关于资源服务器默认配置
1、@EnableResourceServer 开启资源服务器
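/**
 * Enables the resource server by registering {@code ResourceServerConfiguration} in the container.
 * Spring's annotation is {@code @Import} (capital I); {@code @import} does not compile.
 * (Meta-annotations such as retention/target are omitted in these notes.)
 */
@Import(ResourceServerConfiguration.class) // registers ResourceServerConfiguration in the container
public @interface EnableResourceServer {
}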
2、
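/**
 * Auto-configuration for the OAuth2 resource server. It is registered only when every
 * condition below holds, and it pulls in {@code ResourceServerTokenServicesConfiguration}.
 */
@Configuration
// ResourceServerCondition (ConfigurationPhase.REGISTER_BEAN) looks at:
// 1. security.oauth2.client.client-id  2. security.oauth2.resource.jwt  3. security.oauth2.resource.jwk
// 4. security.oauth2.resource.user-info-uri  5. security.oauth2.resource.token-info-uri
// 6. AuthorizationServerEndpointsConfiguration
@Conditional(ResourceServerCondition.class)
@ConditionalOnClass({ EnableResourceServer.class, SecurityProperties.class })
@ConditionalOnWebApplication
@ConditionalOnBean(ResourceServerConfiguration.class) // a ResourceServerConfiguration bean must already be in the container
// Registers ResourceServerTokenServicesConfiguration in the container (Spring's annotation is @Import, capital I).
@Import(ResourceServerTokenServicesConfiguration.class)
public class OAuth2ResourceServerConfiguration {
}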
3、
@Configuration
// Only applies when no AuthorizationServerEndpointsConfiguration bean exists
// (presumably: this application is not also acting as the authorization server — confirm).
@ConditionalOnMissingBean(AuthorizationServerEndpointsConfiguration.class)
public class ResourceServerTokenServicesConfiguration {
// Registers the matching ResourceServerTokenServices implementation; the selection logic is not shown in these notes.
}
关于资源服务器自定义配置
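/**
 * Custom resource-server configuration.
 *
 * <p>Every request must present a valid access token; tokens are validated against the
 * authorization server through {@link RemoteTokenServices} rather than decoded locally, and
 * the user principal/authorities are rebuilt from that response by an
 * {@code EnhanceUserAuthenticationConverter}.
 */
public class AutoResourceServerConfiguration implements ResourceServerConfigurer {

    /** Remote token validation service; its endpoint and client credentials are configured on the bean, not here. */
    private final RemoteTokenServices remoteTokenServices;

    /**
     * Creates the configuration.
     *
     * @param remoteTokenServices the remote token service used to validate incoming tokens
     * @throws NullPointerException if {@code remoteTokenServices} is null — the field is final and
     *         {@link #configure(ResourceServerSecurityConfigurer)} dereferences it unconditionally
     */
    public AutoResourceServerConfiguration(RemoteTokenServices remoteTokenServices) {
        this.remoteTokenServices = java.util.Objects.requireNonNull(remoteTokenServices, "remoteTokenServices");
    }

    /**
     * Wires the token services used to turn a bearer token into an {@code OAuth2Authentication}.
     *
     * @param resources the resource-server security configurer
     * @throws Exception propagated from the configurer contract
     */
    @Override
    public void configure(ResourceServerSecurityConfigurer resources) throws Exception {
        // Default access-token converter; only the user part is replaced below.
        DefaultAccessTokenConverter accessTokenConverter = new DefaultAccessTokenConverter();
        // Project-specific user converter. NOTE(review): whatever it maps to principal/authorities
        // comes from the authorization server's token response; it must not trust claims supplied
        // by the caller's request — confirm against its implementation (not shown here).
        UserAuthenticationConverter userTokenConverter = new EnhanceUserAuthenticationConverter();
        accessTokenConverter.setUserTokenConverter(userTokenConverter);

        remoteTokenServices.setAccessTokenConverter(accessTokenConverter);
        // Use the remote token services instead of the default local DefaultTokenServices.
        resources.tokenServices(remoteTokenServices);
    }

    /**
     * Locks down HTTP access: any request needs an authenticated (token-bearing) caller.
     *
     * <p>This only checks that a valid token is present; it enforces no scope or role. Use
     * {@code .access("#oauth2.hasScope(...)")} or method security when finer-grained
     * authorization is required.
     *
     * @param http the HTTP security builder
     * @throws Exception propagated from the builder contract
     */
    @Override
    public void configure(HttpSecurity http) throws Exception {
        ExpressionUrlAuthorizationConfigurer<HttpSecurity>.ExpressionInterceptUrlRegistry registry =
                http.authorizeRequests();
        registry.anyRequest().authenticated();
        // CSRF is disabled on the assumption that clients authenticate only via the bearer
        // token in the Authorization header and no cookie-backed session exists; if cookie-based
        // authentication is ever mixed in, CSRF protection must be re-enabled.
        registry.and().csrf().disable();
    }
}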
关于资源服务器检验token
OAuth2AuthenticationProcessingFilter -> // 对所有需要令牌的资源生效
BearerTokenExtractor.extract() -> // 使用BearerTokenExtractor在请求头中提取token
PreAuthenticatedAuthenticationToken -> // String bearer token -> PreAuthenticatedAuthenticationToken 生成预认证令牌
OAuth2AuthenticationManager.authenticate() -> // 使用OAuth2AuthenticationManager认证
// 使用远程 token 服务加载令牌；默认使用 DefaultTokenServices，可以通过 ResourceServerConfigurer.configure ->
// ResourceServerSecurityConfigurer.tokenServices 配置
RemoteTokenServices.loadAuthentication() ->
DefaultAccessTokenConverter.extractAuthentication() -> // 默认访问令牌转换器
DefaultUserAuthenticationConverter.extractAuthentication() // 默认用户认证转换器
// 至此 用户认证信息 已经成功提取到
关于资源服务器是如何配置 OAuth2AuthenticationProcessingFilter 到容器的
@EnableResourceServer ->
// 注入ResourceServerConfiguration到容器
ResourceServerConfiguration.configure(HttpSecurity http) -> {
// 配置资源服务安全配置
ResourceServerSecurityConfigurer resources = new ResourceServerSecurityConfigurer(){
void configure(HttpSecurity http){
// 配置 OAuth2 身份验证处理过滤器
OAuth2AuthenticationProcessingFilter resourcesServerFilter = new OAuth2AuthenticationProcessingFilter();
}
};
http.apply(resources);
}
// 至此过滤器配置完成



