Rest API中的Spring Security
[英]Spring Security in Rest API
问题描述
I have problem to choose security type to our REST API. 
我在选择REST API的安全性类型时遇到问题。 Firstly I describe a problem. 首先,我描述一个问题。 There is an application which will be using this REST API. 有一个应用程序将使用此REST API。 This application has front end and back end side. 该应用程序具有前端和后端。 It implements spring security with library spring-security-oauth2 and spring-boot-starter-security. 它通过库spring-security-oauth2和spring-boot-starter-security实现了弹簧安全性。 It uses JWT and will be on AWS. 它使用JWT,并将在AWS上。 It will be using tokens from AWS. 它将使用来自AWS的令牌。 This application will be using rest service which extracts data from another database. 该应用程序将使用rest服务,该服务从另一个数据库提取数据。
I would like to use in REST API spring security oauth2 and JWT but this REST API will be deployed on the old JBOSS 4.2 with JAVA 1.5 (it can't be changed unfortunately with java 1.5, it is restriction which I got). 我想在REST API春季安全性oauth2和JWT中使用,但是此REST API将在具有JAVA 1.5的旧JBOSS 4.2上部署(不幸的是,在Java 1.5中无法更改,这是我得到的限制)。 Spring security oauth2 as I checked uses 1.6 and above versions. 我检查过的Spring security oauth2使用1.6及更高版本。 And my question is this, can someone advise me what to use in REST API for security purpose? 我的问题是,有人可以建议我出于安全目的在REST API中使用什么吗?
In future this REST API could be used by different apllications. 将来,该REST API可能会被不同的应用程序使用。 I would like to use something safer than basic authentication. 我想使用比基本身份验证更安全的方法。 I searched for solution but nothing meaningful and useful I found. 我在寻找解决方案,但没有发现任何有意义和有用的东西。 I would like to ask for opinion who uses spring security. 我想征询谁使用Spring Security的意见。
EDIT : 编辑 :
I decided to use Basic Authentication with in memory user and password hold. 我决定在内存用户和密码保持中使用基本身份验证。 I added two classes to implementation: 我为实现添加了两个类:
@Configuration
@EnableWebSecurity
public class SecurityConfiration extends WebSecurityConfigurerAdapter {
@Autowired
public void configureGlobal(AuthenticationManagerBuilder auth) throws Exception {
auth
.inMemoryAuthentication()
.withUser("user").password("password").roles("USER");
}
protected void configure(HttpSecurity http) throws Exception {
http.authorizeRequests()
.anyRequest().authenticated()
.and()
.httpBasic();
}
}
Second class: 第二类:
public class SecurityApplicationInitializer extends AbstractSecurityWebApplicationInitializer {
public SecurityApplicationInitializer() {
super(SecurityConfiration.class);
}
}
Basically that is it. 基本上就是这样。 It doesn't work. 没用 Calling rest api works fine and results are showing. 调用rest api可以正常工作,并且显示结果。 401 not working. 401无法正常工作。 Did I forget about something? 我忘了什么吗? Moreover I don't want to use redirecting to login or showing window with credentials to enter. 此外,我不想使用重定向登录或显示带有凭据的窗口。 I want sent in body or header information with error or message. 我要发送带有错误或消息的正文或标题信息。 Can I override something to do that? 我可以覆盖一些东西来做到这一点吗?
Environment: deploying on Jboss 4.2 (Java 1.5), and Spring Security 3.2.10. 环境:部署在Jboss 4.2(Java 1.5)和Spring Security 3.2.10上。
1 个解决方案
解决方案1
0 已采纳 2017-07-02 13:51:10
This might not be the answer you are looking for, but here is suggestion : 这可能不是您要找的答案,但这是建议:
Don't confine yourself in thinking "what kind of framework should I use". 不要只局限于思考“我应该使用哪种框架”。 In the end rest is about http and is not aware about spring(-security) or java altogether, It's all just passing requests with headers that contain some authorization tokens. 最后,其余部分是关于http的,并且完全不了解spring(-security)或java,它们只是传递带有包含一些授权令牌的标头的请求。
In normal circumstances making custom oauth(2) implementation would be discouraged, but under some restrictions like Java 1.5 might be only option. 在正常情况下,不鼓励执行自定义oauth(2)实现,但是在某些限制下,例如Java 1.5可能是唯一的选择。 Or depending on situation (non critical resources, internal vpn) some simple token based authorization might be enough. 或者根据情况(非关键资源,内部VPN),基于简单令牌的授权可能就足够了。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.