-
1.org.springframework.security.web.access.interceptFilterSecurityInterceptor
- Filter
- doFilter
- FilterInvocation.invoke
- beforeInvocation
- SecurityContextHolder.getContext().getAuthentication()
- authenticationManager.authenticate(authentication)
- accessDecisionManager.decide(authenticated, object, attributes)
- getChain().doFilter
- afterInvocation
- afterInvocationManager.decide(token.getSecurityContext().getAuthentication(), token.getSecureObject(), token.getAttributes(), returnedObject)
- beforeInvocation
- FilterInvocation.invoke
- doFilter
- AbstractSecurityInterceptor
- AuthenticationManager
- AfterInvocationManager
- AfterInvocationProviderManager
- AccessDecisionManager
- AbstractAccessDecisionManager
- Affirmativebased
- Consensusbased
- Unanimousbased
- AbstractAccessDecisionManager
- Filter
-
2.org.springframework.security.access.intercept.aopalliance.MethodSecurityInterceptor
- org.aopalliance.intercept.MethodInterceptor
- org.aopalliance.aop.Advice.Interceptor
- org.aopalliance.aop.Advice
- org.aopalliance.aop.Advice.Interceptor
- AbstractSecurityInterceptor
- org.aopalliance.intercept.MethodInterceptor
-
3.org.springframework.security.access.intercept.aspectj.AspectJMethodSecurityInterceptor
- MethodInterceptor
-
4.AuthenticationEntryPoint,主要是commence方法统一异常,由用户自定义实现
-
5.AuthenticationManager, 用于验证,Processes an Authentication request
FilterComparator 设置过滤器执行链
FilterComparator.Step order = new FilterComparator.Step(100, 100);
this.put(ChannelProcessingFilter.class, order.next());
this.put(ConcurrentSessionFilter.class, order.next());
this.put(WebAsyncManagerIntegrationFilter.class, order.next());
this.put(SecurityContextPersistenceFilter.class, order.next());
this.put(HeaderWriterFilter.class, order.next());
this.put(CorsFilter.class, order.next());
this.put(CsrfFilter.class, order.next());
this.put(LogoutFilter.class, order.next());
this.filterToOrder.put("org.springframework.security.oauth2.client.web.OAuth2AuthorizationRequestRedirectFilter", order.next());
this.filterToOrder.put("org.springframework.security.saml2.provider.service.servlet.filter.Saml2WebSsoAuthenticationRequestFilter", order.next());
this.put(X509AuthenticationFilter.class, order.next());
this.put(AbstractPreAuthenticatedProcessingFilter.class, order.next());
this.filterToOrder.put("org.springframework.security.cas.web.CasAuthenticationFilter", order.next());
this.filterToOrder.put("org.springframework.security.oauth2.client.web.OAuth2LoginAuthenticationFilter", order.next());
this.filterToOrder.put("org.springframework.security.saml2.provider.service.servlet.filter.Saml2WebSsoAuthenticationFilter", order.next());
this.put(UsernamePasswordAuthenticationFilter.class, order.next());
this.put(ConcurrentSessionFilter.class, order.next());
this.filterToOrder.put("org.springframework.security.openid.OpenIDAuthenticationFilter", order.next());
this.put(DefaultLoginPageGeneratingFilter.class, order.next());
this.put(DefaultLogoutPageGeneratingFilter.class, order.next());
this.put(ConcurrentSessionFilter.class, order.next());
this.put(DigestAuthenticationFilter.class, order.next());
this.filterToOrder.put("org.springframework.security.oauth2.server.resource.web.BearerTokenAuthenticationFilter", order.next());
this.put(BasicAuthenticationFilter.class, order.next());
this.put(RequestCacheAwareFilter.class, order.next());
this.put(SecurityContextHolderAwareRequestFilter.class, order.next());
this.put(JaasApiIntegrationFilter.class, order.next());
this.put(RememberMeAuthenticationFilter.class, order.next());
this.put(AnonymousAuthenticationFilter.class, order.next());
this.filterToOrder.put("org.springframework.security.oauth2.client.web.OAuth2AuthorizationCodeGrantFilter", order.next());
this.put(SessionManagementFilter.class, order.next());
this.put(ExceptionTranslationFilter.class, order.next());
this.put(FilterSecurityInterceptor.class, order.next());
this.put(SwitchUserFilter.class, order.next());
oauth2关键类
- OAuth2AuthenticationProcessingFilter OAuth2的Filter
- doFilter
- tokenExtractor.extract
- authenticationManager.authenticate
- 成功,publishAuthenticationSuccess和SecurityContextHolder.getContext().setAuthentication
- 失败,authenticationEntryPoint.commence
- doFilter
- OAuth2AuthenticationManager
- ResourceServerTokenServices
- DefaultTokenServices 实现类
- loadAuthentication 方法
- readAccessToken 方法
- TokenStore 依赖
- RedisTemplateTokenStore 实现类
- getAccessToken 方法
- removeRefreshToken 方法
- removeAccessToken 方法
- RedisTemplateTokenStore 实现类
- DefaultTokenServices 实现类
- ClientDetailsService
- RedisClientDetailsService,在Redis中缓存JdbcClientDetailsService维护的ClientDetails
- JdbcClientDetailsService ,ClientDetails最终存储于数据库中
- ResourceServerTokenServices
- BearerTokenExtractor
- OAuth2AuthenticationEntryPoint,统一的异常处理类
