I have configured OAuth 2, and this configuration keeps the access token in memory. I can see that during the initial login the access token and ID token are validated inside OAuth2LoginAuthenticationFilter.
But for subsequent requests there is no expiry validation of the ID / access token. This makes me wonder how Spring Security validates token expiry?
This is the filter chain the request goes through. I have stepped through the filter chain on subsequent requests, but it does not call OAuth2LoginAuthenticationFilter.
WebAsyncManagerIntegrationFilter
SecurityContextPersistenceFilter
HeaderWriterFilter
CsrfFilter
LogoutFilter
OAuth2AuthorizationRequestRedirectFilter
OAuth2LoginAuthenticationFilter
DefaultLoginPageGeneratingFilter
RequestCacheAwareFilter
SecurityContextHolderAwareRequestFilter
AnonymousAuthenticationFilter
SessionManagementFilter
ExceptionTranslationFilter
FilterSecurityInterceptor
This is the configuration:
import static org.springframework.security.config.http.SessionCreationPolicy.ALWAYS;

import lombok.Setter;
import lombok.extern.log4j.Log4j2;
import org.jasypt.encryption.StringEncryptor;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.boot.context.properties.ConfigurationProperties;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.core.authority.mapping.GrantedAuthoritiesMapper;
import org.springframework.security.web.csrf.CookieCsrfTokenRepository;
import org.springframework.security.web.util.matcher.AntPathRequestMatcher;

// StoreCheckoutLogoutHandler, AuthTokenHandler and GroupsGrantedAuthoritiesMapper are
// application classes from the same package; they are not shown in the post.
@EnableWebSecurity
@Configuration
@ConfigurationProperties(prefix = "openid-auth")
@Setter
@Log4j2
public class AuthConfig extends WebSecurityConfigurerAdapter {
    protected static final String RESTRICTED_PATHS = "/api/**";
    // Cookie names cleared on logout; the post does not show their values, so these are placeholders.
    private static final String OIDC_TOKEN_COOKIE = "OIDC_TOKEN_COOKIE_PLACEHOLDER";
    private static final String OAUTH2_AUTHORIZATION_REQUEST_COOKIE = "OAUTH2_AUTHORIZATION_REQUEST_COOKIE_PLACEHOLDER";

    // Bound from openid-auth.enabled / openid-auth.client-id through @ConfigurationProperties and @Setter.
    private boolean enabled;
    private String clientId;

    @Autowired
    private StoreCheckoutLogoutHandler storeCheckoutLogoutHandler;
    @Autowired
    private StringEncryptor jasyptStringEncryptor;
    @Autowired
    private AuthTokenHandler authTokenHandler;

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        if (enabled) {
            log.info("Authentication enabled for {}", RESTRICTED_PATHS);
            configureSecurity(http);
            configureOAuthAuthorization(http);
            configureLogOut(http);
            configureStatelessAuth(http);
        } else {
            http.csrf().disable();
            log.info("Authentication disabled");
        }
    }

    // Only RESTRICTED_PATHS require an authenticated user; everything else is open.
    private void configureSecurity(HttpSecurity http) throws Exception {
        http.antMatcher("/**")
            .authorizeRequests()
            .antMatchers("/api/unprotected")
            .permitAll()
            .antMatchers(RESTRICTED_PATHS)
            .authenticated()
            .anyRequest()
            .permitAll();
    }

    // OAuth2 / OIDC login with a custom authorities mapper applied to the userinfo result.
    private void configureOAuthAuthorization(HttpSecurity http) throws Exception {
        http.oauth2Login()
            .userInfoEndpoint()
            .userAuthoritiesMapper(userAuthoritiesMapper())
            .and()
            .defaultSuccessUrl("/", true);
    }

    // Logout is triggered by DELETE /api/user; it invalidates the session and clears the token cookies.
    private void configureLogOut(HttpSecurity http) throws Exception {
        http.logout()
            .logoutRequestMatcher(new AntPathRequestMatcher("/api/user", "DELETE"))
            .addLogoutHandler(storeCheckoutLogoutHandler)
            .logoutSuccessUrl("/")
            .invalidateHttpSession(true)
            .deleteCookies(OIDC_TOKEN_COOKIE, OAUTH2_AUTHORIZATION_REQUEST_COOKIE);
    }

    // Despite the method name, sessions are always created; CSRF token is exposed via a readable cookie.
    private void configureStatelessAuth(HttpSecurity http) throws Exception {
        http
            .sessionManagement()
            .sessionCreationPolicy(ALWAYS)
            .and()
            .csrf().csrfTokenRepository(CookieCsrfTokenRepository.withHttpOnlyFalse());
    }

    private GrantedAuthoritiesMapper userAuthoritiesMapper() {
        return new GroupsGrantedAuthoritiesMapper();
    }
}
Does anyone know where Spring Security's default ID / access token validation happens?
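With oauth2Login, Spring Security keeps the OAuth2AuthenticationToken produced at the initial login in the HTTP session and does not re-check the ID or access token expiry on later requests; the filters listed above only restore that session. As an added example (not from the original post; Spring Security 5.x with javax.servlet assumed, and TokenExpiryFilter is a hypothetical name), a filter that enforces expiry on every request:

```java
import java.io.IOException;
import java.time.Instant;
import javax.servlet.FilterChain;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.security.oauth2.client.OAuth2AuthorizedClient;
import org.springframework.security.oauth2.client.OAuth2AuthorizedClientService;
import org.springframework.security.oauth2.client.authentication.OAuth2AuthenticationToken;
import org.springframework.security.oauth2.core.oidc.user.OidcUser;
import org.springframework.web.filter.OncePerRequestFilter;

/** Hypothetical filter (not from the post): drops a session whose cached ID or access token has expired. */
public class TokenExpiryFilter extends OncePerRequestFilter {
    private final OAuth2AuthorizedClientService clients;

    public TokenExpiryFilter(OAuth2AuthorizedClientService clients) {
        this.clients = clients;
    }

    @Override
    protected void doFilterInternal(HttpServletRequest req, HttpServletResponse res, FilterChain chain)
            throws ServletException, IOException {
        Authentication auth = SecurityContextHolder.getContext().getAuthentication();
        if (auth instanceof OAuth2AuthenticationToken && isExpired((OAuth2AuthenticationToken) auth)) {
            // Clear the stale login so the rest of the chain treats the request as anonymous.
            SecurityContextHolder.clearContext();
            HttpSession session = req.getSession(false);
            if (session != null) session.invalidate();
        }
        chain.doFilter(req, res);
    }

    /** True when the ID token (OIDC login) or the stored access token is past its exp claim. */
    boolean isExpired(OAuth2AuthenticationToken token) {
        Instant now = Instant.now();
        if (token.getPrincipal() instanceof OidcUser) {
            Instant idExp = ((OidcUser) token.getPrincipal()).getIdToken().getExpiresAt();
            if (idExp != null && now.isAfter(idExp)) return true;
        }
        // The access token lives on the OAuth2AuthorizedClient saved at login (in-memory service by default).
        OAuth2AuthorizedClient client = clients.loadAuthorizedClient(
                token.getAuthorizedClientRegistrationId(), token.getName());
        Instant accessExp = client == null ? null : client.getAccessToken().getExpiresAt();
        return accessExp != null && now.isAfter(accessExp);
    }
}
```

Register it after the session is restored, for example with http.addFilterAfter(new TokenExpiryFilter(authorizedClientService), SecurityContextPersistenceFilter.class), so that FilterSecurityInterceptor then rejects the now-anonymous request on RESTRICTED_PATHS.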