Spring Security OAuth2 JWT 匿名令牌
[英]Spring Security OAuth2 JWT anonymous token
问题描述
What I Did
我做了什么
First I accept that I am lacking in spring security knowledge.首先,我承认我缺乏 spring 安全知识。
I am trying secure rest services for one of our product.我正在尝试为我们的一种产品提供安全休息服务。 I am using spring security OAuth2 JWT.我正在使用 Spring Security OAuth2 JWT。 I want to allow anonymous as well as registered users to access my resources.我想允许匿名用户和注册用户访问我的资源。
Suppose I have one service " http://localhost:8282/melayer/articles " and when I run following command假设我有一项服务“ http://localhost:8282/melayer/articles ” ,当我运行以下命令时
(1). (1). curl -X POST -vu melayer:12345 http://localhost:8282/melayer/oauth/token -H "Accept: application/json" -d "password=melayer&username=melayer&grant_type=password&scope=write&client_secret=12345&client_id=melayer" curl -X POST -vu melayer:12345 http://localhost:8282/melayer/oauth/token -H "Accept: application/json" -d "password=melayer&username=melayer&grant_type=password&scope=write&client_secret=12345&client_id=melayer"
I am able to receive access_token, refresh_token etc. Everything works fantastic, even I can access url http://localhost:8282/melayer/articles with received acces_token我能够接收 access_token、refresh_token 等。一切都很棒,即使我可以使用收到的 acces_token 访问 url http://localhost:8282/melayer/articles
(2). (2). curl http://localhost:8282/melayer/articles -H "Authorization: Bearer eyJhbGciOiJIUzI1NiJ9.eyJleHAiOjE0NjA3NzY5NDIsInVzZXJfbmFtZSI6ImVjb2tyeXB0IiwianRpIjoiNWI5ZmE4NjYtMTBlNS00NDA2LTgxYmMtYjM3NWVmNGE0ZmQ1IiwiY2xpZW50X2lkIjoiZWNva3J5cHQiLCJzY29wZSI6WyJ3cml0ZSJdfQ.4jO9euBz4TSSNh7M3l2YBD1QPblE0ZyOfGm4VtyFMFY"卷曲的http://本地主机:8282 / melayer /篇-H “授权:承载eyJhbGciOiJIUzI1NiJ9.eyJleHAiOjE0NjA3NzY5NDIsInVzZXJfbmFtZSI6ImVjb2tyeXB0IiwianRpIjoiNWI5ZmE4NjYtMTBlNS00NDA2LTgxYmMtYjM3NWVmNGE0ZmQ1IiwiY2xpZW50X2lkIjoiZWNva3J5cHQiLCJzY29wZSI6WyJ3cml0ZSJdfQ.4jO9euBz4TSSNh7M3l2YBD1QPblE0ZyOfGm4VtyFMFY”
What I want to understand我想了解什么
I want to receive access_token anonymously ie I dont want to pass user name, password or client secret, I want to run curl command in following way我想匿名接收 access_token 即我不想传递用户名、密码或客户端机密,我想以下列方式运行 curl 命令
curl -X POST http://localhost:8282/melayer/oauth/token -H "Accept: application/json" curl -X POST http://localhost:8282/melayer/oauth/token -H "Accept: application/json"
My one of the concern is, I want access_token with or without user credentials I am trying to achieve this from last week, Am I missing something ?我担心的一个问题是,我想要使用或不使用用户凭据的 access_token 我试图从上周开始实现这一目标,我错过了什么吗? is it possible ?是否可以 ? what is correct way to do this ?这样做的正确方法是什么?
It is kind request to help me on this :)在这方面帮助我是一种善意的请求:)
If anyone want to see my code please refer Git repo https://github.com/aniruddhha/spring-security-oauth2-jwt如果有人想看我的代码,请参考 Git repo https://github.com/aniruddhha/spring-security-oauth2-jwt
1 个解决方案
解决方案1
1 2016-04-20 04:08:04
I think you Misunderstood the access token concept, access tokens are meant to be used on behalf of authenticated user.我认为您误解了访问令牌的概念,访问令牌旨在代表经过身份验证的用户使用。
OAuth2 supports different grants types (password, authorization_code, etc) , check the spec Oauth2 Spec OAuth2 支持不同的授权类型(密码、授权码等),请查看规范Oauth2 Spec
In order to authenticate used you can use any one of those grants or could create your own (eg: login with Google token ) but you must send some form of user credentials to identify the user and the client credentials to identify the client.为了进行身份验证,您可以使用这些授权中的任何一种,也可以创建自己的授权(例如:使用 Google 令牌登录),但您必须发送某种形式的用户凭据来识别用户,并发送客户端凭据来识别客户端。
Access token cannot be used as some kind of ApiKey used to access public api访问令牌不能用作某种用于访问公共 api 的 ApiKey
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.