Spring Boot 和安全性:从 android 应用程序访问安全 URL. [英] Spring boot and Security: accessing secured URL from android app.
问题描述
我开发了一个简单的 Spring Boot 和 Spring Security 表单登录,配置如下
I have developed a simple Spring boot and spring security for form login with the below configuration
@Configuration
@EnableWebSecurity
public class WebSecurityConfig extends WebSecurityConfigurerAdapter {
@Autowired
private UserDetailsService userDetailsService;
@Bean
public BCryptPasswordEncoder bCryptPasswordEncoder() {
return new BCryptPasswordEncoder();
}
@Override
protected void configure(HttpSecurity http) throws Exception {
http
.authorizeRequests()
.antMatchers("/resources/**", "/registration").permitAll()
.anyRequest().authenticated()
.and()
.formLogin()
.loginPage("/login")
.permitAll()
.and()
.logout()
.permitAll();
http.csrf().disable();
}
@Autowired
public void configureGlobal(AuthenticationManagerBuilder auth) throws Exception {
auth.userDetailsService(userDetailsService).passwordEncoder(bCryptPasswordEncoder());
}
我还创建了自定义 userDetailsService 实现来获取用户.
I have also created custom userDetailsService Implementation to get the user.
现在,当我使用登录表单从网页登录时,我能够成功登录并能够访问安全端点(我也能够在后续响应中看到 JSESSIONID.
Now, When I login in from a web page using a login form, I am able to login successfully and able to access secured endPoints as well(I am able to see JSESSIONID as well in subsequent response.
但是当我尝试使用带有 url 的 httpPost 通过不同的服务(Android 应用程序)登录时:http://localhost:9090/login,我可以看到用户已通过身份验证.但是我无法从 android 应用程序访问受保护的端点.响应返回一个 HTML 字符串(登录页面数据).
But when I try to login via a different service(An Android app) using httpPost with url : http://localhost:9090/login, I can see that the user is authenticated.
But I am then unable to access the secured endPoints from the android app. The response returns back a HTML string(The login page data).
我也看不到响应中的 JSESSIONID.
I can also not see the JSESSIONID in the response.
总的来说,我的配置在网页上运行良好,但无法从其他 api 中得到它.
Overall, My configuration is working fine for web pages, but unable to get it worked from other api's.
推荐答案
它在您使用网页登录表单时有效,因为您的 UI 和服务器在同一个域中.当 Spring Security 对用户进行身份验证时,我相信它会在 cookie 标头中添加一个会话 ID,以便在您登录后能够对每个请求进行身份验证.当从另一个域访问您的 Spring API 时,在这种情况下是您的 Android 应用程序,它不再位于同一个域中,因此 Spring Security 不会将会话 ID 添加到 cookie 标头中.所以要做你想做的事情,我相信你必须编写自己的身份验证过滤器来向请求添加 cookie 或标头.这是一个使用 JSON Web Tokens 使用 Spring Boot 对 api 进行身份验证的链接.https://auth0.com/blog/implementing-jwt-authentication-on-spring-boot/
It works when you use the web page login form because your UI and server are in the same domain. When Spring Security authenticates a user I believe it adds a session id to the cookie header so it is able to authenticate every request after you login. When hitting your Spring API from another domain, in this case your Android App, it is no longer in the same domain, so Spring Security won't add the session id to the cookie header. So to do what you want to do I believe you have to write your own authentication filter to add a cookie or header to the request. Here is a link that uses JSON Web Tokens to authenticate an api using spring boot. https://auth0.com/blog/implementing-jwt-authentication-on-spring-boot/
这篇关于Spring Boot 和安全性:从 android 应用程序访问安全 URL.的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
