如何在Spring Boot Application中实现自定义身份验证 [英] How to implement customized authentication in Spring Boot Application

问题描述

我正在使用Spring Boot构建一个Web应用程序.电话应用程序可以发出发布请求，以xml格式将数据上传到云.允许推送数据的电话必须是注册的公司电话.验证API调用的方法是在公司数据库中查找手机的android ID.仅当存在Android ID时，它才会接受数据.想法是将android ID嵌入请求的标头中.由于这不是典型的身份验证方式，我该如何使用Spring Security来实现它?否则我们甚至不需要Spring Security.只需从标题中提取Android ID，然后在数据库中查找它即可.如果该请求不是有效的ID，则拒绝该请求.任何建议都会有所帮助.

I am building a web app with Spring Boot. Post requests can be made by a phone app to upload data in form of xml to the cloud. The phones that are allowed to push data are required to be registered company phones. The way to authenticate the APIs calls is to look up the android ID of the phone in a corporate database. It will accept the data only if the Android ID exists. The idea is to embed the android ID in the header of requests. Since it is not a typical way for authentication, how do I implement it with Spring Security? Or we don't even need Spring Security. Just extract the Android ID from the header and look it up in database. Reject the request if it is not a valid ID. Any advice would help.

推荐答案

没有什么可以阻止您以创造性的方式使用Authorization标头，即通过将Android ID嵌入其中.然后，为了向终端添加身份验证，可以使用AOP拦截器:

Nothing prevents you from using Authorization header in a creative way, i.e., by embedding the Android ID into it. Then, in order to add authentication to your endpoints, you can use an AOP interceptor:

受保护的操作标记界面:

Protected operation marker interface:

@Target({ElementType.METHOD})
@Retention(RetentionPolicy.RUNTIME)
public @interface ProtectedOperation {
}

拦截器:

@Aspect
@Component
public class SecurityAspect {
    private CorporateService corpService; // this is your custom service to check Android IDs
    @Autowired
    public SecurityAspect(CorporateService corpService) {
        this.corpService = corpService;
    }
    @Around("@annotation(operation)")
    public Object protectedOperationPermissionCheck(final ProceedingJoinPoint pjp, final ProtectedOperation operation) throws Throwable {
        ServletRequestAttributes requestAttributes = (ServletRequestAttributes) RequestContextHolder.currentRequestAttributes();
        String header = requestAttributes.getRequest().getHeader("Authorization");
        String androidId = // get the ID from header - try not to use existing authorization header formats like Bearer, Negotiate etc. to avoid collision with other authentication systems
        if (corpService.isAuthorized(androidId)) {
            return pjp.proceed();
        }
        response.setStatus(HttpServletResponse.SC_FORBIDDEN);
        response.flushBuffer();
        return null;
    }
}

确保为您的@Aspect支持添加spring-boot-starter-aop依赖项到pom.xml中

Make sure to add the spring-boot-starter-aop dependency to your pom.xml, for @Aspect support

保护端点，在@ProtectedOperation中注释控制器中的端点方法，然后将@EnableAspectJAutoProxy添加到您的Spring Boot应用程序中

to protect an endpoint, annotate the endpoint method in your controller with @ProtectedOperation, and add @EnableAspectJAutoProxy to your Spring Boot application

这篇关于如何在Spring Boot Application中实现自定义身份验证的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！