Spring boot: Permit specific services to avoid security
I have multiple services. All of them use JWT for authorization. However, when my services communicate with each other I don't want them to authenticate. When the client sends a request to serviceA and serviceA needs data from serviceB, it is enough for me that serviceA validates the token (and the other way around when the client sends a request to serviceB). I am using Eureka as registry and OpenFeign to communicate between the services. Right now I always get a 401 response like this:
feign.FeignException$Unauthorized: [401] during [GET] to [http://userservice/eschuler]
To be more specific, my authservice wants to send a request to the userservice.
import org.springframework.cloud.openfeign.FeignClient;
import org.springframework.http.ResponseEntity;
import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.PathVariable;
// The controller below lives under /kimoji/rest/users; without this base path the call goes to http://userservice/{id}, as the error above shows.
@FeignClient(name = "userservice", path = "/kimoji/rest/users")
public interface UserClient {
    @GetMapping(value = "/{id}")
    ResponseEntity<UserAccount> getUserById(@PathVariable("id") String id);
}
This is the UserController containing the getUserById method:
import java.util.Optional;

import org.springframework.http.ResponseEntity;
import org.springframework.security.crypto.password.PasswordEncoder;
import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.PathVariable;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.RestController;

// UserAccount, UserRepository and JwtTokenService are the project's own classes (assumed to be in this package).
@RestController
@RequestMapping(value = "/kimoji/rest/users")
public class UserController {

    private final UserRepository userRepository;
    private final PasswordEncoder encoder;
    private final JwtTokenService jwtTokenService;

    public UserController(UserRepository userRepository, PasswordEncoder encoder, JwtTokenService jwtTokenService) {
        this.userRepository = userRepository;
        this.encoder = encoder;
        this.jwtTokenService = jwtTokenService;
    }

    // Resolves to GET /kimoji/rest/users/{id}; returns 404 when the id is unknown.
    @GetMapping(value = "/{id}")
    public ResponseEntity<UserAccount> getUserById(@PathVariable String id) {
        Optional<UserAccount> userAccount = userRepository.findById(id);
        return userAccount.map(ResponseEntity::ok).orElseGet(() -> ResponseEntity.notFound().build());
    }

    ...
}
This is the WebSecurityConfig from my userservice:
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.http.HttpMethod;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.config.http.SessionCreationPolicy;
import org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter;

// JwtAuthenticationEntryPoint, JwtAuthenticationProvider and JwtAuthenticationTokenFilter are the project's own classes.
@Configuration
@EnableWebSecurity
public class WebSecurityConfig extends WebSecurityConfigurerAdapter {

    @Autowired
    private JwtAuthenticationEntryPoint unauthorizedHandler;

    @Autowired
    private JwtAuthenticationProvider jwtAuthenticationProvider;

    @Autowired
    public void configureAuthentication(AuthenticationManagerBuilder authenticationManagerBuilder) {
        authenticationManagerBuilder.authenticationProvider(jwtAuthenticationProvider);
    }

    @Bean
    public JwtAuthenticationTokenFilter authenticationTokenFilterBean() {
        return new JwtAuthenticationTokenFilter();
    }

    @Override
    protected void configure(HttpSecurity httpSecurity) throws Exception {
        httpSecurity
            .csrf().disable()
            .exceptionHandling().authenticationEntryPoint(unauthorizedHandler).and()
            .sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS).and()
            .authorizeRequests()
            .antMatchers(HttpMethod.POST, "/kimoji/rest/users/register").permitAll()
            // Every other endpoint, including GET /kimoji/rest/users/{id}, needs an authenticated
            // request; a Feign call that carries no token is answered with 401 here.
            .anyRequest().authenticated();

        // The JWT filter runs before the form-login filter and populates the SecurityContext from the bearer token.
        httpSecurity.addFilterBefore(authenticationTokenFilterBean(), UsernamePasswordAuthenticationFilter.class);
        httpSecurity.headers().cacheControl();
    }
}
Instead of avoiding security, what you want to do is always pass a token.

If Service A is calling Service B and the request originated from an external Client, just pass the same token that the Client sent to Service A on to Service B.

If Service A is initiating the call (some sort of maintenance job), then use the Client Credentials flow to go to your Identity Provider and create a token for Service A to pass to Service B.
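One way to implement both cases from the answer in the asker's stack is a Feign RequestInterceptor that relays the caller's bearer token when one is present and otherwise obtains a client-credentials token. This is an added example, not code from the question, the answer or the project; it assumes spring-cloud-starter-openfeign and spring-boot-starter-oauth2-client on the classpath (Spring Security 5.x, matching the WebSecurityConfigurerAdapter used above), and the class name FeignTokenRelayConfig, the registration id userservice-m2m and the principal name "authservice" are hypothetical.

```java
import feign.RequestInterceptor;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.http.HttpHeaders;
import org.springframework.security.oauth2.client.AuthorizedClientServiceOAuth2AuthorizedClientManager;
import org.springframework.security.oauth2.client.OAuth2AuthorizeRequest;
import org.springframework.security.oauth2.client.OAuth2AuthorizedClient;
import org.springframework.security.oauth2.client.OAuth2AuthorizedClientManager;
import org.springframework.security.oauth2.client.OAuth2AuthorizedClientProvider;
import org.springframework.security.oauth2.client.OAuth2AuthorizedClientProviderBuilder;
import org.springframework.security.oauth2.client.OAuth2AuthorizedClientService;
import org.springframework.security.oauth2.client.registration.ClientRegistrationRepository;
import org.springframework.web.context.request.RequestContextHolder;
import org.springframework.web.context.request.ServletRequestAttributes;

/**
 * Added example, not part of the original question or answer. Applies to every Feign
 * client in the application because it is declared as a global bean.
 */
@Configuration
public class FeignTokenRelayConfig {

    // Hypothetical registration id. Assumed to be configured under
    // spring.security.oauth2.client.registration.userservice-m2m with
    // authorization-grant-type: client_credentials and the identity provider's token-uri.
    static final String CLIENT_REGISTRATION_ID = "userservice-m2m";

    @Bean
    public RequestInterceptor bearerTokenInterceptor(OAuth2AuthorizedClientManager clientManager) {
        return template -> {
            String inbound = inboundBearerToken();
            if (inbound != null) {
                // Case 1: an external client called this service. Relay its token unchanged so
                // the downstream service validates the same JWT and the caller's identity is kept.
                template.header(HttpHeaders.AUTHORIZATION, inbound);
                return;
            }
            // Case 2: no inbound request on this thread (e.g. a scheduled job). The service
            // acts on its own behalf with a client-credentials token from the identity provider.
            OAuth2AuthorizeRequest request = OAuth2AuthorizeRequest
                    .withClientRegistrationId(CLIENT_REGISTRATION_ID)
                    .principal("authservice") // hypothetical name; only keys the manager's token cache
                    .build();
            OAuth2AuthorizedClient client = clientManager.authorize(request);
            if (client == null) {
                throw new IllegalStateException("could not obtain a token for " + CLIENT_REGISTRATION_ID);
            }
            template.header(HttpHeaders.AUTHORIZATION,
                    "Bearer " + client.getAccessToken().getTokenValue());
        };
    }

    /** Authorization header of the HTTP request this thread is serving, or null if none. */
    static String inboundBearerToken() {
        ServletRequestAttributes attrs =
                (ServletRequestAttributes) RequestContextHolder.getRequestAttributes();
        if (attrs == null) {
            return null;
        }
        String value = attrs.getRequest().getHeader(HttpHeaders.AUTHORIZATION);
        // Relay bearer tokens only; never forward Basic credentials or other schemes downstream.
        if (value != null && value.regionMatches(true, 0, "Bearer ", 0, 7)) {
            return value;
        }
        return null;
    }

    /** Manager able to fetch client-credentials tokens outside of a web request. */
    @Bean
    public OAuth2AuthorizedClientManager authorizedClientManager(
            ClientRegistrationRepository registrations,
            OAuth2AuthorizedClientService clientService) {
        OAuth2AuthorizedClientProvider provider = OAuth2AuthorizedClientProviderBuilder.builder()
                .clientCredentials()
                .build();
        AuthorizedClientServiceOAuth2AuthorizedClientManager manager =
                new AuthorizedClientServiceOAuth2AuthorizedClientManager(registrations, clientService);
        manager.setAuthorizedClientProvider(provider);
        return manager;
    }
}
```

With this in place the userservice keeps `.anyRequest().authenticated()` exactly as shown in the question, so no endpoint is exempt from validation; the difference is that every service-to-service call now carries a token the receiver can check. Two practical points: RequestContextHolder is thread-bound, so if Feign calls run on another thread (for example under a thread-isolated circuit breaker) the inbound header is not visible and the interceptor falls through to the client-credentials branch; and the manager caches tokens per principal and refreshes them when they expire, so each job does not hit the identity provider on every call.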