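/**
 * Builds the resource-server filter chain. Bearer JWTs are mapped to a
 * {@link JwtAuthenticationToken} whose authorities are taken from the
 * {@code roles} entry of the token's {@code realm_access} claim, each
 * prefixed with {@code ROLE_}.
 *
 * <p>A token that has no {@code realm_access} claim, or no {@code roles}
 * entry inside it, is given an empty authority list. Dereferencing the
 * missing claim would otherwise throw a NullPointerException inside the
 * converter, surfacing as a server error rather than an access decision.
 *
 * @param httpSecurity the builder supplied by Spring Security
 * @return the built filter chain
 * @throws Exception if the chain cannot be built
 */
@Bean
public SecurityFilterChain securityFilterChain(HttpSecurity httpSecurity) throws Exception {
    // NOTE(review): no authorizeHttpRequests(...) rules are configured in this method.
    // Unless they are declared elsewhere (or method security is enabled), this chain does
    // not require requests to be authenticated. Confirm against the full configuration.
    httpSecurity.oauth2ResourceServer(oauth2Configurer -> oauth2Configurer.jwt(jwtConfigurer ->
        jwtConfigurer.jwtAuthenticationConverter(jwt -> {
            // The converter only maps claims to authorities; it performs no validation itself.
            // NOTE(review): getClaim is an unchecked generic read. A realm_access claim with a
            // different shape would fail with a ClassCastException. Confirm the issuer's format.
            Map<String, Collection<String>> realmAccess = jwt.getClaim("realm_access");
            Collection<String> claimedRoles = realmAccess == null ? null : realmAccess.get("roles");
            // Fail closed: a missing claim means no roles, not an exception.
            Collection<String> roles =
                claimedRoles == null ? java.util.List.<String>of() : claimedRoles;
            var grantedAuthorities = roles.stream()
                .map(role -> new SimpleGrantedAuthority("ROLE_" + role))
                .toList();
            return new JwtAuthenticationToken(jwt, grantedAuthorities);
        })));
    // Authenticated callers lacking the required authority are routed to the custom handler.
    httpSecurity.exceptionHandling(handleConfig -> handleConfig.accessDeniedHandler(m_AccessDeniedHandler));
    return httpSecurity.build();
}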
1.OAuth2ResourceServerConfigurer
核心功能包含:
- 创建JwtConfigurer实例。
- 创建JwtConfigurer实例中的实例变量jwtAuthenticationConverter:Converter类型(此处以Lambda表达式实现)。该Lambda表达式的实际逻辑是从JWT token中解析出realm_access属性的value,取其中的roles转换为authorities,最终封装为JwtAuthenticationToken实例返回。
public final class OAuth2ResourceServerConfigurer{
// Starts as null; jwt(...) creates it on first use (see the null check there).
private JwtConfigurer jwtConfigurer;
// Created together with the configurer.
// NOTE(review): presumably used to select requests that carry a bearer token. Its use is not visible in this excerpt.
private BearerTokenRequestMatcher requestMatcher = new BearerTokenRequestMatcher();
public OAuth2ResourceServerConfigurer<H> jwt(Customizer<JwtConfigurer> jwtCustomizer) {
if (this.jwtConfigurer == null) {
this.jwtConfigurer = new JwtConfigurer(this.context);
}
// JwtConfigurer#jwtAuthenticationConverter
jwtCustomizer.customize(this.jwtConfig




