Spring Security & OAuth: path notes (draft)

http://spring-security-oauth.codehaus.org/schema/spring-security-oauth-3.0.xsd
http://www.springframework.org/schema/security/spring-security-3.1.xsd


// Loads the default classes
AuthorizationServerBeanDefinitionParser

<sec:remember-me use-secure-cookie="true" />

This is the main class that runs through these notes:
org.springframework.security.web.context.HttpSessionSecurityContextRepository.SaveToSessionResponseWrapper
org.springframework.security.web.context.HttpSessionSecurityContextRepository.SPRING_SECURITY_CONTEXT_KEY
public static final String SPRING_SECURITY_CONTEXT_KEY = "SPRING_SECURITY_CONTEXT";
   
public final void sendRedirect(String location) throws IOException {
    // Before every redirect, save the authenticated information into the session so it is available on the next request
    doSaveContext();
    super.sendRedirect(location);
}


Spring Security context classes:
org.springframework.security.web.context.HttpSessionSecurityContextRepository
org.springframework.security.web.context.HttpRequestResponseHolder
org.springframework.security.web.context.NullSecurityContextRepository
org.springframework.security.web.context.SaveContextOnUpdateOrErrorResponseWrapper
org.springframework.security.web.context.SecurityContextPersistenceFilter
org.springframework.security.web.context.SecurityContextRepository

org.springframework.security.web.savedrequest.HttpSessionRequestCache
DefaultSavedRequest

org.springframework.security.web.context.SecurityContextPersistenceFilter (lines 81-82) uses the class org.springframework.security.web.context.HttpSessionSecurityContextRepository to load the session contents back into org.springframework.security.core.context.SecurityContext (SecurityContext contextBeforeChainExecution = repo.loadContext(holder);)


org.springframework.security.web.servletapi.SecurityContextHolderAwareRequestFilter
This class takes the SecurityContext from the session into the request, so that the arguments of the handler method of org.springframework.security.oauth2.provider.endpoint.AuthorizationEndpoint are filled in automatically:
@RequestMapping
public ModelAndView authorize(Map<String, Object> model,
@RequestParam(value = "response_type", required = false, defaultValue = "none") String responseType,
@RequestParam Map<String, String> requestParameters, SessionStatus sessionStatus, Principal principal) {
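
The session round trip described in the notes above (the repository loading the context, then the request wrapper exposing it as the Principal that authorize() receives), as an added example that is not part of the original notes or of Spring's source. It assumes spring-security-web and spring-test on the classpath; the class name ContextRoundTrip and the user "alice" are constructed for illustration.

```java
import org.springframework.mock.web.MockHttpServletRequest;
import org.springframework.mock.web.MockHttpServletResponse;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.core.authority.AuthorityUtils;
import org.springframework.security.core.context.SecurityContext;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.security.web.context.HttpRequestResponseHolder;
import org.springframework.security.web.context.HttpSessionSecurityContextRepository;
import org.springframework.security.web.servletapi.SecurityContextHolderAwareRequestWrapper;

public class ContextRoundTrip {
    public static void main(String[] args) {
        HttpSessionSecurityContextRepository repo = new HttpSessionSecurityContextRepository();

        // Request 1: no session yet. loadContext() returns an empty context and
        // replaces the response in the holder with the save-to-session wrapper.
        MockHttpServletRequest first = new MockHttpServletRequest();
        HttpRequestResponseHolder h1 =
                new HttpRequestResponseHolder(first, new MockHttpServletResponse());
        SecurityContext ctx = repo.loadContext(h1);
        ctx.setAuthentication(new UsernamePasswordAuthenticationToken(
                "alice", "n/a", AuthorityUtils.createAuthorityList("ROLE_USER"))); // constructed user
        // What doSaveContext() triggers before a redirect: the context is stored
        // in the session under SPRING_SECURITY_CONTEXT_KEY.
        repo.saveContext(ctx, h1.getRequest(), h1.getResponse());

        // Request 2: a new request carrying the same session.
        MockHttpServletRequest second = new MockHttpServletRequest();
        second.setSession(first.getSession());
        HttpRequestResponseHolder h2 =
                new HttpRequestResponseHolder(second, new MockHttpServletResponse());
        SecurityContext loaded = repo.loadContext(h2); // SecurityContextPersistenceFilter's step
        SecurityContextHolder.setContext(loaded);
        try {
            // The wrapper class listed in these notes: getUserPrincipal() is answered
            // from the SecurityContextHolder, which is where Spring MVC gets the
            // Principal argument of a handler method.
            SecurityContextHolderAwareRequestWrapper wrapped =
                    new SecurityContextHolderAwareRequestWrapper(second, "ROLE_");
            System.out.println("principal: " + wrapped.getUserPrincipal().getName());
            Object stored = second.getSession().getAttribute(
                    HttpSessionSecurityContextRepository.SPRING_SECURITY_CONTEXT_KEY);
            System.out.println("same object as session attribute: " + (stored == loaded));
        } finally {
            SecurityContextHolder.clearContext(); // the persistence filter clears it as well
        }
    }
}
```

Because the authenticated context lives in the session under SPRING_SECURITY_CONTEXT, whoever presents that session id is treated as the user on the next request.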

...
WebAppContext
SessionHandler
ServletHandler
com.XXX.spring.core.PrintRequestFilter
org.springframework.web.filter.DelegatingFilterProxy
org.springframework.web.filter.DelegatingFilterProxy
org.springframework.security.web.FilterChainProxy
org.springframework.security.web.context.SecurityContextPersistenceFilter
org.springframework.security.web.authentication.www.BasicAuthenticationFilter
org.springframework.security.oauth2.provider.client.ClientCredentialsTokenEndpointFilter
org.springframework.security.oauth2.provider.client.ClientCredentialsTokenEndpointFilter
org.springframework.security.authentication.ProviderManager

org.springframework.security.authentication.dao.DaoAuthenticationProvider@7878966d
org.springframework.security.oauth2.provider.client.ClientDetailsUserDetailsService@1e02437d

org.springframework.security.oauth2.provider.CompositeTokenGranter@53e7105f
[com.XXX.mplus.member.service.FlymeAuthenticationProvider@4f8befbb]

org.springframework.security.authentication.UsernamePasswordAuthenticationToken@91c76850

org.springframework.security.oauth2.provider.endpoint.TokenEndpoint
org.springframework.security.oauth2.provider.CompositeTokenGranter

org.springframework.security.authentication.DefaultAuthenticationEventPublisher@dcb9a59
org.springframework.security.authentication.event.AuthenticationSuccessEvent[source=org.springframework.security.authentication.UsernamePasswordAuthenticationToken@83a95e68: Principal: org.springframework.security.core.userdetails.User@7c56a1ac: Username: KzA76k3lBCYDqKTy6VYvb9WR6QSUWVGJ; Password: [PROTECTED]; Enabled: true; AccountNonExpired: true; credentialsNonExpired: true; AccountNonLocked: true; Not granted any authorities; Credentials: [PROTECTED]; Authenticated: true; Details: null; Not granted any authorities]

org.springframework.security.oauth2.provider.client.ClientCredentialsTokenEndpointFilter@2d511c93
org.springframework.security.authentication.ProviderManager@55d49663
com.XXX.mplus.grant.FlymePasswordTokenGranter@5a889cd6
org.springframework.security.authentication.ProviderManager@60813c84


org.springframework.beans.factory.support.ConstructorResolver
org.springframework.web.servlet.handler.MappedInterceptor#0


clientAuthenticationManager
org.springframework.security.authenticationManager
userAuthenticationManager
phoneAuthenticationManager
flymeAuthenticationManager
userIdAuthenticationManager
rememberMeAuthenticationManager
phonePasswordGranter

http configuration:
org.springframework.security.config.authentication.AuthenticationManagerFactoryBean

org.springframework.security.web.servletapi.SecurityContextHolderAwareRequestWrapper
org.springframework.security.web.servletapi.SecurityContextHolderAwareRequestFilter
FilterComparator
...
        put(RequestCacheAwareFilter.class, order);
        order += STEP;
        put(SecurityContextHolderAwareRequestFilter.class, order);
        order += STEP;
        put(JaasApiIntegrationFilter.class, order);
...



org.springframework.security.oauth2.provider.client.ClientCredentialsTokenEndpointFilter

UsernamePasswordAuthenticationToken authRequest = new UsernamePasswordAuthenticationToken(clientId,
clientSecret);

return this.getAuthenticationManager().authenticate(authRequest);



org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter
        UsernamePasswordAuthenticationToken authRequest = new UsernamePasswordAuthenticationToken(username, password);

        // Allow subclasses to set the "details" property
        setDetails(request, authRequest);

        return this.getAuthenticationManager().authenticate(authRequest);
       
       
org.springframework.security.web.authentication.preauth.AbstractPreAuthenticatedProcessingFilter
PreAuthenticatedAuthenticationToken authRequest = new PreAuthenticatedAuthenticationToken(principal, credentials);
            authRequest.setDetails(authenticationDetailsSource.buildDetails(request));
            authResult = authenticationManager.authenticate(authRequest);
           
           
com.XXX.mplus.grant.FlymePasswordTokenGranter
Authentication userAuth = new UsernamePasswordAuthenticationToken(
flyme, password);
try {
userAuth = authenticationManager.authenticate(userAuth);




spring web:
org.springframework.web.method.support.InvocableHandlerMethod


Spring Web core interfaces:
org.springframework.web.method.support.InvocableHandlerMethod.getMethodArgumentValues(NativeWebRequest, ModelAndViewContainer, Object...)
Implementations of the interface that resolves handler arguments automatically:
org.springframework.web.servlet.mvc.method.annotation.ServletRequestMethodArgumentResolver.resolveArgument(MethodParameter, ModelAndViewContainer, NativeWebRequest, WebDataBinderFactory)
org.springframework.web.servlet.mvc.method.annotation.RequestMappingHandlerAdapter.invokeHandleMethod(HttpServletRequest, HttpServletResponse, HandlerMethod)
org.springframework.web.servlet.mvc.method.annotation.ServletRequestMethodArgumentResolver.resolveArgument(MethodParameter, ModelAndViewContainer, NativeWebRequest, WebDataBinderFactory)
org.springframework.web.servlet.mvc.method.annotation.ServletResponseMethodArgumentResolver

getAccessToken:
org.springframework.security.oauth2.provider.endpoint.TokenEndpoint.getAccessToken(Principal, String, Map<String, String>)

org.springframework.security.authentication.AuthenticationTrustResolverImpl

org.springframework.security.web.servletapi.SecurityContextHolderAwareRequestFilter.doFilter(ServletRequest, ServletResponse, FilterChain)


Key point:
org.springframework.web.servlet.mvc.method.annotation.ServletRequestMethodArgumentResolver.resolveArgument(MethodParameter, ModelAndViewContainer, NativeWebRequest, WebDataBinderFactory)


org.springframework.web.method.annotation.RequestParamMapMethodArgumentResolver@68d259f1


org.springframework.security.oauth2.provider.endpoint.AuthorizationEndpoint
@FrameworkEndpoint
@SessionAttributes("authorizationRequest")
@RequestMapping(value = "/oauth/authorize")
public class AuthorizationEndpoint extends AbstractEndpoint implements InitializingBean {

Reposted from gelongmei.iteye.com/blog/2118503