08、Spring Security 实战 - oauth2认证:ClientCredentialsTokenEndpointFilter 过滤器

第一步

Spring Security对于获取TOKEN的请求(/oauth/token),需要认证client_id和client_secret。认证client_id和client_secret可以有2种方式,一种是通过 ClientCredentialsTokenEndpointFilter,另一种是通过BasicAuthenticationFilter。

ClientCredentialsTokenEndpointFilter 继承自 AbstractAuthenticationProcessingFilter,调用授权接口获取token值的请求(/oauth/token)需要认证client_id和client_secret。该请求会被 AbstractAuthenticationProcessingFilter 过滤器拦截,执行父类的doFilter() 方法:

public abstract class AbstractAuthenticationProcessingFilter extends GenericFilterBean
    implements ApplicationEventPublisherAware, MessageSourceAware {

    // Excerpt of Spring Security's base processing filter. The fields it reads
    // (sessionStrategy, continueChainBeforeSuccessfulAuthentication,
    // requiresAuthenticationRequestMatcher) and the success/failure handlers are
    // declared in the full class and omitted here.

    /**
     * Entry point of the filter for every request.
     *
     * <p>Requests that do not match the configured matcher pass straight through.
     * Otherwise the subclass's {@link #attemptAuthentication} is invoked and its
     * result is routed to {@code successfulAuthentication} or
     * {@code unsuccessfulAuthentication}.
     *
     * @param req   the incoming request (cast to {@code HttpServletRequest})
     * @param res   the outgoing response (cast to {@code HttpServletResponse})
     * @param chain the remaining filter chain
     * @throws IOException      propagated from the chain or the handlers
     * @throws ServletException propagated from the chain or the handlers
     */
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
        throws IOException, ServletException {

        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        // Does this request need authenticating? For the token endpoint this means
        // the URL matches the configured access-token URL (see requiresAuthentication()).
        if (!requiresAuthentication(request, response)) {
            chain.doFilter(request, response);
            return;
        }

        Authentication authResult;
        try {
            // Delegate the actual credential check to the concrete filter.
            authResult = attemptAuthentication(request, response);
            if (authResult == null) {
                // Neither handler is called: the subclass is presumably signalling that
                // authentication is not finished yet (e.g. a multi-step flow) - confirm
                // against the subclass being read.
                return;
            }
            // Let the session strategy react to the new authentication.
            sessionStrategy.onAuthentication(authResult, request, response);
        }catch (InternalAuthenticationServiceException failed) {
            // Failure inside the authentication infrastructure itself.
            unsuccessfulAuthentication(request, response, failed);
            return;
        }catch (AuthenticationException failed) {
            // Ordinary authentication failure (bad credentials etc.).
            unsuccessfulAuthentication(request, response, failed);
            return;
        }
        // Authentication succeeded. Optionally let the rest of the chain run first ...
        if (continueChainBeforeSuccessfulAuthentication) {
            chain.doFilter(request, response);
        }
        // ... then invoke the success callback (custom post-authentication logic).
        successfulAuthentication(request, response, chain, authResult);
    }

    /**
     * Decides whether this filter should try to authenticate the request.
     *
     * @return {@code true} when the configured request matcher accepts the request
     */
    protected boolean requiresAuthentication(HttpServletRequest request,
                                             HttpServletResponse response) {
        return requiresAuthenticationRequestMatcher.matches(request);
    }
}

requiresAuthentication(request, response) 最终会调用 ClientCredentialsTokenEndpointFilter 中内部类 ClientCredentialsRequestMatcher#matches 方法:

@Deprecated
public class ClientCredentialsTokenEndpointFilter extends AbstractAuthenticationProcessingFilter {

    // Excerpt: only the nested request matcher is shown here. The class is marked
    // @Deprecated in the Spring Security OAuth source it is quoted from.
    // ...

    /**
     * Request matcher that decides which requests this filter authenticates: the token
     * endpoint, and only when a {@code client_id} parameter is present.
     */
    protected static class ClientCredentialsRequestMatcher implements RequestMatcher {

        // Path of the token endpoint, e.g. "/oauth/token".
        private String path;

        public ClientCredentialsRequestMatcher(String path) {
            this.path = path;
        }

        /**
         * Matches when the request URI ends with the token endpoint path (prefixed by the
         * servlet context path when there is one) and a {@code client_id} parameter is present.
         *
         * @param request the incoming request
         * @return {@code true} if this filter should attempt client authentication
         */
        public boolean matches(HttpServletRequest request) {
            // Example request URI from the article: /ngsoc/AUTH/oauth/token
            String uri = request.getRequestURI();
            // 59 is ';' - strip any ';'-delimited path parameters so they cannot
            // affect the comparison below.
            int pathParamIndex = uri.indexOf(59);
            if (pathParamIndex > 0) {
                uri = uri.substring(0, pathParamIndex);
            }
            // Example value from the article: ngsoc
            String clientId = request.getParameter("client_id");
            if (clientId == null) {
                // No client_id at all: this filter stays out of the way (the article names
                // BasicAuthenticationFilter as the alternative way to authenticate the client).
                return false;
            } else {
                // request.getContextPath(), e.g. /ngsoc/AUTH ; this.path, e.g. /oauth/token
                // Note this is a suffix match (endsWith), not an equality check on the full URI.
                return "".equals(request.getContextPath()) ? uri.endsWith(this.path) : uri.endsWith(request.getContextPath() + this.path);
            }
        }
    }
}

第二步

当认证请求需要被认证时,authResult = attemptAuthentication(request, response); 就会调用子类ClientCredentialsTokenEndpointFilter#attemptAuthentication 方法,在方法中将参数中的client_id和client_secret封装成Authentication对象UsernamePasswordAuthenticationToken,然后交给AuthenticationManager的实现类去认证。

@Deprecated
public class ClientCredentialsTokenEndpointFilter extends AbstractAuthenticationProcessingFilter {

    // Excerpt: only attemptAuthentication() and the two fields it references are shown.
    private AuthenticationEntryPoint authenticationEntryPoint;
    // When true, only POST is accepted at the token endpoint.
    private boolean allowOnlyPost;

    /**
     * Builds a {@code UsernamePasswordAuthenticationToken} from the {@code client_id} and
     * {@code client_secret} request parameters and hands it to the configured
     * {@code AuthenticationManager}.
     *
     * @param request  the token request
     * @param response the response (unused here)
     * @return the authenticated token, or an {@code Authentication} already present in the
     *         {@code SecurityContextHolder} when the request was authenticated earlier in the chain
     * @throws HttpRequestMethodNotSupportedException if {@code allowOnlyPost} is set and the
     *         request is not a POST
     * @throws BadCredentialsException if no {@code client_id} parameter is present
     * @throws AuthenticationException whatever the {@code AuthenticationManager} throws
     */
    public Authentication attemptAuthentication(HttpServletRequest request, 
                                                HttpServletResponse response) throws AuthenticationException, IOException, ServletException {
        // Reject non-POST requests when configured to do so.
        if (this.allowOnlyPost && !"POST".equalsIgnoreCase(request.getMethod())) {
            throw new HttpRequestMethodNotSupportedException(request.getMethod(), new String[]{"POST"});
        } else {
            // Credentials arrive as plain request parameters (example values in the article: ngsoc / ngsoc).
            String clientId = request.getParameter("client_id");
            String clientSecret = request.getParameter("client_secret");

            // If something earlier in the chain already authenticated this request, that result
            // is reused and the client_id/client_secret parameters are NOT checked here.
            Authentication authentication = SecurityContextHolder.getContext().getAuthentication();
            if (authentication != null && authentication.isAuthenticated()) {
                return authentication;
            } else if (clientId == null) {
                throw new BadCredentialsException("No client credentials presented");
            } else {
                // A missing client_secret is treated as the empty string, not as an error;
                // whether "" authenticates depends on the stored secret (see
                // ClientDetailsUserDetailsService.loadUserByUsername).
                if (clientSecret == null) {
                    clientSecret = "";
                }
                clientId = clientId.trim();
                // Wrap the pair as a username/password token ...
                UsernamePasswordAuthenticationToken authRequest 
                    = new UsernamePasswordAuthenticationToken(clientId, clientSecret);
                // ... and let the AuthenticationManager (ProviderManager by default, per the
                // article) decide.
                return this.getAuthenticationManager().authenticate(authRequest);
            }
        }
    }
}

第三步

AuthenticationManager接口源码:

public interface AuthenticationManager {

   /**
    * Authenticates the supplied request.
    *
    * @param authentication the request to authenticate (here a
    *        {@code UsernamePasswordAuthenticationToken} carrying client id and secret)
    * @return a fully populated, authenticated {@code Authentication}
    * @throws AuthenticationException if authentication fails
    */
   Authentication authenticate(Authentication authentication) throws AuthenticationException;
}

AuthenticationManager接口的默认实现类是ProviderManager,因此this.getAuthenticationManager().authenticate(authRequest) 最终会调用ProviderManager#authenticate方法完成认证。

public class ProviderManager implements AuthenticationManager, MessageSourceAware,
InitializingBean {

    // Excerpt: lastException / parentException, the remaining catch blocks and the
    // tail of authenticate() belong to the full class and are elided below.

    // Providers tried in order; the first one to return a non-null result wins.
    private List<AuthenticationProvider> providers = Collections.emptyList();
    // Optional fallback manager consulted when no provider produced a result.
    private AuthenticationManager parent;

    /**
     * Tries each configured {@code AuthenticationProvider} that supports the token's type,
     * then the parent manager (if any) when none of them produced a result.
     *
     * @param authentication the token to authenticate
     * @return the authenticated token (the part of the method that decides what to
     *         return or throw is not shown in this excerpt)
     * @throws AuthenticationException if authentication fails
     */
    public Authentication authenticate(Authentication authentication)
        throws AuthenticationException {
        Class<? extends Authentication> toTest = authentication.getClass();
        Authentication result = null;
        Authentication parentResult = null;
        // Walk the provider list.
        for (AuthenticationProvider provider : getProviders()) {
            // Skip providers that do not handle this token type.
            if (!provider.supports(toTest)) {
                continue;
            }

            try {
                // The first supporting provider that yields a result ends the search.
                result = provider.authenticate(authentication);
                if (result != null) {
                    copyDetails(authentication, result);
                    break;
                }
            }
            // ... catch blocks of this try are elided in the excerpt ...
        }

        if (result == null && parent != null) {
            // Allow the parent to try.
            try {
                result = parentResult = parent.authenticate(authentication);
            } catch (ProviderNotFoundException e) {
                // Deliberately ignored: the parent having no provider for this token type
                // is treated as "no result", not as a failure.
            }catch (AuthenticationException e) {
                // Remembered; presumably rethrown by the elided tail of the method.
                lastException = parentException = e;
            }
        }
        // ... event publishing and the final return/throw are elided in the excerpt ...
    }
}

说明:

在Spring Security 中,允许系统同时支持多种不同的认证方式,例如同时支持用户名/密码认证、 RememberMe 认证、手机号码动态认证等,而不同的认证方式对应了不同的 AuthenticationProvider,所以一个完整的认证流程可能由多个AuthenticationProvider 来提供。

多个AuthenticationProvider将组成一个列表,这个列表将由ProviderManager 代理。换句话说,在ProviderManager 中存在一个AuthenticationProvider列表,在ProviderManager中遍历列表中的每一个AuthenticationProvider去执行身份认证,最终得到认证结果。

ProviderManager 本身也可以再配置一个 AuthenticationManager 作为parent,这样当ProviderManager 认证失败之后,就可以进入到 parent 中再次进行认证。理论上来说, ProviderManager 的 parent 可以是任意类型的AuthenticationManager,但是通常都是由ProviderManager 来扮演 parent 的角色,也就是 ProviderManager 是ProviderManager 的 parent。

默认情况下,ProviderManager的AuthenticationProvider列表中包含两个实现类:AnonymousAuthenticationProvider 和DaoAuthenticationProvider。

for循环内第一次得到AnonymousAuthenticationProvider,执行AnonymousAuthenticationProvider#supports方法判断该类是否支持UsernamePasswordAuthenticationToken类型的认证,结果不支持,代码如下:

public class AnonymousAuthenticationProvider implements AuthenticationProvider,
      MessageSourceAware {

   /**
    * Only handles {@code AnonymousAuthenticationToken}s, so the ProviderManager skips this
    * provider for the client's {@code UsernamePasswordAuthenticationToken}.
    *
    * @param authentication the token class being authenticated
    * @return {@code true} if the class is {@code AnonymousAuthenticationToken} or a subclass
    */
   public boolean supports(Class<?> authentication) {
      return (AnonymousAuthenticationToken.class.isAssignableFrom(authentication));
   }
}

for循环内第二次得到DaoAuthenticationProvider,该类继承自AbstractUserDetailsAuthenticationProvider类,会调用AbstractUserDetailsAuthenticationProvider#supports方法判断该类是否支持UsernamePasswordAuthenticationToken类型的认证,结果支持。

public abstract class AbstractUserDetailsAuthenticationProvider implements
    AuthenticationProvider, InitializingBean, MessageSourceAware {

    /**
     * Accepts {@code UsernamePasswordAuthenticationToken} and its subclasses - the type the
     * token endpoint filter builds from client_id / client_secret.
     *
     * @param authentication the token class being authenticated
     * @return {@code true} if this provider can authenticate that class
     */
    public boolean supports(Class<?> authentication) {
        return (UsernamePasswordAuthenticationToken.class
                .isAssignableFrom(authentication));
    }
}

因此 result = provider.authenticate(authentication) 最终会调用AbstractUserDetailsAuthenticationProvider#authenticate方法对UsernamePasswordAuthenticationToken对象完成认证,在该方法中根据clientId获取数据源中存储的用户user,然后判断user是否禁用、过期、锁定、密码是否一致等,若都满足条件则验证通过。

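public abstract class AbstractUserDetailsAuthenticationProvider implements
    AuthenticationProvider, InitializingBean, MessageSourceAware {

    // Excerpt: userCache, preAuthenticationChecks, postAuthenticationChecks,
    // hideUserNotFoundExceptions, forcePrincipalAsString, messages and logger are
    // fields of the full class and are not declared here.

    /**
     * Authenticates a {@code UsernamePasswordAuthenticationToken}: loads the
     * {@code UserDetails} (from the cache, else via {@link #retrieveUser}), runs the
     * pre-authentication checks, verifies the credentials, runs the post-authentication
     * checks and returns a populated authentication.
     *
     * @param authentication the token; its principal is used as the username
     *        ({@code "NONE_PROVIDED"} when the principal is null)
     * @return the successful {@code Authentication} produced by
     *         {@code createSuccessAuthentication}
     * @throws BadCredentialsException when the user is unknown and
     *         {@code hideUserNotFoundExceptions} is set
     * @throws UsernameNotFoundException when the user is unknown and
     *         {@code hideUserNotFoundExceptions} is not set
     * @throws AuthenticationException when one of the checks fails
     */
    public Authentication authenticate(Authentication authentication)
        throws AuthenticationException {
        // Determine username
        String username = (authentication.getPrincipal() == null) ? "NONE_PROVIDED"
            : authentication.getName();

        boolean cacheWasUsed = true;
        // Try the user cache first, keyed by the client id.
        UserDetails user = this.userCache.getUserFromCache(username);

        if (user == null) {
            cacheWasUsed = false;

            try {
                // Cache miss: load from the backing store (DaoAuthenticationProvider.retrieveUser).
                user = retrieveUser(username,
                                    (UsernamePasswordAuthenticationToken) authentication);
            }catch (UsernameNotFoundException notFound) {
                logger.debug("User '" + username + "' not found");
                if (hideUserNotFoundExceptions) {
                    // Mask "unknown user" behind the generic bad-credentials error so the
                    // response does not reveal whether the client id exists.
                    throw new BadCredentialsException(messages.getMessage(
                        "AbstractUserDetailsAuthenticationProvider.badCredentials",
                        "Bad credentials"));
                }
                else {
                    throw notFound;
                }
            }
        }
        try {
            // Account state: locked, disabled, expired, ...
            // (the quoted listing had the identifier split as "pr eAuthenticationChecks";
            // fixed here to the field name used on the retry path below)
            preAuthenticationChecks.check(user);
            // Credentials: non-empty and matching the stored (encoded) secret.
            additionalAuthenticationChecks(user,
               (UsernamePasswordAuthenticationToken) authentication);
        }
        catch (AuthenticationException exception) {
            if (cacheWasUsed) {
                // Presumably to cope with a stale cache entry (e.g. a changed secret): reload
                // once from the store and repeat both checks before giving up.
                cacheWasUsed = false;
                user = retrieveUser(username,
                                    (UsernamePasswordAuthenticationToken) authentication);
                preAuthenticationChecks.check(user);
                additionalAuthenticationChecks(user,
                          (UsernamePasswordAuthenticationToken) authentication);
            }
            else {
                throw exception;
            }
        }
        // Credentials-expiry check.
        postAuthenticationChecks.check(user);
        // Remember freshly loaded users for next time.
        if (!cacheWasUsed) {
            this.userCache.putUserInCache(user);
        }
        Object principalToReturn = user;
        if (forcePrincipalAsString) {
            principalToReturn = user.getUsername();
        }

        // Build the authenticated token handed back to the caller.
        return createSuccessAuthentication(principalToReturn, authentication, user);
    }
}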

到这儿认证流程就结束了,但是我们可以继续往下看一下,底层如何根据username获取客户端用户信息的。

第四步

retrieveUser(username, (UsernamePasswordAuthenticationToken) authentication); 获取用户信息会调用DaoAuthenticationProvider#retrieveUser方法,该方法中,会调用UserDetailsService接口实现类的loadUserByUsername方法根据clientId获取客户端详情信息,代码如下:

public class DaoAuthenticationProvider extends AbstractUserDetailsAuthenticationProvider {

    // Excerpt: userDetailsService and the two timing-attack helpers are members of
    // the full class; their bodies are not shown here.

    /**
     * Loads the {@code UserDetails} for {@code username} through the configured
     * {@code UserDetailsService} (for the token endpoint this is
     * {@code ClientDetailsUserDetailsService}).
     *
     * @param username the client id being authenticated
     * @param authentication the incoming token (handed to the timing-attack mitigation)
     * @return the loaded user, never {@code null}
     * @throws UsernameNotFoundException if the service does not know the user
     * @throws InternalAuthenticationServiceException if the service returns {@code null}
     *         (a contract violation) or throws anything other than
     *         {@code UsernameNotFoundException}
     */
    protected final UserDetails retrieveUser(String username,
    UsernamePasswordAuthenticationToken authentication) throws AuthenticationException {
        // By its name, prepares the timing mitigation used in the catch below - body not shown.
        prepareTimingAttackProtection();
        try {
            // Ask the UserDetailsService for the user behind this username.
            UserDetails loadedUser = this.getUserDetailsService().loadUserByUsername(username);
            if (loadedUser == null) {
                throw new InternalAuthenticationServiceException(
                    "UserDetailsService returned null, which is an interface contract violation");
            }
            return loadedUser;
        }
        catch (UsernameNotFoundException ex) {
            // By its name, this makes the unknown-user path cost roughly as much as a real
            // credential check, so response time does not reveal whether the id exists.
            mitigateAgainstTimingAttack(authentication);
            throw ex;
        }
        catch (InternalAuthenticationServiceException ex) {
            // Already the right type; rethrow unchanged.
            throw ex;
        }
        catch (Exception ex) {
            // Anything else is an infrastructure failure; the cause is preserved.
            throw new InternalAuthenticationServiceException(ex.getMessage(), ex);
        }
    }

    /** @return the {@code UserDetailsService} this provider delegates user lookup to */
    protected UserDetailsService getUserDetailsService() {
        return userDetailsService;
    }
}

public interface UserDetailsService {

   /**
    * Looks up a user by name. At the token endpoint the "username" is the client id.
    *
    * @param username the name (client id) to look up
    * @return the matching {@code UserDetails}
    * @throws UsernameNotFoundException if no such user exists
    */
   UserDetails loadUserByUsername(String username) throws UsernameNotFoundException;
}

第五步

UserDetails loadedUser = this.getUserDetailsService().loadUserByUsername(username); 会调用ClientDetailsUserDetailsService#loadUserByUsername方法,获取客户端详情信息:

@Deprecated
public class ClientDetailsUserDetailsService implements UserDetailsService {

    // Adapts a ClientDetailsService to the UserDetailsService interface so the
    // DaoAuthenticationProvider can authenticate OAuth2 clients like users.
    // Marked @Deprecated in the Spring Security OAuth source it is quoted from.
    private final ClientDetailsService clientDetailsService;
    // Password substituted for clients whose stored secret is blank: "" until a
    // PasswordEncoder is set, then the encoded form of "".
    private String emptyPassword = "";

    public ClientDetailsUserDetailsService(ClientDetailsService clientDetailsService) {
        this.clientDetailsService = clientDetailsService;
    }

    /**
     * Encodes the empty string with the given encoder so that {@code emptyPassword}
     * is comparable with that encoder's output.
     */
    public void setPasswordEncoder(PasswordEncoder passwordEncoder) {
        this.emptyPassword = passwordEncoder.encode("");
    }

    /**
     * Loads the client registered under {@code username} (the client id) and exposes it
     * as a {@code User}.
     *
     * @param username the client id
     * @return a {@code User} whose password is the client secret and whose authorities are
     *         the client's authorities
     * @throws UsernameNotFoundException if the client is unknown (wraps the
     *         {@code NoSuchClientException}, preserving it as the cause)
     */
    public UserDetails loadUserByUsername(String username) throws UsernameNotFoundException {
        ClientDetails clientDetails;
        try {
            // Look the client up by id.
            clientDetails = this.clientDetailsService.loadClientByClientId(username);
        } catch (NoSuchClientException var4) {
            throw new UsernameNotFoundException(var4.getMessage(), var4);
        }

        String clientSecret = clientDetails.getClientSecret();
        if (clientSecret == null || clientSecret.trim().length() == 0) {
            // A client registered without a secret gets the (encoded) empty password, so an
            // empty or absent client_secret would match it - i.e. it behaves as a public
            // client. Confirm against the PasswordEncoder in use when registering such clients.
            clientSecret = this.emptyPassword;
        }
        // Wrap the ClientDetails as a UserDetails for the provider.
        return new User(username, clientSecret, clientDetails.getAuthorities());
    }
}

第六步

在该方法中会调用ClientDetailsService接口实现类BaseClientDetails#loadClientByClientId方法获取ClientDetails信息:

@Deprecated
public interface ClientDetailsService {

    /**
     * Loads the registered client with the given id.
     *
     * @param var1 the client id (parameter name as it appears in the quoted listing)
     * @return the client's registration details
     * @throws ClientRegistrationException if the client cannot be loaded (e.g. unknown id)
     */
    ClientDetails loadClientByClientId(String var1) throws ClientRegistrationException;
}

public interface ClientDetails extends Serializable {

    /** The client id. */
    String getClientId();

    /** Resources this client can access; if empty, callers may ignore the restriction. */
    Set<String> getResourceIds();

    /** Whether authenticating this client requires a secret. */
    boolean isSecretRequired();

    /** The client secret as stored (encoded, e.g. the {bcrypt} value in the example below). */
    String getClientSecret();

    /** Whether this client is restricted to specific scopes. */
    boolean isScoped();

    /** This client's scopes; empty if the client is not scoped. */
    Set<String> getScope();

    /** Grant types this client is authorized to use. */
    Set<String> getAuthorizedGrantTypes();

    /** Pre-registered redirect URIs for this client. */
    Set<String> getRegisteredRedirectUri();

    /** Authorities granted to the client. */
    Collection<GrantedAuthority> getAuthorities();

    /** Access token validity period in seconds. */
    Integer getAccessTokenValiditySeconds();

    /** Refresh token validity period in seconds. */
    Integer getRefreshTokenValiditySeconds();

    /** Tests whether the client needs user approval for the given scope. */
    boolean isAutoApprove(String scope);

    /** Additional information attached to the client registration. */
    Map<String, Object> getAdditionalInformation();
}

BaseClientDetails [
    clientId=ngsoc, 
    clientSecret={bcrypt}$2a$10$Dcn01QtYjhoXeeX0LPsn/.DBiiosgsFFKHVC1/tQiWk5dht1TgtKy, 
    scope=[], 
    resourceIds=[], 
    authorizedGrantTypes=[password, refresh_token, client_credentials], 
    registeredRedirectUris=[], 
    authorities=[], 
    accessTokenValiditySeconds=43200, 
    refreshTokenValiditySeconds=86400, 
    additionalInformation={}
]