SpringSecurity——OAuth2框架鉴权实现源码分析_spring security oauth2源码解析

一、ManagedFilter迭代过滤器链

ManagedFilter管理这六条过滤器链，如图所示：
其中的第五条过滤器链springSecurityFilterChain是本文要讨论的对象。

0.characterEncodingFilter
1.WebMvcMetricsFilter
2.formContentFilter
3.requestContextFilter
4.springSecurityFilterChain
5.corsFilter

ManagedFilter.class -> doFilter()

public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain) throws IOException, ServletException {
    if (this.servletContext.getDeployment().getDeploymentState() != State.STARTED) {
        throw UndertowServletMessages.MESSAGES.deploymentStopped(this.servletContext.getDeployment().getDeploymentInfo().getDeploymentName());
    } else {
        if (!this.started) {
            this.start();
        }

        this.getFilter().doFilter(request, response, chain);//迭代下一条过滤器链
    }
}
1
2
3
4
5
6
7
8
9
10
11

1.4 springSecurityFilterChain

在springSecurityFilterChain过滤器链中，首先初始化一个FilterChainProxy过滤器链代理对象，在这个过滤器链代理对象中有一个过滤器链集合，每一个过滤器链都有一组过滤器来处理不同的请求。
其中的第八条过滤器链OAuth2AuthenticationProcessingFilter是本文要讨论的对象，用于处理请求的鉴权。

FilterChainProxy.class --> doFilter()

public void doFilter(ServletRequest request, ServletResponse response) throws IOException, ServletException {
    if (this.currentPosition == this.size) {
        if (FilterChainProxy.logger.isDebugEnabled()) {
            FilterChainProxy.logger.debug(UrlUtils.buildRequestUrl(this.firewalledRequest) + " reached end of additional filter chain; proceeding with original chain");
        }

        this.firewalledRequest.reset();
        this.originalChain.doFilter(request, response);
    } else {
        ++this.currentPosition;
        Filter nextFilter = (Filter)this.additionalFilters.get(this.currentPosition - 1);//new了一个过滤器链代理对象
        if (FilterChainProxy.logger.isDebugEnabled()) {
            FilterChainProxy.logger.debug(UrlUtils.buildRequestUrl(this.firewalledRequest) + " at position " + this.currentPosition + " of " + this.size + " in additional filter chain; firing Filter: '" + nextFilter.getClass().getSimpleName() + "'");
        }

        nextFilter.doFilter(request, response, this);	//迭代过滤器
    }

}
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19

1.4.7 OAuth2AuthenticationProcessingFilter

OAuth2鉴权主要用到了OAuth2AuthenticationProcessingFilter过滤器。这个过滤器下涉及到的类有以下12个类，大致作用是从请求中提取authentication，从authentication中获取token，判断是否为空，是否有效，是否过期。具体主要包含1-66个步骤的跳转和调用，详见代码中的注释。

【1】OAuth2AuthenticationProcessingFilter.class

这里是鉴权开始执行的起点，鉴权的大致步骤为以下内容：从请求中提取authentication --> 判断是否为空 --> 清除SpringSecurity上下文中的内容（如果有） --> 存到request的attributte中 --> 由authenticationManager进行鉴权操作 --> 将鉴权通过的事件进行广播 --> 将鉴权结果存储到SpringSecurity上下文中。

public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain) throws IOException, ServletException {
    boolean debug = logger.isDebugEnabled();
    HttpServletRequest request = (HttpServletRequest)req;
    HttpServletResponse response = (HttpServletResponse)res;

    try {
        //1.从请求中提取authentication，跳到【2】
        Authentication authentication = this.tokenExtractor.extract(request);
        //23.判断authentication是否为空，如果为空，也就是这个请求未携带token
        if (authentication == null) {
            //24.如果this.stateless等于true，同时	SecurityContextHolder.getContext().getAuthentication()中的authentication不为空而且不属于匿名用户的authentication
            if (this.stateless && this.isAuthenticated()) {
                if (debug) {
                    logger.debug("Clearing security context.");
                }
                SecurityContextHolder.clearContext();
            }

            if (debug) {
                logger.debug("No token in request, will continue chain.");
            }
        //25.如果请求中提取的authentication不为空
        } else {
          //26.把OAuth2AuthenticationDetails.ACCESS_TOKEN_VALUE作为key，authentication.getPrincipal()作为value存到request的attributte中
            request.setAttribute(OAuth2AuthenticationDetails.ACCESS_TOKEN_VALUE, authentication.getPrincipal());
            //27.判断authentication的对象是否是AbstractAuthenticationToken的实例
            if (authentication instanceof AbstractAuthenticationToken) {
                //28.如果是，Authentication authentication向下转型为AbstractAuthenticationToken needsDetails
                AbstractAuthenticationToken needsDetails = (AbstractAuthenticationToken)authentication;
                //29.为needsDetails的details属性赋值，跳到【4】
                needsDetails.setDetails(this.authenticationDetailsSource.buildDetails(request));
            }
			//31.跳到【5】，由authenticationManager进行鉴权后返回authResult，从【5】返回这里并开始下一行
            Authentication authResult = this.authenticationManager.authenticate(authentication);
            if (debug) {
                logger.debug("Authentication success: " + authResult);
            }
			//64.将鉴权通过的事件进行广播
            this.eventPublisher.publishAuthenticationSuccess(authResult);
            //65.将authResult存到SecurityContextHolder的context属性中
            SecurityContextHolder.getContext().setAuthentication(authResult);
        }
    } catch (OAuth2Exception var9) {
        SecurityContextHolder.clearContext();
        if (debug) {
            logger.debug("Authentication request failed: " + var9);
        }

        this.eventPublisher.publishAuthenticationFailure(new BadCredentialsException(var9.getMessage(), var9), new PreAuthenticatedAuthenticationToken("access-token", "N/A"));
        this.authenticationEntryPoint.commence(request, response, new InsufficientAuthenticationException(var9.getMessage(), var9));
        return;
    }
	//66.放行
    chain.doFilter(request, response);
}

private boolean isAuthenticated() {
    Authentication authentication = SecurityContextHolder.getContext().getAuthentication();
    return authentication != null && !(authentication instanceof AnonymousAuthenticationToken);
}
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60

【2】CookieTokenExtractor.class（我们自己重写的方法）

【2】~ 【3】这两个类里主要是从请求中获取authentication的具体实现步骤：大致上分为从SpringSecurity上下文中获取、从cookie中获取、从请求头中获取。从任意一个位置获取之后就把authentication返回到【1】。

@Override
public Authentication extract(HttpServletRequest request) {
    Authentication authentication = SecurityContextHolder.getContext().getAuthentication();
    if (authentication != null) {//2.从SecurityContextHolder中提取authentication
        return authentication;//3.如果拿到了，直接返回提取到的authentication
    }
    //4.如果没拿到，调用父类extract(request)方法,跳到【3】
    return super.extract(request);
    //22.带着token跳到【1】
}
@Override
protected String extractToken(HttpServletRequest request) {
    String result;
    //6.从cookie中提取authentication
    Cookie accessTokenCookie = OAuth2CookieHelper.getAccessTokenCookie(request);
    //7.如果拿到了，直接返回提取到的authentication
    if (accessTokenCookie != null) {
        result = accessTokenCookie.getValue();
    } else {
        //8.如果没拿到，调用父类extractToken(request)方法,跳到【3】
        result = super.extractToken(request);
    }
    //19.带着token，跳到C中的extract(HttpServletRequest request)
    return result;
}
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25

【3】BearerTokenExtractor.class -> extract()

public Authentication extract(HttpServletRequest request) {
    //5.调用子类中的extractToken(request)，从请求中获取token
    String tokenValue = this.extractToken(request);
    //20.如果获取到了，包装token
    if (tokenValue != null) {
        PreAuthenticatedAuthenticationToken authentication = new PreAuthenticatedAuthenticationToken(tokenValue, "");
        //21.返回包装后的authentication，跳到【2】
        return authentication;
    } else {
        return null;
    }
}

protected String extractToken(HttpServletRequest request) {
    //9.调用本类中extractHeaderToken(request)，从请求中获取token
    String token = this.extractHeaderToken(request);
    if (token == null) {
        logger.debug("Token not found in headers. Trying request parameters.");
        token = request.getParameter("access_token");
        if (token == null) {
            logger.debug("Token not found in request parameters.  Not an OAuth2 request.");
        } else {
            request.setAttribute(OAuth2AuthenticationDetails.ACCESS_TOKEN_TYPE, "Bearer");
        }
    }
	//18.带着token，跳到【2】
    return token;
}

protected String extractHeaderToken(HttpServletRequest request) {
    //10.通过请求头的key【Authorization】获取对应的值
    Enumeration<String> headers = request.getHeaders("Authorization");

    String value;
    do {//11.遍历获取到的值
        if (!headers.hasMoreElements()) {
            return null;
        }

        value = (String)headers.nextElement();
        //12.找到一个以"Bearer"开头的value，把这个value转换成全小写字母
    } while(!value.toLowerCase().startsWith("Bearer".toLowerCase()));
	//13.把这个value前面的"Bearer"裁掉并且去空格处理，存储到authHeaderValue中
    String authHeaderValue = value.substring("Bearer".length()).trim();
    //14.把OAuth2AuthenticationDetails.ACCESS_TOKEN_TYPE作为key，"Bearer"作为value存到request的attributte中
    request.setAttribute(OAuth2AuthenticationDetails.ACCESS_TOKEN_TYPE, value.substring(0, "Bearer".length()).trim());
    //15.找到数字44在authHeaderValue中的下标
    int commaIndex = authHeaderValue.indexOf(44);
    if (commaIndex > 0) {
        //16.如果下标>0，也就是存在这个数字，就剪切开头到下标44所在的位置的值，重新赋给authHeaderValue
        authHeaderValue = authHeaderValue.substring(0, commaIndex);
    }
	//17.否则直接返回authHeaderValue，跳到本类中的extractToken(HttpServletRequest request)
    return authHeaderValue;
}
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55

【4】OAuth2AuthenticationDetailsSource.class

这里创建了OAuth2AuthenticationDetails对象，把request存放进去

@Deprecated
public class OAuth2AuthenticationDetailsSource implements AuthenticationDetailsSource<HttpServletRequest, OAuth2AuthenticationDetails> {
    public OAuth2AuthenticationDetailsSource() {
    }

    public OAuth2AuthenticationDetails buildDetails(HttpServletRequest context) {
        //30.new 了一个OAuth2AuthenticationDetails对象，把request存放进去，然后返回【1】
        return new OAuth2AuthenticationDetails(context);
    }
}
1
2
3
4
5
6
7
8
9
10

【5】OAuth2AuthenticationManager.class

这里是鉴权的核心处理器：从authentication中获取token后，解析token，并对解析后的token分别执行了是否为空判断、有效性和是否过期判断

public Authentication authenticate(Authentication authentication) throws AuthenticationException {
    //32.判断authentication是否为空，为空就抛异常
    if (authentication == null) {
        throw new InvalidTokenException("Invalid token (token not found)");
    } else {
        //33.从authentication中获取token
        String token = (String)authentication.getPrincipal();
        //34.校验token的有效性和是否过期,跳到【6】
        OAuth2Authentication auth = this.tokenServices.loadAuthentication(token);
        if (auth == null) {
            throw new InvalidTokenException("Invalid token: " + token);
        } else {
            Collection<String> resourceIds = auth.getOAuth2Request().getResourceIds();
            if (this.resourceId != null && resourceIds != null && !resourceIds.isEmpty() && !resourceIds.contains(this.resourceId)) {
                throw new OAuth2AccessDeniedException("Invalid token does not contain resource id (" + this.resourceId + ")");
            } else {
                //61.调用本类中checkClientDetails(auth)方法
                this.checkClientDetails(auth);
                if (authentication.getDetails() instanceof OAuth2AuthenticationDetails) {
                    OAuth2AuthenticationDetails details = (OAuth2AuthenticationDetails)authentication.getDetails();
                    if (!details.equals(auth.getDetails())) {
                        details.setDecodedDetails(auth.getDetails());
                    }
                }

                auth.setDetails(authentication.getDetails());
                auth.setAuthenticated(true);
                //63.返回处理之后的auth，跳到【1】
                return auth;
            }
        }
    }
}

private void checkClientDetails(OAuth2Authentication auth) {
    //62.Oauth客户端如果为null ,不检查，如果配置了ClientDetailsService的实现类，会进行检查
    if (this.clientDetailsService != null) {
        ClientDetails client;
        try {
            //获取客户端
            client = this.clientDetailsService.loadClientByClientId(auth.getOAuth2Request().getClientId());
        } catch (ClientRegistrationException var6) {
            throw new OAuth2AccessDeniedException("Invalid token contains invalid client id");
        }
		//获取客户端的授权范围
        Set<String> allowed = client.getScope();
        Iterator var4 = auth.getOAuth2Request().getScope().iterator();
		//迭代授权范围，如果没有当前授权，就抛异常
        while(var4.hasNext()) {
            String scope = (String)var4.next();
            if (!allowed.contains(scope)) {
                throw new OAuth2AccessDeniedException("Invalid token contains disallowed scope (" + scope + ") for this client");
            }
        }
    }

}
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57

【6】DefaultTokenServices.class -> loadAuthentication(String accessTokenValue)

这里做两件事情：

1.是解析token，即把token解析为可以阅读的键值对

2.是对于token的为空判断、有效性和是否过期判断的具体步骤

public OAuth2Authentication loadAuthentication(String accessTokenValue) throws AuthenticationException, InvalidTokenException {
    //35.从解析token，跳到【7】
    OAuth2AccessToken accessToken = this.tokenStore.readAccessToken(accessTokenValue);
    //51.判断token是否为空，为空就抛异常
    if (accessToken == null) {
        throw new InvalidTokenException("Invalid access token: " + accessTokenValue);
        //53.判断token是否过期，过期就从tokenStore中移除token并且抛异常，跳到【11】
    } else if (accessToken.isExpired()) {
        this.tokenStore.removeAccessToken(accessToken);
        throw new InvalidTokenException("Access token expired: " + accessTokenValue);
    } else {
        //55.从tokenStore中解析token，跳到【7】
        OAuth2Authentication result = this.tokenStore.readAuthentication(accessToken);
        //59.结果为空就抛异常
        if (result == null) {
            throw new InvalidTokenException("Invalid access token: " + accessTokenValue);
        } else {
            if (this.clientDetailsService != null) {
                String clientId = result.getOAuth2Request().getClientId();

                try {
                    this.clientDetailsService.loadClientByClientId(clientId);
                } catch (ClientRegistrationException var6) {
                    throw new InvalidTokenException("Client not valid: " + clientId, var6);
                }
            }
			//60.把解析后的token返回【5】
            return result;
        }
    }
}
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31

【7】JwtTokenStore.class -> readAccessToken(String tokenValue)

【7】~【10】解析token的具体步骤

public OAuth2AccessToken readAccessToken(String tokenValue) {
    //36.从本类中调用convertAccessToken(tokenValue)读取
    OAuth2AccessToken accessToken = this.convertAccessToken(tokenValue);
    //48.接收到返回的accessToken，调用this.jwtTokenEnhancer.isRefreshToken(accessToken)方法，跳到【9】
    if (this.jwtTokenEnhancer.isRefreshToken(accessToken)) {
        throw new InvalidTokenException("Encoded token is a refresh token");
    } else {
        //50.将token返回【6】
        return accessToken;
    }
}

private OAuth2AccessToken convertAccessToken(String tokenValue) {
    //37.调用this.jwtTokenEnhancer.decode(tokenValue)方法用公钥解码token，跳到【8】
    //41.调用this.jwtTokenEnhancer.extractAccessToken()方法，跳到【9】
    return this.jwtTokenEnhancer.extractAccessToken(tokenValue, this.jwtTokenEnhancer.decode(tokenValue));
    //47.接收到返回的token，并将其返回到上面的方法
    
}

public OAuth2Authentication readAuthentication(OAuth2AccessToken token) {
    //56.跳到下面的方法
    return this.readAuthentication(token.getValue());
    //58.带着token返回【6】
}

public OAuth2Authentication readAuthentication(String token) {
    //57.调用this.jwtTokenEnhancer.decode(token)方法，跳到【8】，并且把步骤38-47再走一遍，返回一个token，到上面的方法
    return this.jwtTokenEnhancer.extractAuthentication(this.jwtTokenEnhancer.decode(token));
}
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30

【8】OAuth2JwtAccessTokenConverter -> decode(String token) 我们重写的方法，这里略

@Override
protected Map<String, Object> decode(String token) {
    ......
    //38.调用父类的解码方法，跳到【9】
    return super.decode(token);
    //40.从10带着解析后的token返回【7】
	......
}
1
2
3
4
5
6
7
8

【9】JwtAccessTokenConverter.class -> decode(String token)

protected Map<String, Object> decode(String token) {
    //39.把token解析为可以阅读的键值对并且返回【8】
    try {
        Jwt jwt = JwtHelper.decodeAndVerify(token, this.verifier);
        String claimsStr = jwt.getClaims();
        Map<String, Object> claims = this.objectMapper.parseMap(claimsStr);
        if (claims.containsKey("exp") && claims.get("exp") instanceof Integer) {
            Integer intValue = (Integer)claims.get("exp");
            claims.put("exp", new Long((long)intValue));
        }

        this.getJwtClaimsSetVerifier().verify(claims);
        return claims;
    } catch (Exception var6) {
        throw new InvalidTokenException("Cannot convert access token to JSON", var6);
    }
}

public OAuth2AccessToken extractAccessToken(String value, Map<String, ?> map) {
    //42.跳到【10】
    return this.tokenConverter.extractAccessToken(value, map);
    //46.接收到返回的token，并将其返回到【7】
}

public boolean isRefreshToken(OAuth2AccessToken token) {
    //49.判断token的additionalInformation属性中是否包含叫做"ati"的key，并将结果返回8
    return token.getAdditionalInformation().containsKey("ati");
}
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28

【10】DefaultAccessTokenConverter.class -> extractAccessToken()

public OAuth2AccessToken extractAccessToken(String value, Map<String, ?> map) {
    DefaultOAuth2AccessToken token = new DefaultOAuth2AccessToken(value);
    Map<String, Object> info = new HashMap(map);
    info.remove("exp");
    info.remove("aud");
    info.remove(this.clientIdAttribute);
    info.remove(this.scopeAttribute);
    //43.把exp字段的数据(毫秒值)转换成日期类型数据
    if (map.containsKey("exp")) {
        token.setExpiration(new Date((Long)map.get("exp") * 1000L));
    }

    if (map.containsKey("jti")) {
        info.put("jti", map.get("jti"));
    }

    token.setScope(this.extractScope(map));
    //44.把解析后的token键值对存到token的additionalInformation属性中
    token.setAdditionalInformation(info);
    //45.返回token到【9】
    return token;
}
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22

【11】DefaultOAuth2AccessToken.class -> isExpired()

判断token是否过期

public boolean isExpired() {
    //54.判断accessToken的expiration是否不为空同时小于当前时间，并将结果返回【6】
    return this.expiration != null && this.expiration.before(new Date());
}
1
2
3
4