I have two Spring Boot applications. The backend part has access to the database and serves as both the REST API and the admin panel. The frontend part uses the REST API to display information to clients.
So I have a problem configuring security for the client part (frontend) and the admin panel; authorization is implemented via sessions. Previously, authorization for the client part was implemented via JWT tokens, but I don't really understand how to store the token for each individual client, or how to use the token when sending requests to the REST API.
Here is my security configuration:
    import org.springframework.beans.factory.annotation.Autowired;
    import org.springframework.beans.factory.annotation.Qualifier;
    import org.springframework.context.annotation.Bean;
    import org.springframework.context.annotation.ComponentScan;
    import org.springframework.context.annotation.Configuration;
    import org.springframework.core.annotation.Order;
    import org.springframework.security.authentication.dao.DaoAuthenticationProvider;
    import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
    import org.springframework.security.config.annotation.web.builders.HttpSecurity;
    import org.springframework.security.config.annotation.web.builders.WebSecurity;
    import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
    import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
    import org.springframework.security.config.http.SessionCreationPolicy;
    import org.springframework.security.core.userdetails.UserDetailsService;
    import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
    import org.springframework.security.crypto.password.PasswordEncoder;
    import org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter;
    import org.springframework.security.web.util.matcher.AntPathRequestMatcher;
    // JwtAuthenticationTokenFilter and customUserDetailsService are the application's own
    // classes (picked up by the component scan below); they are not shown in the question.

    @Configuration
    @EnableWebSecurity
    @ComponentScan(basePackages = "kg.nurtelecom.cashbackapi")
    public class SecurityConfig {

        // One shared encoder. The original also declared a second PasswordEncoder bean inside
        // AdminSecurityConfig, which makes any @Autowired PasswordEncoder injection ambiguous.
        @Bean
        public PasswordEncoder passwordEncoder() {
            return new BCryptPasswordEncoder();
        }

        // Chain 1: stateless JWT for /api/**. Evaluated first because of @Order(1); a request
        // that does not match /api/** falls through to the admin chain below.
        @Configuration
        @Order(1)
        public static class RestApiSecurityConfig extends WebSecurityConfigurerAdapter {

            @Autowired
            private JwtAuthenticationTokenFilter jwtAuthFilter;

            @Override
            protected void configure(HttpSecurity http) throws Exception {
                http
                    .antMatcher("/api/**")
                    // no cookie session here, so CSRF protection is not needed on this chain
                    .csrf().disable()
                    .sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS)
                    .and()
                    .authorizeRequests()
                        .antMatchers("/api/authenticate").permitAll()
                        // the original had permitAll() for /api/** as well, which made the JWT
                        // filter a no-op: nothing ever required an authenticated request
                        .anyRequest().authenticated()
                    .and()
                    .addFilterBefore(jwtAuthFilter, UsernamePasswordAuthenticationFilter.class);
            }
        }

        // Chain 2: session + form login for the admin panel (everything outside /api/**).
        @Configuration
        @Order(2)
        public static class AdminSecurityConfig extends WebSecurityConfigurerAdapter {

            @Autowired
            @Qualifier("customUserDetailsService")
            private UserDetailsService userDetailsService;

            @Autowired
            private PasswordEncoder passwordEncoder;

            @Autowired
            public void configureGlobalSecurity(AuthenticationManagerBuilder auth) {
                auth.authenticationProvider(authenticationProvider());
            }

            @Bean
            public DaoAuthenticationProvider authenticationProvider() {
                DaoAuthenticationProvider authenticationProvider = new DaoAuthenticationProvider();
                authenticationProvider.setUserDetailsService(userDetailsService);
                authenticationProvider.setPasswordEncoder(passwordEncoder);
                return authenticationProvider;
            }

            @Override
            protected void configure(HttpSecurity http) throws Exception {
                http
                    .authorizeRequests()
                        // first matching rule wins, so the open /login rule has to come before
                        // the catch-all (the original listed "/**" first)
                        .antMatchers("/login").permitAll()
                        .anyRequest().authenticated()
                    .and()
                    .formLogin()
                        .usernameParameter("username")
                        .passwordParameter("password")
                        .loginPage("/login")
                        .failureUrl("/login?error")
                        .permitAll()
                    .and()
                    .logout()
                        .logoutRequestMatcher(new AntPathRequestMatcher("/logout"))
                        .logoutSuccessUrl("/login");
                // CSRF stays enabled on this chain: it authenticates with a session cookie.
            }

            @Override
            public void configure(WebSecurity web) throws Exception {
                web.ignoring().antMatchers("/resources/**", "/static/**", "/assets/**", "/css/**", "/js/**");
            }
        }
    }
So, is it possible to configure authorization between two Spring Boot applications using JWT tokens?
Answer 0 (score: 0)
You have to request it when you need it, for example when the previous one has expired, and once you have it you must store it somewhere on the client side,
for example in local storage or a cookie, so that whenever you need to call the backend you can attach it to the request in the Authorization header.