
Securing Angular/Spring REST web services from unauthorized client

We are developing an application using Angular and Spring. We expose some REST web services from the back-end.

I know that it is highly recommended that REST web services should be stateless and sessionless, so we are developing the web services stateless and sessionless.

How can we protect the web services from being called by unauthorized clients? I want these services to be called only from the Angular application.

I know it is almost impossible to prevent calls from tools like Selenium, but that's okay, because that client is also the Angular app.

  1. Develop a new authentication endpoint with Spring Security. Upon successful authentication, return a JWT token whose body contains generic data to feed your Angular app (like username, user profile, etc., but not the password). You might want to persist the token in SessionStorage/LocalStorage to be shared among Angular components/routes (or perhaps shared via a common Service).
  2. Every single call from your Angular app to the server needs to send along the JWT token from the previous step as an Authorization header. In Angular, you can implement this shared logic with an HttpInterceptor instead of putting it all over the place in your Angular services layer.

     Your backend has to check the existence of this JWT token for every single request (Spring Security Filter) and validate the token header & signature with the JWTUtil (io.jsonwebtoken) Java lib. Also extract the JWT body to know which user is requesting the data, and perhaps return only the data relevant to this user based on his role (authorization).

Notice: the technical posts on this site are licensed under CC BY-SA 4.0; if you repost, please credit this site or the original URL. For any questions contact: yoyou2525@163.com.

© 2020-2024 STACKOOM.COM