JHipster: How to make secure calls to microservices from UAA server with unauthenticated user

Question

Dear StackOverflow Community,

I found that someone else already asked something similar to my problem here but didn't receive any good answers.

I want to create an entity on microservice A as soon as a User gets activated on the UAA server (when activateAccount() is called in the AccountResource). At this point the user is not authenticated and therefore I'm not able to use an AuthenticatedFeignClient, as I would on other microservices. When I disable authentication on microservice A and use a FeignClient as described in the JHipster Docs, it works as expected, but I don't want to leave the endpoint reachable from the outside. Is there a way to let the UAA server authenticate itself or only allow the UAA server to access this specific endpoint in microservice A's API?

I finally got it to work by using AuthenticatedFeignClient. I simply copied the client package and FeignConfiguration from the microservice to the uaa server and changed the security settings in application-dev.yml and application-prod.yml as follows:

security:
    client-authorization:
        access-token-uri: uaa/oauth/token
        token-service-id: uaa
        client-id: internal
        client-secret: internal

Recommended answer

Although you have already found the correct solution, I should quickly explain why this is correct.

JHipster UAA supports two different authorization flows: user-to-service and service-to-service. The first one is the most commonly used. This is when you want to control what a user is permitted to do in your application.

A service-to-service call doesn't involve any user-related issue, as it is not the user "logging in" but your microservice itself. That's why you should add the config.

The stuff with copying the annotation interface from other apps into UAA is a little bad design. I'm considering moving these annotations from generated code into the JHipster library to solve this.
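
The service-to-service flow described in the answer corresponds to the OAuth2 client_credentials grant (RFC 6749, section 4.4). The following is an added example, not part of the original question or answer and not JHipster's generated code: it builds the token request and the downstream bearer call without sending them. The host names, the `/api/entities` path, the sample token response and the `UAA_INTERNAL_CLIENT_SECRET` variable are constructed placeholders; reading the secret from the environment is an assumption made so that no production value is hard-coded.

```java
import java.net.URI;
import java.net.URLEncoder;
import java.net.http.HttpRequest;
import java.nio.charset.StandardCharsets;
import java.util.Base64;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

public class ServiceToServiceCall {
    // Token request for the client_credentials grant: the service authenticates
    // as itself with HTTP Basic (client id and secret); no user is involved.
    static HttpRequest tokenRequest(String tokenUri, String clientId, String clientSecret) {
        String pair = enc(clientId) + ":" + enc(clientSecret);
        String basic = Base64.getEncoder().encodeToString(pair.getBytes(StandardCharsets.UTF_8));
        return HttpRequest.newBuilder(URI.create(tokenUri))
                .header("Authorization", "Basic " + basic)
                .header("Content-Type", "application/x-www-form-urlencoded")
                .POST(HttpRequest.BodyPublishers.ofString("grant_type=client_credentials"))
                .build();
    }

    // Pulls access_token out of the JSON token response (minimal parse for the demo).
    static String accessToken(String json) {
        Matcher m = Pattern.compile("\"access_token\"\\s*:\\s*\"([^\"]+)\"").matcher(json);
        if (!m.find()) throw new IllegalStateException("no access_token in token response");
        return m.group(1);
    }

    // Call to microservice A carrying the service's own bearer token, so the
    // endpoint can stay protected instead of being opened to anonymous callers.
    static HttpRequest serviceCall(String url, String token, String jsonBody) {
        return HttpRequest.newBuilder(URI.create(url))
                .header("Authorization", "Bearer " + token)
                .header("Content-Type", "application/json")
                .POST(HttpRequest.BodyPublishers.ofString(jsonBody))
                .build();
    }

    private static String enc(String s) { return URLEncoder.encode(s, StandardCharsets.UTF_8); }

    public static void main(String[] args) {
        // Constructed values: hosts, path, env var name and token response are placeholders.
        String secret = System.getenv().getOrDefault("UAA_INTERNAL_CLIENT_SECRET", "internal");
        HttpRequest t = tokenRequest("http://uaa.example.internal/oauth/token", "internal", secret);
        System.out.println(t.method() + " " + t.uri() + " " + t.headers().map().keySet());
        String sample = "{\"access_token\":\"constructed-token\",\"token_type\":\"bearer\"}";
        HttpRequest c = serviceCall("http://service-a.example.internal/api/entities",
                accessToken(sample), "{\"login\":\"alice\"}");
        System.out.println(c.method() + " " + c.uri());
    }
}
```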
