- 1Django框架介绍 day01
- 2C/C++ 常用加密与解密算法_c++加密算法
- 3史上最全从0到1搭建最新版本jenkins可持续集成,整合git和maven部署微服务自动构建发版,抓紧收藏起来吧!_jenkins 部署微服务
- 4Git 远程仓库详解 ,Git分支管理详解
- 5芯片大厂的2023:裁员、价格战、等待复苏......_芯片 裁员
- 6为什么大厂一边裁员,一边招人?
- 7虚拟机redis集群容器化部署(centos 7,NAT网络)_redis容器化部署
- 8vscode中git相应插件的使用(强化工作效率)_vscode git graph
- 9拼多多今年的校招薪资,普遍比较高。。。
- 10数据可视化高级技术Echarts(桑基图&入门)_echart多维桑基图
spring security-源码流程分析(五)-oauth默认请求地址(/oauth/token)是如何生效的?
赞
踩
spring security经常在项目中用到,但是平常只是简单的使用肯定是不够的,我们需要了解深层次的东西,才能在使用的过程中不畏惧,本次打算从demo入手,跟踪源码,剖析security内在
一、@FrameworkEndpoint注解的作用
1、在之前的文章中我们看到AuthorizationServerEndpointsConfiguration配置中配置了AuthorizationEndpoint和TokenEndpoint等,他们都是继承自AbstractEndpoint
2、AuthorizationServerEndpointsConfiguration中创建了FrameworkEndpointHandlerMapping
这个RequestMappingHandlerMapping大家应该比较熟悉了,是mvc中的加载handler的类
现在我们看下FrameworkEndpointHandlerMapping的isHandler方法
至此应该清楚了,就是类上注解@FrameworkEndpoint的存在,将各个AbstractEndpoint的方法加载到servlet中
二、oauth/token请求参数如何封装成了Principal
clent的认证我们上一篇文章中已经讲过了,现在我们继续剖析这个获取token的接口
首先我们倒推看下mvc中参数是如何解析并封装到方法中的
1、ServletRequestMethodArgumentResolver参数解析
@Nullable private Object resolveArgument(Class<?> paramType, HttpServletRequest request) throws IOException { if (HttpSession.class.isAssignableFrom(paramType)) { HttpSession session = request.getSession(); if (session != null && !paramType.isInstance(session)) { throw new IllegalStateException( "Current session is not of type [" + paramType.getName() + "]: " + session); } return session; } ... ... //从request中获取principal else if (Principal.class.isAssignableFrom(paramType)) { Principal userPrincipal = request.getUserPrincipal(); if (userPrincipal != null && !paramType.isInstance(userPrincipal)) { throw new IllegalStateException( "Current user principal is not of type [" + paramType.getName() + "]: " + userPrincipal); } return userPrincipal; } else if (HttpMethod.class == paramType) { return HttpMethod.resolve(request.getMethod()); } ... // Should never happen... throw new UnsupportedOperationException("Unknown parameter type: " + paramType.getName()); }
- 1
- 2
- 3
- 4
- 5
- 6
- 7
- 8
- 9
- 10
- 11
- 12
- 13
- 14
- 15
- 16
- 17
- 18
- 19
- 20
- 21
- 22
- 23
- 24
- 25
- 26
- 27
- 28
- 29
从request中获取principal,此时的request的是
2、SecurityContextHolderAwareRequestFilter过滤器创建流程见下图
3、SecurityContextHolderAwareRequestFilter执行流程
小结
由于Servlet3SecurityContextHolderAwareRequestWrapper继承自SecurityContextHolderAwareRequestWrapper
回到参数解析流程,调用了request的getUserPrincipal方法,看下SecurityContextHolderAwareRequestWrapper的getUserPrincipal方法
至此返回了认证对象Authentication
三、grant过程
@RequestMapping(value = "/oauth/token", method=RequestMethod.POST) public ResponseEntity<OAuth2AccessToken> postAccessToken(Principal principal, @RequestParam Map<String, String> parameters) throws HttpRequestMethodNotSupportedException { if (!(principal instanceof Authentication)) { throw new InsufficientAuthenticationException( "There is no client authentication. Try adding an appropriate authentication filter."); } String clientId = getClientId(principal); ClientDetails authenticatedClient = getClientDetailsService().loadClientByClientId(clientId); TokenRequest tokenRequest = getOAuth2RequestFactory().createTokenRequest(parameters, authenticatedClient); if (clientId != null && !clientId.equals("")) { if (!clientId.equals(tokenRequest.getClientId())) { throw new InvalidClientException("Given client ID does not match authenticated client"); } } ... ... //获取tokenGranter OAuth2AccessToken token = getTokenGranter().grant(tokenRequest.getGrantType(), tokenRequest); if (token == null) { throw new UnsupportedGrantTypeException("Unsupported grant type: " + tokenRequest.getGrantType()); } return getResponse(token); }
- 1
- 2
- 3
- 4
- 5
- 6
- 7
- 8
- 9
- 10
- 11
- 12
- 13
- 14
- 15
- 16
- 17
- 18
- 19
- 20
- 21
- 22
- 23
- 24
- 25
- 26
- 27
- 28
- 29
- 30
- 31
- 32
此时的tokenGranter是AuthorizationServerEndpointsConfigurer的tokenGranter创建的匿名对象
默认5种授权类型(授权码模式(authorization_code)、刷新令牌(refresh_token)、简化模式(implicit)、客户端模式(client credentials)、密码模式(password)
