# 前言

最近在做 Spring OAuth2 登录,并在登录之后保存 Cookies。具体而言就是 Spring OAuth2 和 Spring Security 集成。Google一下竟然没有发现一种能满足我的要求。最终只有研究源码了。

有时间会画个 UML 图。

# 一些基础知识

  • Spring Security 验证身份的方式是利用 Filter,再加上 HttpServletRequest 的一些信息进行过滤。
  • 类 Authentication 保存的是身份认证信息。
  • 类 AuthenticationProvider 提供身份认证途径。
  • 类 AuthenticationManager 保存的 AuthenticationProvider 集合,并调用 AuthenticationProvider 进行身份认证。

# AbstractAuthenticationProcessingFilter

## 设计模式

### 抽象工厂模式

AbstractAuthenticationProcessingFilter 是一个抽象类,主要的功能是身份认证。OAuth2ClientAuthenticationProcessingFilter(Spriing OAuth2)、RememberMeAuthenticationFilter(RememberMe)都继承了 AbstractAuthenticationProcessingFilter ,并重写了方法 attemptAuthentication 进行身份认证。

* Performs actual authentication. 进行真正的认证。
* <p>
* The implementation should do one of the following: 具体实现需要做如下事情:
* <ol>
* <li>Return a populated authentication token for the authenticated user, indicating
* successful authentication</li> 返回一个具体的 Authentication认证对象。
* <li>Return null, indicating that the authentication process is still in progress.
* Before returning, the implementation should perform any additional work required to
* complete the process.</li> 返回 null,表示实现的子类不能处理该身份认证,还需要别的类进行身份认证(往 FilterChain 传递)。
* <li>Throw an <tt>AuthenticationException</tt> if the authentication process fails</li> 抛出异常 AuthenticationException 表示认证失败。
* </ol>
* @param request from which to extract parameters and perform the authentication
* @param response the response, which may be needed if the implementation has to do a
* redirect as part of a multi-stage authentication process (such as OpenID).
* @return the authenticated user token, or null if authentication is incomplete.
* @throws AuthenticationException if authentication fails.
public abstract Authentication attemptAuthentication(HttpServletRequest request,
HttpServletResponse response) throws AuthenticationException, IOException,

这个方法的目的很明确,就是需要子类提供身份认证的具体实现。子类根据 HttpServletRequest 等信息进行身份认证,并返回 Authentication 对象、 null、异常,分别表示认证成功返回的身份认证信息、需要其他 Filter 继续进行身份认证、认证失败。下面是一个 OAuth2ClientAuthenticationProcessingFilter 对于方法 attemptAuthentication 的实现,具体代码的行为就不解释了。

public Authentication attemptAuthentication(HttpServletRequest request, HttpServletResponse response)
throws AuthenticationException, IOException, ServletException { OAuth2AccessToken accessToken;
try {
accessToken = restTemplate.getAccessToken();
} catch (OAuth2Exception e) {
BadCredentialsException bad = new BadCredentialsException("Could not obtain access token", e);
publish(new OAuth2AuthenticationFailureEvent(bad));
throw bad;
try {
OAuth2Authentication result = tokenServices.loadAuthentication(accessToken.getValue());
if (authenticationDetailsSource!=null) {
request.setAttribute(OAuth2AuthenticationDetails.ACCESS_TOKEN_VALUE, accessToken.getValue());
request.setAttribute(OAuth2AuthenticationDetails.ACCESS_TOKEN_TYPE, accessToken.getTokenType());
publish(new AuthenticationSuccessEvent(result));
return result;
catch (InvalidTokenException e) {
BadCredentialsException bad = new BadCredentialsException("Could not obtain user details from token", e);
publish(new OAuth2AuthenticationFailureEvent(bad));
throw bad;
} }

至于方法 attemptAuthentication 是怎么被调用的?身份认证流程很简单,但是身份认证完成之前、完成之后,也需要做很多的操作。大部分操作都是一尘不变的,身份认证之前确认是否要进行身份验证、保存身份认证信息、成功处理、失败处理等。具体流程,在下面的方法中体现。可以看出这就是个工厂,已经确定好身份认证的流程,所以我们需要做的事情就是重写身份认证机制(方法 attemptAuthentication)就可以了。

* Invokes the
* {@link #requiresAuthentication(HttpServletRequest, HttpServletResponse)
* requiresAuthentication} method to determine whether the request is for
* authentication and should be handled by this filter. If it is an authentication
* request, the
* {@link #attemptAuthentication(HttpServletRequest, HttpServletResponse)
* attemptAuthentication} will be invoked to perform the authentication. There are
* then three possible outcomes:
* <ol>
* <li>An <tt>Authentication</tt> object is returned. The configured
* {@link SessionAuthenticationStrategy} will be invoked (to handle any
* session-related behaviour such as creating a new session to protect against
* session-fixation attacks) followed by the invocation of
* {@link #successfulAuthentication(HttpServletRequest, HttpServletResponse, FilterChain, Authentication)}
* method</li>
* <li>An <tt>AuthenticationException</tt> occurs during authentication. The
* {@link #unsuccessfulAuthentication(HttpServletRequest, HttpServletResponse, AuthenticationException)
* unsuccessfulAuthentication} method will be invoked</li>
* <li>Null is returned, indicating that the authentication process is incomplete. The
* method will then return immediately, assuming that the subclass has done any
* necessary work (such as redirects) to continue the authentication process. The
* assumption is that a later request will be received by this method where the
* returned <tt>Authentication</tt> object is not null.
* </ol>
public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
throws IOException, ServletException { HttpServletRequest request = (HttpServletRequest) req;
HttpServletResponse response = (HttpServletResponse) res; // 是否需要身份认证
if (!requiresAuthentication(request, response)) {
// 不需要身份认证,传递到 FilterChain 继续过滤
chain.doFilter(request, response); return;
} if (logger.isDebugEnabled()) {
logger.debug("Request is to process authentication");
} Authentication authResult; try {
// 进行身份认证,该方法需要子类重写
authResult = attemptAuthentication(request, response);
if (authResult == null) {
// return immediately as subclass has indicated that it hasn't completed
// authentication
// 身份认证成功,保存 session
sessionStrategy.onAuthentication(authResult, request, response);
// 身份认证代码出错
catch (InternalAuthenticationServiceException failed) {
"An internal error occurred while trying to authenticate the user.",
// 身份认证失败一系列事物处理,包括调用 RememberMeServices 等
unsuccessfulAuthentication(request, response, failed); return;
// 身份认证失败异常
catch (AuthenticationException failed) {
// Authentication failed
// 身份认证失败一系列事物处理,包括调用 RememberMeServices 等
unsuccessfulAuthentication(request, response, failed); return;
} // Authentication success
// 身份认证成功之后是否需要传递到 FilterChain
if (continueChainBeforeSuccessfulAuthentication) {
chain.doFilter(request, response);
} // 身份认证成功一系列事物处理,包括调用 RememberMeServices 等
successfulAuthentication(request, response, chain, authResult);

### 策略模式

这里还可以看一下方法 doFilter 的内部调用,比如下面这个方法。

* Default behaviour for successful authentication.
* <ol>
* <li>Sets the successful <tt>Authentication</tt> object on the
* {@link SecurityContextHolder}</li>
* <li>Informs the configured <tt>RememberMeServices</tt> of the successful login</li>
* <li>Fires an {@link InteractiveAuthenticationSuccessEvent} via the configured
* <tt>ApplicationEventPublisher</tt></li>
* <li>Delegates additional behaviour to the {@link AuthenticationSuccessHandler}.</li>
* </ol>
* Subclasses can override this method to continue the {@link FilterChain} after
* successful authentication.
* @param request
* @param response
* @param chain
* @param authResult the object returned from the <tt>attemptAuthentication</tt>
* method.
* @throws IOException
* @throws ServletException
protected void successfulAuthentication(HttpServletRequest request,
HttpServletResponse response, FilterChain chain, Authentication authResult)
throws IOException, ServletException { if (logger.isDebugEnabled()) {
logger.debug("Authentication success. Updating SecurityContextHolder to contain: "
+ authResult);
} // 认证成功设置身份认证信息
SecurityContextHolder.getContext().setAuthentication(authResult); // RememberMeServices 设置成功登录信息,如 Cookie 等
rememberMeServices.loginSuccess(request, response, authResult); // 认证成功发送事件
// Fire event
if (this.eventPublisher != null) {
eventPublisher.publishEvent(new InteractiveAuthenticationSuccessEvent(
authResult, this.getClass()));
} // 认证成功处理器
successHandler.onAuthenticationSuccess(request, response, authResult);

Spring Security 还是很贴心的把这个方法的修饰符设定成了 protected,以满足我们重写身份认证成功之后的机制,虽然大多数情况下并不需要。不需要的原因是认证成功之后的流程基本最多也就是这样,如果想改变一些行为,可以直接传递给 AbstractAuthenticationProcessingFilter 一些具体实现即可,如 AuthenticationSuccessHandler(认证成功处理器)。根据在这个处理器内可以进行身份修改、返回结果修改等行为。下面是该对象的定义。

    private AuthenticationSuccessHandler successHandler = new SavedRequestAwareAuthenticationSuccessHandler();

各种各样的 AuthenticationSuccessHandler 可以提供多种多样的认证成功行为,这是一种策略模式。

# 后记

Spring Security 采取了多种设计模式,这是 Spring 家族代码的一贯特性。让人比较着急的是,Spring Security 虽然可以做到开箱即用,但是想要自定义代码的话,必须要熟悉 Spring Security 代码。比如如何使用 RememberMeServices。RememberMeService 有三个方法,登录成功操作、登录失败操作、自动登录操作。你可以重写这些方法,但你如果不看源码,你无法得知这些方法会在什么时候调用、在哪个 Filter 中调用、需要做什么配置。


  1. the request resource is not available
  2. 自动提交Git branch代码评审到Review Board系统
  3. HDU 3065 (AC自动机模板题)
  4. matlab eps中文乱码的解决方法
  5. Excel2010 柱形图与折线图制表
  6. Windows 7的 磁盘管理中,某个磁盘或分区,突然变成只读。
  7. [译]使用Command模式和MediatR简化你的控制器
  8. Path Sum I &amp;&amp; II &amp; III
  9. 【C++ Primer 第11章】4. 无序容器
  10. muduo网络库架构总结
  12. DOS批处理中%cd%和%~dp0的异同分析
  13. Linux 密码过期(WARNING:Your password has expired )
  14. Python 多进程、多线程效率比较
  15. tomcat 日志详解
  16. win7下openvpn不能自动加路由
  17. Servlet和JSP的本质和区别
  18. C#获取显示器屏幕数量 控制winform显示到哪一个屏幕
  19. 内存控制函数(1)-mmap() 建立内存映射
  20. easyUI---分页插件


  1. QWebSocketServer
  2. 一步一步带你实现virtual dom(一)
  3. springMVC,spring,mybatis全注解搭建框架--第一步,让框架跑起来
  4. ‘true’==true返回false详解
  5. java编程思想第四版第五章习题
  6. linux之x86裁剪移植---grub 识别文件系统
  7. 笔记本CPU低压和标压有什么区别?
  8. sublime Xdebug 配置
  9. Java Web项目部署Tomcat运行出错
  10. Parallel中分区器Partitioner的简单使用