Securing REST API with Security REST plugin

I'm building a decision support tool in GRAILS for the room scheduling at my highschool. I'm using Spring Security and I want to secure the REST api. I've found very little information on the proper way to do this. However I've been looking at the Spring Security REST plugin.

The documentation is not very clear to me, does anyone have a working example/tutorial using this plugin?

Suggestions on how to implement this would be great.

I am just reading out the sequence diagram loud for you. I am working on a sample app using this plugin (and AngularJS on the client side) and will be releasing it soon (probably tonight).

Here are the steps:

  • Client requests a REST resource using any HTTP method.
  • Server responds to the client's request with a 401 (unauthorized).
  • Client (on receiving a 401) redirects the user to a login page to provide username and password. (Remember Spring Security Core plugin)
  • User provides username and password. (Meaning the client should issue a POST request hitting /api/login, provided by the Spring Security REST plugin, with a request body/request param containing the user details.)
  • Server, on receiving the user info, does 4 tasks:
    • Validate user.
    • Generate a token (provided by the Spring Security REST plugin by default).
    • Store the token (either in memcache or GORM specified domain classes).
    • Return the token to the callee (client).
  • On receiving the generated token from the server, the client stores it in any local storage and uses it for further API calls for that particular user.
  • Every time an API is hit for any resource, the token is passed in the header as X-Auth-Token (default) instead of passing Basic Auth every time.

Therefore, you end up with token based validation for the REST endpoints. Go through the plugin's FAQ for more answers.

The author will be releasing the latest version of the plugin (1.3.0) very soon and you will find some updates in the documentation.

I have just touched the basic functionality of this plugin right now, but it has the flexibility to handle more than just generating tokens. For example, delegating auth to OAuth providers. I will update the link to the aforementioned sample app in this answer as soon as I push it to github.

UPDATE:
Sample App
