如何知道请求是否是通过 oauth2 授权发出的? [英] How to know if request is made via oauth2 authorization?
问题描述
我有某些端点/ui/";和/non-ui/".在/ui/"上端点,启用 Oauth2 代码授权类型.但是,同一个ui用户,成功oauth2登录后可以访问/non-ui/";端点也.我也不希望 ui 用户能够访问/non-ui/"为/non-ui/"启用端点或 oauth2 登录;端点.
I have certain endpoints "/ui/" and "/non-ui/". On "/ui/" endpoints, Oauth2 code grant type is enabled. However, same ui user , after successful oauth2 login can access "/non-ui/" endpoints also. Neither I want that ui user should be able to access "/non-ui/" endpoints nor oauth2 login is enabled for "/non-ui/" endpoints.
排除/non-ui/**"来自 oauth2 登录的端点,我可以使用以下代码:
To exclude "/non-ui/**" endpoints from oauth2 login, I can use below code:
public void configure(WebSecurity webSecurity) {
webSecurity.ignoring().antMatchers("/non-ui/**");
}
如何限制 ui 用户访问/non-ui/"?端点.如上代码只是将其公开,ui 用户可以访问/non-ui/";端点?
How can I restrict ui users from accessing "/non-ui/" endpoints. As above code just makes it public and ui users can access "/non-ui/" endpoints ?
有什么方法可以让我知道请求是否是通过 oauth2 身份验证发出的?我想通过这种方式我可以使用一些过滤器和控制访问.
Is there a way by which I can get to know if request is made via oauth2 authentication ? I think by that way I can use some filter and control access.
关于用例的更多上下文.就像刚才我添加了一个安全过滤器并删除了/non-ui/**"来自 webSecurity.ignoring() 的端点并获得了额外的标头信息.
Some more context around the use-case. As just now I added a security filter and removed "/non-ui/**" endpoints from webSecurity.ignoring() and got additional header information.
由于在非 ui 端点上已启用基本身份验证,这就是为什么我可以从中获取其他信息,即请求是否通过基本身份验证机制触发.当 UI 用户访问非 ui 端点时,相同的标头字段会反映为未经身份验证.
Since on non-ui endpoints basic authentication is already enabled and that's why I can get additional information from that i.e. if request was triggered via basic authentication mechanism or not. While same header fields are reflected as unauthenticated when non-ui endpoints are hit by UI users.
根据此信息,我将拒绝具有未经身份验证的标头信息的请求.但是,我仍然无法理解是否发出了经过身份验证的非 ui 请求,那么我如何绕过 oauth2 身份验证机制.
Based on this information , I will deny requests having unauthenticated header information. However, I am still unable to understand if authenticated non-ui request is made then how can i bypass oauth2 authentication mechanism.
推荐答案
您可以将 ROLES 添加到 ROLE_UI 和 ROLE_NONUI 等用户,并检查角色以通过像这样的角色访问端点
You can add ROLES to users like ROLE_UI and ROLE_NONUI and check roles to access to endpoints by roles like
.antMatchers("/ui/*").hasRole("ROLE_UI")
或
.antMatchers("/non-ui").hasRole("ROLE_NONUI")
这篇关于如何知道请求是否是通过 oauth2 授权发出的?的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
