Spring Security 3.2 Token Authentication
Question
I know this has been asked already, but I am not able to get it to work. Here is what I would like to get accomplished:
I am using Spring Security 3.2 to secure a REST-like service. No server-side sessions. I am not using basic auth, because that would mean that I need to store the user's password in a cookie on the client side. Otherwise the user would need to log in with each page refresh/change. Storing a token is, I guess, the lesser evil.
- A web client (browser, mobile app) calls a REST-like URL "/login" to log in with username and password
- The server authenticates the user and sends a token back to the client
- The client stores the token and adds it to the HTTP request header with each API call
- The server checks the validity of the token and sends a response accordingly
I did not even look at the token generation part yet. I know it is backwards, but I wanted to get the token validation part implemented first.
I am trying to get this accomplished by using a custom filter (implementation of AbstractAuthenticationProcessingFilter), however I seem to have the wrong idea about it. Defining it like this:
```java
// Constructor of the custom filter; the URL handed to super() is the one the filter matches
public TokenAuthenticationFilter() {
    super("/");
}
```
will only trigger the filter for this exact URL. I am sticking to some sample implementation, where it calls AbstractAuthenticationProcessingFilter#requiresAuthentication, which does not accept wildcards. I can of course alter that behavior, but this somehow makes me think that I am on the wrong path.
I also started implementing a custom AuthenticationProvider. Maybe that is the right thing? Can someone give me a push in the right direction?
Answer
I think a pre-auth filter is a better fit for your scenario. Override AbstractPreAuthenticatedProcessingFilter's getPrincipal and getCredentials methods. In case the token is not present in the header, return null from getPrincipal.
Flow:
- When the user logs in for the first time, no header is passed, so no Authentication object is set in the SecurityContext; the normal authentication process follows, i.e. ExceptionTranslationFilter redirects the user to the login page based on the form login filter or a custom AuthenticationEntryPoint
- After successful authentication, when the user requests a protected URL, the pre-auth filter gets the token from the header and sets the Authentication object in the SecurityContext; if the user has access, he is allowed to access the protected URL
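The setup the answer describes, written out as an added example (this is not the asker's code nor the answerer's). It wires a subclass of AbstractPreAuthenticatedProcessingFilter (the actual abstract methods are getPreAuthenticatedPrincipal and getPreAuthenticatedCredentials) to a PreAuthenticatedAuthenticationProvider and an AuthenticationUserDetailsService that validates the token, using the Java config that Spring Security 3.2 introduced. The "X-Auth-Token" header name, the in-memory TokenStore, and the "/login" issuance endpoint (whose handler is not shown) are assumptions for illustration; the Http403ForbiddenEntryPoint is my choice for a REST API with no session, in place of the form-login redirect the answer mentions.

```java
// Added example for a header-token pre-auth filter on Spring Security 3.2.
// Assumed: header name "X-Auth-Token", in-memory TokenStore, "/login" endpoint.
import java.math.BigInteger;
import java.security.SecureRandom;
import java.util.Arrays;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;
import javax.servlet.http.HttpServletRequest;

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.config.http.SessionCreationPolicy;
import org.springframework.security.core.authority.SimpleGrantedAuthority;
import org.springframework.security.core.userdetails.AuthenticationUserDetailsService;
import org.springframework.security.core.userdetails.User;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.security.core.userdetails.UsernameNotFoundException;
import org.springframework.security.web.authentication.Http403ForbiddenEntryPoint;
import org.springframework.security.web.authentication.preauth.AbstractPreAuthenticatedProcessingFilter;
import org.springframework.security.web.authentication.preauth.PreAuthenticatedAuthenticationProvider;
import org.springframework.security.web.authentication.preauth.PreAuthenticatedAuthenticationToken;

/** Constructed stand-in for a DB/cache: opaque token -> username. */
class TokenStore {
    private final Map<String, String> tokens = new ConcurrentHashMap<String, String>();
    private final SecureRandom random = new SecureRandom();

    /** Issues a fresh 256-bit random token (called by the /login handler, not shown). */
    String issue(String username) {
        byte[] raw = new byte[32];
        random.nextBytes(raw);
        String token = new BigInteger(1, raw).toString(16);
        tokens.put(token, username);
        return token;
    }

    String usernameFor(String token) { return tokens.get(token); }
}

/** Reads the token from the header; null means "no token", the request stays anonymous. */
class TokenPreAuthFilter extends AbstractPreAuthenticatedProcessingFilter {
    static final String HEADER = "X-Auth-Token";  // assumed header name

    @Override
    protected Object getPreAuthenticatedPrincipal(HttpServletRequest request) {
        String token = request.getHeader(HEADER);
        return (token == null || token.isEmpty()) ? null : token;
    }

    @Override
    protected Object getPreAuthenticatedCredentials(HttpServletRequest request) {
        return "N/A";  // the token is the principal; there is no separate credential
    }
}

/** Validates the token (the pre-authenticated principal) and loads the user behind it. */
class TokenUserDetailsService
        implements AuthenticationUserDetailsService<PreAuthenticatedAuthenticationToken> {
    private final TokenStore store;
    TokenUserDetailsService(TokenStore store) { this.store = store; }

    @Override
    public UserDetails loadUserDetails(PreAuthenticatedAuthenticationToken token)
            throws UsernameNotFoundException {
        String username = store.usernameFor((String) token.getPrincipal());
        if (username == null) {
            // Unknown token: the provider fails, the filter clears the context and lets the
            // request continue anonymously; the 403 entry point below then rejects it.
            throw new UsernameNotFoundException("unknown token");
        }
        return new User(username, "", Arrays.asList(new SimpleGrantedAuthority("ROLE_USER")));
    }
}

@Configuration
@EnableWebSecurity
public class TokenSecurityConfig extends WebSecurityConfigurerAdapter {

    @Bean public TokenStore tokenStore() { return new TokenStore(); }

    @Bean
    public PreAuthenticatedAuthenticationProvider preAuthProvider() {
        PreAuthenticatedAuthenticationProvider provider = new PreAuthenticatedAuthenticationProvider();
        provider.setPreAuthenticatedUserDetailsService(new TokenUserDetailsService(tokenStore()));
        return provider;
    }

    @Override
    protected void configure(AuthenticationManagerBuilder auth) {
        auth.authenticationProvider(preAuthProvider());
    }

    @Bean
    public TokenPreAuthFilter tokenFilter() throws Exception {
        TokenPreAuthFilter filter = new TokenPreAuthFilter();
        filter.setAuthenticationManager(authenticationManagerBean());
        return filter;
    }

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http.csrf().disable()                                          // no session cookie, so no CSRF surface
            .sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS).and()
            .addFilter(tokenFilter())                                   // pre-auth filter runs on every URL
            .exceptionHandling().authenticationEntryPoint(new Http403ForbiddenEntryPoint()).and()
            .authorizeRequests()
                .antMatchers("/login").permitAll()                      // assumed token issuance endpoint
                .anyRequest().authenticated();
    }
}
```

Unlike AbstractAuthenticationProcessingFilter, the pre-auth filter takes no URL pattern: it inspects every request and simply does nothing when getPreAuthenticatedPrincipal returns null, which is what the answer's first flow step relies on. Because the token is an unguessable 256-bit random value looked up server-side, it carries no signature and can be revoked by removing it from the store; the session policy is set to STATELESS so that a successful lookup is never cached in a server-side session.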