Springboot + JWT + OAuth2 + AngularJS Stateless session


Problem description

I am trying various Java Spring based security implementations as follows

1. JWT Authentication

  • User accesses /
  • Spring Boot identifies it as a protected resource and redirects the user to /login
  • User enters credentials; the browser does a POST to /authenticate
  • Server validates the credentials and generates a JWT token, sets it in the response header and redirects to /
  • Browser loads /. AngularJS recognizes the JWT token in the response header and stores it in localStorage
  • All subsequent calls carry the Bearer token in the header (injected via an httpInterceptor)

Note: Stateless session

2. OAuth2 Authentication

  • User accesses /
  • Spring Boot identifies it as a protected resource and redirects the user to /login
  • /login is intercepted by Spring Security. Redirects to the OAuth2 authorization server with a generated state and a redirect URL back to the application
  • User enters credentials
  • OAuth server redirects back to the application URL "/login?code=xxx&state=yyy"
  • /login is intercepted by Spring Security. Recognizes the code and state, generates a cookie and sets it in the response header. Redirects to /
  • Browser loads /. Browser recognizes the cookie in the response header and stores it.
  • If a call is made to /user, the Principal object is populated with the JWT, which I can extract as follows
import org.springframework.security.core.Authentication;
import org.springframework.security.oauth2.provider.OAuth2Authentication;
import org.springframework.security.oauth2.provider.authentication.OAuth2AuthenticationDetails;

@RequestMapping(value = "/user")
public ResponseEntity<Map<String, String>> user(Principal principal) throws Exception {
    OAuth2Authentication obj = (OAuth2Authentication) principal;
    Authentication authentication = obj.getUserAuthentication();
    OAuth2AuthenticationDetails oAuth2AuthenticationDetails = (OAuth2AuthenticationDetails) obj.getDetails();
    String jwt = oAuth2AuthenticationDetails.getTokenValue(); // raw access token value carried by the OAuth2 login
    return ResponseEntity.ok(Collections.singletonMap("name", authentication.getName()));
}

  • All subsequent calls include the cookie in the request
  • Note: A stateful session is created on the server side to store the session details. This is required to decrypt the cookie and identify the user

Now I want to implement security using OAuth2 + JWT, but stateless at the same time, as follows

3. OAuth2 + JWT + Stateless

  • User accesses /
  • Spring Boot identifies it as a protected resource and redirects the user to /login
  • /login is intercepted by Spring Security. Redirects to the OAuth2 authorization server with a generated state and a redirect URL back to the application
  • User enters credentials
  • OAuth server redirects back to the application URL "/login?code=xxx&state=yyy"
  • /login is intercepted by Spring Security. Recognizes the code and state, extracts the JWT token by invoking OAuth2AuthenticationDetails.getTokenValue() and sets it in the response header. Redirects to /
  • Browser loads /. AngularJS recognizes the JWT token in the response header and stores it in localStorage
  • All subsequent calls carry the Bearer token in the header (injected via an httpInterceptor)

Problem

I am trying to figure out how to implement the highlighted step above

Recommended answer

Just an idea/direction, if I got you right: You can create a GenericFilterBean and add that to the HttpSecurity filter chain.

When using JWT, there should be something similar (a filter which extracts the bearer token from the header) and then populates an Authentication object for Spring Security.

So the new filter could grab the token from the request and set the response accordingly. You could also handle that in an unprotected (!) callback endpoint like login/callback?..., which then sets the cookie for you.

In our application, the server (Spring Boot) is totally stateless and does not have any OAuth nor stateful stuff. Obviously it never redirects anything or has any other views/endpoints than / for AngularJS (and some REST APIs under /api/...). Thus, the OAuth flow is totally handled by AngularJS, which in turn checks the callback from the OAuth server and locally sets the JWT token (like in your first approach). In the first versions we also tried to mix up redirects with stateless JWT and stateful sessions etc., but this led to very strange behavior with the logins - the state (logged in or not) was not always clear and in some cases redirects were wrong etc.
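The GenericFilterBean the answer sketches, written out as an added example; this is not code from the question, the answer or any Spring project. It reuses the extraction the question already does in its /user endpoint (OAuth2Authentication, OAuth2AuthenticationDetails.getTokenValue()), and assumes an @EnableOAuth2Sso setup whose success handler redirects to / after the code exchange, which is where the filter writes the token. TokenToHeaderFilter, SecurityConfig and the X-Auth-Token header name are assumed names.

```java
import java.io.IOException;
import javax.servlet.FilterChain;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

import org.springframework.boot.autoconfigure.security.oauth2.client.EnableOAuth2Sso;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.security.oauth2.client.filter.OAuth2ClientAuthenticationProcessingFilter;
import org.springframework.security.oauth2.provider.OAuth2Authentication;
import org.springframework.security.oauth2.provider.authentication.OAuth2AuthenticationDetails;
import org.springframework.security.web.util.matcher.AntPathRequestMatcher;
import org.springframework.security.web.util.matcher.RequestMatcher;
import org.springframework.web.filter.GenericFilterBean;

/** Hypothetical filter: hands the OAuth2 access token to the front end in a response header. */
class TokenToHeaderFilter extends GenericFilterBean {

    /** Assumed header name; the AngularJS side must read the same name. */
    static final String TOKEN_HEADER = "X-Auth-Token";

    private final RequestMatcher handOutOn;

    /** Only the response for the given path carries the token, not every response. */
    TokenToHeaderFilter(String path) {
        this.handOutOn = new AntPathRequestMatcher(path);
    }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        if (handOutOn.matches(request)) {
            // The Authentication was populated earlier in the chain by the SSO login.
            String token = extractTokenValue(SecurityContextHolder.getContext().getAuthentication());
            if (token != null) {
                response.setHeader(TOKEN_HEADER, token);
            }
        }
        chain.doFilter(req, res);
    }

    /** Same extraction as the question's /user endpoint, but null-safe for non-OAuth2 logins. */
    static String extractTokenValue(Authentication auth) {
        if (!(auth instanceof OAuth2Authentication)) {
            return null;
        }
        Object details = ((OAuth2Authentication) auth).getDetails();
        if (!(details instanceof OAuth2AuthenticationDetails)) {
            return null;
        }
        return ((OAuth2AuthenticationDetails) details).getTokenValue();
    }
}

/** Registers the filter; assumes the SSO success handler redirects to "/" after the code exchange. */
@Configuration
@EnableOAuth2Sso
public class SecurityConfig extends WebSecurityConfigurerAdapter {

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http.authorizeRequests()
                .antMatchers("/login**").permitAll()
                .anyRequest().authenticated()
            .and()
                // After the SSO filter, so the OAuth2Authentication is already in the SecurityContext.
                .addFilterAfter(new TokenToHeaderFilter("/"), OAuth2ClientAuthenticationProcessingFilter.class);
    }
}
```

Two points worth checking before relying on this. First, a filter placed after OAuth2ClientAuthenticationProcessingFilter does not run for the /login?code=... request itself, because that filter ends the chain with a redirect once the code exchange succeeds; the header therefore goes on the following request to /, and browser-side JavaScript can read it only when that request is made with $http or XHR, never from a top-level page navigation. Second, the @EnableOAuth2Sso flow keeps the state parameter in a session-scoped OAuth2ClientContext, so a session exists at least until the exchange completes; accepting the Bearer token on later calls still needs the JWT filter from the question's first approach. Both are the same mix of stateful and stateless pieces the answer warns about.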
