1, org.springframework.security.web.authentication.AbstractAuthenticationProcessingFilter
org.springframework.security.oauth2.provider.client.ClientCredentialsTokenEndpointFilter
org.springframework.security.oauth2.client.filter.OAuth2ClientAuthenticationProcessingFilter
org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter: login authentication (username/password authentication)
1.1. org.springframework.security.web.authentication.AbstractAuthenticationProcessingFilter
1.2. org.springframework.security.oauth2.provider.client.ClientCredentialsTokenEndpointFilter
1.3. org.springframework.security.oauth2.client.filter.OAuth2ClientAuthenticationProcessingFilter
1.4. UsernamePasswordAuthenticationFilter
The parent class AbstractAuthenticationProcessingFilter has a property of the AuthenticationManager interface type. The verification work is done primarily through an instance of this AuthenticationManager interface.
By default, the Spring Security framework injects an instance of the org.springframework.security.authentication.ProviderManager class into this property.
The verification process for UsernamePasswordAuthenticationFilter is as follows:
1. First, the filter calls its own attemptAuthentication method, which takes the Authentication out of the request. This Authentication is an instance of the org.springframework.security.core.Authentication interface that the org.springframework.security.web.context.SecurityContextPersistenceFilter filter generates by capturing the contents of the user-submitted login form.
2. After getting the Authentication object, the filter invokes the authenticate method of the ProviderManager class and passes in the object.
3. The authenticate method of the ProviderManager class then calls its own doAuthentication method, which invokes the authenticate(Authentication authentication) method of each AuthenticationProvider interface implementation class in the class's List<AuthenticationProvider> providers collection. This shows that the real validation logic is done by each AuthenticationProvider implementation class. The DaoAuthenticationProvider class is an AuthenticationProvider implementation class that is injected by default.
4. The AuthenticationProvider implementation obtains user information via UserDetailsService.
2, OAuth2AuthenticationManager
The java.security.MessageDigest class provides applications with a message digest algorithm, such as MD5 or SHA. Put simply, it is used to generate hash codes.
A message digest is a secure one-way hash function that takes data of any size and outputs a fixed-length hash value.
Here it produces the digest of the access_token, which is stored as the primary key value of the access_token in the table. This primary key value is used to look up oauth_access_token.token (the serialized OAuth2AccessToken value), and the OAuth2AccessToken object is then deserialized and returned. Expiry is checked immediately afterwards; if the token has expired, an exception is thrown: throw new InvalidTokenException("Access token expired: " + accessTokenValue);
If it has not expired, the lookup continues by querying the OAuth2Authentication object.
The OAuth2Authentication is on the same record in oauth_access_token. After the OAuth2Authentication has been retrieved and before it is returned, the clientId is checked for existence; if it does not exist, an exception is thrown.
OAuth2AuthenticationManager.authenticate ->
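// Needs java.security.MessageDigest, java.security.NoSuchAlgorithmException,
// java.io.UnsupportedEncodingException and java.math.BigInteger.
// Returns the MD5 digest of the token value as a 32-character hex string (the table key).
protected String extractTokenKey(String value) {
    if (value == null) {
        return null;
    }
    MessageDigest digest;
    try {
        digest = MessageDigest.getInstance("MD5");
    }
    catch (NoSuchAlgorithmException e) {
        throw new IllegalStateException("MD5 algorithm not available. Fatal (should be in the JDK).");
    }
    try {
        byte[] bytes = digest.digest(value.getBytes("UTF-8"));
        // Zero-pad to 32 hex digits so leading zero bytes are not dropped.
        return String.format("%032x", new BigInteger(1, bytes));
    }
    catch (UnsupportedEncodingException e) {
        throw new IllegalStateException("UTF-8 encoding not available. Fatal (should be in the JDK).");
    }
}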
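The lookup sequence described above, as an added example that is not Spring Security OAuth's own code: an in-memory map stands in for the oauth_access_token table. The Row record, the client set, the sample tokens and the exception types are assumptions made for illustration (Java 16+).

```java
import java.math.BigInteger;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.time.Instant;
import java.util.*;

public class TokenLookupDemo {
    // Hypothetical stand-in for one oauth_access_token row (token + authentication columns).
    record Row(String tokenValue, Instant expiresAt, String clientId, String userName) {}

    static final Map<String, Row> TABLE = new HashMap<>();          // keyed by the MD5 hex digest
    static final Set<String> KNOWN_CLIENTS = Set.of("demo-client"); // constructed sample client

    // Same digest-to-hex step as extractTokenKey on the page.
    static String tokenKey(String value) {
        try {
            byte[] d = MessageDigest.getInstance("MD5").digest(value.getBytes(StandardCharsets.UTF_8));
            return String.format("%032x", new BigInteger(1, d));
        } catch (NoSuchAlgorithmException e) {
            throw new IllegalStateException("MD5 algorithm not available", e);
        }
    }

    // Order described above: key -> row -> expiry check -> authentication -> client check.
    static String authenticate(String accessTokenValue, Instant now) {
        Row row = TABLE.get(tokenKey(accessTokenValue));
        if (row == null) throw new IllegalArgumentException("Invalid access token");
        if (!now.isBefore(row.expiresAt())) throw new IllegalStateException("Access token expired");
        if (!KNOWN_CLIENTS.contains(row.clientId()))
            throw new IllegalStateException("Client not valid: " + row.clientId());
        return row.userName();
    }

    public static void main(String[] args) {
        Instant now = Instant.parse("2024-01-01T00:00:00Z"); // constructed sample data below
        TABLE.put(tokenKey("tok-live"), new Row("tok-live", now.plusSeconds(3600), "demo-client", "alice"));
        TABLE.put(tokenKey("tok-old"), new Row("tok-old", now.minusSeconds(1), "demo-client", "bob"));
        TABLE.put(tokenKey("tok-orphan"), new Row("tok-orphan", now.plusSeconds(3600), "deleted-client", "carol"));
        for (String t : new String[] {"tok-live", "tok-old", "tok-orphan", "tok-unknown"}) {
            try {
                System.out.println(t + " -> " + authenticate(t, now));
            } catch (RuntimeException e) {
                System.out.println(t + " -> rejected: " + e.getMessage());
            }
        }
    }
}
```

Only the first sample token is accepted; the expired token, the token whose client no longer exists, and the unknown token are each rejected at a different step of the sequence.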
OAuth2.0 Learning (4-99) Spring Security OAuth2.0 Development Guide