected String obtainUsername(HttpServletRequest request) {
        // Read the username the user submitted from the request
        return request.getParameter(usernameParameter);
    }
    

    4.protected void setDetails(HttpServletRequest,UsernamePasswordAuthenticationToken)

    • Description
      Populates the authentication details
    • Parameters
      HttpServletRequest: the HTTP request
      UsernamePasswordAuthenticationToken: the authentication request
    • Return value
      none (void)
    • Source code
    /**
     * Provided so that subclasses may configure what is put into the authentication
     * request's details property.
     *
     * @param request that an authentication request is being created for
     * @param authRequest the authentication request object that should have its details
     * set
     */
    protected void setDetails(HttpServletRequest request,
            UsernamePasswordAuthenticationToken authRequest) {
        // Populate the details of authRequest (the authentication request); by default this is a
        // WebAuthenticationDetails, which carries the remote IP address and the session ID
        authRequest.setDetails(authenticationDetailsSource.buildDetails(request));
    }
    

    5.public void setUsernameParameter(String)

    • Description
      Sets the usernameParameter property, which names the request parameter the username is read from
    • Parameters
      String: the new usernameParameter
    • Return value
      none (void)
    • Source code
    /**
     * Sets the parameter name which will be used to obtain the username from the login
     * request.
     *
     * @param usernameParameter the parameter name. Defaults to "username".
     */
    public void setUsernameParameter(String usernameParameter) {
        Assert.hasText(usernameParameter, "Username parameter must not be empty or null");
        this.usernameParameter = usernameParameter;
    }
    

    6.public void setPasswordParameter(String)

    • Description
      Sets the passwordParameter property, which names the request parameter the password is read from
    • Parameters
      String: the new passwordParameter
    • Return value
      none (void)
    • Source code
    /**
     * Sets the parameter name which will be used to obtain the password from the login
     * request.
     *
     * @param passwordParameter the parameter name. Defaults to "password".
     */
    public void setPasswordParameter(String passwordParameter) {
        Assert.hasText(passwordParameter, "Password parameter must not be empty or null");
        this.passwordParameter = passwordParameter;
    }
    

    7.public void setPostOnly(boolean)

    • Description
      Sets the postOnly property, which defaults to true. When it is true, only POST requests are accepted for authentication.
    • Parameters
      boolean: the new postOnly value
    • Return value
      none (void)
    • Source code
    /**
     * Defines whether only HTTP POST requests will be allowed by this filter. If set to
     * true, and an authentication request is received which is not a POST request, an
     * exception will be raised immediately and authentication will not be attempted. The
     * <tt>unsuccessfulAuthentication()</tt> method will be called as if handling a failed
     * authentication.
     * <p>
     * Defaults to <tt>true</tt> but may be overridden by subclasses.
     */
    public void setPostOnly(boolean postOnly) {
        this.postOnly = postOnly;
    }
    

    8.public final String getUsernameParameter()

    • Description
      Returns the value of usernameParameter
    • Parameters
      none
    • Return value
      String: the value of the usernameParameter property
    • Source code
    public final String getUsernameParameter() {
        return usernameParameter;
    }
    

    9.public final String getPasswordParameter()

    • Description
      Returns the value of passwordParameter
    • Parameters
      none
    • Return value
      String: the value of the passwordParameter property
    • Source code
    public final String getPasswordParameter() {
        return passwordParameter;
    }
    
