# OAuth 2.0 Resource Server

Spring Security supports protecting endpoints with two forms of OAuth 2.0 [Bearer Tokens](https://tools.ietf.org/html/rfc6750.html):

* [JWT](https://tools.ietf.org/html/rfc7519)
* Opaque Tokens

This is handy in the circumstance where an application has delegated its authority management to an [authorization server](https://tools.ietf.org/html/rfc6749) (for example, Okta or Ping Identity). The resource server can consult that authorization server to authorize requests.

This section details how Spring Security provides support for OAuth 2.0 [Bearer Tokens](https://tools.ietf.org/html/rfc6750.html).

| | Working samples for both [JWTs](https://github.com/spring-projects/spring-security-samples/tree/5.6.x/servlet/spring-boot/java/oauth2/resource-server/jwe) and [Opaque Tokens](https://github.com/spring-projects/spring-security-samples/tree/5.6.x/servlet/spring-boot/java/oauth2/resource-server/opaque) are available in the [Spring Security Samples repository](https://github.com/spring-projects/spring-security-samples/tree/5.6.x). |
|---|---|

Let's take a look at how Bearer Token Authentication works within Spring Security. First, we see that, like [Basic Authentication](../../authentication/passwords/basic.html#servlet-authentication-basic), the [WWW-Authenticate](https://tools.ietf.org/html/rfc7235#section-4.1) header is sent back to an unauthenticated client.

![BearerTokenAuthenticationEntryPoint](https://docs.spring.io/spring-security/reference/_images/servlet/oauth2/bearerauthenticationentrypoint.png)

Figure 1. Sending WWW-Authenticate Header

The figure above builds off our [`SecurityFilterChain`](../../architecture.html#servlet-securityfilterchain) diagram.

![number 1](https://docs.spring.io/spring-security/reference/_images/icons/number_1.png) First, a user makes an unauthenticated request to the resource `/private`.

![number 2](https://docs.spring.io/spring-security/reference/_images/icons/number_2.png) Spring Security's [`FilterSecurityInterceptor`](../../authorization/authorize-requests.html#servlet-authorization-filtersecurityinterceptor) indicates that the unauthenticated request is *Denied* by throwing an `AccessDeniedException`.

![number 3](https://docs.spring.io/spring-security/reference/_images/icons/number_3.png) Since the user is not authenticated, [`ExceptionTranslationFilter`](../../architecture.html#servlet-exceptiontranslationfilter) initiates *Start Authentication*. The configured [`AuthenticationEntryPoint`](../../authentication/architecture.html#servlet-authentication-authenticationentrypoint) is an instance of [`BearerTokenAuthenticationEntryPoint`](https://docs.spring.io/spring-security/site/docs/5.6.2/api/org/springframework/security/oauth2/server/resource/web/BearerTokenAuthenticationEntryPoint.html), which sends a `WWW-Authenticate` header. The `RequestCache` is typically a `NullRequestCache` that does not save the request, since the client is capable of replaying the request it originally made.

When a client receives the `WWW-Authenticate: Bearer` header, it knows it should retry with a bearer token. Below is the flow for the bearer token being processed.

![BearerTokenAuthenticationFilter](https://docs.spring.io/spring-security/reference/_images/servlet/oauth2/bearertokenauthenticationfilter.png)

Figure 2. Authenticating Bearer Token

This figure builds off our [`SecurityFilterChain`](../../architecture.html#servlet-securityfilterchain) diagram.

![number 1](https://docs.spring.io/spring-security/reference/_images/icons/number_1.png) When the user submits their bearer token, the `BearerTokenAuthenticationFilter` creates a `BearerTokenAuthenticationToken`, which is a type of [`Authentication`](../../authentication/architecture.html#servlet-authentication-authentication), by extracting the token from the `HttpServletRequest`.

![number 2](https://docs.spring.io/spring-security/reference/_images/icons/number_2.png) Next, the `HttpServletRequest` is passed to the `AuthenticationManagerResolver`, which selects the `AuthenticationManager`. The `BearerTokenAuthenticationToken` is passed into that `AuthenticationManager` to be authenticated. What the `AuthenticationManager` looks like depends on whether you are configured for [JWT](jwt.html#oauth2resourceserver-jwt-minimalconfiguration) or [opaque tokens](opaque-token.html#oauth2resourceserver-opaque-minimalconfiguration).

![number 3](https://docs.spring.io/spring-security/reference/_images/icons/number_3.png) If authentication fails, then *Failure*:

* The [SecurityContextHolder](../../authentication/architecture.html#servlet-authentication-securitycontextholder) is cleared out.
* The `AuthenticationEntryPoint` is invoked to trigger the `WWW-Authenticate` header to be sent again.

![number 4](https://docs.spring.io/spring-security/reference/_images/icons/number_4.png) If authentication is successful, then *Success*:

* The [Authentication](../../authentication/architecture.html#servlet-authentication-authentication) is set on the [SecurityContextHolder](../../authentication/architecture.html#servlet-authentication-securitycontextholder).
* The `BearerTokenAuthenticationFilter` invokes `FilterChain.doFilter(request, response)` to continue with the rest of the application logic.
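The following configuration is an added example, not code from the Spring Security reference or its samples. It wires the flow above explicitly: `/private` requires authentication (so an unauthenticated request produces the `WWW-Authenticate: Bearer` challenge from `BearerTokenAuthenticationEntryPoint`), and a custom `AuthenticationManagerResolver<HttpServletRequest>` implements step 2, choosing between a JWT `AuthenticationManager` and an opaque-token `AuthenticationManager` for each request. The issuer URL, introspection endpoint, client ID and secret are assumed placeholder values; the `looksLikeJwt` routing heuristic and `ResourceServerConfig` class name are this example's own, not a Spring API.

```java
import javax.servlet.http.HttpServletRequest;

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.authentication.AuthenticationManager;
import org.springframework.security.authentication.ProviderManager;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.oauth2.jwt.JwtDecoder;
import org.springframework.security.oauth2.jwt.JwtDecoders;
import org.springframework.security.oauth2.server.resource.authentication.JwtAuthenticationProvider;
import org.springframework.security.oauth2.server.resource.authentication.OpaqueTokenAuthenticationProvider;
import org.springframework.security.oauth2.server.resource.introspection.NimbusOpaqueTokenIntrospector;
import org.springframework.security.oauth2.server.resource.web.DefaultBearerTokenResolver;
import org.springframework.security.web.SecurityFilterChain;

@Configuration
public class ResourceServerConfig {

    // Assumed values for this example; point them at your real authorization server.
    private static final String ISSUER = "https://auth.example.com";
    private static final String INTROSPECTION_URI = "https://auth.example.com/oauth2/introspect";
    private static final String CLIENT_ID = "resource-server";
    private static final String CLIENT_SECRET = "change-me"; // load from a secret store in a real deployment

    private final DefaultBearerTokenResolver tokenResolver = new DefaultBearerTokenResolver();
    private final AuthenticationManager jwtManager;
    private final AuthenticationManager opaqueManager;

    public ResourceServerConfig() {
        // Build both managers once at startup. The resolver runs on every request,
        // so it must not fetch discovery metadata or JWK sets itself.
        JwtDecoder jwtDecoder = JwtDecoders.fromIssuerLocation(ISSUER); // validates signature, iss, exp, nbf
        this.jwtManager = new ProviderManager(new JwtAuthenticationProvider(jwtDecoder));

        NimbusOpaqueTokenIntrospector introspector =
                new NimbusOpaqueTokenIntrospector(INTROSPECTION_URI, CLIENT_ID, CLIENT_SECRET);
        this.opaqueManager = new ProviderManager(new OpaqueTokenAuthenticationProvider(introspector));
    }

    @Bean
    SecurityFilterChain resourceServerFilterChain(HttpSecurity http) throws Exception {
        http
            // Step 1/2 of Figure 1: /private is protected, everything else is open.
            .authorizeRequests(authz -> authz
                .antMatchers("/private/**").authenticated()
                .anyRequest().permitAll())
            // Installs BearerTokenAuthenticationFilter and BearerTokenAuthenticationEntryPoint;
            // the resolver below is what Figure 2, step 2 calls for each request.
            .oauth2ResourceServer(oauth2 -> oauth2
                .authenticationManagerResolver(this::selectManager));
        return http.build();
    }

    /** Figure 2, step 2: pick the AuthenticationManager for this HttpServletRequest. */
    AuthenticationManager selectManager(HttpServletRequest request) {
        // Same extraction BearerTokenAuthenticationFilter performs: "Authorization: Bearer <token>".
        // Returns null when the header is absent; a malformed header raises OAuth2AuthenticationException,
        // which the filter turns into the WWW-Authenticate challenge (Figure 2, step 3).
        String token = tokenResolver.resolve(request);
        return looksLikeJwt(token) ? jwtManager : opaqueManager;
    }

    /**
     * Example routing heuristic (not a Spring API): a JWS compact serialization is exactly three
     * base64url segments separated by two dots. This only chooses which manager runs; the chosen
     * manager still fully validates the token, so a client gains nothing by shaping a token to
     * steer the choice. Fails closed to the opaque path for null or oddly shaped input.
     */
    static boolean looksLikeJwt(String token) {
        if (token == null) {
            return false;
        }
        String[] parts = token.split("\\.", -1);
        if (parts.length != 3) {
            return false;
        }
        for (String part : parts) {
            if (!part.matches("[A-Za-z0-9_-]+")) {
                return false;
            }
        }
        return true;
    }
}
```

With this in place, `GET /private` without a token yields `401` with `WWW-Authenticate: Bearer`; a valid JWT is verified locally against the issuer's JWK set, and a valid opaque token is introspected at the authorization server. If you route by issuer rather than by token shape (multi-tenant resource servers), Spring Security's `JwtIssuerAuthenticationManagerResolver` does that for JWTs without a hand-written resolver.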