SecurityContextPersistenceFilter (security context persistence)
By default it fetches the SecurityContext from the HttpSession (attribute SPRING_SECURITY_CONTEXT, through HttpSessionSecurityContextRepository) and puts it into SecurityContextHolder;
from then on every other filter in the chain, and the controller, reads the current Authentication from SecurityContextHolder.
SecurityContextHolder is a ThreadLocal by default, so what is put there only lives for this one request; once the request ends the data would be gone,
so after the filter chain has run, this filter takes the context back out of the ThreadLocal, stores it in the HttpSession, and clears the ThreadLocal (container threads are pooled and reused, so a context left behind would be visible to the next request served by that thread, and the ThreadLocal itself would leak memory).
The HttpSession outlives the request (until its timeout), so as long as the browser still presents the JSESSIONID cookie the login state is found again on the next request. It survives a server restart only when the container persists sessions (Tomcat's StandardManager serializes them to SESSIONS.ser on a clean shutdown; Spring Boot's embedded Tomcat leaves this off unless server.servlet.session.persistent=true) or when Spring Session with an external store is used.
// doFilter method (abridged from SecurityContextPersistenceFilter; debug logging and forceEagerSessionCreation omitted)
public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
        throws IOException, ServletException {
    HttpServletRequest request = (HttpServletRequest) req;
    HttpServletResponse response = (HttpServletResponse) res;
    if (request.getAttribute(FILTER_APPLIED) != null) {
        // ensure that filter is only applied once per request
        chain.doFilter(request, response);
        return;
    }
    request.setAttribute(FILTER_APPLIED, Boolean.TRUE);
    HttpRequestResponseHolder holder = new HttpRequestResponseHolder(request, response);
    // load the security context (HttpSessionSecurityContextRepository by default: reads SPRING_SECURITY_CONTEXT
    // from the session, or returns a fresh empty context when there is none)
    SecurityContext contextBeforeChainExecution = repo.loadContext(holder);
    try {
        SecurityContextHolder.setContext(contextBeforeChainExecution);
        chain.doFilter(holder.getRequest(), holder.getResponse());
    }
    // runs once every filter in the chain has finished (or thrown)
    finally {
        SecurityContext contextAfterChainExecution = SecurityContextHolder.getContext();
        // Crucial removal of SecurityContextHolder contents - do this before anything else.
        // Cleared before saveContext so the pooled thread never carries this request's authentication
        // into the next request it serves, even if saveContext throws; it also avoids a ThreadLocal leak.
        SecurityContextHolder.clearContext();
        // write back to the session (anonymous contexts are not stored, unchanged ones are skipped);
        // the session keeps it until it expires
        repo.saveContext(contextAfterChainExecution, holder.getRequest(), holder.getResponse());
        request.removeAttribute(FILTER_APPLIED);
    }
}
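Added example (not from the page and not Spring Security's own code) showing why the context must be cleared before the filter returns: a single-thread executor stands in for a container's pooled worker thread, and two simulated requests run on it back to back, once without and once with the clear. Assumptions: spring-security-core on the classpath, the default MODE_THREADLOCAL holder strategy, and handle() is a hypothetical stand-in for "filter sets context, controller reads it".

```java
import java.util.List;
import java.util.concurrent.ExecutorService;
import java.util.concurrent.Executors;
import java.util.concurrent.Future;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.context.SecurityContext;
import org.springframework.security.core.context.SecurityContextHolder;

public class ThreadReuseDemo {

    // Hypothetical request handler: when 'user' is non-null the "filter" authenticates the
    // request and stores the context in the ThreadLocal-backed SecurityContextHolder; the
    // "controller" then reports who it believes the caller is.
    static String handle(String user, boolean clearAfter) {
        if (user != null) {
            SecurityContext ctx = SecurityContextHolder.createEmptyContext();
            ctx.setAuthentication(new UsernamePasswordAuthenticationToken(user, "n/a", List.of()));
            SecurityContextHolder.setContext(ctx);
        }
        try {
            Authentication a = SecurityContextHolder.getContext().getAuthentication();
            return a == null ? "anonymous" : a.getName();
        } finally {
            // This is the step SecurityContextPersistenceFilter performs in its finally block.
            if (clearAfter) {
                SecurityContextHolder.clearContext();
            }
        }
    }

    public static void main(String[] args) throws Exception {
        // One worker thread, reused for every task, just like a servlet container's thread pool.
        ExecutorService worker = Executors.newSingleThreadExecutor();
        try {
            // Request 1 authenticates as alice, request 2 carries no credentials at all.
            Future<String> r1 = worker.submit(() -> handle("alice", false));
            Future<String> r2 = worker.submit(() -> handle(null, false));
            System.out.println("without clear: " + r1.get() + " / " + r2.get());

            Future<String> r3 = worker.submit(() -> handle("alice", true));
            Future<String> r4 = worker.submit(() -> handle(null, true));
            System.out.println("with clear:    " + r3.get() + " / " + r4.get());
        } finally {
            worker.shutdown();
        }
    }
}
```

Without the clear, the second (unauthenticated) request observes alice's Authentication left behind on the thread by the first; with the clear it sees an empty context. In a real deployment the consequence is not a demo string but one user's request being served with another user's authorities, which is why the filter clears the holder unconditionally in finally, before anything that could throw.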
OAuth2AuthorizationRequestRedirectFilter (OAuth 2.0 authorization request redirect filter)
Resolves the incoming HttpServletRequest into an OAuth2AuthorizationRequest (the request that will be sent to the third-party authorization server) using its OAuth2AuthorizationRequestResolver; by default only requests to /oauth2/authorization/{registrationId} resolve to one. If the result is non-null, the filter first saves the OAuth2AuthorizationRequest, including its random state value, through the AuthorizationRequestRepository (HttpSession-backed by default) so the callback can later be matched against it, and then redirects the browser to the third party's authorization endpoint,
e.g. GitHub's or Gitee's authorization page.
OAuth2LoginAuthenticationFilter (OAuth 2.0 authentication filter, the engine of the OAuth 2.0 Login flow)
The engine of the OAuth 2.0 Login flow: it handles the third party's callback (default pattern /login/oauth2/code/*), which carries the authorization code and the state.
It first retrieves the OAuth2AuthorizationRequest saved before the redirect, looked up by the state parameter; if nothing matches, authentication fails with authorization_request_not_found, which is what rejects forged or replayed callbacks.
It then exchanges the authorization code at the third party's token endpoint for an access_token (and a refresh_token, if the provider issues one; many do not, GitHub OAuth Apps among them).
With that access_token it calls the provider's user-info endpoint (OAuth2UserService) to load the user's attributes.
The user attributes become the principal (an OAuth2User) of the resulting OAuth2AuthenticationToken, which SecurityContextPersistenceFilter stores in the HttpSession at the end of the request. The tokens themselves are wrapped in an OAuth2AuthorizedClient and saved with OAuth2AuthorizedClientRepository.saveAuthorizedClient(); the Spring Boot default repository delegates to an in-memory OAuth2AuthorizedClientService for authenticated principals (with an HttpSession-backed store only for anonymous ones), so the tokens are lost on restart.
Developers can supply their own OAuth2AuthorizedClientRepository (or an OAuth2AuthorizedClientService such as JdbcOAuth2AuthorizedClientService) to keep the tokens elsewhere; DefaultOAuth2AuthorizedClientManager, which holds an OAuth2AuthorizedClientRepository, is the component for obtaining and refreshing authorized clients outside the login flow, for example before an outbound WebClient call.
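Added example (not part of the page and not Spring Security's own code) covering the two OAuth 2.0 filters above end to end: a custom OAuth2AuthorizedClientRepository that keeps OAuth2AuthorizedClient objects (tokens, not user attributes) in a process-local map keyed by registration id and principal name, wired into oauth2Login(), plus a controller showing that user attributes and tokens arrive through two different objects. Assumptions: Spring Security 5.4+ on javax.servlet, a registration named github configured through the spring.security.oauth2.client.registration.github.* properties, and the names MapAuthorizedClientRepository and /me are hypothetical.

```java
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.annotation.AuthenticationPrincipal;
import org.springframework.security.oauth2.client.OAuth2AuthorizedClient;
import org.springframework.security.oauth2.client.annotation.RegisteredOAuth2AuthorizedClient;
import org.springframework.security.oauth2.client.web.OAuth2AuthorizedClientRepository;
import org.springframework.security.oauth2.core.user.OAuth2User;
import org.springframework.security.web.SecurityFilterChain;
import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.RestController;

@Configuration
public class OAuth2LoginConfig {

    // Hypothetical store: process-local, so like the in-memory default it is lost on restart.
    // Swap the map for a database table (or use JdbcOAuth2AuthorizedClientService) to persist tokens.
    static class MapAuthorizedClientRepository implements OAuth2AuthorizedClientRepository {
        private final Map<String, OAuth2AuthorizedClient> store = new ConcurrentHashMap<>();

        // Tokens belong to one (client registration, user) pair; never key by registration alone.
        private static String key(String registrationId, Authentication principal) {
            return registrationId + ":" + principal.getName();
        }

        @Override
        @SuppressWarnings("unchecked")
        public <T extends OAuth2AuthorizedClient> T loadAuthorizedClient(
                String clientRegistrationId, Authentication principal, HttpServletRequest request) {
            if (principal == null) {
                return null; // anonymous callers own no tokens here
            }
            return (T) store.get(key(clientRegistrationId, principal));
        }

        @Override
        public void saveAuthorizedClient(OAuth2AuthorizedClient client, Authentication principal,
                HttpServletRequest request, HttpServletResponse response) {
            // Called by OAuth2LoginAuthenticationFilter once the code has been exchanged for tokens.
            store.put(key(client.getClientRegistration().getRegistrationId(), principal), client);
        }

        @Override
        public void removeAuthorizedClient(String clientRegistrationId, Authentication principal,
                HttpServletRequest request, HttpServletResponse response) {
            if (principal != null) {
                store.remove(key(clientRegistrationId, principal));
            }
        }
    }

    @Bean
    OAuth2AuthorizedClientRepository authorizedClientRepository() {
        return new MapAuthorizedClientRepository();
    }

    @Bean
    SecurityFilterChain filterChain(HttpSecurity http, OAuth2AuthorizedClientRepository repo)
            throws Exception {
        http
            .authorizeRequests(a -> a.anyRequest().authenticated())
            // registers OAuth2AuthorizationRequestRedirectFilter and OAuth2LoginAuthenticationFilter
            .oauth2Login(o -> o.authorizedClientRepository(repo));
        return http.build();
    }
}

@RestController
class WhoAmI {
    // The principal comes from the session-backed SecurityContext; the tokens come from the
    // OAuth2AuthorizedClientRepository, resolved for the "github" registration.
    @GetMapping("/me")
    Map<String, String> me(@AuthenticationPrincipal OAuth2User user,
                           @RegisteredOAuth2AuthorizedClient("github") OAuth2AuthorizedClient client) {
        return Map.of(
            "login", user.getName(),
            "tokenType", client.getAccessToken().getTokenType().getValue(),
            // GitHub OAuth App tokens carry no expires_in, so this may legitimately be "null"
            "expiresAt", String.valueOf(client.getAccessToken().getExpiresAt()));
    }
}
```

Visiting /me unauthenticated triggers the redirect filter (via /oauth2/authorization/github); after the callback is processed, the same URL returns the GitHub login name from the principal and the token metadata from the custom repository. Never expose the access token value itself from an endpoint like this.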
