
What is the certification process of Spring security oauth2?

2025-04-12 Update From: SLTechnology News&Howtos


Shulou(Shulou.com)06/02 Report--

This article walks through the authentication process of Spring Security OAuth2 on the resource-server side: how the access token is pulled out of an incoming request, how it is validated against the configured token store, and how the resulting Authentication ends up in the security context. The walkthrough follows the framework's own source, with comments added at the key steps.

Resource server authentication in Spring Security OAuth2

-- ResourceServerSecurityConfigurer.java, resource configuration

ResourceServerSecurityConfigurer builds the resource-server part of the filter chain. Its configure() method creates an OAuth2AuthenticationProcessingFilter, gives it an AuthenticationManager and a TokenExtractor, and inserts it before AbstractPreAuthenticatedProcessingFilter; the entry point and access-denied handler decide what the client sees when a token is missing, invalid, or insufficient.

```java
@Override
public void configure(HttpSecurity http) throws Exception {
    AuthenticationManager oauthAuthenticationManager = oauthAuthenticationManager(http);
    resourcesServerFilter = new OAuth2AuthenticationProcessingFilter();
    resourcesServerFilter.setAuthenticationEntryPoint(authenticationEntryPoint);
    resourcesServerFilter.setAuthenticationManager(oauthAuthenticationManager);
    if (eventPublisher != null) {
        resourcesServerFilter.setAuthenticationEventPublisher(eventPublisher);
    }
    if (tokenExtractor != null) {
        // Optional custom way of locating the token in the request;
        // BearerTokenExtractor is used when none is supplied.
        resourcesServerFilter.setTokenExtractor(tokenExtractor);
    }
    if (authenticationDetailsSource != null) {
        resourcesServerFilter.setAuthenticationDetailsSource(authenticationDetailsSource);
    }
    resourcesServerFilter = postProcess(resourcesServerFilter);
    resourcesServerFilter.setStateless(stateless);

    // @formatter:off
    http
        .authorizeRequests().expressionHandler(expressionHandler)
    .and()
        .addFilterBefore(resourcesServerFilter, AbstractPreAuthenticatedProcessingFilter.class)
        .exceptionHandling()
            .accessDeniedHandler(accessDeniedHandler)
            .authenticationEntryPoint(authenticationEntryPoint);
    // @formatter:on
}
```

-- OAuth2AuthenticationProcessingFilter.java

OAuth2AuthenticationProcessingFilter intercepts every request, asks the TokenExtractor for the token value, and wraps it in an Authentication object (a PreAuthenticatedAuthenticationToken whose principal is the raw token string). That object is not yet trusted; it is handed to the AuthenticationManager, which does the actual validation.

```java
public class OAuth2AuthenticationProcessingFilter implements Filter, InitializingBean {
    ...
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {

        final boolean debug = logger.isDebugEnabled();
        final HttpServletRequest request = (HttpServletRequest) req;
        final HttpServletResponse response = (HttpServletResponse) res;

        try {
            // 1. Let the TokenExtractor locate the token in the request and wrap it
            //    in an (unauthenticated) Authentication object.
            Authentication authentication = tokenExtractor.extract(request);

            if (authentication == null) {
                if (stateless && isAuthenticated()) {
                    if (debug) {
                        logger.debug("Clearing security context.");
                    }
                    SecurityContextHolder.clearContext();
                }
                if (debug) {
                    logger.debug("No token in request, will continue chain.");
                }
            }
            else {
                request.setAttribute(OAuth2AuthenticationDetails.ACCESS_TOKEN_VALUE, authentication.getPrincipal());
                if (authentication instanceof AbstractAuthenticationToken) {
                    // Attach request details (remote address, session id, token value and type)
                    AbstractAuthenticationToken needsDetails = (AbstractAuthenticationToken) authentication;
                    needsDetails.setDetails(authenticationDetailsSource.buildDetails(request));
                }
                // 2. Ask the AuthenticationManager whether the token is valid for this
                //    resource server; this is where the token store is consulted.
                Authentication authResult = authenticationManager.authenticate(authentication);

                if (debug) {
                    logger.debug("Authentication success: " + authResult);
                }

                eventPublisher.publishAuthenticationSuccess(authResult);
                SecurityContextHolder.getContext().setAuthentication(authResult);
            }
        }
        catch (OAuth2Exception failed) {
            SecurityContextHolder.clearContext();

            if (debug) {
                logger.debug("Authentication request failed: " + failed);
            }
            eventPublisher.publishAuthenticationFailure(
                    new BadCredentialsException(failed.getMessage(), failed),
                    new PreAuthenticatedAuthenticationToken("access-token", "N/A"));

            // Invalid token: answer through the entry point (401 by default) and stop the chain
            authenticationEntryPoint.commence(request, response,
                    new InsufficientAuthenticationException(failed.getMessage(), failed));
            return;
        }

        chain.doFilter(request, response);
    }
    ...
}
```
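One detail of the extraction step worth knowing: the default BearerTokenExtractor looks for the token in the Authorization header first, and if that is absent it falls back to an access_token request parameter, so a token can arrive in a URL and end up in proxy and access logs. The class below is an added example (not part of spring-security-oauth2 or of this article) of a TokenExtractor that accepts the header only; the class name and the token character check are the example's own choices, the interface and constants are the framework's.

```java
import java.util.Enumeration;
import javax.servlet.http.HttpServletRequest;
import org.springframework.security.core.Authentication;
import org.springframework.security.oauth2.common.OAuth2AccessToken;
import org.springframework.security.oauth2.provider.authentication.OAuth2AuthenticationDetails;
import org.springframework.security.oauth2.provider.authentication.TokenExtractor;
import org.springframework.security.web.authentication.preauth.PreAuthenticatedAuthenticationToken;

/**
 * Header-only bearer token extractor (added example, not a framework class).
 * Unlike BearerTokenExtractor it never reads an access_token request parameter,
 * so tokens cannot be passed in query strings.
 */
public class HeaderOnlyBearerTokenExtractor implements TokenExtractor {

    private static final String BEARER_PREFIX = OAuth2AccessToken.BEARER_TYPE + " "; // "Bearer "

    // RFC 6750 token68 syntax; anything else is treated as "no token", not as a token
    private static final String TOKEN68 = "[A-Za-z0-9\\-._~+/]+=*";

    @Override
    public Authentication extract(HttpServletRequest request) {
        String token = extractHeaderToken(request);
        if (token == null) {
            // Returning null makes OAuth2AuthenticationProcessingFilter continue the chain
            // unauthenticated; downstream access rules then decide whether that is acceptable.
            return null;
        }
        request.setAttribute(OAuth2AuthenticationDetails.ACCESS_TOKEN_TYPE, OAuth2AccessToken.BEARER_TYPE);
        // Same shape BearerTokenExtractor produces: principal is the raw token, no credentials.
        return new PreAuthenticatedAuthenticationToken(token, "");
    }

    static String extractHeaderToken(HttpServletRequest request) {
        Enumeration<String> headers = request.getHeaders("Authorization");
        while (headers != null && headers.hasMoreElements()) {
            String value = headers.nextElement();
            // Scheme name is case-insensitive per RFC 7235
            if (value.regionMatches(true, 0, BEARER_PREFIX, 0, BEARER_PREFIX.length())) {
                String token = value.substring(BEARER_PREFIX.length()).trim();
                if (!token.isEmpty() && token.matches(TOKEN68)) {
                    return token;
                }
            }
        }
        return null;
    }
}
```

It is plugged in through the configurer shown above: resources.tokenExtractor(new HeaderOnlyBearerTokenExtractor()) in a ResourceServerConfigurerAdapter, which is exactly the tokenExtractor field that configure() hands to the filter.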

Once the filter has authenticated the token, the chain continues into the access rules configured in configure() (the authorizeRequests() expressions). The AuthenticationManager the filter calls is, unless one was supplied explicitly, an OAuth2AuthenticationManager that ResourceServerSecurityConfigurer builds as follows:

-- ResourceServerSecurityConfigurer.java

```java
private AuthenticationManager oauthAuthenticationManager(HttpSecurity http) {
    OAuth2AuthenticationManager oauthAuthenticationManager = new OAuth2AuthenticationManager();
    if (authenticationManager != null) {
        if (authenticationManager instanceof OAuth2AuthenticationManager) {
            // A caller-supplied OAuth2AuthenticationManager is reused and completed below
            oauthAuthenticationManager = (OAuth2AuthenticationManager) authenticationManager;
        }
        else {
            // Any other AuthenticationManager is used as-is
            return authenticationManager;
        }
    }
    oauthAuthenticationManager.setResourceId(resourceId);
    // The token services decide how a token value is resolved to an OAuth2Authentication
    oauthAuthenticationManager.setTokenServices(resourceTokenServices(http));
    oauthAuthenticationManager.setClientDetailsService(clientDetails());
    return oauthAuthenticationManager;
}

private ResourceServerTokenServices resourceTokenServices(HttpSecurity http) {
    tokenServices(http);
    return this.resourceTokenServices;
}

private ResourceServerTokenServices tokenServices(HttpSecurity http) {
    if (resourceTokenServices != null) {
        return resourceTokenServices;
    }
    DefaultTokenServices tokenServices = new DefaultTokenServices();
    // The TokenStore is where loadAuthentication() will look the token up
    tokenServices.setTokenStore(tokenStore());
    tokenServices.setSupportRefreshToken(true);
    tokenServices.setClientDetailsService(clientDetails());
    this.resourceTokenServices = tokenServices;
    return tokenServices;
}
```

Token storage modes

The tokenStore() call decides how a token value is resolved. TokenStore implementations shipped with the framework:

InMemoryTokenStore: tokens held in a map inside the JVM; lost on restart and not shared between instances

JdbcTokenStore: tokens persisted in relational tables (oauth_access_token, oauth_refresh_token)

JwtTokenStore: nothing is stored; the token is a JWT that is decoded and its signature verified on every request

JwkTokenStore: a JwtTokenStore variant that fetches the verification keys from the authorization server's JWK Set endpoint

RedisTokenStore: tokens persisted in Redis, shared between resource-server instances
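The configuration below is an added example (not code from this article or from the framework) showing how the pieces above are selected from application code: a JwtTokenStore backed by a verifier-only JwtAccessTokenConverter, wrapped in DefaultTokenServices, and handed to ResourceServerSecurityConfigurer together with a resource id and stateless mode. The class name, the "orders-api" resource id, the orders.jwt.public-key property and the URL patterns are assumptions made for the example; the framework types and methods are real.

```java
import org.springframework.beans.factory.annotation.Value;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.oauth2.config.annotation.web.configuration.EnableResourceServer;
import org.springframework.security.oauth2.config.annotation.web.configuration.ResourceServerConfigurerAdapter;
import org.springframework.security.oauth2.config.annotation.web.configurers.ResourceServerSecurityConfigurer;
import org.springframework.security.oauth2.provider.token.DefaultTokenServices;
import org.springframework.security.oauth2.provider.token.TokenStore;
import org.springframework.security.oauth2.provider.token.store.JwtAccessTokenConverter;
import org.springframework.security.oauth2.provider.token.store.JwtTokenStore;

/**
 * Added example of a JWT-verifying resource server (not from the article or the framework).
 */
@Configuration
@EnableResourceServer
public class OrdersResourceServerConfig extends ResourceServerConfigurerAdapter {

    // Hypothetical property holding the authorization server's PEM-encoded RSA public key.
    // Only the public key lives here: this server verifies tokens, it never mints them.
    @Value("${orders.jwt.public-key}")
    private String authServerPublicKey;

    @Bean
    public JwtAccessTokenConverter accessTokenConverter() {
        JwtAccessTokenConverter converter = new JwtAccessTokenConverter();
        converter.setVerifierKey(authServerPublicKey);   // verifier only, no signing key
        return converter;
    }

    @Bean
    public TokenStore tokenStore() {
        // JwtTokenStore stores nothing; loadAuthentication() decodes and verifies the JWT
        return new JwtTokenStore(accessTokenConverter());
    }

    @Bean
    public DefaultTokenServices tokenServices() {
        DefaultTokenServices services = new DefaultTokenServices();
        services.setTokenStore(tokenStore());
        services.setSupportRefreshToken(false);          // a resource server never issues refresh tokens
        return services;
    }

    @Override
    public void configure(ResourceServerSecurityConfigurer resources) {
        resources
            .resourceId("orders-api")          // compared with the token's resource ids (aud)
            .tokenServices(tokenServices())    // replaces the DefaultTokenServices built by tokenServices(http)
            .stateless(true);                  // no HTTP session: every request must carry a token
    }

    @Override
    public void configure(HttpSecurity http) throws Exception {
        // #oauth2 expressions are available because the configurer installs
        // OAuth2WebSecurityExpressionHandler as the expressionHandler
        http.authorizeRequests()
            .antMatchers("/actuator/health").permitAll()
            .antMatchers("/orders/**").access("#oauth2.hasScope('orders.read')")
            .anyRequest().authenticated();
    }
}
```

With this wiring the tokenServices(http) method shown above returns early (resourceTokenServices is already set), so the token store chosen here, and not a fresh DefaultTokenServices, is what OAuth2AuthenticationManager consults.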

-- OAuth2AuthenticationManager.java, token validation

OAuth2AuthenticationManager.authenticate() turns the raw token into a trusted OAuth2Authentication: it loads the token through the token services, checks that the token was issued for this resource id, checks the client, and marks the result authenticated.

```java
public Authentication authenticate(Authentication authentication) throws AuthenticationException {

    if (authentication == null) {
        throw new InvalidTokenException("Invalid token (token not found)");
    }
    String token = (String) authentication.getPrincipal();
    // Resolve the token value through the configured TokenStore
    OAuth2Authentication auth = tokenServices.loadAuthentication(token);
    if (auth == null) {
        throw new InvalidTokenException("Invalid token: " + token);
    }

    // Audience check: reject tokens issued for other resource servers
    Collection<String> resourceIds = auth.getOAuth2Request().getResourceIds();
    if (resourceId != null && resourceIds != null && !resourceIds.isEmpty() && !resourceIds.contains(resourceId)) {
        throw new OAuth2AccessDeniedException("Invalid token does not contain resource id (" + resourceId + ")");
    }

    // Client checks (client still exists, scopes still allowed)
    checkClientDetails(auth);

    if (authentication.getDetails() instanceof OAuth2AuthenticationDetails) {
        OAuth2AuthenticationDetails details = (OAuth2AuthenticationDetails) authentication.getDetails();
        // Guard against a cached copy of the same details
        if (!details.equals(auth.getDetails())) {
            // Preserve the authentication details from the one loaded by token services
            details.setDecodedDetails(auth.getDetails());
        }
    }
    auth.setDetails(authentication.getDetails());
    auth.setAuthenticated(true);
    return auth;
}
```

Note the shape of the audience condition: it only fires when the token actually carries resource ids. A token whose resource-id set is null or empty passes this check on every resource server, so the protection depends on the authorization server populating resource ids for each client.
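For deployments that want the audience check to fail closed, the class below is an added example (not part of the framework or of this article) of an OAuth2AuthenticationManager subclass that additionally rejects tokens with no resource ids at all. The class name and the "orders-api" value in the usage note are the example's own assumptions.

```java
import java.util.Collection;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.AuthenticationException;
import org.springframework.security.oauth2.common.exceptions.OAuth2AccessDeniedException;
import org.springframework.security.oauth2.provider.OAuth2Authentication;
import org.springframework.security.oauth2.provider.authentication.OAuth2AuthenticationManager;

/**
 * Added example, not a framework class: OAuth2AuthenticationManager that refuses tokens
 * carrying no resource ids, so a token with an empty audience cannot be replayed against
 * any resource server that happens to accept the issuer's signature.
 */
public class StrictAudienceAuthenticationManager extends OAuth2AuthenticationManager {

    private final String expectedResourceId;

    public StrictAudienceAuthenticationManager(String expectedResourceId) {
        this.expectedResourceId = expectedResourceId;
        // Keeps the stock "contains(resourceId)" check active as well
        setResourceId(expectedResourceId);
    }

    @Override
    public Authentication authenticate(Authentication authentication) throws AuthenticationException {
        // Stock behaviour first: token lookup, resource-id containment, client checks
        Authentication result = super.authenticate(authentication);
        if (!(result instanceof OAuth2Authentication)) {
            return result;
        }
        Collection<String> resourceIds = ((OAuth2Authentication) result).getOAuth2Request().getResourceIds();
        if (resourceIds == null || resourceIds.isEmpty()) {
            // Fail closed: a token that names no audience was not issued for this API
            throw new OAuth2AccessDeniedException(
                    "Token carries no resource id; refusing access to " + expectedResourceId);
        }
        return result;
    }
}
```

Because oauthAuthenticationManager(http) reuses any supplied OAuth2AuthenticationManager and then sets its resourceId, tokenServices and clientDetailsService, this class can be installed with resources.authenticationManager(new StrictAudienceAuthenticationManager("orders-api")) alongside resources.resourceId("orders-api"); the two values must match, since the configurer's resourceId overwrites the one set in the constructor.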
