资源服务器Token校验逻辑(源码解释)

丨阳光很暖

已于 2022-12-19 16:59:28 修改

阅读量782

点赞数

分类专栏： SpringSecurity - 资源服务器文章标签： java spring

于 2022-12-12 14:04:28 首次发布

本文链接：https://blog.csdn.net/m0_54554770/article/details/128285560

版权

Oauth2AuthenticationProcessingFilter

这里是资源服务器校验Token的入口:


private TokenExtractor tokenExtractor = new BearerTokenExtractor();

// 这里的 AuthenticationManager 是 OAuth2AuthenticationManager 
private AuthenticationManager authenticationManager;

public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain) throws IOException,
			ServletException {
   

		final boolean debug = logger.isDebugEnabled();
		final HttpServletRequest request = (HttpServletRequest) req;
		final HttpServletResponse response = (HttpServletResponse) res;

		try {
   
			
			// 默认是BearerTokenExtractor 令牌提取器, 用于将Token从请求中 提取出来 并转化为 Authentication 对象
			Authentication authentication = tokenExtractor.extract(request);
				
			// 如果提取出的 Authentication == null 时走的一些逻辑 ,一般不会为null 
			if (authentication == null) {
   
				if (stateless && isAuthenticated()) {
   
					if (debug) {
   
						logger.debug("Clearing security context.");
					}
					SecurityContextHolder.clearContext();
				}
				if (debug) {
   
					logger.debug("No token in request, will continue chain.");
				}
			} else {
   
				// 将Token值 set到 Attribute 中 
				request.setAttribute(OAuth2AuthenticationDetails.ACCESS_TOKEN_VALUE, authentication.getPrincipal());
				if (authentication instanceof AbstractAuthenticationToken) {
   
					AbstractAuthenticationToken needsDetails = (AbstractAuthenticationToken) authentication;
					needsDetails.setDetails(authenticationDetailsSource.buildDetails(request));
				}
				
				// 这里是校验Token的核心方法 
				// 这里的 AuthenticationManager 是 OAuth2AuthenticationManager(重点)
				Authentication authResult = authenticationManager.authenticate(authentication);

				if (debug) {
   
					logger.debug(