简单分析一下SpringAcegi的源代码实现： Servlet.Filter的实现AuthenticationProcessingFilter启动Web页面的验证过程–在AbstractProcessingFilter定义了整个验证过程的模板： Java代码 publicvoiddoFilter(ServletRequestrequest,ServletResponseresponse,FilterChainchain) throwsIOException,ServletException{ //这里检验是不是符合ServletRequest/SevletResponse的要求 if(!(requestinstanceofHttpServletRequest)){ thrownewServletException("CanonlyprocessHttpServletRequest"); } if(!(responseinstanceofHttpServletResponse)){ thrownewServletException("CanonlyprocessHttpServletResponse"); } HttpServletRequesthttpRequest=(HttpServletRequest)request; HttpServletResponsehttpResponse=(HttpServletResponse)response; //根据HttpServletRequest和HttpServletResponse来进行验证 if(requiresAuthentication(httpRequest,httpResponse)){ if(logger.isDebugEnabled()){ logger.debug("Requestistoprocessauthentication"); } //这里定义Acegi中的Authentication对象来持有相关的用户验证信息 AuthenticationauthResult; try{ onPreAuthentication(httpRequest,httpResponse); //这里的具体验证过程委托给子类完成，比如AuthenticationProcessingFilter来完成基于Web页面的用户验证 authResult=attemptAuthentication(httpRequest); }catch(AuthenticationExceptionfailed){ //Authenticationfailed unsuccessfulAuthentication(httpRequest,httpResponse,failed); return; } //Authenticationsuccess if(continueChainBeforeSuccessfulAuthentication){ chain.doFilter(request,response); } //完成验证后的后续工作，比如跳转到相应的页面 successfulAuthentication(httpRequest,httpResponse,authResult); return; } chain.doFilter(request,response); } 在AuthenticationProcessingFilter中的具体验证过程是这样的： Java代码 publicAuthenticationattemptAuthentication(HttpServletRequestrequest) throwsAuthenticationException{ //这里从HttpServletRequest中得到用户验证的用户名和密码 Stringusername=obtainUsername(request); Stringpassword=obtainPassword(request); if(username==null){ username=""; } if(password==null){ password=""; } //这里根据得到的用户名和密码去构造一个Authentication对象提供给AuthenticationManager进行验证，里面包含了用户的用户名和密码信息 UsernamePasswordAuthenticationTokenauthRequest=newUsernamePasswordAuthenticationToken(username,password); //Placethelastusernameattemptedinto