Integrating Token based security into existing Spring Security web application


Question

I am designing a RESTful web service that needs to be accessed by users after proper authentication. I have already developed the security for my application using Spring Security 3.0. Now I want to integrate token-based authentication, but I am stuck on how to do this.

My ApplicationContextSecurity.xml:

    <global-method-security pre-post-annotations="enabled">
    </global-method-security>
    <beans:bean id="myAccessDecisionManager"
        class="com.app.security.MyAccessDecisionManager">
    </beans:bean>
    <http auto-config="true" once-per-request="true"
        access-decision-manager-ref="myAccessDecisionManager"       
        access-denied-page="/jsp/errorPage.jsp">
        <intercept-url pattern="/*.app" access="ROLE_ANONYMOUS" />
        <form-login login-page="/login.app"
            login-processing-url="/j_spring_security_check" default-target-url="/login/checking.app"
            authentication-failure-url="/login.app?login_error=1" />
        <logout logout-url="/j_spring_security_logout"
            logout-success-url="/login.app" invalidate-session="true" />
        <session-management invalid-session-url="/login.app"
            session-fixation-protection="newSession">
            <concurrency-control max-sessions="100"
                error-if-maximum-exceeded="false" />
        </session-management>
    </http>

    <authentication-manager alias="authenticationManager">
        <authentication-provider ref="customAuthenticationProvider"></authentication-provider>
    </authentication-manager>

    <beans:bean id="customAuthenticationProvider"
        class="com.app.security.CustomAuthenticationProvider">
    </beans:bean>

My CustomAuthenticationProvider:

import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.security.authentication.AuthenticationProvider;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.AuthenticationException;

public class CustomAuthenticationProvider implements AuthenticationProvider {

    @Autowired
    private ILoginService loginService;   // the application's own login service

    protected final transient Log log = LogFactory.getLog(getClass());

    public Authentication authenticate(Authentication authentication)
            throws AuthenticationException {

        UsernamePasswordAuthenticationToken usernamePasswordAuthenticationToken = new UsernamePasswordAuthenticationToken(
                authentication.getPrincipal(), authentication.getCredentials());

        // Doing authentication process here (via loginService) and returning authentication token
        return usernamePasswordAuthenticationToken;
    }

    // Tells the ProviderManager which Authentication types this provider handles
    public boolean supports(Class<? extends Object> authentication) {
        return authentication.equals(UsernamePasswordAuthenticationToken.class);
    }
}

My requirements are:

  • When the user wants to access the REST web service for the first time, he should provide the username/password to the server in a header.
  • The server will accept the request, check the authentication and generate a token for future requests for a specific period. I also need client-side code for how to access the secured web services. Thanks.

Answer

When the user wants to access the REST web service for the first time, he should provide the username/password to the server in a header.

The server will accept the request, check the authentication and generate a token for future requests for a specific period.

You can do this either using HTTP headers or a normal HTTP POST request mapped to a Spring MVC controller (this is how we do it in our apps):

import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.beans.factory.annotation.Qualifier;
import org.springframework.security.authentication.AuthenticationManager;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.security.web.context.SecurityContextRepository;
import org.springframework.stereotype.Controller;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.RequestMethod;
import org.springframework.web.bind.annotation.RequestParam;
import org.springframework.web.bind.annotation.ResponseBody;

@Controller
public class AuthenticationController {
    @Autowired
    @Qualifier("authenticationManager")
    AuthenticationManager authenticationManager;

    @Autowired
    SecurityContextRepository securityContextRepository;

    @RequestMapping(method = RequestMethod.POST, value = "/authenticate")
    public @ResponseBody String authenticate(@RequestParam final String username, @RequestParam final String password,
            final HttpServletRequest request, final HttpServletResponse response) {
        // Hand the credentials to the existing AuthenticationManager; a bad login throws AuthenticationException
        final UsernamePasswordAuthenticationToken authenticationRequest = new UsernamePasswordAuthenticationToken(username, password);
        final Authentication authenticationResult = this.authenticationManager.authenticate(authenticationRequest);

        // Token generation is left open here; MyAuthenticationToken is the answerer's own class (not shown)
        final String token = <some randomly generated secure token>;

        final Authentication authentication = new MyAuthenticationToken(authenticationResult, token);

        // Make the token the current principal and persist the context so later requests find it
        SecurityContextHolder.getContext().setAuthentication(authentication);
        this.securityContextRepository.saveContext(SecurityContextHolder.getContext(), request, response);

        return token;  // the client stores this and sends it back in a header
    }
}

Once this is done, the client should send the token in an HTTP header with every subsequent request.

Also I need client side code for how to access secured web services

Not sure what exactly you are looking for here. If your client is a JavaScript library running in a web browser, setting the authentication token as an HTTP header with every request should be straightforward. If your client is a device, the device could store the token in memory and include it as an HTTP header with every request using whatever HTTP client library you are using to invoke the services.
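The two server-side pieces the answer leaves unspecified, as an added example that is not from the question or the answer: a store that generates the random token and expires it after the "specific period", and a filter that accepts that token on later requests. Assumed here (not from the page): an X-Auth-Token header name, a 30-minute validity period and an in-memory store; the controller above would then return tokenStore.issue(authenticationResult) in place of its placeholder.

```java
import java.io.IOException;
import java.security.SecureRandom;
import java.util.concurrent.ConcurrentHashMap;
import javax.servlet.FilterChain;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.web.filter.OncePerRequestFilter;

/** Issues opaque random tokens and remembers their owner until they expire (assumed in-memory store). */
class TokenStore {
    private static final long TTL_MS = 30L * 60 * 1000;   // assumed validity period: 30 minutes
    private static final class Entry { final Authentication auth; final long expiresAt;
        Entry(Authentication a, long t) { auth = a; expiresAt = t; } }
    private final SecureRandom random = new SecureRandom();
    private final ConcurrentHashMap<String, Entry> tokens = new ConcurrentHashMap<String, Entry>();

    /** 32 random bytes, hex-encoded: unguessable and carrying no user data. */
    public String issue(Authentication authenticated) {
        byte[] raw = new byte[32]; random.nextBytes(raw);
        StringBuilder sb = new StringBuilder(64);
        for (byte b : raw) sb.append(String.format("%02x", b));
        tokens.put(sb.toString(), new Entry(authenticated, System.currentTimeMillis() + TTL_MS));
        return sb.toString();
    }

    /** Owner of a live token, or null if unknown or expired (expired entries are dropped). */
    public Authentication lookup(String token) {
        Entry e = token == null ? null : tokens.get(token);
        if (e == null) return null;
        if (e.expiresAt < System.currentTimeMillis()) { tokens.remove(token); return null; }
        return e.auth;
    }
}

/** Turns a valid X-Auth-Token header into the security context; otherwise leaves the request alone. */
public class TokenAuthenticationFilter extends OncePerRequestFilter {
    private final TokenStore store;
    public TokenAuthenticationFilter(TokenStore store) { this.store = store; }
    @Override
    protected void doFilterInternal(HttpServletRequest req, HttpServletResponse res, FilterChain chain)
            throws ServletException, IOException {
        Authentication auth = store.lookup(req.getHeader("X-Auth-Token"));
        if (auth != null) {  // the three-argument constructor marks the token as already authenticated
            SecurityContextHolder.getContext().setAuthentication(
                new UsernamePasswordAuthenticationToken(auth.getPrincipal(), null, auth.getAuthorities()));
        }
        chain.doFilter(req, res);  // no or bad token: the existing intercept-url rules decide what happens
    }
}
```

Wire the filter into the existing <http> element with <custom-filter ref="tokenAuthenticationFilter" before="FORM_LOGIN_FILTER" /> and declare both classes as beans; requests without a valid header still fall through to the form login configured above.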
