spring oauth2过滤器链初始化图

setApplicationContext()#1.authenticationBuilder:DefaultPasswordEncoderAuthenticationManagerBuilder2.localConfigureAuthenticationBldr:WebSecurityConfigurerAdapter

对securityFilterChainBuilders列表里面的SecurityBuilder<? extends SecurityFilterChain>依次进行build()操作，然后添加进securityFilterChains的列表中

@BeanwhitelabelApprovalEndpoint()return new whitelabelApprovalEndpoint()

设置clientDetailsService，AuthorizationServerEndpointsConfigurer#setClientDetailsService(ClientDetailsService clientDetailsService)

1.设置UserApprovalPage：\"/oauth/confirm_access\"；2.ProviderExceptionHandler；3.ErrorPage：\"/oauth/error\"；4.TokenGranter；5.clientDetailsService；6.authorizationCodeServices7.oauth2RequestFactory；8.oauth2RequestValidator；9.userApprovalHandler；10.redirectResolver

和①号构建过程相同，只不过少了AuthorizationServerSecurityConfigurer及其相关的过滤器和BasicAuthenticationFilter多了UsernamePasswordAuthenticationFilter，DefaultLoginPageGeneratingFilter，DefaultLogoutPageGeneratingFilter

WebSecurity#performBuild()

HttpSecurity#getOrApply(C configurer)

和前面的AuthorizationServerSecurityConfiguration对应的过滤器链步骤一致从#createSharedObjects()到configure(http)

AbstractConfiguredSecurityBuilder#apply(C configurer)

#add(C configurer)

@Beanoauth2EndpointHandlerMapping()

1.configure(localConfigureAuthenticationBldr)2.localConfigureAuthenticationBldr.build()构建authenticationManager对象，此处为ProviderManager

TokenKeyEndpointRegistrar#postProcessBeanDefinitionRegistry(BeanDefinitionRegistry registry)

子类一：Oauth2WebSecurityConfig#init()

#userDetailsService()

1.configure(localConfigureAuthenticationBldr)，其实并没有做任何操作2.localConfigureAuthenticationBldr.build()构建authenticationManager对象，此时返回的是null

子类一adapter初始化子流程

AutowiredWebSecurityConfigurersIgnoreParents#getWebSecurityConfigurers()返回子类一和二的两个cglib代理对象：Oauth2WebSecurityConfig$$enhanceAuthorizationServerSecurityConfiguration$$enhance

往下的箭头是整个流程主线，往右的是属于同一个类或者是当前方法的主要逻辑

2.的具体添加流程

这边创建的都是DefaultXXX比如：DefaultAccessTokenConverter

AuthorizationServerSecurityConfigurer#init(HttpSecurity http)

DefaultSecurityFilterChain#有参构造方法init

WebSecurityConfigurerAdapter   实现   WebSecurityConfigurer<WebSecurity>接口  继承  SecurityConfigurer接口  （主要就是对SB的init和configure）所以可以创建多个配置类继承WebSecurityConfigurerAdapter，甚至说可以添加多个@EnableWebSecurity，只要设置@Order不一致就行

WebSecurityConfiguration#setFilterChainProxySecurityConfigurer(）

@BeanauthorizationEndpoint()返回一个初始化好的new AuthorizationEndpoint（）

#createSharedObjects()

先对排在前面的securityFilterChainBuilder①号，这里可以指包含AuthorizationServerSecurityConfigurer

AuthorizationServerEndpointsConfigurer#tokenServices(AuthorizationServerTokenServices tokenServices)获取的是DefaultTokenServices，顺便将tokenServicesOverride变为了true

父类：WebSecurityConfigurerAdapter#init()

AbstractConfiguredSecurityBuilder#doBuild()然后经过一系列的#beforeInit()#init()#beforeConfigure()#configure()#performBuild()返回null

configure(http)

#createInstance()

endpoints里面的tokenServices由null变成了DefaultTokenServices

@Autowired注入AuthenticationConfiguration

1.new AuthorizationServerSecurityConfigurer()并通过http.apply(configurer)添加到configurers的list中2.configure(configurer);使自定义的AuthorizationServerSecurityConfigurer security生效3.对于http的一些增强，初始赋值，包括但不限于tokenEndpointPath等

@BeanwhitelabelErrorEndpoint()

WebSecurityConfiguration#autowiredWebSecurityConfigurersIgnoreParents(beanFactory)

AbstractConfiguredSecurityBuilder#init()

endpoints.isTokenServicesOverride()为false

@BeandefaultAuthorizationServerTokenServices()此时初始化的endpoints里面的属性还都是null或false

HttpSecurity#addFilter(Filter filter)往HttpSecurity#List<Filter> filters中添加WebAsyncManagerIntegrationFilter这边可以做个扩展，可以通过http.addFilter在当前这条过滤链上添加自定义过滤器

#createDefaultTokenServices()该方法设置以下东西：1.tokenStore（策略：只要不是accessTokenConverter，则为new InMemoryTokenStore()，否则为JwtTokenStore）2.SupportRefreshToken3.ReuseRefreshToken4.ClientDetailsService5.TokenEnhancer最后返回初始化好的DefaultTokenServices

依次对configurersAddedInInitializing列表中的SecurityConfigurer进行init，比如上一步中完成初始化的HttpBasicConfigurer

http.userDetailsService#改变默认的userdetailsService

1.clientDetailsService；2.ProviderExceptionHandler；3.TokenGranter；4.oauth2RequestFactory；5.oauth2RequestValidator；6.AllowedRequestMethods

AuthorizationServerEndpointsConfiguration#getEndpointsConfigurer()

添加一个Configurer具体流程比如：CsrfConfigurer

#performBuild()返回ProviderManager

子类二adapter初始化子流程

init所操作的一切

HttpSecurity#beforeConfigure()

#getHttp()获得一个HttpSecurity对象

1.获得一个globalAuthBuilder#DefaultPasswordEncoderAuthenticationManagerBuilder2.返回一个UserDetailsServiceDelegator（Arrays.asList(span style=\"font-size: inherit;\

AuthorizationServerSecurityConfigurer#registerDefaultAuthenticationEntryPoint

#authenticationManager()获得一个AuthenticationManager对象ProviderManager

创建过滤器链webSecurity.build()

AuthenticationManagerBuilder#构造函数将provider添加进List<AuthenticationProvider> authenticationProviders的list中

AbstractConfiguredSecurityBuilder#doBuild()最终返回一个DefaultSecurityFilterChain过滤器链

例：AuthorizationServerSecurityConfigurer

WebSecurity#addSecurityFilterChainBuilder

②号securityFilterChainBuilder开始构建

创建的是排好序的order为100Oauth2WebSecurityConfig对应的过滤器链

#init()此时的configurer是DaoAuthenticationConfigurer

WebSecurityConfiguration#springSecurityFilterChain()

创建的是排好序的order为0的AuthorizationServerSecurityConfiguration对应的过滤器链

分清XXXXConfiguration和XXXXConfigurer可以将前者理解把控大方向，后者为具体操作

AuthorizationServerEndpointsConfiguration#@PostConstruct#init()

1.设置AuthenticationEntryPoint的值为BasicAuthenticationEntryPoint

依次对configurers列表中的SecurityConfigurer进行init，比如：CsrfConfigurer，AuthorizationServerSecurityConfigurer

AbstractConfiguredSecurityBuilder#doBuild()

#configure()

postBuildAction

getAuthenticationRegistry().build()最后返回的是ProviderManager

HttpSecurity#getOrApply添加一系列XXXConfigurer<>比如：CsrfConfigurer

AbstractConfiguredSecurityBuilder#doBuild()最后返回一个ProviderManager

@BeancheckTokenEndpoint()返回一个初始化好的new CheckTokenEndpoint(getEndpointsConfigurer().getResourceServerTokenServices())

true

WebSecurityConfigurerAdapter#init(final WebSecurity web)

AbstractConfiguredSecurityBuilder#configure()对自定义类中configure(WebSecurity web)进行操作

@BeanconsumerTokenServices()

对List<AuthorizationServerConfigurer> configurers依次进行configure比如CustomAuthorizationServerConfig#configure(AuthorizationServerEndpointsConfigurer endpoints)

CustomAuthorizationServerConfig 继承 AuthorizationServerConfigurerAdapter 继承 AuthorizationServerConfigurer

必走

#authenticationManager()获得一个AuthenticationManager对象

!disableDefaults

①号securityFilterChainBuilder构建完成

静态类AuthorizationServerTokenServicesFactoryBean加载

1.对前面的两个代理对象进行排序2.将排好序的两个代理添加进AbstractConfiguredSecurityBuilderspan style=\"font-size: inherit;\

tokenServices为null

inti()

子类#authenticationManagerBean()引发父类创建AuthenticationManagerDelegator

@BeantokenEndpoint()返回一个初始化好的new TokenEndpoint()

AbstractDaoAuthenticationConfigurer#configure()给provider赋值DaoAuthenticationProvider

自定义对象Oauth2WebSecurityConfig#configure(HttpSecurity http)

AuthorizationServerSecurityConfiguration#configure(HttpSecurity http)

存在子类二的情况下AuthorizationServerSecurityConfiguration#init()

对http进行一些扩展填充

AuthorizationServerEndpointsConfigurer#getDefaultAuthorizationServerTokenServices()