Spring 引导中匿名用户的 oAuth 令牌
[英]oAuth Token for Anonymous User in Spring boot
问题描述
Team
团队
Using Spring boot I am able to accomplish workflows, where oAuth server can generate the token for the logged-in user.使用 Spring 引导我能够完成工作流,其中 oAuth 服务器可以为登录用户生成令牌。 However, how does the oAuth server generate a unique token for each anonymous user?但是,oAuth 服务器如何为每个匿名用户生成唯一的令牌?
For eg if 2 concurrent users are trying to access the resource server from their respective browsers, then I would like the resource server to identify the 2 different users in each subsequent requests that they make.例如,如果 2 个并发用户试图从他们各自的浏览器访问资源服务器,那么我希望资源服务器在他们发出的每个后续请求中识别 2 个不同的用户。 For that, I would like to generate different tokens for each anonymous user.为此,我想为每个匿名用户生成不同的令牌。 Is that possible and if yes then how?那有可能吗?如果可以,那怎么办?
1 个解决方案
解决方案1
1 2019-09-27 20:13:49
It is simple thing, you are making it complex.这是简单的事情,你让它变得复杂。
I would like to generate different tokens for each anonymous user.
Once you generate valid token, user will become authenticated user.生成有效令牌后,用户将成为经过身份验证的用户。
You might think about validating token and setting ROLE='ROLE_ANONYMOUS' .您可能会考虑验证令牌并设置ROLE='ROLE_ANONYMOUS' 。 As I told it will be like making simple thing to complex.正如我所说,这就像把简单的事情变得复杂。 Making authenticated user to Anonymous user is not good approach.将经过身份验证的用户设置为匿名用户并不是一个好方法。 You can create a new role like ROLE_SEMIANONYMOUS and grant authorities which were open for ANONYMOUS user.您可以创建一个新角色,如ROLE_SEMIANONYMOUS并授予对 ANONYMOUS 用户开放的权限。
(but this approach doesn't make any sense for me so explaining alternative to achieve your requirement of identifying AnonymousUser) (但这种方法对我来说没有任何意义,因此解释实现您识别 AnonymousUser 要求的替代方法)
As "Anonymous User = UnAuthenticated User".作为“匿名用户 = 未经身份验证的用户”。
For anonymous user if you print principal对于匿名用户,如果您打印主体
String principal = SecurityContextHolder.getContext().getAuthentication().getPrincipal();
principal = "anonymousUser"主体 = "anonymousUser"
You can create a session for anonymous user for identifying him as given below您可以为匿名用户创建一个 session 来识别他,如下所示
Authentication authentication = SecurityContextHolder.getContext().getAuthentication();
Object principal = authentication.getPrincipal();
if(principal instanceof String && ((String)principal).equalsIgnoreCase("anonymousUser"))
{
if(request.getSession(false) == null)
{
HttpSession session = request.getSession();
session.setMaxInactiveInterval(300); // As per Your requirement
// store session id from session and ip address from request in to DB or cache if required and use it
}
else
{
//identify anonymous user against session id and stored details
}
}
You can achieve this by registering a filter您可以通过注册过滤器来实现此目的
- In convetional spring order of filter should be after springSecurityFilterChain.在传统的 spring 过滤器顺序应该在 springSecurityFilterChain 之后。
- In spring boot you can achieve it by
FilterRegistrationBean在 spring 引导中,您可以通过FilterRegistrationBean实现它
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.