堆栈内存溢出
  简体   繁体   English

使用 API 请求上的附加 header 参数跳过 Oauth 2.0 授权 - Z38008DD81C2F4AFD71Z85 安全性

[英]Skipping Oauth 2.0 authorization using additional header param on API Request - Spring Security

 原文  2019-10-01 11:17:40       java/ spring/ api/ spring-security/ spring-security-oauth2

问题描述

I've implemented Oauth 2.0 in SpringBoot API using Spring Security.我已经使用 Spring Security 在 SpringBoot API 中实现了 Oauth 2.0。 It's working fine and for the moment there is a requirement on skipping authentication on requesting with an additional header after checking header availability.它工作正常,目前需要在检查 header 可用性后请求额外的 header 时跳过身份验证。 Basically client-side will add基本上客户端会添加

skip-auth:true //example skip-auth:true //示例

then from the server-side, we've to add the filter to check skip-auth value, then if it is true we need to skip authorization and grant permission to access resources.然后从服务器端,我们必须添加过滤器来检查 skip-auth 值,如果它是真的,我们需要跳过授权并授予访问资源的权限。

Does anyone have experience with a working solution on this?有没有人有这方面的工作解决方案的经验? or any suggested method that could create this requested functionality或任何可以创建此请求功能的建议方法

2 个解决方案

解决方案1
 2  2019-10-01 11:31:31

I think bypassing security with some kind of secret header is a really bad idea.我认为用某种秘密 header 绕过安全性是一个非常糟糕的主意。 Can you change the requirement that they send a fixed BasicAuth Header instead?您可以更改他们发送固定的 BasicAuth Header 的要求吗?

Then you can allow Basic-Auth on the relevant endpoints in your WebSecurityConfig.然后,您可以在 WebSecurityConfig 中的相关端点上允许 Basic-Auth。

解决方案2
 0 已采纳  2019-10-01 11:49:08

You should never keep backdoors to your backend.你永远不应该为你的后端保留后门。 This is clearly one.这显然是一个。 A simple decompilation of an app or monitoring the network tab in a browser will reveal this seemingly obvious backdoor.对应用程序进行简单的反编译或在浏览器中监视网络选项卡将揭示这个看似明显的后门。 You need to work with the people who sent the requirement and ask them to define what endpoints needs complete protection and what can be accessed anonymously.您需要与发送需求的人合作,并要求他们定义哪些端点需要完全保护以及哪些可以匿名访问。

Endpoints that can be accessed anonymously can be protected with a ROLE_ANONYMOUS and by defining AnonymousAuthenticationFilter in the filter proxy chain.可以匿名访问的端点可以通过ROLE_ANONYMOUS和在过滤器代理链中定义AnonymousAuthenticationFilter来保护。

暂无
暂无

声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.

相关问题 带有oauth2的Spring Security将其他参数添加到授权URL? - Spring security with oauth2 adding additional parameters to authorization URL? Spring 安全 5.3.2 OAuth 2,资源所有者密码凭证流程 - 如何将额外的 HEADER 参数添加到授权服务器 uri - Spring Security 5.3.2 OAuth 2, Resource Owner Password Credentials Flow - How to add additional HEADER parameters to authorization server uri 使用OAuth2在Spring Security中进行用户授权 - User authorization in spring security using OAuth2 如何通过添加其他参数来实现具有弹簧安全性的OAuth2.0 - How to implement OAuth2.0 with spring security by adding additional parameter 授权标头的 Spring Security OAuth2 CORS 问题 - Spring Security OAuth2 CORS issue for Authorization header 使用 Spring security oauth,使用自定义 OAuth 提供程序,我得到 [authorization_request_not_found],我应该自己处理回调方法吗? - Using Spring security oauth, using a custom OAuth provider, I get [authorization_request_not_found], should I handle the callback method myself? 使用 Spring 引导和 Spring 安全性的 OpenID (OAuth2) 授权失败 - OpenID (OAuth2) Authorization failing using Spring Boot and Spring Security Spring Security和Facebook OAuth 2.0与Graph API集成 - Spring Security & Facebook OAuth 2.0 Integration with Graph API Spring 安全 - 使用授权进行身份验证 Header - Spring Security - Authenticating with Authorization Header OAuth 2.0 使用 Spring Security + WSO2 身份服务器 - OAuth 2.0 using Spring Security + WSO2 Identity Server
相关标签
 
粤ICP备18138465号  © 2020-2024 STACKOOM.COM