通过REST端点

时间:2015-04-22 10:01:55

标签: spring spring-mvc authentication spring-security spring-social

在使用RESTful webservices的Spring Boot应用程序中,我已将Spring Security与Spring Social和SpringSocialConfigurer一起配置。

现在我有两种身份验证/授权方式 - 通过用户名/密码和社交网络,例如Twitter。

为了在我的Spring MVC REST控制器中通过我自己的RESTful端点实现身份验证/授权,我添加了以下方法:

@RequestMapping(value = "/login", method = RequestMethod.POST)
public Authentication login(@RequestBody LoginUserRequest userRequest) {
    Authentication authentication = authenticationManager.authenticate(new UsernamePasswordAuthenticationToken(userRequest.getUsername(), userRequest.getPassword()));
    boolean isAuthenticated = isAuthenticated(authentication);
    if (isAuthenticated) {
        SecurityContextHolder.getContext().setAuthentication(authentication);
    }
    return authentication;
}

private boolean isAuthenticated(Authentication authentication) {
    return authentication != null && !(authentication instanceof AnonymousAuthenticationToken) && authentication.isAuthenticated();
}

但我不确定在成功/login端点调用后必须返回到客户端的确切内容。我认为返回完整的身份验证对象是多余的。

如果成功进行身份验证,应该将哪些内容返回给客户?

您能否告诉我如何正确实施此登录方法?

此外,在RESTfull登录的情况下,我将UsernamePasswordAuthenticationToken,如果通过Twitter登录,我将SocialAuthenticationToken是否可以在同一个应用程序中使用不同的令牌?

1 个答案:

答案 0 :(得分:3)

您可以通过覆盖SimpleUrlAuthenticationSuccessHandler

中的方法来配置成功验证时要返回的内容
public class CustomAuthenticationSuccessHandler extends SimpleUrlAuthenticationSuccessHandler {

    public CustomAuthenticationSuccessHandler() {
        super();
        setRedirectStrategy(new NoRedirectStrategy());
    }

    @Override
    public void onAuthenticationSuccess(HttpServletRequest request, HttpServletResponse response,
            Authentication authentication) throws IOException, ServletException {

        super.onAuthenticationSuccess(request, response, authentication);
        ObjectMapper mapper = new ObjectMapper();

        response.setContentType("application/json;charset=UTF-8");
        response.getWriter().print(mapper.writeValueAsString(objectToBereturned);
        response.getWriter().flush();
    }

    protected class NoRedirectStrategy implements RedirectStrategy {

        @Override
        public void sendRedirect(HttpServletRequest request, HttpServletResponse response, String url)
                throws IOException {
            // any redirect if required. leave the implementation black if not needed
        }

    }
}

此外,您还可以处理失败响应:

public class CustomAuthenticationFailureHandler extends SimpleUrlAuthenticationFailureHandler {
    @Override
    public void onAuthenticationFailure(HttpServletRequest request, HttpServletResponse response,
            AuthenticationException exception) throws IOException, ServletException {
        response.setStatus(HttpServletResponse.SC_UNAUTHORIZED);
    }
}