使用 OAuth2 下载 Javascript 文件 [英] Download files in Javascript with OAuth2
问题描述
我正在使用客户端的 Javascript+AngularJS 和服务器端的 Spring MVC + Spring Security OAuth2 开发单页.Spring MVC 充当来自页面的任何 AJAX 请求的 REST 控制器.
对于授权,脚本会随每个 AJAX 请求发送一个授权:承载 ..."标头.这在请求少量数据时工作正常.要下载 XML 文件(导出用户数据),我通过 AJAX 下载它们,使用 OAuth2 标头并创建一个 Blob 以允许将文件保存在浏览器中:
var blob = new Blob([data.data], {'type': "text/xml"});var a = document.createElement("a");a.href = window.URL.createObjectURL(blob);a.download = "下载文件-" + new Date().toISOString() + ".xml";a.click();这种方法有效,但
- 使用内存,因此不适合下载大文件
- 未显示正确的进度/加载栏
那么,问题是:有没有更好的方式来下载 OAuth2 授权的文件?Javascript 不允许在进行重定向时指定标头,并且 OAuth 不允许通过 URL 参数指定授权令牌.我在考虑任何一个
- 添加特殊的 Spring MVC 控制器方法以提供从 URL 编码的令牌重定向到标头编码的 HTTP 请求的 URL
- 添加额外的 Spring Security 过滤器以允许从 URL 参数中提取令牌
- 转向基于 cookie 的授权而不是 OAuth2
如果有人遇到过类似的问题,能否请您分享一下您解决这个问题的方法?
原来在 spring-security-oauth2 2.0.7.RELEASE 中很容易做到:
只需将访问令牌作为 access_token 请求参数传递:
window.open("service/export?access_token=" + access_token);现在,这将与访问令牌以明文形式出现在下载历史记录中,因此为了适当的安全性,应正确实施注销"选项,否则下载将必须作为表单发布"完成.
I'm developing an single-page with Javascript+AngularJS on the client side and Spring MVC + Spring Security OAuth2 on the server side. Spring MVC acts as a REST controller for any AJAX requests from the page.
For authorization, the script sends an "Authorization: Bearer ..." headers with each AJAX request. This works fine when requesting small amounts of data. To download XML files (export user data) I download them via AJAX, using the OAuth2 headers and create a Blob to allow saving the file in the browser:
var blob = new Blob([data.data], {'type': "text/xml"});
var a = document.createElement("a");
a.href = window.URL.createObjectURL(blob);
a.download = "downloaded-file-" + new Date().toISOString() + ".xml";
a.click();
This approach works but
- Uses RAM and so is unsuitable for large file downloads
- Does not show a proper progress/loading bar
So, the question is: is there a better way of downloading files with OAuth2 authorization? Javascript does not allow to specify headers when doing redirects, and OAuth does not allow to specify the authorization token via URL parameters. I'm thinking of either
- adding a special Spring MVC controller method to provide an URL which redirects from an URL-encoded token to a header-encoded HTTP request
- adding an extra Spring Security filter to allows extracting the token from URL parameters
- moving to cookie-based authorization instead of OAuth2
If anyone had similar issues, could you please share your approach to this problem?
Turns out it's very easy to to in spring-security-oauth2 2.0.7.RELEASE:
Simply pass the access token as the access_token request parameter:
window.open("service/export?access_token=" + access_token);
Now, this will appear with the access token in plaintext in the download history, so for proper security a "logout" option should be properly implemented, or the download will have to be done as a "form post".
这篇关于使用 OAuth2 下载 Javascript 文件的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
