[英]Securing Angular/Spring REST web services from unauthorized client
We are developing an application using Angular and Spring. 我们正在使用Angular和Spring开发应用程序。 We expose some REST web-services from back-end. 我们从后端公开了一些REST Web服务。
I know that it is highly recommended that REST web-services should be stateless and sessionless, so we are developing the webservices stateless and sessionless. 我知道强烈建议REST Web服务应该无状态和无会话,因此我们正在开发无状态和无会话的Web服务。
How can we protect the web services from being called from unauthorized clients. 我们如何保护Web服务免遭未经授权的客户端调用。 So I want these services just being called from the Angular application. 所以我只想从Angular应用程序中调用这些服务。
I know it is almost impossible to prevent calls from some tools like Selenium, but that's okay, cause that client is also the Angular app. 我知道阻止来自Selenium之类的工具的调用几乎是不可能的,但这没关系,因为客户端也是Angular应用程序。
Every single call from your your Angular to server need to send along the JWT token in previous step as a Authorization header. 从Angular到服务器的每个调用都需要在上一步中将JWT令牌作为Authorization标头发送。 In Angular, You can implement this shared logic with HttpInterceptor instead of putting it all over the places in your Angular services layer. 在Angular中,您可以使用HttpInterceptor实现此共享逻辑,而不是将其全部放置在Angular服务层中。
You backend have to check the existence of this JWT token for every single request (Spring Security Filter), validate token header & signature with JWTUtil (io.jsonwebtoken) java lib. 您的后端必须检查每个单个请求(Spring安全过滤器)是否存在此JWT令牌,并使用JWTUtil(io.jsonwebtoken)Java库验证令牌标头和签名。 Also extracting JWT body to know which user is requesting the data & perhaps just return relevant data for this user based on his role (authorization) 还提取JWT主体以了解哪个用户正在请求数据,也许只是根据其角色(授权)返回该用户的相关数据
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.