Spring Security3中的-authentication-manager標簽詳解

講解完http標簽的解析過程，authentication-manager標簽解析部分就很容易理解了 
authentication-manager標簽在spring的配置文件中的定義一般如下 

<authentication-manager alias="authenticationManager">  
    <authentication-provider user-service-ref="userDetailsManager"/>  
</authentication-manager>   

authentication-manager標簽的解析類是： 
org.springframework.security.config.authentication.AuthenticationManagerBeanDefinitionParser 
具體解析方法parse的代碼為 

public BeanDefinition parse(Element element, ParserContext pc) {  
        Assert.state(!pc.getRegistry().containsBeanDefinition(BeanIds.AUTHENTICATION_MANAGER),  
                "AuthenticationManager has already been registered!");  
        pc.pushContainingComponent(new CompositeComponentDefinition(element.getTagName(), pc.extractSource(element)));  
        //構造ProviderManager的BeanDefinition  
        BeanDefinitionBuilder providerManagerBldr = BeanDefinitionBuilder.rootBeanDefinition(ProviderManager.class);  
        //獲取alias屬性  
        String alias = element.getAttribute(ATT_ALIAS);  
        //檢查session-controller-ref屬性，提示通過標簽<concurrent-session-control>取代  
        checkForDeprecatedSessionControllerRef(element, pc);  
        List<BeanMetadataElement> providers = new ManagedList<BeanMetadataElement>();  
        NamespaceHandlerResolver resolver = pc.getReaderContext().getNamespaceHandlerResolver();  
        //獲取authentication-manager的子節點  
        NodeList children = element.getChildNodes();  
        //循環節點，一般子節點主要是authentication-provider或者  
         //ldap-authentication-provider  
        for (int i = 0; i < children.getLength(); i++) {  
            Node node = children.item(i);  
            if (node instanceof Element) {  
                Element providerElt = (Element)node;  
                //判斷子標簽是否有ref屬性，如果有，則直接將ref屬性  
                   //引用的bean id添加到providers集合中  
                if (StringUtils.hasText(providerElt.getAttribute(ATT_REF))) {  
                    providers.add(new RuntimeBeanReference(providerElt.getAttribute(ATT_REF)));  
                } else {  
                    //如果沒有ref屬性，則通過子標簽的解析類完成標簽解析  
                       //如子標簽：authentication-provider,解析過程在后面  
                    BeanDefinition provider = resolver.resolve(providerElt.getNamespaceURI()).parse(providerElt, pc);  
                    Assert.notNull(provider, "Parser for " + providerElt.getNodeName() + " returned a null bean definition");  
                    String id = pc.getReaderContext().generateBeanName(provider);  
                    //注冊provider的BeanDefinition  
                    pc.registerBeanComponent(new BeanComponentDefinition(provider, id));  
                    //添加注冊過的bean到provider集合中  
                    providers.add(new RuntimeBeanReference(id));  
                }  
            }  
        }  
  
        if (providers.isEmpty()) {  
            providers.add(new RootBeanDefinition(NullAuthenticationProvider.class));  
        }  
  
        providerManagerBldr.addPropertyValue("providers", providers);  
        //添加默認的事件發布類  
        BeanDefinition publisher = new RootBeanDefinition(DefaultAuthenticationEventPublisher.class);  
        String id = pc.getReaderContext().generateBeanName(publisher);  
        pc.registerBeanComponent(new BeanComponentDefinition(publisher, id));  
        //將事件發布類的bean注入到ProviderManager的  
         //authenticationEventPublisher屬性中  
        providerManagerBldr.addPropertyReference("authenticationEventPublisher", id);  
        //注冊ProviderManager的bean  
        pc.registerBeanComponent(  
                new BeanComponentDefinition(providerManagerBldr.getBeanDefinition(), BeanIds.AUTHENTICATION_MANAGER));  
  
        if (StringUtils.hasText(alias)) {  
            pc.getRegistry().registerAlias(BeanIds.AUTHENTICATION_MANAGER, alias);  
            pc.getReaderContext().fireAliasRegistered(BeanIds.AUTHENTICATION_MANAGER, alias, pc.extractSource(element));  
        }  
  
        pc.popAndRegisterContainingComponent();  
  
        return null;  
    }  

通過上面的代碼片段，能夠知道authentication-manager標簽解析的步驟是 

1.構造ProviderManager的BeanDefinition 

2.循環authentication-manager的子標簽，構造provider的BeanDefinition，並添加到providers集合中 

3.將第2步的providers設置為ProviderManager的providers屬性 

4.構造異常事件發布類DefaultAuthenticationEventPublisher的BeanDefinition，並設置為ProviderManager的屬性authenticationEventPublisher 

5.通過registerBeanComponent方法完成bean的注冊任務 


authentication-provider標簽的解析類為 
org.springframework.security.config.authentication.AuthenticationProviderBeanDefinitionParser 

public BeanDefinition parse(Element element, ParserContext parserContext) {  
    //首先構造DaoAuthenticationProvider的BeanDefinition  
    RootBeanDefinition authProvider = new RootBeanDefinition(DaoAuthenticationProvider.class);  
    authProvider.setSource(parserContext.extractSource(element));  
    //獲取password-encoder子標簽  
    Element passwordEncoderElt = DomUtils.getChildElementByTagName(element, Elements.PASSWORD_ENCODER);  
  
    if (passwordEncoderElt != null) {  
        //如果有password-encoder子標簽，把解析任務交給  
          //PasswordEncoderParser完成  
        PasswordEncoderParser pep = new PasswordEncoderParser(passwordEncoderElt, parserContext);  
        authProvider.getPropertyValues().addPropertyValue("passwordEncoder", pep.getPasswordEncoder());  
        //如果有salt-source標簽，將值注入到saltSource屬性中  
        if (pep.getSaltSource() != null) {  
            authProvider.getPropertyValues().addPropertyValue("saltSource", pep.getSaltSource());  
        }  
    }  
    //下面獲取子標簽user-service、jdbc-user-service、ldap-user-service  
    Element userServiceElt = DomUtils.getChildElementByTagName(element, Elements.USER_SERVICE);  
    Element jdbcUserServiceElt = DomUtils.getChildElementByTagName(element, Elements.JDBC_USER_SERVICE);  
    Element ldapUserServiceElt = DomUtils.getChildElementByTagName(element, Elements.LDAP_USER_SERVICE);  
  
    String ref = element.getAttribute(ATT_USER_DETAILS_REF);  
  
    if (StringUtils.hasText(ref)) {  
        if (userServiceElt != null || jdbcUserServiceElt != null || ldapUserServiceElt != null) {  
            parserContext.getReaderContext().error("The " + ATT_USER_DETAILS_REF + " attribute cannot be used in combination with child" +  
                    "elements '" + Elements.USER_SERVICE + "', '" + Elements.JDBC_USER_SERVICE + "' or '" +  
                    Elements.LDAP_USER_SERVICE + "'", element);  
        }  
    } else {  
        // Use the child elements to create the UserDetailsService  
        AbstractUserDetailsServiceBeanDefinitionParser parser = null;  
        Element elt = null;  
        //下面的if語句，主要是根據子標簽的不同，選擇子標簽對應的解析器處理  
        if (userServiceElt != null) {  
            elt = userServiceElt;  
            parser = new UserServiceBeanDefinitionParser();  
        } else if (jdbcUserServiceElt != null) {  
            elt = jdbcUserServiceElt;  
            parser = new JdbcUserServiceBeanDefinitionParser();  
        } else if (ldapUserServiceElt != null) {  
            elt = ldapUserServiceElt;  
            parser = new LdapUserServiceBeanDefinitionParser();  
        } else {  
            parserContext.getReaderContext().error("A user-service is required", element);  
        }  
  
        parser.parse(elt, parserContext);  
        ref = parser.getId();  
        String cacheRef = elt.getAttribute(AbstractUserDetailsServiceBeanDefinitionParser.CACHE_REF);  
  
        if (StringUtils.hasText(cacheRef)) {  
            authProvider.getPropertyValues().addPropertyValue("userCache", new RuntimeBeanReference(cacheRef));  
        }  
    }  
    //將解析后的bean id注入到userDetailsService屬性中  
    authProvider.getPropertyValues().addPropertyValue("userDetailsService", new RuntimeBeanReference(ref));  
    return authProvider;  
}  

如果學習過acegi的配置，應該知道，acegi有這么一段配置 

<bean id="authenticationManager" class="org.acegisecurity.providers.ProviderManager">  
   <property name="providers">  
      <list>  
         <ref local="daoAuthenticationProvider"/>  
        <ref local="anonymousAuthenticationProvider"/>  
      </list>  
   </property>  
</bean>  

實際上authentication-manager標簽所要達到的目標就是構造上面的bean。其中anonymousAuthenticationProvider是在http解析過程添加的。 

其實可以完全像acegi那樣自定義每個bean。 

<authentication-manager alias="authenticationManager">  
    <authentication-provider user-service-ref="userDetailsManager"/>  
</authentication-manager>  

上面的標簽如果用bean來定義，則可以完全由下面的xml來替代。 

<bean id="org.springframework.security.authenticationManager" class="org.springframework.security.authentication.ProviderManager">  
        <property name="authenticationEventPublisher" ref="defaultAuthenticationEventPublisher"></property>  
        <property name="providers">  
            <list>  
                <ref local="daoAuthenticationProvider"/>  
                <ref local="anonymousAuthenticationProvider"/>  
            </list>  
        </property>  
    </bean>  
      
    <bean id="defaultAuthenticationEventPublisher" class="org.springframework.security.authentication.DefaultAuthenticationEventPublisher"></bean>  
      
    <bean id="anonymousAuthenticationProvider" class="org.springframework.security.authentication.AnonymousAuthenticationProvider">  
        <property name="key"><value>work</value></property>  
    </bean>  
      
    <bean id="daoAuthenticationProvider" class="org.springframework.security.authentication.dao.DaoAuthenticationProvider">  
        <property name="userDetailsService" ref="userDetailsManager"></property>  
    </bean>  

需要注意的是anonymousAuthenticationProvider的bean中，需要增加key屬性。如果采用authentication-manager標簽的方式，key雖然沒有定義，在增加AnonymousAuthenticationFilter過濾器中，是通過java.security.SecureRandom.nextLong()來生成的。 

顯而易見，如果采用bean的方式來定義，非常復雜，而且需要了解底層的組裝過程才行，不過能夠提高更大的擴展性。采用authentication-manager標簽的方式，很簡潔，只需要提供UserDetailsService即可。