三.授权服务器是如何实现授权的呢?
1.前言
前面一篇文章已经讲了我们是如何在第一次(未认证的情况下)访问client A(http://localhost:11980/cth/time)时,重定向到client A的http://localhost:11980/cth/oauth2/authorization/messaging-client-oidc地址(Get请求),然后,又重定向到授权服务器的http://server:10880/cfgs/oauth2/authorize?response_type=code&client_id=cth-messaging-client&scope=openid&state=3XIsMHi6vQPGm5MxqtHmqH5D90nKuBN_Af4jMJAoVVo%3D&redirect_uri=http://127.0.0.1:11980/cth/api/getCode&nonce=V4cRB0El04KuXdTfh61LWNZa1cSUn1xKWIRdX5DrdZg地址上,最后重定向到登录页面
http://localhost:10880/cfgs/login/oauth, 那么后面授权服务器是如何实现授权的呢?
2.授权服务器 如何进行登录认证?
在统一登录页,用户输入用户名密码后,点击“登录”按钮后,会向授权服务器发送一个http://server:10880/cfgs/login/oauth请求(POST类型),这个时候会携带用户名密码到授权服务器,而授权服务器端的SpringSecurity的FilerChainProxy过滤器链中有如下的过滤器,如下所示:
在登录验证这一步,授权服务器其实和普通的SpringSecurity应用是没有区别的,就是通过UsernamePasswordAuthenticationFilter过滤器验证用户名密码的有效性.如果输入正确的用户名密码,attemptAuthentication()方法会正常返回,
如果登录成功就执行后续successfulAuthentication()方法,具体实现如下:
//AbstractAuthenticationProcessingFilter.java
public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
throws IOException, ServletException {
// 省略 ……
Authentication authResult;
try {
//实际调用了实现类UsernamePasswordAuthenticationFilter中的实现
authResult = attemptAuthentication(request, response);
if (authResult == null) {
return;
}
sessionStrategy.onAuthentication(authResult, request, response);
}catch (InternalAuthenticationServiceException failed) {
logger.error(
"An internal error occurred while trying to authenticate the user.",
failed);
unsuccessfulAuthentication(request, response, failed);
return;
}catch (AuthenticationException failed) {
// Authentication failed
unsuccessfulAuthentication(request, response, failed);
return;
}
// Authentication success
if (continueChainBeforeSuccessfulAuthentication) {
chain.doFilter(request, response);
}
successfulAuthentication(request, response, chain, authResult);
}
下面就是successfulAuthentication方法:
//org.springframework.security.web.authentication.AbstractAuthenticationProcessingFilter
protected void successfulAuthentication(HttpServletRequest request, HttpServletResponse response, FilterChain chain,
Authentication authResult) throws IOException, ServletException {
SecurityContext context = SecurityContextHolder.createEmptyContext();
context.setAuthentication(authResult);
SecurityContextHolder.setContext(context);
this.securityContextRepository.saveContext(context, request, response);
if (this.logger.isDebugEnabled()) {
this.logger.debug(LogMessage.format("Set SecurityContextHolder to %s", authResult));
}
this.rememberMeServices.loginSuccess(request, response, authResult);
if (this.eventPublisher != null) {
this.eventPublisher.publishEvent(new InteractiveAuthenticationSuccessEvent(authResult, this.getClass()));
}
this.successHandler.onAuthenticationSuccess(request, response, authResult);
}
从这个方法我们继续debug,进入到org.springframework.security.web.authentication.SavedRequestAwareAuthenticationSuccessHandler的onAuthenticationSuccess方法,如下:
走到这里又重定向到了/oauth2/authorize这个地址了。
然后我们跟着debug走,会发现FliterChainProxy的拦截链,又发生了变化。
于是进入到OAuth2AuthorizationEndpointFilter,这是它的源码:
//OAuth2AuthorizationEndpointFilter(org.springframework.security.oauth2.server.authorization.web)
@Override
protectedvoiddoFilterInternal(HttpServletRequestrequest,HttpServletResponseresponse,FilterChainfilterChain)
throwsServletException,IOException{
if(!this.authorizationEndpointMatcher.matches(request)){
filterChain.doFilter(request,response);
return;
}
try{
Authenticationauthentication=this.authenticationConverter.convert(request);
if(authenticationinstanceofAbstractAuthenticationToken){
((AbstractAuthenticationToken)authentication)
.setDetails(this.authenticationDetailsSource.buildDetails(request));
}
AuthenticationauthenticationResult=this.authenticationManager.authenticate(authentication);
if(!authenticationResult.isAuthenticated()){
//IfthePrincipal(ResourceOwner)isnotauthenticatedthen
//passthroughthechainwiththeexpectationthattheauthenticationprocess
//willcommenceviaAuthenticationEntryPoint
filterChain.doFilter(request,response);
return;
}
if(authenticationResultinstanceofOAuth2AuthorizationConsentAuthenticationToken){
if(this.logger.isTraceEnabled()){
this.logger.trace("Authorizationconsentisrequired");
}
sendAuthorizationConsent(request,response,
(OAuth2AuthorizationCodeRequestAuthenticationToken)authentication,
(OAuth2AuthorizationConsentAuthenticationToken)authenticationResult);
return;
}
this.authenticationSuccessHandler.onAuthenticationSuccess(
request,response,authenticationResult);
}catch(OAuth2AuthenticationExceptionex){
if(this.logger.isTraceEnabled()){
this.logger.trace(LogMessage.format("Authorizationrequestfailed:%s",ex.getError()),ex);
}
this.authenticationFailureHandler.onAuthenticationFailure(request,response,ex);
}
}
跟着debug走,会进入到onAuthenticationSuccess方法。
sendAuthorizationResponse方法其实是获取了一个随机的code,并且重定向到一个新的地址:http://127.0.0.1:11980/cth/api/getCode?code=Y685NfBp2O89VnC7ecylf_CShYgXICtOPebxU-TX5C1mhUqrNI3Q2Fy3QssVhblvgnp0LHjpEYDboJigF10TQxVsTFBv3iiDWLGjb_vcXR0MKUdW1rfwmOlTNOFl9qpf&state=70E6GtH83jG4yOdhCPWFGlVoggMB29EbRocGUN1D7LA%3D
最后就成功回到了客户端的http://127.0.0.1:11980/cth/api/getCode上。