在RESTful API中存储身份验证令牌的位置?

时间:2014-03-04 06:52:17

标签: rest spring-security access-token

我想保护REST URL。为此,我决定采用基于令牌的身份验证。在那里,我如何创建具有过期时间的令牌,以及在哪里可以存储它以供以后验证令牌检查?

提前致谢。

This is my security.xml
<beans:beans xmlns="http://www.springframework.org/schema/security"
             xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
             xmlns:beans="http://www.springframework.org/schema/beans"
             xmlns:sec="http://www.springframework.org/schema/security"
             xmlns:context="http://www.springframework.org/schema/context"
             xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-3.1.xsd
                                 http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security-3.1.xsd http://www.springframework.org/schema/context http://www.springframework.org/schema/context/spring-context-3.1.xsd">
    <beans:import resource="applicationContext.xml"/>
    <http pattern="/jaxrs/employess/**" create-session="stateless"  entry-point-ref="myAuthenticationEntryPoint">
        <intercept-url pattern='/jaxrs/employess/**' /> 
            <custom-filter position="PRE_AUTH_FILTER" ref="myAuthenticationFilter" />
    </http>
    <beans:bean id="myAuthenticationEntryPoint" class="restservice.security.MyAuthenticationEntryPoint"/>
    <global-method-security secured-annotations="enabled" />
    <beans:bean id="myAuthenticationFilter" class="restservice.security.MyAuthenticationFilter">
        <beans:property name="authenticationManager" ref="authenticationManager"/>
    </beans:bean>
    <authentication-manager alias="authenticationManager">
        <authentication-provider ref="myAuthenticationProvider"/>
    </authentication-manager>
    <!--<beans:bean id="restTemplate" class="org.springframework.web.client.RestTemplate"/>-->
    <beans:bean id="restTemplate" class="org.springframework.web.client.RestTemplate">
        <!--  <beans:property name="errorHandler" ref="customErrorHandler" /> -->
    </beans:bean>
    <beans:bean id="myAuthenticationProvider" class="restservice.security.MyAuthenticationProvider" >
        <beans:property name="restTemplate" ref="restTemplate"/>
    </beans:bean>
  <!--   <beans:bean id="customErrorHandler" class="com.AuthenticationResponseErrorHandler"/> -->
</beans:beans>*

1 个答案:

答案 0 :(得分:1)

您不应将其存储在任何位置,因为这意味着在服务器上存储一些会话状态。

相反,令牌本身应该是带符号的编码字符串,其中包含识别用户所需的信息。您可以通过检查签名来验证其真实性。如果您需要使其过期,只需在签名前为其添加时间戳,并根据当前时间计算令牌年龄。

相关问题
最新问题