基于Spring Security Header的身份验证

时间:2017-02-19 13:36:07

标签: java security spring-security

默认情况下,Spring Security 通过向会话添加 JSESSIONID cookie 来工作。我使用过、也见过许多基于请求头(header)的方式来达到同样的效果(通常借助一两个过滤器)。但我觉得这应该是可以直接在配置中设置的东西,形式类似于:

config.setTokenLocation(TokenLocationEnum.HEADER)
config.setTokenName("Bearer")

config.setTokenLocation(TokenLocationEnum.COOKIE)
config.setTokenName("JSESSIONID")

我想尝试自己实现这一点,但首先想知道是否有人对这个想法有异议,以及它为什么尚未被实现。

谢谢

1 个答案:

答案 0 :(得分:1)

您可以根据需要配置 Spring Security。基于 JSESSIONID 的会话管理只是开箱即用的默认方式。例如,如果要使用 Bearer OAuth 2.0 令牌,则需要配置一个授权服务器(Authorization Server)。下面是我一个项目中的配置示例:

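/**
 * OAuth 2.0 authorization server configuration that issues JWT access tokens signed
 * with a key pair loaded from a keystore.
 *
 * <p>Every security-relevant value (client id/secret, grant types, scopes, token
 * validity windows, keystore location and passwords) is read from
 * {@code InGridSecurityProperties}; nothing is hard-coded in this class.
 */
@EnableAuthorizationServer
public class AuthorizationServerConfig extends AuthorizationServerConfigurerAdapter
{
    private final AuthenticationManager authenticationManager;

    private final InGridSecurityProperties inGridSecurityProperties;

    // Declared so the constructor assignment compiles; the original listing assigned this
    // field without declaring it. It is not read anywhere in this class.
    private final GoogleConnectionFactory connectionFactory;

    /**
     * @param authenticationManager   manager used by the token endpoint to authenticate
     *                                resource owners (password grant etc.)
     * @param inGridSecurityProperties externalized client and JWT key material settings
     * @param connectionFactory       injected but currently unused by this configuration
     */
    @Autowired
    public AuthorizationServerConfig(AuthenticationManager authenticationManager,
                                     InGridSecurityProperties inGridSecurityProperties,
                                     GoogleConnectionFactory connectionFactory) {
        this.authenticationManager = authenticationManager;
        this.inGridSecurityProperties = inGridSecurityProperties;
        this.connectionFactory = connectionFactory;
    }

    /**
     * Registers the single trusted OAuth client from configuration.
     *
     * @param clients in-memory client registry to populate
     * @throws Exception propagated from the configurer
     */
    @Override
    public void configure(ClientDetailsServiceConfigurer clients) throws Exception
    {
        // NOTE(review): on Spring Security 5+ the client secret must be stored in the form the
        // configured PasswordEncoder expects (encoded, or with an encoder-id prefix); confirm
        // against the version in use.
        clients.inMemory()
                        .withClient( inGridSecurityProperties.getClientId() )
                        .secret( inGridSecurityProperties.getClientSecret() )
                        .authorities( "ROLE_TRUSTED_CLIENT" )
                        .authorizedGrantTypes( inGridSecurityProperties.getGrantTypes() )
                        .scopes( inGridSecurityProperties.getClientScope() )
                        // Both validity windows come from configuration so they can be
                        // tightened per environment without a code change.
                        .accessTokenValiditySeconds(
                                        inGridSecurityProperties.getAccessTokenValiditySeconds() )
                        .refreshTokenValiditySeconds(
                                        inGridSecurityProperties.getRefreshTokenValiditySeconds() );
    }

    /**
     * Sets access rules for the token-key and check-token endpoints.
     *
     * @param security endpoint security configurer
     * @throws Exception propagated from the configurer
     */
    @Override
    public void configure(AuthorizationServerSecurityConfigurer security) throws Exception
    {
        // The token verification key is exposed to anonymous callers. That is acceptable only
        // because the key pair below is asymmetric, so the published key is the public half;
        // the private signing key never leaves this server.
        security.tokenKeyAccess( "isAnonymous() || hasAuthority('ROLE_TRUSTED_CLIENT')" )
                        // Token introspection stays restricted to the trusted client.
                        .checkTokenAccess( "hasAuthority('ROLE_TRUSTED_CLIENT')" );
    }

    /**
     * Wires the token endpoint to the authentication manager and the JWT store/converter.
     *
     * @param endpoints endpoint configurer
     * @throws Exception propagated from the configurer
     */
    @Override
    public void configure(AuthorizationServerEndpointsConfigurer endpoints)
                    throws Exception
    {
        // NOTE(review): jwtTokenStore() is not defined in this listing; presumably a bean
        // elsewhere that wraps jwtAccessTokenConverter() — confirm it exists.
        endpoints
                        .authenticationManager( authenticationManager )
                        .tokenStore( jwtTokenStore() )
                        .tokenEnhancer( jwtAccessTokenConverter() );
    }

    /**
     * Builds the converter that signs and verifies JWT access tokens.
     *
     * <p>The key pair is loaded from a keystore on the classpath, using the keystore
     * password, key alias and key password from configuration.
     *
     * @return converter configured with the signing/verification key pair
     */
    @Bean
    public JwtAccessTokenConverter jwtAccessTokenConverter()
    {
        JwtAccessTokenConverter converter = new JwtAccessTokenConverter();
        // NOTE(review): ClassPathResource means the keystore — including the private signing
        // key — ships inside the application artifact; confirm that is intended for the
        // deployment rather than loading it from an external, access-controlled location.
        KeyStoreKeyFactory keyFactory = new KeyStoreKeyFactory(
                        new ClassPathResource( inGridSecurityProperties.getJwtKeyStore() ),
                        inGridSecurityProperties.getJwtKeyStorePassword().toCharArray() );
        KeyPair keyPair = keyFactory.getKeyPair( inGridSecurityProperties.getJwtKeyPairAlias(),
                                                 inGridSecurityProperties.getJwtKeyPairPassword().toCharArray() );
        converter.setKeyPair( keyPair );
        return converter;
    }
}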

您可以在Spring Security文档中找到更多信息:http://docs.spring.io/spring-security/site/docs/current/reference/