Token-based authorization for REST services using Spring Security + Spring Boot

Time: 2016-02-21 18:27:24

Tags: spring rest spring-mvc spring-security

I am building a REST service (Java / Spring) for a mobile application in which I have to handle authentication and authorization. For authentication I am using an external tool, but for role-based authorization I want to use Spring Security. The project uses Spring Boot + Spring Data JPA + Spring REST.
I made a sample project to get some hands-on experience with Spring Security, and after spending a few hours I was able to get it working somewhat, but I have some specific doubts.
A few classes from the sample:

    import javax.sql.DataSource;
    import org.springframework.beans.factory.annotation.Autowired;
    import org.springframework.context.annotation.ComponentScan;
    import org.springframework.context.annotation.Configuration;
    import org.springframework.http.HttpMethod;
    import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
    import org.springframework.security.config.annotation.method.configuration.EnableGlobalMethodSecurity;
    import org.springframework.security.config.annotation.web.builders.HttpSecurity;
    import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
    import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
    import org.springframework.security.config.http.SessionCreationPolicy;
    import org.springframework.security.web.authentication.www.BasicAuthenticationFilter;

    @Configuration
    @EnableWebSecurity
    @ComponentScan("com.ezetap.security")
    @EnableGlobalMethodSecurity(prePostEnabled = true, securedEnabled = true)
    public class SecurityConfig extends WebSecurityConfigurerAdapter {

        @Autowired DataSource dataSource;
        @Autowired CustomAuthenticationProvider authenticationProvider;
        @Autowired CustomerUserDetailService customerUserDetailService; // overrides loadUserByUsername

        // Register the custom provider with the AuthenticationManager
        @Override
        protected void configure(AuthenticationManagerBuilder auth) throws Exception {
            //auth.userDetailsService(customerUserDetailService);
            auth.authenticationProvider(authenticationProvider);
        }

        @Override
        protected void configure(HttpSecurity http) throws Exception {
            // Role check for the test endpoints; no HTTP session and no CSRF token (pure REST)
            http.authorizeRequests()
                .antMatchers(HttpMethod.GET, "/spring-security/test/**").hasRole("USER");
            http.sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS)
                .and().csrf().disable();

            // The header-token filter runs before Basic authentication
            http.addFilterBefore(new RestAuthenticationFilter(authenticationProvider, customerUserDetailService),
                    BasicAuthenticationFilter.class);
        }
    }


    import java.io.IOException;
    import javax.servlet.FilterChain;
    import javax.servlet.ServletException;
    import javax.servlet.ServletRequest;
    import javax.servlet.ServletResponse;
    import javax.servlet.http.HttpServletRequest;
    import javax.servlet.http.HttpServletResponse;
    import org.springframework.security.authentication.AuthenticationProvider;
    import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
    import org.springframework.security.core.context.SecurityContextHolder;
    import org.springframework.security.core.userdetails.UserDetails;
    import org.springframework.security.web.authentication.WebAuthenticationDetailsSource;
    import org.springframework.web.filter.GenericFilterBean;

    public class RestAuthenticationFilter extends GenericFilterBean {

        public static final String HEADER_SECURITY_TOKEN = "X-CustomToken";

        private CustomerUserDetailService authenticationService;
        private AuthenticationProvider authenticationProvider;

        public RestAuthenticationFilter() {
        }

        public RestAuthenticationFilter(CustomerUserDetailService customerUserDetailService) {
            this.authenticationService = customerUserDetailService;
        }

        public RestAuthenticationFilter(AuthenticationProvider authenticationProvider,
                CustomerUserDetailService customerUserDetailService) {
            this.authenticationProvider = authenticationProvider;
            this.authenticationService = customerUserDetailService;
        }

        @Override
        public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
                throws IOException, ServletException {
            HttpServletRequest request = (HttpServletRequest) req;
            HttpServletResponse response = (HttpServletResponse) res;
            // Placeholder check: the header value is compared against a fixed string for the sample
            if ("test".equalsIgnoreCase(request.getHeader(HEADER_SECURITY_TOKEN))) {
                UserDetails userDetails = authenticationService.loadUserByUsername(""); // assume this is working
                UsernamePasswordAuthenticationToken authentication =
                        new UsernamePasswordAuthenticationToken(userDetails, null, userDetails.getAuthorities());
                authentication.setDetails(new WebAuthenticationDetailsSource().buildDetails(request));
                // Populate the security context so the role checks downstream see the authenticated user
                SecurityContextHolder.getContext().setAuthentication(authentication);
                chain.doFilter(request, response);
            } else {
                response.sendError(HttpServletResponse.SC_UNAUTHORIZED, "Authorization failed");
                //response.getWriter().append("Access denied");
            }
        }
    }
  1. I have to use token-based authorization in the header. What is the correct way to generate a token, then encrypt it and send it to the browser, which then uses it for all requests?

  2. Is there any Spring service that generates and persists tokens, or do I have to do it manually: generate the token, store it somewhere, and then evict it periodically?

  3. I should also be able to fetch all tokens, invalidate a specific token, or other token-related services.

    Also, please tell me whether the approach I am following is correct or whether there are other things to consider. This is purely for REST services, so there is no state or session. Due to complexity and time constraints, I don't want to use Spring OAuth.
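One way to cover questions 1 to 3 above (issuing, persisting and revoking tokens) without Spring OAuth, as an added example that is not part of the question or its project: a small `TokenStore` that the filter can consult instead of comparing the header to a fixed string. The class name, the 32-byte token size and the in-memory map are assumptions; in a deployment the map would be replaced by a JPA repository.

```java
import java.security.SecureRandom;
import java.time.Instant;
import java.util.Base64;
import java.util.Map;
import java.util.Optional;
import java.util.concurrent.ConcurrentHashMap;

/** Opaque bearer tokens with expiry and revocation (example class, not part of the question's project). */
public class TokenStore {
    private static final SecureRandom RNG = new SecureRandom();
    private final Map<String, Entry> tokens = new ConcurrentHashMap<>();
    private final long ttlSeconds;

    public TokenStore(long ttlSeconds) { this.ttlSeconds = ttlSeconds; }

    public static final class Entry {
        public final String username;
        public final Instant expiresAt;
        Entry(String username, Instant expiresAt) { this.username = username; this.expiresAt = expiresAt; }
    }

    /** Issue a token: 256 random bits from SecureRandom, URL-safe base64, tied to a user and a deadline. */
    public String issue(String username) {
        byte[] raw = new byte[32];
        RNG.nextBytes(raw);
        String token = Base64.getUrlEncoder().withoutPadding().encodeToString(raw);
        tokens.put(token, new Entry(username, Instant.now().plusSeconds(ttlSeconds)));
        return token;
    }

    /** Return the owner if the token is known and unexpired; an expired token is evicted on lookup. */
    public Optional<String> validate(String token) {
        if (token == null) return Optional.empty();
        Entry e = tokens.get(token);
        if (e == null) return Optional.empty();
        if (e.expiresAt.isBefore(Instant.now())) { tokens.remove(token); return Optional.empty(); }
        return Optional.of(e.username);
    }

    /** Invalidate one token (logout) or every token of a user (password change, compromise). */
    public void revoke(String token) { tokens.remove(token); }

    public void revokeAllFor(String username) {
        tokens.entrySet().removeIf(en -> en.getValue().username.equals(username));
    }

    /** Periodic eviction, e.g. from a @Scheduled method. */
    public void evictExpired() {
        Instant now = Instant.now();
        tokens.entrySet().removeIf(en -> en.getValue().expiresAt.isBefore(now));
    }
}
```

In the filter, `tokenStore.validate(request.getHeader(HEADER_SECURITY_TOKEN))` replaces the `"test"` comparison, and the returned username is what `loadUserByUsername` receives; the raw token is sent to the client over TLS and never stored anywhere else.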

0 answers:

No answers