| url | 说明 | 方法 |
|---|---|---|
| /login | ||
| /oauth/authorize | 无登录态时跳转到/authentication/require,有登录态时跳转到/login | org.springframework.security.oauth2.provider.endpoint.AuthorizationEndpoint#authorize |
| /authentication/require | 自己写的用于重定向到登录页面的url | cn.merryyou.sso.controller.LoginController#require |
| /authentication/form | 提交登录信息, | 据说是UsernamePasswordAuthenticationFilter处理此请求 |
==================
url在哪个类中配置的?
应该了解下正常的controller处理请求的堆栈是啥
org.springframework.web.servlet.handler.AbstractHandlerMethodMapping#lookupHandlerMethod加断点
在下面截图可以看到正常的controller与url对应关系的存储位置
下图可以看到/authentication/require接口和handler的位置对应关系
无法找到
GET /uaa/oauth/authorize?client_id=merryyou1&redirect_uri=http://localhost:8083/client1/login&response_type=code&state=dSx7fy HTTP/1.1
这个请求在哪里触发的。
已知/uaa/oauth/authorize这个请求返回302,重定向到/uaa/authentication/require,/uaa/authentication/require是自己写的,然后通过HttpSecurity配置。
点击"登录"时触发接口/authentication/form,此接口在哪?
加断点没找到,但是找到了其重定向的那个连接/uaa/oauth/authorize
authorize:123, AuthorizationEndpoint (org.springframework.security.oauth2.provider.endpoint)
invoke0:-1, NativeMethodAccessorImpl (sun.reflect)
invoke:62, NativeMethodAccessorImpl (sun.reflect)
invoke:43, DelegatingMethodAccessorImpl (sun.reflect)
invoke:498, Method (java.lang.reflect)
doInvoke:205, InvocableHandlerMethod (org.springframework.web.method.support)
invokeForRequest:133, InvocableHandlerMethod (org.springframework.web.method.support)
invokeAndHandle:97, ServletInvocableHandlerMethod (org.springframework.web.servlet.mvc.method.annotation)
invokeHandlerMethod:827, RequestMappingHandlerAdapter (org.springframework.web.servlet.mvc.method.annotation)
handleInternal:738, RequestMappingHandlerAdapter (org.springframework.web.servlet.mvc.method.annotation)
handle:85, AbstractHandlerMethodAdapter (org.springframework.web.servlet.mvc.method)
doDispatch:967, DispatcherServlet (org.springframework.web.servlet)
重新触发登录逻辑,可以看到org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter#attemptAuthentication的调用,据说此方法是/authentication/form
attemptAuthentication:70, UsernamePasswordAuthenticationFilter (org.springframework.security.web.authentication)
doFilter:212, AbstractAuthenticationProcessingFilter (org.springframework.security.web.authentication)
doFilter:331, FilterChainProxy$VirtualFilterChain (org.springframework.security.web)
doFilter:116, LogoutFilter (org.springframework.security.web.authentication.logout)
doFilter:331, FilterChainProxy$VirtualFilterChain (org.springframework.security.web)
doFilterInternal:64, HeaderWriterFilter (org.springframework.security.web.header)
doFilter:107, OncePerRequestFilter (org.springframework.web.filter)
doFilter:331, FilterChainProxy$VirtualFilterChain (org.springframework.security.web)
doFilter:105, SecurityContextPersistenceFilter (org.springframework.security.web.context)
doFilter:331, FilterChainProxy$VirtualFilterChain (org.springframework.security.web)
doFilterInternal:56, WebAsyncManagerIntegrationFilter (org.springframework.security.web.context.request.async)
doFilter:107, OncePerRequestFilter (org.springframework.web.filter)
doFilter:331, FilterChainProxy$VirtualFilterChain (org.springframework.security.web)
doFilterInternal:214, FilterChainProxy (org.springframework.security.web)
doFilter:177, FilterChainProxy (org.springframework.security.web)
invokeDelegate:346, DelegatingFilterProxy (org.springframework.web.filter)
doFilter:262, DelegatingFilterProxy (org.springframework.web.filter)
internalDoFilter:193, ApplicationFilterChain (org.apache.catalina.core)
doFilter:166, ApplicationFilterChain (org.apache.catalina.core)
doFilterInternal:99, RequestContextFilter (org.springframework.web.filter)
doFilter:107, OncePerRequestFilter (org.springframework.web.filter)
internalDoFilter:193, ApplicationFilterChain (org.apache.catalina.core)
doFilter:166, ApplicationFilterChain (org.apache.catalina.core)
doFilterInternal:105, HttpPutFormContentFilter (org.springframework.web.filter)
doFilter:107, OncePerRequestFilter (org.springframework.web.filter)
internalDoFilter:193, ApplicationFilterChain (org.apache.catalina.core)
doFilter:166, ApplicationFilterChain (org.apache.catalina.core)
doFilterInternal:81, HiddenHttpMethodFilter (org.springframework.web.filter)
doFilter:107, OncePerRequestFilter (org.springframework.web.filter)
internalDoFilter:193, ApplicationFilterChain (org.apache.catalina.core)
doFilter:166, ApplicationFilterChain (org.apache.catalina.core)
doFilterInternal:197, CharacterEncodingFilter (org.springframework.web.filter)
doFilter:107, OncePerRequestFilter (org.springframework.web.filter)
internalDoFilter:193, ApplicationFilterChain (org.apache.catalina.core)
doFilter:166, ApplicationFilterChain (org.apache.catalina.core)
invoke:198, StandardWrapperValve (org.apache.catalina.core)
invoke:96, StandardContextValve (org.apache.catalina.core)
invoke:478, AuthenticatorBase (org.apache.catalina.authenticator)
invoke:140, StandardHostValve (org.apache.catalina.core)
invoke:80, ErrorReportValve (org.apache.catalina.valves)
invoke:87, StandardEngineValve (org.apache.catalina.core)
service:342, CoyoteAdapter (org.apache.catalina.connector)
service:799, Http11Processor (org.apache.coyote.http11)
process:66, AbstractProcessorLight (org.apache.coyote)
process:868, AbstractProtocol$ConnectionHandler (org.apache.coyote)
doRun:1455, NioEndpoint$SocketProcessor (org.apache.tomcat.util.net)
run:49, SocketProcessorBase (org.apache.tomcat.util.net)
runWorker:1149, ThreadPoolExecutor (java.util.concurrent)
run:624, ThreadPoolExecutor$Worker (java.util.concurrent)
run:61, TaskThread$WrappingRunnable (org.apache.tomcat.util.threads)
run:748, Thread (java.lang)
filter在web中的定位 --done。Filter是Servlet规范的一部分,它的主要目的是在请求到达Servlet(包括Spring MVC的DispatcherServlet)之前或之后执行某些操作
client中/ 和 /login之间的跳转逻辑是如何实现的?
感觉和EnableOAuth2Sso这个注解有关
这个博客讲的太细了,不适合初学者
初学者应该先了解如何使用,然后是http交互逻辑,最后是原理
client-id: merryyou1这种方式可以配置客户端。客户端在oauth中的定位是啥?每个客户端对数据有不同授权?
user-authorization-uri是请求认证,access-token-uri是请求令牌,两者啥关系?
需要了解下HttpSecurity各个配置的含义