[英]how to secure rest api with api keys without spring security
I have a rest api MyRestApi.war
which is a spring boot and spring mvc project. 我有一个MyRestApi.war
API MyRestApi.war
,它是一个Spring Boot和Spring MyRestApi.war
项目。
There is another web project A.war
which is a normal spring project. 还有另一个Web项目A.war
,这是一个普通的spring项目。 Its front-end such as javascript
and back-end such as java code
need to call MyRestApi
. 它的前端(如javascript
和后端(如java code
需要调用MyRestApi
。 User need to log in A.war
to use it. 用户需要登录A.war
才能使用。
I don't need to do permission control for MyRestApi
, only users login to A.war
can access MyRestApi
via front-end and back-end of A.war
我不需要对MyRestApi
进行权限控制,只有登录A.war
用户才能通过MyRestApi
的前端和后端访问A.war
There are some solutions, eg API key
, jwt
, OAuth
. 有一些解决方案,例如API key
, jwt
, OAuth
。
I want to try these three approaches then pick one. 我想尝试这三种方法,然后选择一种。
But when I search something like api key authentication
, they all use spring security
to do that. 但是当我搜索诸如api key authentication
类的东西时,它们都使用spring security
来做到这一点。
So how can I secure MyRestApi
with api key without spring security. 因此,如何在没有Spring安全性的情况下使用api密钥保护MyRestApi
。
You can write your own filter if you don't want to use spring security. 如果不想使用spring安全性,则可以编写自己的过滤器。 This filter will interecept all the URLs. 该过滤器将拦截所有URL。 In this filter you can check for the API key in the headers and validate. 在此过滤器中,您可以检查标题中的API密钥并进行验证。 If it's validate, let the chain continue else throw some meaningful error to the user/application. 如果通过验证,则让链继续进行,否则向用户/应用程序抛出一些有意义的错误。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.