spring-oauth2 login success handler

Is there a way to add a login success handler using spring-oauth2?

I tried using the basic authentication filter, but it only filters the client credentials, not the user credentials.

Or do I need to create a custom user authentication manager?

TIA

This solution works for the password flow; for the others I am not sure. You can add a custom filter at position `before="BASIC_AUTH_FILTER"` in the http tag of the oauth-server configuration, and it can be done by parsing the response of `oauth/token`, so create a ByteArrayResponseWrapper to capture the response. Here I am using the TeeOutputStream class from "org.apache.commons commons-io":

```java
import java.io.ByteArrayOutputStream;
import java.io.IOException;

import javax.servlet.ServletOutputStream;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpServletResponseWrapper;

import org.apache.commons.io.output.TeeOutputStream;
// DelegatingServletOutputStream lives in spring-test (org.springframework.mock.web)
import org.springframework.mock.web.DelegatingServletOutputStream;

public class ByteArrayResponseWrapper extends HttpServletResponseWrapper {

    // keeps a copy of everything the token endpoint writes to the client
    private final ByteArrayOutputStream byteArrayOutputStream = new ByteArrayOutputStream();

    public ByteArrayResponseWrapper(ServletResponse response) {
        super((HttpServletResponse) response);
    }

    @Override
    public ServletOutputStream getOutputStream() throws IOException {
        // tee: bytes go both to the real response and to the in-memory buffer
        return new DelegatingServletOutputStream(
                new TeeOutputStream(super.getOutputStream(), byteArrayOutputStream));
    }

    public byte[] getByteArray() {
        return this.byteArrayOutputStream.toByteArray();
    }
}
```

I have created a token extractor to keep the code that extracts the access_token separate:

```java
import java.io.IOException;

import com.fasterxml.jackson.databind.ObjectMapper;
import org.springframework.security.oauth2.common.OAuth2AccessToken;

// OAuth2AccessToken carries Jackson (de)serializer annotations, so a plain
// ObjectMapper can read the token endpoint's JSON body directly
public class OAuth2AccessTokenExtractor {

    private final ObjectMapper mapper = new ObjectMapper();

    public String getAccessTokenValue(byte[] response) {
        try {
            return mapper.readValue(response, OAuth2AccessToken.class).getValue();
        } catch (IOException e) {
            // JsonParseException and JsonMappingException are both IOExceptions
            e.printStackTrace();
        }
        return null;
    }
}
```

After creating your filter, override doFilter like this:

```java
import java.io.IOException;

import javax.servlet.FilterChain;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;

import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.security.oauth2.common.OAuth2AccessToken;
import org.springframework.security.oauth2.common.util.OAuth2Utils;
import org.springframework.security.oauth2.provider.OAuth2Authentication;
import org.springframework.security.oauth2.provider.token.DefaultTokenServices;
import org.springframework.web.filter.GenericFilterBean;

// class name is arbitrary; GenericFilterBean supplies init()/destroy()
public class OAuth2LoginSuccessFilter extends GenericFilterBean {

    private static final Log log = LogFactory.getLog(OAuth2LoginSuccessFilter.class);

    private DefaultTokenServices tokenServices;
    private OAuth2AccessTokenExtractor tokenExtractor = new OAuth2AccessTokenExtractor();

    // inject the same DefaultTokenServices bean the token endpoint uses
    public void setTokenServices(DefaultTokenServices tokenServices) {
        this.tokenServices = tokenServices;
    }

    @Override
    public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
            throws IOException, ServletException {
        // create wrapper to read the response body
        ByteArrayResponseWrapper responseWrapper = new ByteArrayResponseWrapper(response);
        // let the request go through the rest of the chain (BasicAuthenticationFilter, token endpoint)
        chain.doFilter(request, responseWrapper);
        // get the client authentication set by the basic auth filter
        Authentication clientAuthentication = SecurityContextHolder.getContext().getAuthentication();
        // is the client authenticated or not
        if (clientAuthentication != null && clientAuthentication.isAuthenticated()) {
            // callback: client authenticated successfully
            onSuccessfulClientAuthentication(request, response, clientAuthentication);
            // check whether the response status is success or failure
            if (responseWrapper.getStatus() == 200) {
                // extract the access token from the response body
                String token = tokenExtractor.getAccessTokenValue(responseWrapper.getByteArray());
                if (token != null && !token.isEmpty()) {
                    // load the authentication bound to the token
                    OAuth2Authentication oAuth2Authentication = this.tokenServices.loadAuthentication(token);
                    OAuth2AccessToken actualAccessToken = this.tokenServices.getAccessToken(oAuth2Authentication);
                    // callback: user authenticated successfully
                    onSuccessfulUserAuthentication(request, response, clientAuthentication,
                            oAuth2Authentication, actualAccessToken);
                } else {
                    log.error("access token is empty from extractor");
                }
            } else {
                // callback: user authentication failed
                onFailureUserAuthentication(request, response, clientAuthentication,
                        request.getParameter("username"));
            }
        } else {
            // callback: client authentication failed
            onFailClientAuthentication(request, response, request.getParameter(OAuth2Utils.CLIENT_ID));
        }
    }

    protected void onSuccessfulClientAuthentication(ServletRequest request, ServletResponse response,
            Authentication authentication) {
    }

    protected void onFailClientAuthentication(ServletRequest request, ServletResponse response,
            String clientId) {
    }

    protected void onSuccessfulUserAuthentication(ServletRequest request, ServletResponse response,
            Authentication clientAuthentication, OAuth2Authentication userOAuth2Authentication,
            OAuth2AccessToken token) {
    }

    protected void onFailureUserAuthentication(ServletRequest request, ServletResponse response,
            Authentication clientAuthentication, String username) {
    }
}
```

And inject tokenServices when creating the filter instance. Now onSuccessfulClientAuthentication, onFailClientAuthentication, onSuccessfulUserAuthentication and onFailureUserAuthentication will be called according to your authentication.

You can refer to this code on github.

Edit:

The snippet above works fine when you have the default token response; it just uses a ServletResponseWrapper and unpacks it. But it still looks fragile, so you can learn about the success of user authentication through the org.springframework.security.oauth2.provider.token.TokenEnhancer class instead.

Please follow this answer for details.
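As an added illustration of the TokenEnhancer route the edit above points at (this is not the answer's own code and is not taken from its GitHub link), here is an enhancer that reports a successful password-grant login once the token endpoint has authenticated both the client and the user. The `LoginSuccessCallback` interface and the class name are my own; the TokenEnhancer, OAuth2Authentication and OAuth2AccessToken types are the real spring-security-oauth2 ones.

```java
import org.springframework.security.core.Authentication;
import org.springframework.security.oauth2.common.OAuth2AccessToken;
import org.springframework.security.oauth2.provider.OAuth2Authentication;
import org.springframework.security.oauth2.provider.token.TokenEnhancer;

// Runs inside DefaultTokenServices.createAccessToken(), i.e. only after the
// token endpoint has already authenticated the client and (for the password
// grant) the user. It never sees failed logins.
public class LoginSuccessTokenEnhancer implements TokenEnhancer {

    // hypothetical callback; replace with your audit log / event publisher
    public interface LoginSuccessCallback {
        void onSuccess(String clientId, String username, OAuth2AccessToken token);
    }

    private final LoginSuccessCallback callback;

    public LoginSuccessTokenEnhancer(LoginSuccessCallback callback) {
        this.callback = callback;
    }

    @Override
    public OAuth2AccessToken enhance(OAuth2AccessToken accessToken, OAuth2Authentication authentication) {
        String clientId = authentication.getOAuth2Request().getClientId();
        // client_credentials grants have no user authentication at all
        Authentication user = authentication.getUserAuthentication();
        if (!authentication.isClientOnly() && user != null && user.isAuthenticated()) {
            // report who logged in through which client; the token value itself
            // is available but is best kept out of logs
            callback.onSuccess(clientId, user.getName(), accessToken);
        }
        // return the token unchanged; this enhancer is an observer, not a rewriter
        return accessToken;
    }
}
```

Wire it with `DefaultTokenServices.setTokenEnhancer(...)`, or put it into a `TokenEnhancerChain` if you also use a `JwtAccessTokenConverter`. One caveat for audit logging: `DefaultTokenServices` returns an existing, unexpired token for the same client and user without calling the enhancer, so a repeated password-grant login while a token is still valid does not trigger the callback, and failed logins are never seen here at all; for those, listen for Spring Security's authentication failure events instead.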

We built a custom authentication manager which we wired into OAuth2AuthenticationProcessingFilter to accomplish this. The manager's authenticate method is able to unpack the OAuth2Authentication and OAuth2AuthenticationDetails from the authentication principal.
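An added example of the decorator pattern this answer describes (my own code, not the answerer's): an AuthenticationManager that delegates to Spring's OAuth2AuthenticationManager for the actual bearer-token check and then inspects the resulting OAuth2Authentication and its OAuth2AuthenticationDetails. The class name is arbitrary; the delegate, token services and details types are the real spring-security-oauth2 ones.

```java
import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
import org.springframework.security.authentication.AuthenticationManager;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.AuthenticationException;
import org.springframework.security.oauth2.provider.OAuth2Authentication;
import org.springframework.security.oauth2.provider.authentication.OAuth2AuthenticationDetails;
import org.springframework.security.oauth2.provider.authentication.OAuth2AuthenticationManager;
import org.springframework.security.oauth2.provider.token.ResourceServerTokenServices;

// Decorates OAuth2AuthenticationManager; plug it into
// OAuth2AuthenticationProcessingFilter.setAuthenticationManager(...)
public class AuditingOAuth2AuthenticationManager implements AuthenticationManager {

    private static final Log log = LogFactory.getLog(AuditingOAuth2AuthenticationManager.class);

    private final OAuth2AuthenticationManager delegate = new OAuth2AuthenticationManager();

    public AuditingOAuth2AuthenticationManager(ResourceServerTokenServices tokenServices) {
        // the delegate validates the bearer token against the token store
        delegate.setTokenServices(tokenServices);
    }

    @Override
    public Authentication authenticate(Authentication authentication) throws AuthenticationException {
        // any InvalidTokenException from the delegate propagates unchanged
        Authentication result = delegate.authenticate(authentication);

        if (result instanceof OAuth2Authentication) {
            OAuth2Authentication oauth = (OAuth2Authentication) result;
            String clientId = oauth.getOAuth2Request().getClientId();
            // null for client_credentials tokens
            String username = oauth.isClientOnly() ? null : oauth.getUserAuthentication().getName();

            // OAuth2AuthenticationProcessingFilter attaches these details before
            // calling us, and the delegate copies them onto the result
            Object details = oauth.getDetails();
            String remoteAddress = null;
            String tokenType = null;
            if (details instanceof OAuth2AuthenticationDetails) {
                OAuth2AuthenticationDetails d = (OAuth2AuthenticationDetails) details;
                remoteAddress = d.getRemoteAddress();
                tokenType = d.getTokenType();
            }
            // one line per authenticated request; correlate by client/user/source
            log.info("oauth2 request authenticated: client=" + clientId + " user=" + username
                    + " tokenType=" + tokenType + " from=" + remoteAddress);
        }
        return result;
    }
}
```

Note that this hook fires on every bearer-token request to the resource server, not at login time, so it answers "who is using which token from where" rather than "who just logged in"; for the latter, hook the token endpoint as the first answer does.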