OAuth2AuthenticationProcessingFilter
这里是资源服务器校验Token的入口:
// Pulls the access token out of the incoming request; initialised to a BearerTokenExtractor
// and consumed by doFilter() via tokenExtractor.extract(request).
private TokenExtractor tokenExtractor = new BearerTokenExtractor();
// The AuthenticationManager wired in here is an OAuth2AuthenticationManager (per the author's note);
// doFilter() passes the extracted token Authentication to authenticationManager.authenticate(),
// which is where the token is actually validated.
private AuthenticationManager authenticationManager;
public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain) throws IOException,
ServletException {
final boolean debug = logger.isDebugEnabled();
final HttpServletRequest request = (HttpServletRequest) req;
final HttpServletResponse response = (HttpServletResponse) res;
try {
// 默认是BearerTokenExtractor 令牌提取器, 用于将Token从请求中 提取出来 并转化为 Authentication 对象
Authentication authentication = tokenExtractor.extract(request);
// 如果提取出的 Authentication == null 时走的一些逻辑 ,一般不会为null
if (authentication == null) {
if (stateless && isAuthenticated()) {
if (debug) {
logger.debug("Clearing security context.");
}
SecurityContextHolder.clearContext();
}
if (debug) {
logger.debug("No token in request, will continue chain.");
}
} else {
// 将Token值 set到 Attribute 中
request.setAttribute(OAuth2AuthenticationDetails.ACCESS_TOKEN_VALUE, authentication.getPrincipal());
if (authentication instanceof AbstractAuthenticationToken) {
AbstractAuthenticationToken needsDetails = (AbstractAuthenticationToken) authentication;
needsDetails.setDetails(authenticationDetailsSource.buildDetails(request));
}
// 这里是校验Token的核心方法
// 这里的 AuthenticationManager 是 OAuth2AuthenticationManager(重点)
Authentication authResult = authenticationManager.authenticate(authentication);
if (debug) {
logger.debug(