[英]Springboot + JWT +OAuth2 + AngularJS Stateless session
I am trying various Java Spring based security implementations as follows我正在尝试各种基于 Java Spring 的安全实现,如下所示
1. JWT Authentication 1. JWT 认证
Note: Stateless Session注意:无状态会话
2. OAuth2 authentication 2.OAuth2认证
@RequestMapping(value= {"/user")
public ResponseEntity<Map<String, String>> user(Principal principal) throws Exception {
OAuth2Authentication obj = (OAuth2Authentication) principal;
authentication = obj.getUserAuthentication();
OAuth2AuthenticationDetails oAuth2AuthenticationDetails = (OAuth2AuthenticationDetails) obj.getDetails();
String jwt = oAuth2AuthenticationDetails.getTokenValue();
Note: A Stateful Session is created in server side to store the session details.注意:在服务器端创建有状态会话来存储会话详细信息。 This required to decrypt the cookie and identify the user
这需要解密 cookie 并识别用户
Now I want to implement security using Oauth2+JWT but stateless at same time as follows现在我想使用 Oauth2+JWT 但同时无状态来实现安全性,如下所示
3. OAuth2 + JWT + Stateless 3. OAuth2 + JWT + 无状态
- /login is intercepted by Spring security.
/login 被 Spring 安全拦截。 Recognizes the code and state, extract JWT token by invoking OAuth2AuthenticationDetails.getTokenValue() and set in response header.
识别代码和状态,通过调用 OAuth2AuthenticationDetails.getTokenValue() 提取 JWT 令牌并在响应头中设置。 Redirect to /
重定向到 /
Question题
I am trying to figure out how to implement the highlighted step above我想弄清楚如何实现上面突出显示的步骤
Just an idea/direction, if I got you right: You can create a GenericFilterBean
and add that to the HttpSecurity filter chain.只是一个想法/方向,如果我给你正确:您可以创建一个
GenericFilterBean
并添加到HttpSecurity过滤器链。
When using JWT, there should be something similar (a filter, which extracts the bearer-token from the header) and then populates an Authentication
object for Spring Security.使用 JWT 时,应该有类似的东西(一个过滤器,它从头中提取承载令牌),然后为 Spring Security 填充一个
Authentication
对象。
So the new filter could grab the token from the request and set the response accordingly.因此,新过滤器可以从请求中获取令牌并相应地设置响应。 You could also handle that in an unprotected (!) callback endpoint like
login/callback?...
, which than sets the cookie for you.您还可以在不受保护的 (!) 回调端点中处理该问题,例如
login/callback?...
,它会为您设置 cookie。
In our application, the server (spring boot) is totally stateless and does not have any oauth nor stateful stuff.在我们的应用程序中,服务器(spring boot)是完全无状态的,没有任何 oauth 或有状态的东西。 Obviously it never redirects anything or has any other views/endpoints than
/
for AngularJS (and some REST-APIs under /api/...
).显然,它从不重定向任何东西或有任何其他视图/端点,而不是 AngularJS 的
/
(以及/api/...
下的一些 REST-API)。 Thus, the OAuth-flow is totally handled by AngularJS, which in turn checks the callback from the oauth-server and locally sets the JWT-Token (like in your first approach).因此,OAuth-flow 完全由 AngularJS 处理,AngularJS 反过来检查来自 oauth-server 的回调并在本地设置 JWT-Token(就像你的第一种方法)。 In first versions we also tried to mix up redirects with stateless JWT and stateful sessions etc., but this led to very strange behavior with the logins - the state (logged in or not) was not always clear and in some cases redirects were wrong etc.
在第一个版本中,我们还尝试将重定向与无状态 JWT 和有状态会话等混为一谈,但这导致登录时出现非常奇怪的行为 - 状态(已登录或未登录)并不总是清晰的,在某些情况下重定向是错误的等.
This might help you implement your desired solution. 这可能会帮助您实施所需的解决方案。
The author proposes that once a user successfully authenticates with Oauth2 providers (Google etc), you send a short-lived token as a URL param to your frontend application and use this short-lived token to exchange it for a longer-lived token.作者建议,一旦用户成功通过 Oauth2 提供商(Google 等)进行身份验证,您将一个短期令牌作为 URL 参数发送到您的前端应用程序,并使用此短期令牌将其交换为长期令牌。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.