Spring 安全令牌认证 - RESTful JSON 服务 [英] Spring Security Token Authentication - RESTful JSON Service
问题描述
我希望将 Spring Security 用于严格意义上的 JSON Web 服务的 Spring MVC 应用程序.我做了一些研究并阅读了一些文章,但还没有真正找到任何完整的内容.我希望应用程序完全无状态并使用基于令牌的身份验证.我不希望 Spring MVC 应用程序有任何表单,或者使用表单进行身份验证.它应该严格接受JSON中的请求和数据,并返回JSON响应.
I'm looking to use Spring Security for a Spring MVC application which will strictly be a JSON web service. I've done some research and read a few articles but haven't really found anything complete. I want the application to be completely stateless and use token based authentication. I don't want the Spring MVC application to have any forms, or used forms to authenticate. It should strictly take requests and data in JSON, and return JSON responses.
将有一个 Angular JS 客户端应用程序,它需要发送用户名和密码,并从应用程序中获取要在顺序请求中使用的令牌.在某些时候,可能会有 Android 客户端也访问此网络服务.
There will be an Angular JS client application which will need to send the username and password and get the token from the application to be used in sequential requests. At some point there may be Android clients that access this web service as well.
我假设 Spring Security 在内部有将令牌映射到用户会话的方法,这意味着它知道令牌 XXXXXXXXXXXX 是管理员用户 Bob,令牌 AAAAAAAAAA 是标准用户 Joe.但是我对 Spring Security 没有太多经验,所以我不知道这一切是如何结合在一起的.我仍然希望能够在控制器和服务方法上使用安全注解.
I'm assuming Spring Security has its way internally to mapping a token to a user session, meaning it knows token XXXXXXXXXXXX is admin user Bob and token AAAAAAAAAA is standard user Joe. However I don't have much experience with Spring Security so I don't know how this all comes together. I still want to be able to use secured annotations on controller and service methods.
有没有办法在 Spring Security 中实现这一点?
Is there a way to accomplish this in Spring Security?
这个问题似乎是一个很好的起点,但我不确定这会像我想象的那样工作 通过 Spring 进行 RESTful 身份验证.
This question seems to be a good place to start but I'm not sure this will work as I envisioned it RESTful Authentication via Spring.
推荐答案
这将是一个很好的起点 Spring-Rest-Boilerplate.
This will be a good place to start with Spring-Rest-Boilerplate.
- 第一次你必须使用 http 基本身份验证和然后登录(发送用户名/密码),这将返回令牌.
- 在后续请求中,您将使用此令牌进行身份验证.
- 您必须向链中添加一个过滤器才能做到这一点基于令牌的身份验证.
你必须想出一个令牌格式和加密.理想情况下,您还需要为令牌保留一个到期时间,到期时间和用户名可能是令牌的一部分.使用 加密算法 像 MD5 这样的加密哈希函数并获取整个令牌的哈希值.
You have to come up with a token format and encryption for same. You ideally need to keep an expiry for the token too, expiry along with username could be a part of the token.Use an encryption algorithm a cryptographic hash function like MD5 and get hash of the whole Token.
编辑:正如 Maciej Stępyra 指出的那样,MD5 似乎已损坏,建议使用更强的哈希函数,如 SHA-256.
Edit : As pointed out by Maciej Stępyra MD5 seems to be broken and its advised to use a Stronger hash functions like SHA-256.
默认情况下,Spring security 会将您重定向到登录页面,但这在 REST 的情况下没有意义,因此请在配置中使用自定义 AuthenticationEntryPoint(参考示例 github 代码).
Spring security by default will redirect you to a login page, but this does not make sense in case of REST so use a custom AuthenticationEntryPoint in config(Ref sample github code).
我对我的令牌使用了这种格式:token:username:hash:expiry
I was using this format for my Token:
token:username:hash:expiry
hash=MD5(用户名+magickey)
hash=MD5(username+magickey)
expiry=current_timestamp+mins_to_expiry
expiry=current_timestamp+mins_to_expiry
<security:http realm="Protected API" use-expressions="true" auto-config="false" create-session="always" entry-point-ref="**CustomAuthenticationEntryPoint**">
<security:custom-filter ref="**authenticationTokenProcessingFilter**" position="PRE_AUTH_FILTER" />
<security:intercept-url pattern="/**" access="isAuthenticated()" />
</security:http>
注意:感谢 dhavaln 提供代码.我以此作为参考并开发了类似的东西.
NB:Thanks dhavaln for the code. I have used this as a reference and developed similar thing.
这篇关于Spring 安全令牌认证 - RESTful JSON 服务的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
