Spring Security with REST architecture
Question
I have been looking into a problem with Spring Security for a REST API. And before jumping into implementation I would like to get expert advice or some sample project on GitHub, if available.
My application will be based on a REST API and will be accessed by two clients:
- Mobile phone
- Website
If I create a REST API with a custom login page, then it will always be redirected to the web (as per my understanding). What happens when I start consuming it with a mobile phone?
http
    .formLogin()
        .defaultSuccessUrl("/ui/index.html#/app/dashboard")
        .loginProcessingUrl("/api/upuser/verifyUser")
        .usernameParameter("username")
        .passwordParameter("password")
        .successHandler(new AjaxAuthenticationSuccessHandler(new SavedRequestAwareAuthenticationSuccessHandler()))
        .loginPage("/ui/index.html#/access/signin");
I think from the above code it is quite obvious that this application will be accessed from two different locations:
- localhost:8080/api/ for the API
- localhost:8383/ui/ for the web (AngularJS)
But I will move both to localhost/api/ & localhost/ui/ by using nginx. So the above two will be accessed by:
- localhost/api/
- localhost/ui/
So my second question is: what will be the best way to implement Spring Security:
- Token based authentication
- Session based authentication
The problem is that it is a stateless service, so how are we going to implement session based authentication?
Answer
You should try this, maybe it will help you:
import java.io.IOException;

import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.context.annotation.Configuration;
import org.springframework.context.annotation.Profile;
import org.springframework.security.authentication.AuthenticationProvider;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.builders.WebSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.AuthenticationException;
import org.springframework.security.web.authentication.AuthenticationFailureHandler;
import org.springframework.security.web.authentication.AuthenticationSuccessHandler;
import org.springframework.security.web.authentication.Http403ForbiddenEntryPoint;
import org.springframework.security.web.authentication.logout.LogoutSuccessHandler;

@Configuration
@EnableWebSecurity
@Profile("container")
public class SOAPSecurityConfig extends WebSecurityConfigurerAdapter {

    @Autowired
    private AuthenticationProvider authenticationProvider;

    @Autowired
    private AuthenticationProvider authenticationProviderDB;

    // Both providers go into the one AuthenticationManager; they are tried in the order added.
    // (A second, non-overriding method named ConfigureGlobal would never be called by Spring.)
    @Override
    protected void configure(AuthenticationManagerBuilder auth) throws Exception {
        auth.authenticationProvider(authenticationProvider);
        auth.authenticationProvider(authenticationProviderDB);
    }

    @Override
    public void configure(WebSecurity web) throws Exception {
        // Static resources bypass the security filter chain entirely
        web
            .ignoring()
            .antMatchers("/scripts/**", "/styles/**", "/images/**", "/error/**");
    }

    @Override
    public void configure(HttpSecurity http) throws Exception {
        http
            .authorizeRequests()
                .antMatchers("/rest/**").authenticated()
                .antMatchers("/**").permitAll()
                .anyRequest().authenticated()
                .and()
            .formLogin()
                // Reply with plain status codes instead of redirects, so a REST client
                // (browser or phone) can act on the result of the login POST
                .successHandler(new AuthenticationSuccessHandler() {
                    @Override
                    public void onAuthenticationSuccess(HttpServletRequest request,
                            HttpServletResponse response, Authentication a)
                            throws IOException, ServletException {
                        response.setStatus(HttpServletResponse.SC_OK);
                    }
                })
                .failureHandler(new AuthenticationFailureHandler() {
                    @Override
                    public void onAuthenticationFailure(HttpServletRequest request,
                            HttpServletResponse response, AuthenticationException ae)
                            throws IOException, ServletException {
                        response.setStatus(HttpServletResponse.SC_UNAUTHORIZED);
                    }
                })
                .loginProcessingUrl("/access/login")
                .and()
            .logout()
                .logoutUrl("/access/logout")
                .logoutSuccessHandler(new LogoutSuccessHandler() {
                    @Override
                    public void onLogoutSuccess(HttpServletRequest request,
                            HttpServletResponse response, Authentication a)
                            throws IOException, ServletException {
                        response.setStatus(HttpServletResponse.SC_NO_CONTENT);
                    }
                })
                .invalidateHttpSession(true)
                .and()
            .exceptionHandling()
                // Unauthenticated requests to protected URLs get 403 rather than a login-page redirect
                .authenticationEntryPoint(new Http403ForbiddenEntryPoint())
                .and()
            .csrf()
                // CSRF protection disabled
                .disable();
    }
}
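The answer above turns off CSRF while the browser client at localhost/ui/ still authenticates with a session cookie. As an added example (my own code, not the answer author's or the Spring project's), here is the same status-code-instead-of-redirect approach with CSRF kept on via Spring Security's CookieCsrfTokenRepository, which AngularJS's $http handles natively (it reads the XSRF-TOKEN cookie and sends it back as the X-XSRF-TOKEN header); the class name is hypothetical and the paths follow the question's nginx layout (/api/ and /ui/).

```java
import javax.servlet.http.HttpServletResponse;

import org.springframework.context.annotation.Configuration;
import org.springframework.http.HttpStatus;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.config.http.SessionCreationPolicy;
import org.springframework.security.web.authentication.HttpStatusEntryPoint;
import org.springframework.security.web.csrf.CookieCsrfTokenRepository;

// Added example (hypothetical class name); paths follow the question's nginx layout: /api/ and /ui/
@Configuration
@EnableWebSecurity
public class RestSessionSecurityConfig extends WebSecurityConfigurerAdapter {
    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            .authorizeRequests()
                .antMatchers("/ui/**").permitAll()          // AngularJS static files
                .antMatchers("/api/**").authenticated()     // every REST call needs a session
                .anyRequest().authenticated()
                .and()
            .formLogin()
                .loginProcessingUrl("/api/login")
                // Status codes instead of redirects: the same response works for the browser and the phone
                .successHandler((req, res, auth) -> res.setStatus(HttpServletResponse.SC_OK))
                .failureHandler((req, res, ex) -> res.setStatus(HttpServletResponse.SC_UNAUTHORIZED))
                .and()
            .logout()
                .logoutUrl("/api/logout")
                .logoutSuccessHandler((req, res, auth) -> res.setStatus(HttpServletResponse.SC_NO_CONTENT))
                .invalidateHttpSession(true)
                .deleteCookies("JSESSIONID")
                .and()
            .exceptionHandling()
                // Anonymous calls to /api/** get a bare 401, never a redirect to a login page
                .authenticationEntryPoint(new HttpStatusEntryPoint(HttpStatus.UNAUTHORIZED))
                .and()
            .sessionManagement()
                // A session is created only once a login succeeds
                .sessionCreationPolicy(SessionCreationPolicy.IF_REQUIRED)
                .and()
            .csrf()
                // Keep CSRF on: the XSRF-TOKEN cookie must be readable by AngularJS, which
                // echoes it in the X-XSRF-TOKEN header on state-changing requests
                .csrfTokenRepository(CookieCsrfTokenRepository.withHttpOnlyFalse());
    }
}
```

Because the login POST is itself CSRF-checked, a client must have made one earlier request (the browser's GET of /ui/ does this) so the XSRF-TOKEN cookie exists; a mobile client has to keep both the JSESSIONID and XSRF-TOKEN cookies and send the latter's value as X-XSRF-TOKEN on every POST.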