[英]Skipping Oauth 2.0 authorization using additional header param on API Request - Spring Security
I've implemented Oauth 2.0 in SpringBoot API using Spring Security.我已经使用 Spring Security 在 SpringBoot API 中实现了 Oauth 2.0。 It's working fine and for the moment there is a requirement on skipping authentication on requesting with an additional header after checking header availability.
它工作正常,目前需要在检查 header 可用性后请求额外的 header 时跳过身份验证。 Basically client-side will add
基本上客户端会添加
skip-auth:true //example
skip-auth:true //示例
then from the server-side, we've to add the filter to check skip-auth value, then if it is true we need to skip authorization and grant permission to access resources.然后从服务器端,我们必须添加过滤器来检查 skip-auth 值,如果它是真的,我们需要跳过授权并授予访问资源的权限。
Does anyone have experience with a working solution on this?有没有人有这方面的工作解决方案的经验? or any suggested method that could create this requested functionality
或任何可以创建此请求功能的建议方法
I think bypassing security with some kind of secret header is a really bad idea.我认为用某种秘密 header 绕过安全性是一个非常糟糕的主意。 Can you change the requirement that they send a fixed BasicAuth Header instead?
您可以更改他们发送固定的 BasicAuth Header 的要求吗?
Then you can allow Basic-Auth on the relevant endpoints in your WebSecurityConfig.然后,您可以在 WebSecurityConfig 中的相关端点上允许 Basic-Auth。
You should never keep backdoors to your backend.你永远不应该为你的后端保留后门。 This is clearly one.
这显然是一个。 A simple decompilation of an app or monitoring the network tab in a browser will reveal this seemingly obvious backdoor.
对应用程序进行简单的反编译或在浏览器中监视网络选项卡将揭示这个看似明显的后门。 You need to work with the people who sent the requirement and ask them to define what endpoints needs complete protection and what can be accessed anonymously.
您需要与发送需求的人合作,并要求他们定义哪些端点需要完全保护以及哪些可以匿名访问。
Endpoints that can be accessed anonymously can be protected with a ROLE_ANONYMOUS
and by defining AnonymousAuthenticationFilter
in the filter proxy chain.可以匿名访问的端点可以通过
ROLE_ANONYMOUS
和在过滤器代理链中定义AnonymousAuthenticationFilter
来保护。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.