Spring Security OAuth2: commonly used classes
Filters loaded by Spring Security by default
1、org.springframework.security.web.context.request.async.WebAsyncManagerIntegrationFilter
2、org.springframework.security.web.context.SecurityContextPersistenceFilter
3、org.springframework.security.web.header.HeaderWriterFilter
4、org.springframework.security.web.authentication.logout.LogoutFilter
5、org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter
6、org.springframework.security.web.savedrequest.RequestCacheAwareFilter
7、org.springframework.security.web.servletapi.SecurityContextHolderAwareRequestFilter
8、org.springframework.security.web.authentication.AnonymousAuthenticationFilter
9、org.springframework.security.web.session.SessionManagementFilter
10、org.springframework.security.web.access.ExceptionTranslationFilter
11、org.springframework.security.web.access.intercept.FilterSecurityInterceptor
Filters loaded by default with @EnableAuthorizationServer in Spring Security OAuth2
1、org.springframework.security.web.context.request.async.WebAsyncManagerIntegrationFilter
2、org.springframework.security.web.context.SecurityContextPersistenceFilter
3、org.springframework.security.web.header.HeaderWriterFilter
4、org.springframework.security.web.authentication.logout.LogoutFilter
5、org.springframework.security.oauth2.provider.client.ClientCredentialsTokenEndpointFilter
6、org.springframework.security.web.authentication.www.BasicAuthenticationFilter
7、org.springframework.security.web.savedrequest.RequestCacheAwareFilter
8、org.springframework.security.web.servletapi.SecurityContextHolderAwareRequestFilter
9、org.springframework.security.web.authentication.AnonymousAuthenticationFilter
10、org.springframework.security.web.session.SessionManagementFilter
11、org.springframework.security.web.access.ExceptionTranslationFilter
12、org.springframework.security.web.access.intercept.FilterSecurityInterceptor
Filters loaded by default with @EnableResourceServer in Spring Security OAuth2
1、org.springframework.security.web.context.request.async.WebAsyncManagerIntegrationFilter
2、org.springframework.security.web.context.SecurityContextPersistenceFilter
3、org.springframework.security.web.header.HeaderWriterFilter
4、org.springframework.security.web.authentication.logout.LogoutFilter
5、org.springframework.security.oauth2.provider.authentication.OAuth2AuthenticationProcessingFilter
6、org.springframework.security.web.savedrequest.RequestCacheAwareFilter
7、org.springframework.security.web.servletapi.SecurityContextHolderAwareRequestFilter
8、org.springframework.security.web.authentication.AnonymousAuthenticationFilter
9、org.springframework.security.web.session.SessionManagementFilter
10、org.springframework.security.web.access.ExceptionTranslationFilter
11、org.springframework.security.web.access.intercept.FilterSecurityInterceptor
FilterChainProxy
AuthenticationManager
ProviderManager
OAuth2AuthenticationManager
AbstractAuthenticationProcessingFilter
UsernamePasswordAuthenticationFilter
BasicAuthenticationFilter
ClientCredentialsTokenEndpointFilter
OAuth2ClientAuthenticationProcessingFilter
OAuth2AuthenticationProcessingFilter
FilterSecurityInterceptor
AccessDecisionManager implementations: AffirmativeBased, ConsensusBased, UnanimousBased.

The authorization step of FilterSecurityInterceptor (inherited from AbstractSecurityInterceptor.beforeInvocation()) first collects the ConfigAttributes that apply to the secured object, then hands them to the AccessDecisionManager:

```java
// Look up the access rules (ConfigAttributes) that apply to the secured object, e.g. the FilterInvocation
Collection<ConfigAttribute> attributes = this.obtainSecurityMetadataSource()
        .getAttributes(object);

// Attempt authorization
try {
    this.accessDecisionManager.decide(authenticated, object, attributes);
} catch (AccessDeniedException accessDeniedException) {
    // Publish the failure for auditing, then rethrow so ExceptionTranslationFilter can handle it
    publishEvent(new AuthorizationFailureEvent(object, attributes, authenticated, accessDeniedException));
    throw accessDeniedException;
}
```
Spring Security ships three vote-based AccessDecisionManager implementations: AffirmativeBased, ConsensusBased and UnanimousBased.
AffirmativeBased logic:
(1) As soon as any AccessDecisionVoter votes ACCESS_GRANTED, the user is allowed access;
(2) If every voter abstains, the request is also treated as passed;
(3) If nobody votes in favour but someone votes against, AccessDeniedException is thrown.
Spring Security uses AffirmativeBased by default.
ConsensusBased logic:
(1) If the grant votes outnumber the deny votes, access is granted.
(2) Conversely, if the deny votes outnumber the grant votes, AccessDeniedException is thrown.
(3) If the grant and deny votes are equal and non-zero, the result depends on the allowIfEqualGrantedDeniedDecisions property: true grants access, otherwise AccessDeniedException is thrown. allowIfEqualGrantedDeniedDecisions defaults to true.
(4) If every AccessDecisionVoter abstains, the result depends on the allowIfAllAbstainDecisions property: true grants access, otherwise AccessDeniedException is thrown. allowIfAllAbstainDecisions defaults to false.
UnanimousBased differs from the other two implementations: they pass all of the secured object's ConfigAttributes to each AccessDecisionVoter in a single call, whereas UnanimousBased passes only one ConfigAttribute per call. This means that a voter whose logic is "vote in favour if any one of the ConfigAttributes passed in matches" will not necessarily vote in favour when used inside UnanimousBased.
UnanimousBased logic:
(1) If any single ConfigAttribute of the secured object is voted against by any AccessDecisionVoter, AccessDeniedException is thrown.
(2) If there are no deny votes but at least one grant vote, access is granted.
(3) If every voter abstains, the result depends on allowIfAllAbstainDecisions: true grants access, false throws AccessDeniedException.
Spring Security also ships a number of voter implementations such as RoleVoter, AuthenticatedVoter and WebExpressionVoter; consult the reference documentation for details.
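The difference between passing all attributes at once (AffirmativeBased) and one at a time (UnanimousBased), shown with the built-in RoleVoter. This is an added example, not code from the page or from Spring Security; it assumes Spring Security 5.x on the classpath, and the user, role names and secured object are constructed sample values.

```java
import java.util.ArrayList;
import java.util.Collection;
import java.util.List;
import org.springframework.security.access.AccessDecisionManager;
import org.springframework.security.access.AccessDecisionVoter;
import org.springframework.security.access.AccessDeniedException;
import org.springframework.security.access.ConfigAttribute;
import org.springframework.security.access.SecurityConfig;
import org.springframework.security.access.vote.AffirmativeBased;
import org.springframework.security.access.vote.RoleVoter;
import org.springframework.security.access.vote.UnanimousBased;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.authority.AuthorityUtils;

public class VotingDemo {

    // One RoleVoter per manager. RoleVoter votes ACCESS_GRANTED if any ROLE_ attribute it is
    // handed matches a granted authority, ACCESS_DENIED if it was handed ROLE_ attributes and none match.
    private static List<AccessDecisionVoter<?>> voters() {
        List<AccessDecisionVoter<?>> voters = new ArrayList<>();
        voters.add(new RoleVoter());
        return voters;
    }

    // Returns true when the manager grants access, false when it throws AccessDeniedException
    static boolean decide(AccessDecisionManager manager, Authentication auth, Collection<ConfigAttribute> attrs) {
        try {
            manager.decide(auth, new Object() /* constructed secured object; RoleVoter ignores it */, attrs);
            return true;
        } catch (AccessDeniedException e) {
            return false;
        }
    }

    public static void main(String[] args) {
        // Constructed sample: a user holding only ROLE_USER, and a rule that names two roles
        Authentication user = new UsernamePasswordAuthenticationToken(
                "alice", "n/a", AuthorityUtils.createAuthorityList("ROLE_USER"));
        Collection<ConfigAttribute> rule = SecurityConfig.createList("ROLE_ADMIN", "ROLE_USER");

        // AffirmativeBased hands both attributes to RoleVoter in one call; ROLE_USER matches, so the voter grants
        System.out.println("AffirmativeBased grants: " + decide(new AffirmativeBased(voters()), user, rule));

        // UnanimousBased asks about ROLE_ADMIN on its own first; RoleVoter denies that attribute,
        // so the manager throws before ROLE_USER is ever considered
        System.out.println("UnanimousBased grants:   " + decide(new UnanimousBased(voters()), user, rule));
    }
}
```

The same voter and the same rule therefore produce opposite outcomes, which is why rules written as "any of these roles" need to be reviewed when switching the decision manager.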
AccessDecisionVoter
Authorization server configuration

```java
public class AuthorizationServerConfigurerAdapter implements AuthorizationServerConfigurer {
    @Override
    public void configure(AuthorizationServerSecurityConfigurer security) throws Exception {}
    @Override
    public void configure(ClientDetailsServiceConfigurer clients) throws Exception {}
    @Override
    public void configure(AuthorizationServerEndpointsConfigurer endpoints) throws Exception {}
}
```

```java
@Configuration
@EnableAuthorizationServer
public class AuthorizationServer extends AuthorizationServerConfigurerAdapter {
    // omitted...
}
```

ClientDetailsServiceConfigurer: configures the client details service (ClientDetailsService). Client details are initialised here; they can be hard-coded or loaded from a database.
AuthorizationServerEndpointsConfigurer: configures the token endpoints and the token services.
AuthorizationServerSecurityConfigurer: configures the security constraints on the token endpoints.
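The three configure methods filled in for a minimal authorization server. This is an added example, not the page's or the project's code; it assumes Spring Security OAuth2 2.x, a PasswordEncoder bean defined elsewhere, and uses a constructed client id, secret and redirect URI.

```java
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.crypto.password.PasswordEncoder;
import org.springframework.security.oauth2.config.annotation.configurers.ClientDetailsServiceConfigurer;
import org.springframework.security.oauth2.config.annotation.web.configuration.AuthorizationServerConfigurerAdapter;
import org.springframework.security.oauth2.config.annotation.web.configuration.EnableAuthorizationServer;
import org.springframework.security.oauth2.config.annotation.web.configurers.AuthorizationServerEndpointsConfigurer;
import org.springframework.security.oauth2.config.annotation.web.configurers.AuthorizationServerSecurityConfigurer;
import org.springframework.security.oauth2.provider.token.store.InMemoryTokenStore;

@Configuration
@EnableAuthorizationServer
public class DemoAuthorizationServer extends AuthorizationServerConfigurerAdapter {

    @Autowired
    private PasswordEncoder passwordEncoder; // assumed bean, e.g. a BCryptPasswordEncoder

    // Client details: which clients may request tokens, with which grants, scopes and redirect URIs
    @Override
    public void configure(ClientDetailsServiceConfigurer clients) throws Exception {
        clients.inMemory()
            .withClient("demo-client")                      // constructed sample client id
            .secret(passwordEncoder.encode("demo-secret"))  // store the encoded secret, never plaintext
            .authorizedGrantTypes("authorization_code", "refresh_token")
            .scopes("read")
            .redirectUris("http://localhost:8081/login/oauth2/code/demo") // exact-match allow-list
            .accessTokenValiditySeconds(600)
            .refreshTokenValiditySeconds(3600);
    }

    // Token endpoints and token services
    @Override
    public void configure(AuthorizationServerEndpointsConfigurer endpoints) {
        endpoints.tokenStore(new InMemoryTokenStore()); // demo only; use a shared persistent store in production
    }

    // Security constraints on /oauth/token_key, /oauth/check_token and client authentication at /oauth/token
    @Override
    public void configure(AuthorizationServerSecurityConfigurer security) {
        security
            .tokenKeyAccess("permitAll()")           // /oauth/token_key
            .checkTokenAccess("isAuthenticated()");  // /oauth/check_token requires an authenticated client
        // Clients authenticate at /oauth/token with HTTP Basic (BasicAuthenticationFilter) by default.
        // security.allowFormAuthenticationForClients() would add the ClientCredentialsTokenEndpointFilter
        // from the filter list above, accepting client_id/client_secret as form parameters instead.
    }
}
```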
Resource server configuration

The @EnableResourceServer annotation automatically adds a filter chain containing a filter of type OAuth2AuthenticationProcessingFilter.

```java
public class ResourceServerConfigurerAdapter implements ResourceServerConfigurer {
    @Override
    public void configure(ResourceServerSecurityConfigurer resources) throws Exception {}
    @Override
    public void configure(HttpSecurity http) throws Exception {
        http.authorizeRequests().anyRequest().authenticated();
    }
}
```
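A resource server that overrides both configure methods, tying the resource id check performed by OAuth2AuthenticationManager to the request rules. This is an added example, not the page's or the project's code; it assumes Spring Security OAuth2 2.x and a TokenStore bean shared with the authorization server, and the resource id and paths are constructed sample values.

```java
import org.springframework.context.annotation.Configuration;
import org.springframework.http.HttpMethod;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.http.SessionCreationPolicy;
import org.springframework.security.oauth2.config.annotation.web.configuration.EnableResourceServer;
import org.springframework.security.oauth2.config.annotation.web.configuration.ResourceServerConfigurerAdapter;
import org.springframework.security.oauth2.config.annotation.web.configurers.ResourceServerSecurityConfigurer;
import org.springframework.security.oauth2.provider.token.TokenStore;

@Configuration
@EnableResourceServer
public class DemoResourceServer extends ResourceServerConfigurerAdapter {

    private final TokenStore tokenStore;

    // Assumed: the same TokenStore the authorization server writes to, so bearer tokens can be resolved
    public DemoResourceServer(TokenStore tokenStore) {
        this.tokenStore = tokenStore;
    }

    @Override
    public void configure(ResourceServerSecurityConfigurer resources) {
        resources
            // OAuth2AuthenticationManager rejects a token whose (non-empty) resource id list
            // does not contain this value, so tokens minted for other APIs cannot be replayed here
            .resourceId("demo-resource")
            .tokenStore(tokenStore)
            .stateless(true); // bearer tokens only, no HTTP session fallback
    }

    @Override
    public void configure(HttpSecurity http) throws Exception {
        http
            .sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS)
            .and()
            .authorizeRequests()
                .antMatchers("/api/public/**").permitAll()
                // #oauth2 expressions work because ResourceServerSecurityConfigurer installs
                // OAuth2WebSecurityExpressionHandler on this HttpSecurity
                .antMatchers(HttpMethod.GET, "/api/**").access("#oauth2.hasScope('read')")
                .anyRequest().authenticated();
    }
}
```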
WebSecurityConfigurerAdapter
TokenGranter
