
Analysis of the Spring Security OAuth2 example


In this example the authorization server and the resource server run in the same application (sparklr2); the client is tonr2.
I. On the client, tonr2:
1. The OAuth2RestTemplate (the sparklrRestTemplate bean in org.springframework.security.oauth.examples.config.WebMvcConfig.ResourceConfiguration) sends a request to sparklr2 for http://localhost:8080/sparklr2/photos?format=xml.
2. The request passes through org.springframework.security.oauth2.client.filter.OAuth2ClientContextFilter.doFilter. Before the request can be executed, the template finds that it holds no access token and throws a UserRedirectRequiredException; the catch block in OAuth2ClientContextFilter.doFilter handles it by calling redirectUser(redirect, request, response), which ends in this.redirectStrategy.sendRedirect(request, response, builder.build().encode().toUriString()). The browser is therefore redirected to sparklr2 with a request like

http://localhost:8080/sparklr2/oauth/authorize?client_id=tonr&redirect_uri=http://localhost:8081/tonr2/sparklr/photos&response_type=code&scope=read%20write&state=1DvnAt

This is where obtaining the authorization code begins. Note the state parameter: the client keeps it in its OAuth2ClientContext and compares it with the value that comes back on the redirect, which is the client's CSRF protection for the callback.

II. Over to the server, sparklr2
3. The request passes Spring Security's org.springframework.security.web.FilterChainProxy. The user is not logged in, so they are sent to the login page; after logging in they are redirected to the pending authorization-code request, which is handled by org.springframework.security.oauth2.provider.endpoint.AuthorizationEndpoint.authorize. (Before the code below runs, the endpoint has already loaded the client and resolved redirect_uri against the client's registered redirect URIs; an unregistered redirect_uri is rejected with a RedirectMismatchException, so a code can only be sent to an address the client registered.) The following lines decide whether the user has approved the client:

authorizationRequest = userApprovalHandler.checkForPreApproval(authorizationRequest, (Authentication) principal);
boolean approved = userApprovalHandler.isApproved(authorizationRequest, (Authentication) principal);
authorizationRequest.setApproved(approved);
// If the user has approved the client
if (authorizationRequest.isApproved()) {
    if (responseTypes.contains("token")) {
        return getImplicitGrantResponse(authorizationRequest);
    }
    // Respond with the authorization code directly
    if (responseTypes.contains("code")) {
        return new ModelAndView(getAuthorizationCodeResponse(authorizationRequest, (Authentication) principal));
    }
}
// Otherwise send the user to the approval page; the request is put into the model (and so into the session)
// so that approveOrDeny can take it from there rather than from the submitted form
model.put("authorizationRequest", authorizationRequest);
return getUserApprovalPageResponse(model, authorizationRequest, (Authentication) principal);

4. Suppose the user has not approved this client before. The user makes a choice on the approval page and submits; org.springframework.security.oauth2.provider.endpoint.AuthorizationEndpoint.approveOrDeny receives the form and then produces the authorization-code response (if the user denies every scope a UserDeniedAuthorizationException is thrown; otherwise a code is generated), and the browser is redirected back to the client's callback URL. approveOrDeny reads the authorizationRequest from the session, where authorize stored it, not from the submitted parameters, so the approval form cannot alter client_id, scope or redirect_uri after the fact.

III. The authorization-code response returns to the client
5. Back in org.springframework.security.oauth.examples.tonr.impl.SparklrServiceImpl.getSparklrPhotoIds the request is issued again. It again goes through sparklrRestTemplate, and so again through org.springframework.security.oauth2.client.OAuth2RestTemplate.getAccessToken,
which, finding accessToken null, calls acquireAccessToken(OAuth2ClientContext oauth2Context):

accessToken = accessTokenProvider.obtainAccessToken(resource, accessTokenRequest);
if (accessToken == null || accessToken.getValue() == null) {
    throw new IllegalStateException(
            "Access token provider returned a null access token, which is illegal according to the contract.");
}
oauth2Context.setAccessToken(accessToken);

This calls org.springframework.security.oauth2.client.token.AccessTokenProviderChain.obtainAccessToken, where accessToken = obtainNewAccessTokenInternal(resource, request);
which calls org.springframework.security.oauth2.client.token.AccessTokenProviderChain.obtainNewAccessTokenInternal, which returns tokenProvider.obtainAccessToken(details, request);
which calls org.springframework.security.oauth2.client.token.grant.code.AuthorizationCodeAccessTokenProvider.obtainAccessToken, which returns retrieveToken(request, resource, getParametersForTokenRequest(resource, request), getHeadersForTokenRequest(request));
which calls org.springframework.security.oauth2.client.token.OAuth2AccessTokenSupport.retrieveToken, which returns getRestTemplate().execute(getAccessTokenUri(resource, form), getHttpMethod(), getRequestCallback(resource, form, headers), extractor, form.toSingleValueMap()); At this point the client sends the token request to sparklr2: a POST to http://localhost:8080/sparklr2/oauth/token with the parameters (grant_type=authorization_code, the code, and the redirect_uri) in the form body. The client's own credentials are added by the request callback's ClientAuthenticationHandler; by default that is HTTP Basic, so client_id and client_secret travel in the Authorization header of this back-channel request, never in the browser-visible URL.

IV. The client asks the server for an accessToken
org.springframework.security.oauth2.provider.endpoint.TokenEndpoint.postAccessToken receives the request and produces an accessToken. The token is an opaque UUID: the authorization itself (user, client, scopes) stays on the server, and the UUID is only the key under which that Authentication can be looked up. Before a token is issued, the AuthorizationCodeTokenGranter consumes the code (so it cannot be used twice) and checks that the client_id and redirect_uri presented at /oauth/token match those of the original authorize request; a mismatch is rejected.
In this example the token is created in org.springframework.security.oauth2.provider.token.DefaultTokenServices.createAccessToken(org.springframework.security.oauth2.provider.OAuth2Authentication, org.springframework.security.oauth2.common.OAuth2RefreshToken),
and then stored on the server with tokenStore.storeAccessToken(accessToken, authentication); here tokenStore is the InMemoryTokenStore implementation. (The user's authentication can instead be kept in Redis, which lets the resource server be separated from the authorization server while still resolving opaque tokens; Spring Data Redis makes that convenient, and with Redis clustering, if it proves reliable, there is no need to persist tokens to a database.)
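As an added example, not code from spring-security-oauth2 or the sparklr2 sample, the following plain-Java class shows the properties the authorization code needs for steps 3 and 4 (issuing) and for this token exchange (consuming) to be safe: the code is random and short-lived, it is consumed exactly once, and it is bound to the client_id and redirect_uri of the original /oauth/authorize request. The client id tonr and the redirect URI are the ones from the walkthrough; the class and method names, the user "alice", the "evil-client" id and the 60 s lifetime are assumptions made for the example.

```java
import java.security.SecureRandom;
import java.util.Base64;
import java.util.Map;
import java.util.Objects;
import java.util.Set;
import java.util.concurrent.ConcurrentHashMap;

/** Added illustration of the authorization-code exchange; not the library's own implementation. */
public class AuthorizationCodeExchange {

    /** What the authorization server remembers about a code it handed out. */
    static final class PendingGrant {
        final String clientId, redirectUri, userName;
        final Set<String> scopes;
        final long expiresAtMillis;

        PendingGrant(String clientId, String redirectUri, String userName, Set<String> scopes, long expiresAtMillis) {
            this.clientId = clientId;
            this.redirectUri = redirectUri;
            this.userName = userName;
            this.scopes = scopes;
            this.expiresAtMillis = expiresAtMillis;
        }
    }

    private static final long CODE_TTL_MILLIS = 60_000; // assumed lifetime; codes should be short-lived
    private final SecureRandom random = new SecureRandom();
    private final Map<String, PendingGrant> codes = new ConcurrentHashMap<>();

    /** Step 4: the user approved, so issue a code bound to exactly this request. */
    public String issueCode(String clientId, String redirectUri, String userName, Set<String> scopes, long nowMillis) {
        byte[] raw = new byte[32]; // 256 bits from SecureRandom: the code must be unguessable
        random.nextBytes(raw);
        String code = Base64.getUrlEncoder().withoutPadding().encodeToString(raw);
        codes.put(code, new PendingGrant(clientId, redirectUri, userName, scopes, nowMillis + CODE_TTL_MILLIS));
        return code;
    }

    /**
     * The /oauth/token step. authenticatedClientId is the client that proved its identity on this
     * request (HTTP Basic in the walkthrough); redirectUri is the value the client sent in the form.
     */
    public PendingGrant exchange(String code, String authenticatedClientId, String redirectUri, long nowMillis) {
        // remove() before any check: the code is spent even when the exchange fails, so it cannot be retried
        PendingGrant grant = codes.remove(code);
        if (grant == null) {
            throw new IllegalStateException("invalid_grant: unknown or already used code");
        }
        if (nowMillis > grant.expiresAtMillis) {
            throw new IllegalStateException("invalid_grant: code expired");
        }
        if (!grant.clientId.equals(authenticatedClientId)) {
            throw new IllegalStateException("invalid_client: code was issued to a different client");
        }
        if (!Objects.equals(grant.redirectUri, redirectUri)) {
            throw new IllegalStateException("invalid_grant: redirect_uri does not match the authorize request");
        }
        return grant;
    }

    private static void expectFailure(String label, Runnable attempt) {
        try {
            attempt.run();
            System.out.println(label + ": UNEXPECTEDLY ACCEPTED");
        } catch (IllegalStateException e) {
            System.out.println(label + ": rejected (" + e.getMessage() + ")");
        }
    }

    public static void main(String[] args) {
        AuthorizationCodeExchange server = new AuthorizationCodeExchange();
        String client = "tonr";
        String callback = "http://localhost:8081/tonr2/sparklr/photos";
        long now = System.currentTimeMillis();

        // Constructed sample data: user "alice" approved scopes read and write for client tonr.
        String code = server.issueCode(client, callback, "alice", Set.of("read", "write"), now);
        PendingGrant granted = server.exchange(code, client, callback, now + 1_000);
        System.out.println("first exchange: a token may be issued for " + granted.userName + " with " + granted.scopes);

        expectFailure("replay of the same code", () -> server.exchange(code, client, callback, now + 2_000));

        String code2 = server.issueCode(client, callback, "alice", Set.of("read"), now);
        expectFailure("another client presents a stolen code", () -> server.exchange(code2, "evil-client", callback, now + 1_000));

        String code3 = server.issueCode(client, callback, "alice", Set.of("read"), now);
        expectFailure("redirect_uri changed at the token endpoint",
                () -> server.exchange(code3, client, "http://localhost:8081/tonr2/other", now + 1_000));

        String code4 = server.issueCode(client, callback, "alice", Set.of("read"), now);
        expectFailure("code presented after it expired", () -> server.exchange(code4, client, callback, now + CODE_TTL_MILLIS + 1));
    }
}
```

Running main prints one successful exchange followed by four rejections. The order of the checks in exchange is deliberate: the code is removed from the store before anything else is verified, so an attacker who obtains a code but cannot authenticate as tonr also burns it for the legitimate client.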

V. The accessToken response returns to the client
org.springframework.security.oauth2.client.OAuth2RestTemplate.acquireAccessToken stores the accessToken it received in the OAuth2ClientContext. From then on the client uses this accessToken to access protected resources (directly at the resource server; here, of course, the authorization server and the resource server are one application).

VI. Accessing a resource protected by the resource server (where not stated otherwise, "server" above meant the authorization server)
1. First the client's request to the resource server: sparklrRestTemplate.getForObject(URI.create(sparklrPhotoListURL), byte[].class) in org.springframework.security.oauth.examples.tonr.impl.SparklrServiceImpl.getSparklrPhotoIds.
2. The resource server receives it in org.springframework.security.oauth.examples.sparklr.mvc.PhotoController.getPhoto; before this method is entered, the request has to be authenticated and authorized.

First, a look at how the most important filter, the springSecurityFilterChain proxy, is produced.
@EnableWebSecurity carries @Import({WebSecurityConfiguration.class, ObjectPostProcessorConfiguration.class}). While the org.springframework.security.config.annotation.web.configuration.WebSecurityConfiguration bean is being instantiated, org.springframework.security.config.annotation.web.configuration.WebSecurityConfiguration#setFilterChainProxySecurityConfigurer is wired first; its second parameter is the list of every SecurityConfigurer found in the current beanFactory.
Because sparklr2 combines the authorization server and the resource server, and we normally have our own Security customization on top of that, there are three SecurityConfigurers. The method sorts them by order and then calls webSecurity.apply(webSecurityConfigurer) for each, which stores them in the webSecurity's configurers field (org.springframework.security.config.annotation.AbstractConfiguredSecurityBuilder#configurers):
a. org.springframework.security.oauth2.config.annotation.web.configuration.AuthorizationServerSecurityConfiguration$$EnhancerBySpringCGLIB$$6a283588
b. org.springframework.security.oauth2.config.annotation.web.configuration.ResourceServerConfiguration$$EnhancerBySpringCGLIB$$54898551
c. org.springframework.security.oauth.examples.sparklr.config.SecurityConfiguration$$EnhancerBySpringCGLIB$$4bd7839
So the authorization-server configuration comes first, then the resource server, and the custom one last (AuthorizationServerSecurityConfiguration is @Order(0), ResourceServerConfiguration has order 3, and a plain WebSecurityConfigurerAdapter defaults to 100). The order is security relevant: FilterChainProxy hands a request to the first SecurityFilterChain whose RequestMatcher matches and ignores the rest, so a chain without a request matcher swallows every request that reaches it, and two configurers with the same order are rejected at startup.
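To make the ordering rule concrete, here is an added example of the multiple-HttpSecurity pattern in Spring Security's Java configuration; it is not from sparklr2, and the package, class names and paths are assumptions. The first adapter claims only /api/** and is ordered before the catch-all form-login adapter; remove its requestMatchers() line and the API chain would match every request, so the form-login chain would never be consulted.

```java
package example.security; // hypothetical package

import org.springframework.context.annotation.Configuration;
import org.springframework.core.annotation.Order;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;

/** Added illustration of chain ordering; not part of the sparklr2 sample. */
@Configuration
@EnableWebSecurity
public class ChainOrderingConfig {

    // Lower order value = earlier in FilterChainProxy's list, so this chain is consulted first.
    // requestMatchers() limits it to /api/**; without that line it would claim every request.
    @Configuration
    @Order(1)
    public static class ApiChain extends WebSecurityConfigurerAdapter {
        @Override
        protected void configure(HttpSecurity http) throws Exception {
            http
                .requestMatchers().antMatchers("/api/**").and()
                .authorizeRequests().anyRequest().authenticated().and()
                .httpBasic();
        }
    }

    // Default order (100): receives everything the API chain did not claim.
    // Two adapters with the same order value fail at startup, so ordering is always explicit.
    @Configuration
    public static class WebChain extends WebSecurityConfigurerAdapter {
        @Override
        protected void configure(HttpSecurity http) throws Exception {
            http
                .authorizeRequests().antMatchers("/login").permitAll().anyRequest().hasRole("USER").and()
                .formLogin().loginPage("/login");
        }
    }
}
```

With this configuration a request for /api/photos is handled by the HTTP Basic chain and /photos by the form-login chain, which is the same mechanism that routes /oauth/token to the authorization-server chain in sparklr2 while /oauth/authorize falls through to the form-login configuration.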

2. The springSecurityFilterChain bean is declared in the org.springframework.security.config.annotation.web.configuration.WebSecurityConfiguration#springSecurityFilterChain method; when it is instantiated, webSecurity.build() is called. A look at the build process:

    @Override
    protected final O doBuild() throws Exception {
        synchronized(configurers) {
            buildState = BuildState.INITIALIZING;
            beforeInit();//hook that runs before any configurer is initialized
            init();//calls init() on each configurer: takes the HttpSecurity from each configurer and adds it to this webSecurity's securityFilterChainBuilders, and registers a Runnable in this webSecurity's postBuildAction that will set the FilterSecurityInterceptor on the webSecurity

            buildState = BuildState.CONFIGURING;
            beforeConfigure();//hook, as above
            configure();//calls configure(WebSecurity web) on each configurer, which may adjust this webSecurity further; for example org.springframework.security.oauth.examples.sparklr.config.SecurityConfiguration#configure(org.springframework.security.config.annotation.web.builders.WebSecurity) declares which requests should be ignored

            buildState = BuildState.BUILDING;
            O result = performBuild();//broken down below

            buildState = BuildState.BUILT;
            return result;
        }
    }

    protected Filter performBuild() throws Exception {
        Assert.state(!securityFilterChainBuilders.isEmpty(),
                "At least one SecurityBuilder<? extends SecurityFilterChain> needs to be specified. Typically this done by adding a @Configuration that extends WebSecurityConfigurerAdapter. More advanced users can invoke "
                        + WebSecurity.class.getSimpleName()
                        + ".addSecurityFilterChainBuilder directly");
        int chainSize = ignoredRequests.size() + securityFilterChainBuilders.size();
        List<SecurityFilterChain> securityFilterChains = new ArrayList<SecurityFilterChain>(chainSize);
        for(RequestMatcher ignoredRequest : ignoredRequests) {//ignored requests go first
            securityFilterChains.add(new DefaultSecurityFilterChain(ignoredRequest));//this DefaultSecurityFilterChain has no filters, so matching requests are not intercepted; note that this also means no security filter at all runs for them
        }
        for(SecurityBuilder<? extends SecurityFilterChain> securityFilterChainBuilder : securityFilterChainBuilders) {//the three HttpSecurity builders collected during init above
            securityFilterChains.add(securityFilterChainBuilder.build());//a SecurityFilterChain has two methods: a. does it match this request; b. if so, the filters that handle it. Each builder thus contributes a chain of filters for its own set of requests
        }
        FilterChainProxy filterChainProxy = new FilterChainProxy(securityFilterChains);//the FilterChainProxy is built from all securityFilterChains, in this order
        if(httpFirewall != null) {
            filterChainProxy.setFirewall(httpFirewall);
        }
        filterChainProxy.afterPropertiesSet();

        Filter result = filterChainProxy;//a second reference to the same object; not redundant, it is what gets wrapped when debugging is enabled
        if(debugEnabled) {
            logger.warn("\n\n" +
                    "********************************************************************\n" +
                    "**********        Security debugging is enabled.       *************\n" +
                    "**********    This may include sensitive information.  *************\n" +
                    "**********      Do not use in a production system!     *************\n" +
                    "********************************************************************\n\n");
            result = new DebugFilter(filterChainProxy);
        }
        postBuildAction.run();//the Runnable registered during init: sets the FilterSecurityInterceptor on this webSecurity
        return result;//the final filterChainProxy (or its DebugFilter wrapper)
    }

Case 1: suppose the user has no accessToken yet and the client requests /sparklr2/photos?format=xml.
From the analysis above, the client side first passes org.springframework.security.oauth2.client.filter.OAuth2ClientContextFilter#doFilter, which handles the org.springframework.security.oauth2.client.resource.UserRedirectRequiredException: A redirect is required to get the users approval by redirecting the browser to the authorization-code request.
That request then enters the authorization server. One might expect the first HttpSecurity (the authorization-server chain) to apply, but that chain only matches the token endpoints (/oauth/token, /oauth/token_key, /oauth/check_token), not /oauth/authorize, which falls through to the custom SecurityConfiguration chain with its form login. Debugging shows the request is finally intercepted by a FilterSecurityInterceptor:
a. org.springframework.security.web.access.intercept.FilterSecurityInterceptor.doFilter calls invoke(fi);
b. org.springframework.security.web.access.intercept.FilterSecurityInterceptor.invoke calls InterceptorStatusToken token = super.beforeInvocation(fi);
c. org.springframework.security.access.intercept.AbstractSecurityInterceptor.beforeInvocation calls this.accessDecisionManager.decide(authenticated, object, attributes);
Back to the familiar three arguments: authenticated is an AnonymousAuthenticationToken, object is a FilterInvocation, and attributes is a collection holding a WebExpressionConfigAttribute. The decision throws org.springframework.security.access.AccessDeniedException (not the client-side UserRedirectRequiredException), and because the caller is anonymous, ExceptionTranslationFilter turns it into a call to the AuthenticationEntryPoint, i.e. the redirect to the login page.

Case 2: suppose the user has no accessToken and calls the resource server directly for /sparklr2/photos?format=xml, bypassing the client.
Now the request enters the resource server and the second HttpSecurity (the resource-server chain) applies. Debugging shows it is again intercepted by a FilterSecurityInterceptor:
a. org.springframework.security.web.access.intercept.FilterSecurityInterceptor.doFilter calls invoke(fi);
b. org.springframework.security.web.access.intercept.FilterSecurityInterceptor.invoke calls InterceptorStatusToken token = super.beforeInvocation(fi);
c. org.springframework.security.access.intercept.AbstractSecurityInterceptor.beforeInvocation calls this.accessDecisionManager.decide(authenticated, object, attributes);
Again the familiar three: authenticated is an AnonymousAuthenticationToken, object is a FilterInvocation, and attributes holds a WebExpressionConfigAttribute. This time the decision throws org.springframework.security.access.AccessDeniedException: Insufficient scope for this resource. Since no token was presented the caller is anonymous, and on this chain the exception ends in the OAuth2AuthenticationEntryPoint rather than a login redirect: the resource server answers with an HTTP 401 and a WWW-Authenticate: Bearer header.

Case 3: the normal flow. After the user has obtained an accessToken, trace the request for the protected resource: GET http://localhost:8080/sparklr2/photos?format=xml (the OAuth2RestTemplate's context holds the accessToken, and the template puts it in the request's Authorization header as a Bearer token).
The request enters the resource server, where the second HttpSecurity applies. First look at what happened when the resource server started: org.springframework.security.config.annotation.web.builders.WebSecurity.performBuild ran securityFilterChains.add(securityFilterChainBuilder.build());
and when securityFilterChainBuilder is the resource server's HttpSecurity, the build enters

org.springframework.security.config.annotation.AbstractConfiguredSecurityBuilder.configure
private void configure() throws Exception {
    Collection<SecurityConfigurer<O,B>> configurers = getConfigurers();

    for(SecurityConfigurer<O,B> configurer : configurers ) {
        configurer.configure((B) this);//each configurer adds its filters and settings to this HttpSecurity
    }
}

One of the configurers obtained here is org.springframework.security.oauth2.config.annotation.web.configurers.ResourceServerSecurityConfigurer; entering its configure:

@Override
public void configure(HttpSecurity http) throws Exception {
    AuthenticationManager oauthAuthenticationManager = oauthAuthenticationManager(http);
    //an important filter, discussed below
    resourcesServerFilter = new OAuth2AuthenticationProcessingFilter();
    resourcesServerFilter.setAuthenticationEntryPoint(authenticationEntryPoint);
    resourcesServerFilter.setAuthenticationManager(oauthAuthenticationManager);
    if (eventPublisher != null) {
        resourcesServerFilter.setAuthenticationEventPublisher(eventPublisher);
    }
    if (tokenExtractor != null) {
        resourcesServerFilter.setTokenExtractor(tokenExtractor);
    }
    resourcesServerFilter = postProcess(resourcesServerFilter);
    resourcesServerFilter.setStateless(stateless);
    // @formatter:off
    http
        .authorizeRequests().expressionHandler(expressionHandler)
    .and()
    //added to the filter chain here, ahead of the pre-authentication filters
        .addFilterBefore(resourcesServerFilter, AbstractPreAuthenticatedProcessingFilter.class)
        .exceptionHandling()
            .accessDeniedHandler(accessDeniedHandler)
            .authenticationEntryPoint(authenticationEntryPoint);
    // @formatter:on
}

So an OAuth2AuthenticationProcessingFilter is created as well. Its job is to take the token sent by the client and recover the user's Authentication from the token store. Its doFilter method, condensed:
org.springframework.security.oauth2.provider.authentication.OAuth2AuthenticationProcessingFilter.doFilter
//read the accessToken (the UUID) from the request (the Authorization: Bearer header, or else the access_token parameter) and wrap it in a PreAuthenticatedAuthenticationToken
Authentication authentication = tokenExtractor.extract(request);
//authenticationManager is an OAuth2AuthenticationManager; it calls OAuth2Authentication auth = tokenServices.loadAuthentication(token); and also checks that the token is not expired and that it carries this server's resource id; an unknown or expired token fails here with an InvalidTokenException
Authentication authResult = authenticationManager.authenticate(authentication);
//store the Authentication in Spring Security's context for the rest of the chain
SecurityContextHolder.getContext().setAuthentication(authResult);
In the real method this sits in a try/catch: a failure is handed to the authenticationEntryPoint and the chain is not continued, and when no token is present and the filter is stateless, any existing SecurityContext is cleared so a browser session cannot be used on the resource chain.
Because a FilterSecurityInterceptor was generated too, that filter again reaches this.accessDecisionManager.decide(authenticated, object, attributes); with
authenticated: the result of authentication = authenticationManager.authenticate(authentication);
object: the FilterInvocation
attributes: a list whose single WebExpressionConfigAttribute wraps the SpEL expression #oauth2.throwOnError(#oauth2.hasScope('read') or (!#oauth2.isOAuth() and hasRole('ROLE_USER')))
Read it as: an OAuth2 caller must hold the read scope; a non-OAuth caller (a user logged in through the browser session) gets through on ROLE_USER; and throwOnError turns a failed hasScope check into the "Insufficient scope" AccessDeniedException seen in case 2.
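The following is an added example, not code from spring-security-oauth2, that reduces the resource-server side of cases 2 and 3 to plain Java so the possible outcomes can be seen side by side: token extraction from the Authorization header or the access_token parameter, lookup of the opaque token in a store with expiry (what tokenServices.loadAuthentication does), the stateless rule for requests that carry no token, and the access expression above evaluated by hand. The class names, the sample tokens and the users are constructed for the example; the scope and role values are the ones from the expression.

```java
import java.util.HashMap;
import java.util.Map;
import java.util.Set;

/** Added illustration of the resource-server checks; not the library's own code. */
public class ResourceAccessCheck {
    /** Server-side record behind an opaque token value (OAuth2Authentication plus expiry, simplified). */
    static final class TokenInfo {
        final String user; final Set<String> scopes; final long expiresAtMillis;
        TokenInfo(String user, Set<String> scopes, long expiresAtMillis) {
            this.user = user; this.scopes = scopes; this.expiresAtMillis = expiresAtMillis;
        }
    }
    /** What the authentication step leaves in the SecurityContext. */
    static final class Principal {
        static final Principal ANONYMOUS = new Principal("anonymous", false, Set.of(), Set.of());
        final String name;
        final boolean oauth;        // what #oauth2.isOAuth() reports
        final Set<String> scopes;   // what #oauth2.hasScope() consults
        final Set<String> roles;    // what hasRole() consults
        Principal(String name, boolean oauth, Set<String> scopes, Set<String> roles) {
            this.name = name; this.oauth = oauth; this.scopes = scopes; this.roles = roles;
        }
    }

    private final Map<String, TokenInfo> tokenStore = new HashMap<>(); // stands in for InMemoryTokenStore
    private final boolean stateless;                                   // the configurer's stateless flag
    ResourceAccessCheck(boolean stateless) { this.stateless = stateless; }
    void storeToken(String tokenValue, TokenInfo info) { tokenStore.put(tokenValue, info); }

    /** BearerTokenExtractor order: "Authorization: Bearer <token>" first, then the access_token parameter. */
    static String extractToken(Map<String, String> headers, Map<String, String> params) {
        String auth = headers.get("Authorization");
        if (auth != null && auth.regionMatches(true, 0, "Bearer ", 0, 7)) {
            return auth.substring(7).trim();
        }
        return params.get("access_token");
    }

    /** OAuth2AuthenticationProcessingFilter plus OAuth2AuthenticationManager, condensed. */
    Principal authenticate(Map<String, String> headers, Map<String, String> params, Principal sessionUser, long nowMillis) {
        String token = extractToken(headers, params);
        if (token == null) {
            // no token: a stateless chain discards a browser-session login; otherwise the session user stands
            return (stateless || sessionUser == null) ? Principal.ANONYMOUS : sessionUser;
        }
        TokenInfo info = tokenStore.get(token);
        if (info == null) {
            throw new SecurityException("invalid_token: unknown token"); // the entry point answers 401
        }
        if (nowMillis > info.expiresAtMillis) {
            tokenStore.remove(token); // DefaultTokenServices also removes an expired token when loading it
            throw new SecurityException("invalid_token: expired");
        }
        return new Principal(info.user, true, info.scopes, Set.of("ROLE_USER"));
    }

    /** #oauth2.throwOnError(#oauth2.hasScope('read') or (!#oauth2.isOAuth() and hasRole('ROLE_USER'))) by hand. */
    static boolean decide(Principal p) {
        boolean hasScope = p.oauth && p.scopes.contains("read");
        boolean sessionUser = !p.oauth && p.roles.contains("ROLE_USER");
        if (!(hasScope || sessionUser)) {
            // a failed hasScope() records 'read' as missing, so throwOnError reports insufficient scope
            throw new SecurityException("Insufficient scope for this resource (needs read)");
        }
        return true;
    }

    static void request(String label, ResourceAccessCheck rs, Map<String, String> headers,
                        Map<String, String> params, Principal sessionUser, long now) {
        try {
            Principal p = rs.authenticate(headers, params, sessionUser, now);
            decide(p);
            System.out.println(label + ": allowed as " + p.name);
        } catch (SecurityException e) {
            System.out.println(label + ": denied (" + e.getMessage() + ")");
        }
    }

    public static void main(String[] args) {
        long now = System.currentTimeMillis();
        ResourceAccessCheck rs = new ResourceAccessCheck(false); // stateless=false: session users are also accepted
        // Constructed sample tokens; real values are the UUIDs issued by DefaultTokenServices.
        rs.storeToken("tok-read", new TokenInfo("alice", Set.of("read", "write"), now + 60_000));
        rs.storeToken("tok-write-only", new TokenInfo("bob", Set.of("write"), now + 60_000));
        rs.storeToken("tok-expired", new TokenInfo("carol", Set.of("read"), now - 1));
        Map<String, String> none = Map.of();
        Principal browserUser = new Principal("dave", false, Set.of(), Set.of("ROLE_USER"));

        request("case 2: no token, anonymous caller", rs, none, none, null, now);
        request("case 3: Bearer token with read scope", rs, Map.of("Authorization", "Bearer tok-read"), none, null, now);
        request("same token via access_token parameter", rs, none, Map.of("access_token", "tok-read"), null, now);
        request("token without the read scope", rs, Map.of("Authorization", "Bearer tok-write-only"), none, null, now);
        request("expired token", rs, Map.of("Authorization", "Bearer tok-expired"), none, null, now);
        request("browser session user, stateless=false", rs, none, none, browserUser, now);
        request("browser session user, stateless=true", new ResourceAccessCheck(true), none, none, browserUser, now);
    }
}
```

Running main shows the two allowed paths (a Bearer token carrying read, and a session user when the chain is not stateless) next to the denials: no token, missing scope, expired token, and a session user on a stateless chain. The last two cases are the ones worth remembering when reading the expression: stateless decides whether !#oauth2.isOAuth() can ever be true for a real user, and an expired token never reaches the expression at all because the authentication step rejects it first.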
What happens when the token has expired? I did not want to trace that further; the example also comes with many unit tests. I did not use SSL while debugging this.