Is there a filter in Spring Security that validates the access token and ID token?

Time: 2019-09-26 02:03:51

Tags: spring-security spring-security-oauth2

I have configured OAuth 2, and this configuration stores the access token in memory. I can see that during the initial login, the access token and ID token are validated inside OAuth2LoginAuthenticationFilter.

But for subsequent requests there is no expiry validation of the ID/access token. This makes me wonder: how does Spring Security validate token expiry?

This is the filter chain the request goes through. I have stepped through the filter chain on subsequent requests, but it does not call OAuth2LoginAuthenticationFilter.

WebAsyncManagerIntegrationFilter
SecurityContextPersistenceFilter
HeaderWriterFilter
CsrfFilter
LogoutFilter
OAuth2AuthorizationRequestRedirectFilter
OAuth2LoginAuthenticationFilter
DefaultLoginPageGeneratingFilter
RequestCacheAwareFilter
SecurityContextHolderAwareRequestFilter
AnonymousAuthenticationFilter
SessionManagementFilter
ExceptionTranslationFilter
FilterSecurityInterceptor

Here is the configuration:

import static org.springframework.security.config.http.SessionCreationPolicy.ALWAYS;

import lombok.Setter;
import lombok.extern.log4j.Log4j2;
import org.jasypt.encryption.StringEncryptor;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.boot.context.properties.ConfigurationProperties;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.core.authority.mapping.GrantedAuthoritiesMapper;
import org.springframework.security.web.csrf.CookieCsrfTokenRepository;
import org.springframework.security.web.util.matcher.AntPathRequestMatcher;

@EnableWebSecurity
@Configuration
@ConfigurationProperties(prefix = "openid-auth")
@Setter
@Log4j2
public class AuthConfig extends WebSecurityConfigurerAdapter {

    protected static final String RESTRICTED_PATHS = "/api/**";
    // Cookie names were not shown in the question; these are placeholder values
    private static final String OIDC_TOKEN_COOKIE = "OIDC_TOKEN_COOKIE_NAME";
    private static final String OAUTH2_AUTHORIZATION_REQUEST_COOKIE = "OAUTH2_AUTHORIZATION_REQUEST_COOKIE_NAME";

    // Bound from openid-auth.enabled and openid-auth.client-id through @ConfigurationProperties + @Setter
    private boolean enabled;
    private String clientId;

    @Autowired
    private StoreCheckoutLogoutHandler storeCheckoutLogoutHandler;
    @Autowired
    private StringEncryptor jasyptStringEncryptor;
    @Autowired
    private AuthTokenHandler authTokenHandler;

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        if (enabled) {
            log.info("Authentication enabled for {}", RESTRICTED_PATHS);
            configureSecurity(http);
            configureOAuthAuthorization(http);
            configureLogOut(http);
            configureStatelessAuth(http);
        } else {
            http.csrf().disable();
            log.info("Authentication disabled");
        }
    }

    // Only /api/** requires an authenticated user; everything else is open
    private void configureSecurity(HttpSecurity http) throws Exception {
        http.antMatcher("/**")
            .authorizeRequests()
            .antMatchers("/api/unprotected")
            .permitAll()
            .antMatchers(RESTRICTED_PATHS)
            .authenticated()
            .anyRequest()
            .permitAll();
    }

    // OAuth 2 / OIDC login; authorities are derived from the user-info response
    private void configureOAuthAuthorization(HttpSecurity http) throws Exception {
        http.oauth2Login()
            .userInfoEndpoint()
            .userAuthoritiesMapper(userAuthoritiesMapper())
            .and()
            .defaultSuccessUrl("/", true);
    }

    // Logout is triggered by DELETE /api/user; the session and token cookies are dropped
    private void configureLogOut(HttpSecurity http) throws Exception {
        http.logout()
            .logoutRequestMatcher(new AntPathRequestMatcher("/api/user", "DELETE"))
            .addLogoutHandler(storeCheckoutLogoutHandler)
            .logoutSuccessUrl("/")
            .invalidateHttpSession(true)
            .deleteCookies(OIDC_TOKEN_COOKIE, OAUTH2_AUTHORIZATION_REQUEST_COOKIE);
    }

    // A session is always created; the CSRF token is exposed in a cookie readable by JavaScript
    private void configureStatelessAuth(HttpSecurity http) throws Exception {
        http.sessionManagement()
            .sessionCreationPolicy(ALWAYS)
            .and()
            .csrf().csrfTokenRepository(CookieCsrfTokenRepository.withHttpOnlyFalse());
    }

    private GrantedAuthoritiesMapper userAuthoritiesMapper() {
        return new GroupsGrantedAuthoritiesMapper();
    }
}

Does anyone know where Spring Security's default ID/access token validation happens?
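The behaviour the question observes is how oauth2Login() works: the ID token and the access token response are validated once, in OAuth2LoginAuthenticationFilter, and the resulting OAuth2AuthenticationToken is then stored in the HTTP session and restored by SecurityContextPersistenceFilter on every later request without any further expiry check. If a session should not outlive its tokens, that check has to be added. The filter below is an added example, not code from the question or from Spring Security, and it assumes a Spring Security 5.x application using oauth2Login() with session-based authentication and the auto-configured OAuth2AuthorizedClientService bean; the class name TokenExpiryFilter, the package and the CLOCK_SKEW value are this example's own choices.

```java
package com.example.auth; // hypothetical package

import java.io.IOException;
import java.time.Duration;
import java.time.Instant;

import javax.servlet.FilterChain;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

import org.springframework.security.core.Authentication;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.security.oauth2.client.OAuth2AuthorizedClient;
import org.springframework.security.oauth2.client.OAuth2AuthorizedClientService;
import org.springframework.security.oauth2.client.authentication.OAuth2AuthenticationToken;
import org.springframework.security.oauth2.core.oidc.user.OidcUser;
import org.springframework.web.filter.OncePerRequestFilter;

/**
 * Re-checks the expiry of the ID token and the access token on every request
 * after login. If either has expired, the session authentication is discarded
 * so the request is treated as anonymous and protected paths trigger a new login.
 *
 * Register it after SecurityContextPersistenceFilter, which is what restores the
 * Authentication from the session, e.g. inside configure(HttpSecurity):
 *
 *   http.addFilterAfter(new TokenExpiryFilter(authorizedClientService),
 *                       SecurityContextPersistenceFilter.class);
 */
public class TokenExpiryFilter extends OncePerRequestFilter {

    // Tolerance for clock drift between this server and the identity provider (example value)
    private static final Duration CLOCK_SKEW = Duration.ofSeconds(60);

    private final OAuth2AuthorizedClientService authorizedClientService;

    public TokenExpiryFilter(OAuth2AuthorizedClientService authorizedClientService) {
        this.authorizedClientService = authorizedClientService;
    }

    @Override
    protected void doFilterInternal(HttpServletRequest request, HttpServletResponse response,
                                    FilterChain chain) throws ServletException, IOException {
        Authentication auth = SecurityContextHolder.getContext().getAuthentication();
        if (auth instanceof OAuth2AuthenticationToken && isExpired((OAuth2AuthenticationToken) auth)) {
            // Drop the stale login: clear the thread-bound context and the session that holds it
            SecurityContextHolder.clearContext();
            HttpSession session = request.getSession(false);
            if (session != null) {
                session.invalidate();
            }
        }
        chain.doFilter(request, response);
    }

    /** True when the ID token or the access token of this login is past its exp time. */
    boolean isExpired(OAuth2AuthenticationToken token) {
        Instant now = Instant.now();

        // 1. ID token: available on the principal when the login was OIDC
        if (token.getPrincipal() instanceof OidcUser) {
            Instant idExp = ((OidcUser) token.getPrincipal()).getIdToken().getExpiresAt();
            if (isPast(idExp, now)) {
                return true;
            }
        }

        // 2. Access token: looked up from the authorized-client store by registration id + principal name
        OAuth2AuthorizedClient client = authorizedClientService.loadAuthorizedClient(
                token.getAuthorizedClientRegistrationId(), token.getName());
        if (client == null) {
            // Nothing stored for this login (e.g. in-memory store lost after restart): treat as expired
            return true;
        }
        return isPast(client.getAccessToken().getExpiresAt(), now);
    }

    private static boolean isPast(Instant expiresAt, Instant now) {
        // A token without an exp claim is not treated as expired here; tighten if your IdP always sets it
        return expiresAt != null && now.minus(CLOCK_SKEW).isAfter(expiresAt);
    }
}
```

Two design points worth noting. First, treating a missing OAuth2AuthorizedClient as expired is deliberate: the in-memory store from the question does not survive a restart, and a session that claims to be logged in without a backing access token should not keep working. Second, an expired access token is not necessarily a reason to end the login when a refresh token is present; if the application calls downstream APIs with the access token, refreshing it with OAuth2AuthorizedClientManager is the usual path, and this filter should then be limited to the ID token check.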

0 answers:

No answers