oauth2 talk

Because the company uses OAuth2 for authentication and authorization, I had to learn the framework, and it took me a while to understand it. Overall, the framework is still relatively heavy and difficult to follow.

This is mainly because it relies on filters, many of which need to be configured. It can be configured through properties and through Java code, and much of the time we don't know what a given filter is actually for.

But after studying it, I feel that once you know it is built from a long chain of filters, it becomes much simpler.

1. Authentication process

From the figure, we can see that UsernamePasswordAuthenticationFilter wraps the username and password from the request. What it does is limited: it delegates the actual authentication to AuthenticationManager.

AuthenticationManager, in turn, relies on DaoAuthenticationProvider to do the work.

Authentication means looking up the user information by username. This step has to be done by the developer, but the password comparison is handled by Spring Security: the framework encodes the submitted password and compares it with the password stored in the database. On success, the authentication information is saved to the SecurityContextHolder,

which is a ThreadLocal; understanding this helps a lot in understanding Spring Security.

This brings in the SecurityContextPersistenceFilter, which puts the authentication information into the ThreadLocal at the start of the request and removes it when the request ends.

During authentication, the user's permissions can be looked up at the same time and put into the ThreadLocal as well.
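The flow above, wired by hand without the servlet filters, as an added example that is not part of the original post: the developer supplies the UserDetailsService (user lookup) and the PasswordEncoder, DaoAuthenticationProvider does the password comparison, and the result lands in the ThreadLocal-backed SecurityContextHolder. It assumes Spring Security 5.x on the classpath; the user "alice" and her password are constructed sample data.

```java
import org.springframework.security.authentication.AuthenticationManager;
import org.springframework.security.authentication.BadCredentialsException;
import org.springframework.security.authentication.ProviderManager;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.authentication.dao.DaoAuthenticationProvider;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.security.core.userdetails.User;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
import org.springframework.security.crypto.password.PasswordEncoder;
import org.springframework.security.provisioning.InMemoryUserDetailsManager;

public class AuthFlowDemo {
    public static void main(String[] args) throws InterruptedException {
        PasswordEncoder encoder = new BCryptPasswordEncoder();

        // Developer's part: look up the user by username. Only the bcrypt hash is stored (constructed sample user).
        UserDetailsService users = new InMemoryUserDetailsManager(
                User.withUsername("alice").password(encoder.encode("s3cret")).roles("USER").build());

        // Framework's part: DaoAuthenticationProvider compares the submitted password with the stored hash.
        DaoAuthenticationProvider provider = new DaoAuthenticationProvider();
        provider.setUserDetailsService(users);
        provider.setPasswordEncoder(encoder);
        AuthenticationManager manager = new ProviderManager(provider);

        // This is what UsernamePasswordAuthenticationFilter builds from the login request.
        Authentication request = new UsernamePasswordAuthenticationToken("alice", "s3cret");
        Authentication result = manager.authenticate(request);

        // The filter stores the authenticated token; later filters and controllers read it from here.
        SecurityContextHolder.getContext().setAuthentication(result);
        System.out.println("authenticated=" + result.isAuthenticated() + " authorities=" + result.getAuthorities());
        System.out.println("credentials erased by ProviderManager: " + (result.getCredentials() == null));

        // Default strategy is MODE_THREADLOCAL, so another thread sees no authentication.
        Thread other = new Thread(() -> System.out.println("other thread sees: "
                + SecurityContextHolder.getContext().getAuthentication()));
        other.start();
        other.join();

        // A wrong password is rejected by the provider, not by developer code.
        try {
            manager.authenticate(new UsernamePasswordAuthenticationToken("alice", "wrong"));
        } catch (BadCredentialsException e) {
            System.out.println("rejected: " + e.getMessage());
        }

        // What SecurityContextPersistenceFilter does when the request ends.
        SecurityContextHolder.clearContext();
    }
}
```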

 

- OAuth2 authorization endpoint: AuthorizationEndpoint
- OAuth2 token endpoint: TokenEndpoint
- OAuth2 filter: OAuth2AuthenticationProcessingFilter


Origin http://43.154.161.224:23101/article/api/json?id=324205660&siteId=291194637