SpringSecurity过滤器链中FilterSecurityInterceptor

        // 添加JWT filter
        httpSecurity.addFilterBefore(authenticationTokenFilter, UsernamePasswordAuthenticationFilter.class);

 

@Component
public class JwtAuthenticationTokenFilter extends OncePerRequestFilter
{
    @Autowired
    private TokenService tokenService;

    @Override
    protected void doFilterInternal(HttpServletRequest request, HttpServletResponse response, FilterChain chain)
            throws ServletException, IOException
    {
        LoginUser loginUser = tokenService.getLoginUser(request);
        if (StringUtils.isNotNull(loginUser) && StringUtils.isNull(SecurityUtils.getAuthentication()))
        {
            tokenService.verifyToken(loginUser);
            UsernamePasswordAuthenticationToken authenticationToken = new UsernamePasswordAuthenticationToken(loginUser, null, loginUser.getAuthorities());
            authenticationToken.setDetails(new WebAuthenticationDetailsSource().buildDetails(request));
            SecurityContextHolder.getContext().setAuthentication(authenticationToken);
        }
        chain.doFilter(request, response);
        // Spring Security过滤器链中最后的是FilterSecurityInterceptor,用来进行权限认证,在它的invoke()中的super.beforeInvocation()方法会进行鉴权
        // 如果鉴权失败会抛异常进入ExceptionTranslationFilter的sendStartAuthentication执行this.authenticationEntryPoint.commence()方法,
        // 最后调用我们重写的AuthenticationEntryPointImpl.commence()方法
    }
}