Spring 安全 - 使用授权进行身份验证 Header
[英]Spring Security - Authenticating with Authorization Header
问题描述
I'm trying to setup Authorization for my HTTP Requests in Spring Boot with Sprint Security framework.
我正在尝试使用 Sprint 安全框架在 Spring 引导中为我的 HTTP 请求设置授权。 I'm new to Spring Security and I couldn't find any documentation for my case.我是 Spring Security 的新手,我找不到任何适合我的案例的文档。
I understand we have to override WebSecurityConfigurerAdapter methods - configure(AuthenticationManagerBuilder ) & configure(HttpSecurity).我知道我们必须覆盖 WebSecurityConfigurerAdapter 方法 - 配置(AuthenticationManagerBuilder)和配置(HttpSecurity)。 It works fine for some basic cases.它适用于一些基本情况。 However for the Project i'm working on, i'm looking for a specific use case.但是对于我正在从事的项目,我正在寻找一个特定的用例。
This is the flow i'm trying to setup.这是我正在尝试设置的流程。 My front-end and back-end are hosted in different domains, so i'm looking for Authorization with Cross Origin as well.我的前端和后端托管在不同的域中,所以我也在寻找跨域授权。 Login by posting to the REST API, [ For this API alone, there should be no Authorization]通过发布到 REST API 登录,[对于这个 API 单独,应该没有授权]
https://atlan.co/login - POST
{
'user_name': 'mani',
'password': 'mani'
}
/login REST Controller receives the username and password, does LDAP Auth, once Authentication Successful, creates a Token and stores in an in-memory DB [Redis Preferably], with the username, user_email mapped to the token. /login REST Controller 收到用户名和密码,LDAP 是否进行身份验证,一旦身份验证成功,创建一个令牌并存储在内存中的 DBRedis 用户名 [最好映射到用户令牌]。 And sends a login success message, with Set Authorization Cookie - Token to the browser.并向浏览器发送登录成功消息,并带有 Set Authorization Cookie - Token。
After that, each request from Browser will be accompanied with the Authorization header, with the token value.之后,来自浏览器的每个请求都将附带授权 header 和令牌值。
The above part, i'm able to work it out.以上部分,我可以解决。 When the request comes in, I want to setup Spring Security so that it will read Authorization Header and get username, useremail from Redis in case if the token exists, pass the username, useremail to the Controller and the usual flow of the controller. When the request comes in, I want to setup Spring Security so that it will read Authorization Header and get username, useremail from Redis in case if the token exists, pass the username, useremail to the Controller and the usual flow of the controller. In case, if the token didn't exists, should throw 401 UnAuthorized HTTP Error in JSON format, along with a custom message.如果令牌不存在,则应以 JSON 格式抛出 401 UnAuthorized HTTP 错误以及自定义消息。
I've tried reading the questions in Stackoverflow, Spring documentation, but I couldn't work it out.我已经尝试阅读 Stackoverflow、Spring 文档中的问题,但我无法解决。 Would be very helpful, if someone can shed light on this.如果有人可以阐明这一点,那将非常有帮助。
1 个解决方案
解决方案1
1 2020-12-07 18:16:58
You need to add a custom spring filter to process your Authorization header您需要添加自定义 spring 过滤器来处理您的授权 header
public class YourAuthenticationFilter extends OncePerRequestFilter
{
@Override
protected void doFilterInternal(HttpServletRequest request,
HttpServletResponse response, FilterChain filterChain)
throws ServletException, IOException
{
String xAuth = request.getHeader("Authorization");//here is your token value
//Place here your redis checks, get Authentication and so on
SecurityContextHolder.getContext().setAuthentication(auth);
filterChain.doFilter(request, response);
}
}
In your security config:在您的安全配置中:
@Override
protected void configure(HttpSecurity http) throws Exception
{
http
//...
.addFilterBefore(new YourAuthenticationFilter(), BasicAuthenticationFilter.class)
//...
}
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.