
Is Spring Security OAuth2 with JWT really stateless?

I am trying to set up a REST API with Spring. For securing it I currently play around with Spring Security OAuth2 with JWT tokens. My REST API application will be AuthorizationServer and ResourceServer both in one.

My problem is now that tokens, once generated, are not valid anymore after a restart of my REST API application. Same when I run 2 instances of it: tokens that are generated and valid on one of them are not valid on the other.

I figured out that the implementation of the JwtAccessTokenConverter is generating a signingKey/verifierKey randomly on startup. This of course explains my observations, but leaves me with the question: how can this be stateless?

Please correct me if my thoughts here are wrong, or maybe I missed some important detail. But to me right now this behavior seems to defeat the purpose of JWT.

Thanks for the answers so far, but I just figured it out myself.

The randomly generated signing/verifier key is just a default that should probably not be used. Unfortunately this is not really documented. I now set those keys manually on startup. The result is that my tokens are valid on all my REST API instances and are also still valid after a reboot.

I guess the random value is more a "secure default" so that people are not accidentally using the same known key.
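As an added illustration of the fix described in the answer (example code, not the asker's own), the following Spring configuration takes the JWT signing key from an externalized property instead of the random per-startup default, so every instance of the combined authorization/resource server signs and verifies the same tokens. It assumes the legacy spring-security-oauth2 `JwtAccessTokenConverter`/`JwtTokenStore` API and a property named `jwt.signing-key` supplied from the environment (a hypothetical name).

```java
// Added example: externalize the JWT signing key so tokens survive restarts and
// are accepted by every instance. Assumes spring-security-oauth2 (legacy) and a
// "jwt.signing-key" property (hypothetical name) injected from the environment.
import org.springframework.beans.factory.annotation.Value;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.oauth2.provider.token.TokenStore;
import org.springframework.security.oauth2.provider.token.store.JwtAccessTokenConverter;
import org.springframework.security.oauth2.provider.token.store.JwtTokenStore;

@Configuration
public class JwtKeyConfig {

    // Supplied by the deployment, e.g. JWT_SIGNING_KEY=<long random secret>.
    // Never hard-code it in source; all instances must receive the same value.
    @Value("${jwt.signing-key:}")
    private String signingKey;

    @Bean
    public JwtAccessTokenConverter accessTokenConverter() {
        if (signingKey == null || signingKey.length() < 32) {
            // Fail fast rather than silently falling back to the random default,
            // which is exactly what makes tokens die on restart.
            throw new IllegalStateException(
                "jwt.signing-key must be set to a secret of at least 32 characters");
        }
        JwtAccessTokenConverter converter = new JwtAccessTokenConverter();
        // Symmetric (HMAC) key: the same value signs on issue and verifies on
        // every request, so issue and verification can happen on any instance.
        converter.setSigningKey(signingKey);
        return converter;
    }

    @Bean
    public TokenStore tokenStore(JwtAccessTokenConverter converter) {
        // JwtTokenStore keeps nothing server-side: all token state lives in the
        // signed JWT itself, which is what makes the setup stateless.
        return new JwtTokenStore(converter);
    }
}
```

Wire both beans into the authorization server with `endpoints.tokenStore(tokenStore).accessTokenConverter(converter)` and into the resource server with `resources.tokenStore(tokenStore)`; for separate issuer and verifier deployments, `setKeyPair(...)` with an RSA key pair lets resource servers hold only the public key.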
