简体繁体 English

如何在具有AngularJS UI和带有Spring Security的Spring Boot Rest Server的应用程序中对最终用户进行身份验证

[英]How to authenticate end users in an app having AngularJS UI and Spring Boot Rest Server with Spring Security

原文 2016-08-04 07:51:32 3 1 angularjs/ spring

I have two apps. 我有两个应用。

Front end - AngularJS website running on localhost:9000 and getting data from rest service (database) 前端-AngularJS网站在localhost:9000上运行，并从rest服务（数据库）获取数据

Back end - Spring Boot Rest Service localhost:8080 后端-Spring Boot Rest Service localhost:8080

How to create authenticate process for this two app? 如何为这两个应用程序创建身份验证过程？ Login from (user, password). 从（用户名，密码）登录。 I reading some tutorials on spring website, but front end are build in spring project on the /resouce folder, not separated. 我在spring网站上阅读了一些教程，但是前端是在/resouce文件夹中的spring项目中构建的，没有分开。

1 个解决方案

There are a couple of things you need to keep in mind if you are setting up your app the way you want to. 如果要按照自己的方式设置应用，则需要牢记一些注意事项。

What kind of authentication mechanism do you want? 您想要哪种身份验证机制？ For rest services Basic and oAuth2 are most common. 对于休息服务，Basic和oAuth2最常见。

With Basic auth you would send authorization header in each request. 使用基本身份验证，您将在每个请求中发送授权标头。

Each request will perform authentication all over again. 每个请求将再次执行身份验证。
There is no state between client and server 客户端和服务器之间没有状态
Https is mandatory if you use basic auth. 如果您使用基本身份验证，则Https是必需的。

With oAuth2 first you need to send basic authentication request to end point your.app/oauth/token? 首先使用oAuth2，您需要发送基本身份验证请求以结束您的.app / oauth / token？ --- parameters ---参数

Response will contain access_token": "CQPt2VR2HJuCY3mb0xA1BVMyDltgvnpf6N2CXdsds3423YkGQID7VO-Mmu4idymlz" 响应将包含access_token": "CQPt2VR2HJuCY3mb0xA1BVMyDltgvnpf6N2CXdsds3423YkGQID7VO-Mmu4idymlz"

Which you then include in every request with bearer token : Authorization Bearer CQPt2VR2HJuCY3mb0xA1BVMyDltgvnpf6N2CXVPXkaewYkGQID7VO-Mmu4idymlz 然后，您将其包含在带有承载令牌的每个请求中： Authorization Bearer CQPt2VR2HJuCY3mb0xA1BVMyDltgvnpf6N2CXVPXkaewYkGQID7VO-Mmu4idymlz

access_token has an expiration time. access_token具有到期时间。 You can also send refresh_token which has longer expiration time. 您也可以发送更新时间较长的refresh_token。
There is no state between client and server 客户端和服务器之间没有状态
For smaller applications oAuth2 is too complicated and basic will suffice. 对于较小的应用程序，oAuth2太复杂了，基本就足够了。

This is just an overview of common authentication methods. 这只是常见身份验证方法的概述。 There are a lot of implementation tutorials. 有很多实现教程。 Example : https://spring.io/guides/tutorials/spring-boot-oauth2/ and http://www.baeldung.com/rest-api-spring-oauth2-angularjs 示例： https ： //spring.io/guides/tutorials/spring-boot-oauth2/和http://www.baeldung.com/rest-api-spring-oauth2-angularjs

One thing to keep in mind is you will need to setup CORS filter. 要记住的一件事是，您将需要设置CORS过滤器。 If you run your service and client on different ports. 如果您在不同的端口上运行服务和客户端。 For starters annotate methods you want to use with @CrossOrigin(origins = "http://localhost:9000") You can of course register global cors filter. 对于初学者来说，注释您要与@CrossOrigin(origins = "http://localhost:9000")一起使用的方法，您当然可以注册全局cors过滤器。