简体繁体 English

使用Spring在微服务中进行身份验证

[英]Authentication in Microservices with spring

原文 2019-03-11 16:25:59 5 2 spring-boot/ authentication/ spring-security/ jwt/ microservices

I wanna refactor a monolithic spring boot application basically a web app with login and functionalities for customers. 我想重构一个整体的Spring Boot应用程序，基本上是一个具有登录功能的Web应用程序。 We already have a Security implementation which works with a session id stored as a cookie but I dont have much knowledge about it at all and im completetly new to this topic. 我们已经有一个Security实现，该实现可以将会话ID存储为cookie，但是我对此几乎一无所知，并且对于该主题来说是全新的。 It seems JWT is a better solution for Microservices because of an independent authentication service. 由于独立的身份验证服务，JWT似乎是微服务的更好解决方案。

So my questions are: 所以我的问题是：

is it alot of work to create a JWT authentication service and exchange the session id implemenation? 创建JWT身份验证服务并交换会话ID实现的大量工作吗？ (since im doing it for my bachelor thesis and have a clear deadline) （因为我是为了我的学士学位论文而做的，所以有明确的截止日期）
can I stay at the session ids while using microservices? 使用微服务时可以保留会话ID吗？
are there maybe other ways to implement authentication? 也许还有其他方法可以实现身份验证？

2 个解决方案

is it alot of work to create a JWT authentication service and exchange the session id implemenation? 创建JWT身份验证服务并交换会话ID实现的大量工作吗？ (since im doing it for my bachelor thesis and have a clear deadline) （因为我是为了我的学士学位论文而做的，所以有明确的截止日期）

This question is hard to answer, as it depends how tightly coupled your particular implementation is. 这个问题很难回答，因为它取决于您的特定实现的紧密程度。 It's certainly not trivial. 这当然不是小事。

can I stay at the session ids while using microservices? 使用微服务时可以保留会话ID吗？

Yes, but you need to figure out how to federate sessions across the microservices (ie how to get the information in the session from one service to the other). 是的，但是您需要弄清楚如何跨微服务联合会话（即，如何从一个服务到另一个服务获取会话中的信息）。 Overall, this represents a risk of tight coupling between services, so I'd recommend treating this as a transitionary step only. 总体而言，这表示服务之间存在紧密耦合的风险，因此我建议仅将此视为过渡步骤。

are there maybe other ways to implement authentication? 也许还有其他方法可以实现身份验证？

As many as the day is long. 一天多长。 That being said, without specific reason to do otherwise, I generally prefer to stick to the middle of the road. 话虽这么说，但没有特别的理由，我通常会选择坚持到底。

Typical user sessions is not recommended in microservices.You should use Stateless architecture and tokens (Tokens stored in database or JWT). 微服务中不建议使用典型的用户会话。您应使用无状态架构和令牌（存储在数据库或JWT中的令牌）。

It's better to use Spring Boot OAuth2 . 最好使用Spring Boot OAuth2 。

You should implement an Authorization server and Resource servers with Spring Boot. 您应该使用Spring Boot实现一个授权服务器和资源服务器。

Authorization server: 授权服务器：

Choose the token storage method (JWT,Jdbc,...) 选择令牌存储方式（JWT，Jdbc等）
Configure client details 配置客户端详细信息
Add a RESTful Api for user info or enable /oauth/check_token api.(Called by Resource servers) 添加用于用户信息的RESTful Api或启用/ oauth / check_token api。（由资源服务器调用）

Resource servers: 资源服务器：

Set user-info-uri or token-info-uri in Spring boot OAuth2 properties. 在Spring boot OAuth2属性中设置user-info-uri或token-info-uri。
Extends ResourceServerConfigurerAdapter class for securing url mappings. 扩展ResourceServerConfigurerAdapter类以保护URL映射。