整体介绍
security-oauth2 提供了一些默认的过滤器链,每个过滤器链里面都有一个匹配器,并且每个过滤器链中都有多个过滤器,当业务接口请求到后端的时候,在请求到达目标接口之前,会被过滤器链代理拦截下来,然后循环过滤器链,利用过滤器链本身的匹配器对请求进行匹配,如果匹配通过,则进入到过滤器链中,然后循环执行过滤器链中所有的过滤器,在这些过滤器中,会对请求头信息中的token进行校验,如果全部校验通过,请求才会调用到最初的目标接口,否则就终止请求的执行,并抛错错误码403类似的提示
源码解析
当业务接口请求到后端的时候,会被过滤器链代理拦截,代码如下
public class FilterChainProxy extends GenericFilterBean implements Filter, BeanNameAware, EnvironmentAware,
EnvironmentCapable, ServletContextAware, InitializingBean, DisposableBean {
@Override
public void doFilter(ServletRequest request, ServletResponse response,
FilterChain chain) throws IOException, ServletException {
boolean clearContext = request.getAttribute(FILTER_APPLIED) == null;
if (clearContext) {
try {
request.setAttribute(FILTER_APPLIED, Boolean.TRUE);
doFilterInternal(request, response, chain);
}
finally {
SecurityContextHolder.clearContext();
request.removeAttribute(FILTER_APPLIED);
}
}
else {
doFilterInternal(request, response, chain);
}
}
}
因为 FilterChainProxy 实现了 Filter 接口,所以会拦截接口请求,并进入到doFilter()方法中,然后请求会走到doFilterInternal()方法中,代码如下
private void doFilterInternal(ServletRequest request, ServletResponse response,
FilterChain chain) throws IOException, ServletException {
FirewalledRequest fwRequest = firewall
.getFirewalledRequest((HttpServletRequest) request);
HttpServletResponse fwResponse = firewall
.getFirewalledResponse((HttpServletResponse) response);
List<Filter> filters = getFilters(fwRequest);
if (filters == null || filters.size() == 0) {
if (logger.isDebugEnabled()) {
logger.debug(UrlUtils.buildRequestUrl(fwRequest)
+ (filters == null ? " has no matching filters" : " has an empty filter list"));
}
fwRequest.reset();
chain.doFilter(fwRequest, fwResponse);
return;
}
VirtualFilterChain vfc = new VirtualFilterChain(fwRequest, chain, filters);
vfc.doFilter(fwRequest, fwResponse);
}
在上面代码块里,先调用getFilters()方法获取过滤器
private List<Filter> getFilters(HttpServletRequest request) {
for (SecurityFilterChain chain : filterChains) {
if (chain.matches(request)) {
return chain.getFilters();
}
}
return null;
}
在getFilters()方法中,循环所有滤器链,利用每条过滤器链本身的匹配器与接口请求进行匹配,返回第一条匹配成功的过滤器链,然后将该过滤器链中的所有过滤器以集合的形式返回到doFilterInternal()方法中,doFilterInternal()方法在拿到过滤器集合之后,将其封装在了VirtualFilterChain过滤器链中,然后调用VirtualFilterChain过滤器链的doFilter方法
private static class VirtualFilterChain implements FilterChain{
@Override
public void doFilter(ServletRequest request, ServletResponse response)
throws IOException, ServletException {
if (currentPosition == size) {
if (logger.isDebugEnabled()) {
logger.debug(UrlUtils.buildRequestUrl(firewalledRequest)
+