
Spring boot Microservices authorization

I have two spring boot applications. Backend part: it has access to the database and is used as the Rest API and admin panel. Frontend part: it uses the Rest API to display information for clients.

So I have a problem with the security configuration for the client part (frontend). For the admin panel, authorization is implemented through sessions. Previously, authorization for the client part was implemented through a JWT token, but I do not quite understand how to store a token for each individual client and use it when sending requests to the Rest API.

Here is my Security Configuration:

```java
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.beans.factory.annotation.Qualifier;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.ComponentScan;
import org.springframework.context.annotation.Configuration;
import org.springframework.core.annotation.Order;
import org.springframework.security.authentication.dao.DaoAuthenticationProvider;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.builders.WebSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.config.http.SessionCreationPolicy;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
import org.springframework.security.crypto.password.PasswordEncoder;
import org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter;
import org.springframework.security.web.util.matcher.AntPathRequestMatcher;

@Configuration
@EnableWebSecurity
@ComponentScan(basePackages = "kg.nurtelecom.cashbackapi")
public class SecurityConfig {
    // Note: a second PasswordEncoder bean (getPasswordEncoder) is declared in AdminSecurityConfig below,
    // so two beans of the same type exist in the context.
    @Bean
    public PasswordEncoder passwordEncoder() {
        return new BCryptPasswordEncoder();
    }

    // First filter chain: stateless JWT handling for the Rest API under /api/**.
    @Configuration
    @Order(1)
    public static class RestApiSecurityConfig extends WebSecurityConfigurerAdapter {
        @Autowired
        private JwtAuthenticationTokenFilter jwtAuthFilter;

        @Override
        protected void configure(HttpSecurity http) throws Exception {
            http
                    .csrf().disable()
                    .antMatcher("/api/**")
                    .authorizeRequests()
                    .antMatchers("/api/authenticate").permitAll()
                    // Every /api/** request is permitted, so whatever the JWT filter puts into the
                    // SecurityContext is never enforced by this chain.
                    .antMatchers("/api/**").permitAll()
                    .and()
                    .addFilterBefore(jwtAuthFilter, UsernamePasswordAuthenticationFilter.class);

            http.sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS);
        }
    }

    // Second filter chain: session-based form login for the admin panel (everything not under /api/**).
    @Configuration
    @Order(2)
    public static class AdminSecurityConfig extends WebSecurityConfigurerAdapter {
        @Autowired
        @Qualifier("customUserDetailsService")
        private UserDetailsService userDetailsService;

        @Autowired
        public void configureGlobalSecurity(AuthenticationManagerBuilder auth) {
            auth.authenticationProvider(authenticationProvider());
        }

        @Bean
        public PasswordEncoder getPasswordEncoder() {
            return new BCryptPasswordEncoder(8);
        }

        @Bean
        public DaoAuthenticationProvider authenticationProvider() {
            DaoAuthenticationProvider authenticationProvider = new DaoAuthenticationProvider();
            authenticationProvider.setUserDetailsService(userDetailsService);
            authenticationProvider.setPasswordEncoder(getPasswordEncoder());
            return authenticationProvider;
        }

        @Override
        protected void configure(HttpSecurity http) throws Exception {
            http
                    .authorizeRequests()
                    // "/**" matches first, so the explicit "/login" rule below it is never reached;
                    // the login page is opened by formLogin().permitAll() further down.
                    .antMatchers("/**").authenticated()
                    .antMatchers("/login")
                    .permitAll()
                    .anyRequest()
                    .authenticated()
                    .and()
                    .formLogin()
                    .usernameParameter("username")
                    .passwordParameter("password")
                    .loginPage("/login")
                    .failureUrl("/login?error")
                    .permitAll()
                    .and()
                    .logout().logoutRequestMatcher(new AntPathRequestMatcher("/logout"))
                    .logoutSuccessUrl("/login");
        }

        @Override
        public void configure(WebSecurity web) throws Exception {
            // Static resources bypass the security filter chain entirely.
            web
                    .ignoring()
                    .antMatchers("/resources/**", "/static/**", "/assets/**", "/css/**", "/js/**");
        }
    }

}
```

So is it possible to configure authorization between two spring boot applications using JWT tokens?

You have to request it whenever you need it, for example when the previous one has expired, and when you acquire it you have to store it somewhere on the client side.

For example, local storage or a cookie, so any time you need to do a call to the backend you can attach it to the request in the Authorization header.
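One way to do what the answer describes when the "client" is the frontend Spring Boot application rather than a browser, as an added example that is not the answerer's code: keep one token per client session in memory, re-authenticate against the backend only when the cached token is missing or about to expire, and send it in the `Authorization` header on every API call. It assumes the backend's `POST /api/authenticate` takes a JSON username/password body and returns `{"token":"..."}`; the endpoint shape, the session key, the 30-second refresh margin and the regex-based JSON extraction (a stand-in for a JSON library) are all assumptions.

```java
import java.io.IOException;
import java.net.URI;
import java.net.http.HttpClient;
import java.net.http.HttpRequest;
import java.net.http.HttpResponse;
import java.nio.charset.StandardCharsets;
import java.time.Duration;
import java.time.Instant;
import java.util.Base64;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

/** Per-client JWT cache for the frontend application (added example; names and endpoint shape are assumed). */
public class JwtTokenStore {
    private static final Pattern TOKEN_FIELD = Pattern.compile("\"token\"\\s*:\\s*\"([^\"]+)\"");
    private static final Pattern EXP_CLAIM = Pattern.compile("\"exp\"\\s*:\\s*(\\d+)");
    private static final Duration REFRESH_MARGIN = Duration.ofSeconds(30);  // re-fetch shortly before expiry

    private static final class CachedToken {
        final String value;
        final Instant expiresAt;
        CachedToken(String value, Instant expiresAt) { this.value = value; this.expiresAt = expiresAt; }
        boolean isFresh() { return Instant.now().plus(REFRESH_MARGIN).isBefore(expiresAt); }
    }

    private final HttpClient http = HttpClient.newHttpClient();
    private final URI baseUri;
    // keyed by the frontend's own client session id, so each client gets its own token
    private final Map<String, CachedToken> tokens = new ConcurrentHashMap<>();

    public JwtTokenStore(String backendBaseUrl) { this.baseUri = URI.create(backendBaseUrl); }

    /** Returns a usable token for this session, calling /api/authenticate only when needed. */
    public String tokenFor(String sessionId, String username, String password) throws IOException, InterruptedException {
        CachedToken cached = tokens.get(sessionId);
        if (cached != null && cached.isFresh()) return cached.value;
        String jwt = authenticate(username, password);
        tokens.put(sessionId, new CachedToken(jwt, expiryOf(jwt)));
        return jwt;
    }

    private String authenticate(String username, String password) throws IOException, InterruptedException {
        String body = "{\"username\":\"" + escape(username) + "\",\"password\":\"" + escape(password) + "\"}";
        HttpRequest req = HttpRequest.newBuilder(baseUri.resolve("/api/authenticate"))
                .header("Content-Type", "application/json")
                .POST(HttpRequest.BodyPublishers.ofString(body))
                .build();
        HttpResponse<String> res = http.send(req, HttpResponse.BodyHandlers.ofString());
        if (res.statusCode() != 200) throw new IOException("authentication failed: HTTP " + res.statusCode());
        Matcher m = TOKEN_FIELD.matcher(res.body());
        if (!m.find()) throw new IOException("no \"token\" field in authenticate response");
        return m.group(1);
    }

    /** Reads "exp" from the unverified payload; only the backend verifies the signature. */
    static Instant expiryOf(String jwt) {
        String[] parts = jwt.split("\\.");
        if (parts.length != 3) throw new IllegalArgumentException("not a JWS compact token");
        String payload = new String(Base64.getUrlDecoder().decode(parts[1]), StandardCharsets.UTF_8);
        Matcher m = EXP_CLAIM.matcher(payload);
        if (!m.find()) return Instant.now();  // no exp claim: treat as expired so it is refreshed every call
        return Instant.ofEpochSecond(Long.parseLong(m.group(1)));
    }

    /** Calls a backend endpoint with the Bearer header; a 401 evicts the cached token so the next call re-authenticates. */
    public HttpResponse<String> get(String sessionId, String username, String password, String path)
            throws IOException, InterruptedException {
        String jwt = tokenFor(sessionId, username, password);
        HttpRequest req = HttpRequest.newBuilder(baseUri.resolve(path))
                .header("Authorization", "Bearer " + jwt)
                .GET()
                .build();
        HttpResponse<String> res = http.send(req, HttpResponse.BodyHandlers.ofString());
        if (res.statusCode() == 401) tokens.remove(sessionId);
        return res;
    }

    private static String escape(String s) { return s.replace("\\", "\\\\").replace("\"", "\\\""); }
}
```

The same flow applies to a browser frontend in JavaScript, with the token held in memory or a cookie. If it goes into a cookie the browser attaches it automatically, so the `/api/**` chain can no longer disable CSRF protection; sending it explicitly in the `Authorization` header, as above, keeps the stateless setup the question already uses.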
