如何为基于Spring的Rest API和静态内容增加安全性
[英]How to add security to spring based rest api's and static content
问题描述
I have a web application + a set of rest APIs created with spring. 
我有一个Web应用程序+一组用spring创建的rest API。 It is essentially some html pages sending ajax requests to the rest server. 从本质上讲,这是一些将ajax请求发送到其余服务器的html页面。 The structure looks somewhat like this: 结构看起来像这样:
myWebapp -> src/main/webapp/public (public pages) myWebapp-> src / main / webapp / public(公共页面)
myWebapp -> src/main/webapp/resources (non - public pages, available only after login) myWebapp-> src / main / webapp / resources(非公共页面,仅在登录后可用)
I need to secure some of the static content (non-public above) and the rest APIs (Preferably with LDAP, but that's not important). 我需要保护一些静态内容(上述非公开内容)和其余API(最好使用LDAP,但这并不重要)。 How do i configure the filters and/or spring security intercepts so that: 如何配置过滤器和/或Spring安全性拦截器,以便:
- Same credentials work for both static content and rest calls. 静态内容和剩余呼叫都使用相同的凭据。
- User can login via a login page, and for further rest calls uses some token or something returned from server. 用户可以通过登录页面登录,并且要进行进一步的休息,请使用一些令牌或从服务器返回的内容。
I have checked spring security schemes for rest API's and also found some resources on securing static content, but not able to figure out how to fit this together as above. 我已经检查了其余API的spring安全性方案,还发现了一些用于保护静态内容的资源,但是无法像上面那样弄清楚如何将其组合在一起。
1 个解决方案
解决方案1
1 已采纳 2016-01-29 23:01:08
I guess you want to have two sets of resources. 我想您想拥有两组资源。 One of them is open for public access and available at, say, /public context and the other is protected and available at /protected . 其中一个是开放供公众访问的,并且可以在/public上下文中使用,而另一个是受保护的,并且可以在/protected 。
First, you should create some Resource Handlers in your Web Configuration : 首先,您应该在Web Configuration创建一些Resource Handlers :
@EnableWebMvc
@Configuration
public class WebConfig extends WebMvcConfigurerAdapter {
// other stuffs
@Override
public void addResourceHandlers(ResourceHandlerRegistry registry) {
registry.addResourceHandler("/public/**").addResourceLocations("classpath:/public/");
registry.addResourceHandler("/protected/**").addResourceLocations("classpath:/resources/");
}
}
This way all the static contents in /public directory will be served at /public/** endpoint and /protected/** endpoint will serve files in the /resources directory. 这样, /public目录中的所有静态内容都将在/public/**端点处提供,而/protected/**端点将在/resources目录中提供文件。
Then you should configure Spring Security in order to protect /protected/** endpoint: 然后,您应该配置Spring Security以保护/protected/**端点:
@Configuration
@EnableWebSecurity
public class SecurityConfig extends WebSecurityConfigurerAdapter {
// other stuffs
@Override
protected void configure(HttpSecurity http) throws Exception {
http
.authorizeRequests()
.antMatchers("/public/**").permitAll()
.antMatchers("/protected/**").authenticated()
.anyRequest().authenticated();
}
}
Update For REST endpoints you can either use same the matchers or have finer grain control with Method Level Security . 更新对于REST端点,您可以使用相同的匹配器,也可以通过“ Method Level Security进行更精细的控制。 In order to enable method level security, add @EnableGlobalMethodSecurity(prePostEnabled = true) to your SecurityConfig . 为了启用方法级别的安全性,将@EnableGlobalMethodSecurity(prePostEnabled = true)到SecurityConfig 。 Then you can use PrePost annotations on hanlder methods, like following: 然后,您可以在hanlder方法上使用PrePost批注,如下所示:
@RestController
@RequestMapping("/greet")
public class GreetingService {
// it's a public rest endpoint
@PreAuthorize("permitAll()")
@RequestMapping("/public")
public void doGreetToPublicUsers() {...}
// it's a protected rest endpoint
@PreAuthorize("isAuthenticated()")
@RequestMapping("/protected")
public void doGreetToProtectedUsers() {...}
// it's a role protected rest endpoint
@PreAuthorize("hasRole('ROLE_ADMIN')")
@RequestMapping("/admin")
public void justForAdmin() {...}
}
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.