When Spring Security is used for access control, a successful login creates the corresponding authorization information, which is then persisted through the configured TokenStore implementation. When the user later calls a protected endpoint, the authentication is looked up using the token the client sends. Let's first look at the TokenStore interface definition:
```java
import java.util.Collection;

import org.springframework.security.oauth2.common.OAuth2AccessToken;
import org.springframework.security.oauth2.common.OAuth2RefreshToken;
import org.springframework.security.oauth2.provider.OAuth2Authentication;

public interface TokenStore {

    /**
     * Read the authentication stored under the specified token value.
     *
     * @param token The token value under which the authentication is stored.
     * @return The authentication, or null if none.
     */
    OAuth2Authentication readAuthentication(OAuth2AccessToken token);

    /**
     * Read the authentication stored under the specified token value.
     *
     * @param token The token value under which the authentication is stored.
     * @return The authentication, or null if none.
     */
    OAuth2Authentication readAuthentication(String token);

    /**
     * Store an access token.
     *
     * @param token The token to store.
     * @param authentication The authentication associated with the token.
     */
    void storeAccessToken(OAuth2AccessToken token, OAuth2Authentication authentication);

    /**
     * Read an access token from the store.
     *
     * @param tokenValue The token value.
     * @return The access token to read.
     */
    OAuth2AccessToken readAccessToken(String tokenValue);

    /**
     * Remove an access token from the store.
     *
     * @param token The token to remove from the store.
     */
    void removeAccessToken(OAuth2AccessToken token);

    /**
     * Store the specified refresh token in the store.
     *
     * @param refreshToken The refresh token to store.
     * @param authentication The authentication associated with the refresh token.
     */
    void storeRefreshToken(OAuth2RefreshToken refreshToken, OAuth2Authentication authentication);

    /**
     * Read a refresh token from the store.
     *
     * @param tokenValue The value of the token to read.
     * @return The token.
     */
    OAuth2RefreshToken readRefreshToken(String tokenValue);

    /**
     * @param token a refresh token
     * @return the authentication originally used to grant the refresh token
     */
    OAuth2Authentication readAuthenticationForRefreshToken(OAuth2RefreshToken token);

    /**
     * Remove a refresh token from the store.
     *
     * @param token The token to remove from the store.
     */
    void removeRefreshToken(OAuth2RefreshToken token);

    /**
     * Remove an access token using a refresh token. This functionality is necessary so refresh tokens can't be used to
     * create an unlimited number of access tokens.
     *
     * @param refreshToken The refresh token.
     */
    void removeAccessTokenUsingRefreshToken(OAuth2RefreshToken refreshToken);

    /**
     * Retrieve an access token stored against the provided authentication key, if it exists.
     *
     * @param authentication the authentication key for the access token
     *
     * @return the access token or null if there was none
     */
    OAuth2AccessToken getAccessToken(OAuth2Authentication authentication);

    /**
     * @param clientId the client id to search
     * @param userName the user name to search
     * @return a collection of access tokens
     */
    Collection<OAuth2AccessToken> findTokensByClientIdAndUserName(String clientId, String userName);

    /**
     * @param clientId the client id to search
     * @return a collection of access tokens
     */
    Collection<OAuth2AccessToken> findTokensByClientId(String clientId);
}
```
Common TokenStore implementations include InMemoryTokenStore (stored in local memory), JdbcTokenStore (stored in a database), JwkTokenStore (all information is returned to the client) and RedisTokenStore (stored in Redis). Because authentication is invoked so frequently, RedisTokenStore or JwkTokenStore is generally recommended. This article only gives a brief overview of what RedisTokenStore stores.
The five keys above are related to the accessToken:
auth_to_access: this key is used by the OAuth2AccessToken getAccessToken(OAuth2Authentication authentication) method to look up the OAuth2AccessToken object from the authentication information.
client_id_to_access: this key is used by the Collection<OAuth2AccessToken> findTokensByClientId(String clientId) method.
uname_to_access: used by the Collection<OAuth2AccessToken> findTokensByClientIdAndUserName(String clientId, String userName) method.
auth: used by the OAuth2Authentication readAuthentication(String token) method.
PS:
The RedisTokenStore implemented by Spring Security does not use a Redis connection pool; I modified it for my own production use.
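As an added example (not code from the original post or from Spring Security), the following configuration wires a RedisTokenStore on top of a pooled JedisConnectionFactory, gives its keys a prefix so they are easy to tell apart in a shared Redis instance, and uses the findTokensByClientIdAndUserName / removeAccessToken / removeRefreshToken methods from the interface above to revoke every token a user holds for one client, which is what an operator needs after a credential compromise. The class name, pool sizes, prefix and localhost:6379 are assumptions; the Spring Data Redis and Jedis classes are real.

```java
import java.util.Collection;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.data.redis.connection.RedisConnectionFactory;
import org.springframework.data.redis.connection.RedisStandaloneConfiguration;
import org.springframework.data.redis.connection.jedis.JedisClientConfiguration;
import org.springframework.data.redis.connection.jedis.JedisConnectionFactory;
import org.springframework.security.oauth2.common.OAuth2AccessToken;
import org.springframework.security.oauth2.common.OAuth2RefreshToken;
import org.springframework.security.oauth2.provider.token.TokenStore;
import org.springframework.security.oauth2.provider.token.store.redis.RedisTokenStore;
import redis.clients.jedis.JedisPoolConfig;

@Configuration
public class PooledRedisTokenStoreConfig { // hypothetical class name

    // Pooled connection factory; host, port and pool sizes are assumed values,
    // in practice they come from application properties.
    @Bean
    public RedisConnectionFactory redisConnectionFactory() {
        JedisPoolConfig pool = new JedisPoolConfig();
        pool.setMaxTotal(32);
        pool.setMaxIdle(8);
        pool.setMinIdle(2);
        JedisClientConfiguration client = JedisClientConfiguration.builder()
                .usePooling().poolConfig(pool).build();
        return new JedisConnectionFactory(
                new RedisStandaloneConfiguration("localhost", 6379), client);
    }

    @Bean
    public TokenStore tokenStore(RedisConnectionFactory factory) {
        RedisTokenStore store = new RedisTokenStore(factory);
        // Namespaces every key (auth:, auth_to_access:, client_id_to_access:,
        // uname_to_access:, ...) so token data is separable from other data in Redis.
        store.setPrefix("oauth2:");
        return store;
    }

    /** Revoke all access and refresh tokens one user holds for one client. Returns the number revoked. */
    public static int revokeUserTokens(TokenStore store, String clientId, String userName) {
        Collection<OAuth2AccessToken> tokens = store.findTokensByClientIdAndUserName(clientId, userName);
        for (OAuth2AccessToken token : tokens) {
            OAuth2RefreshToken refresh = token.getRefreshToken();
            if (refresh != null) {
                store.removeRefreshToken(refresh); // otherwise the refresh token could mint a new access token
            }
            store.removeAccessToken(token); // also drops the auth / auth_to_access entries and the index lists
        }
        return tokens.size();
    }
}
```

Call revokeUserTokens(tokenStore, clientId, userName) from an administrative endpoint or incident-response script; subsequent requests with the old tokens will fail readAuthentication and be rejected.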