如何保护具有身份提供者的 Spring Boot 微服务以无状态方式进行身份验证?
[英]How to secure spring boot microservices having identity provider for authentication in a stateless manner?
问题描述
How to implement security on spring-boot microservices integrated with angular UI.
如何在与 Angular UI 集成的 spring-boot 微服务上实现安全性。 I have an external identity provider(Ping Federate) to support SSO and all user roles/authorities are maintained in the application database.我有一个外部身份提供者(Ping Federate)来支持 SSO,并且所有用户角色/权限都在应用程序数据库中维护。
What is the best approach to secure APIs?保护 API 的最佳方法是什么? If Oauth is recommended way, how to implement it(Stateless).如果推荐使用 Oauth,如何实现它(无状态)。
Should the Authorization Server be customized to connect to the identity provider Authorization Server and generate tokens from the custom Authorization Server?是否应该自定义授权服务器以连接到身份提供者授权服务器并从自定义授权服务器生成令牌? or would it be better if Oauth2 client generates token by loading user details from the database after successful authentication with the identity provider?或者如果 Oauth2 客户端在与身份提供者成功认证后通过从数据库加载用户详细信息来生成令牌会更好吗?
I have tried to implement custom auth server, which internally connects to identity provider auth server taking reference from https://github.com/spring-projects/spring-authorization-server/tree/main/samples/federated-identity-authorizationserver我试图实现自定义身份验证服务器,它在内部连接到身份提供者身份验证服务器,并参考https://github.com/spring-projects/spring-authorization-server/tree/main/samples/federated-identity-authorizationserver
But it is stateful and I am looking for a stateless approach, also how to customize after successful authentication to load user roles/authorities and generated token from application database但它是有状态的,我正在寻找一种无状态的方法,以及如何在成功验证后自定义以加载用户角色/权限并从应用程序数据库生成令牌
Any code samples along with suggestions will be appreciated.任何代码示例以及建议将不胜感激。
Thanks in Advance提前致谢
1 个解决方案
解决方案1
0 2022-07-12 20:38:39
Why don't you just keep things simple with regular OpenID setup?为什么不通过常规的 OpenID 设置来保持简单?
- pingfederate: authorization-server responsible for issuing authorization token holding end-user identity and roles pingfederate:授权服务器,负责发布持有最终用户身份和角色的授权令牌
- angular UI: client角度用户界面:客户端
- spring Rest service: resource server with security based on end-user identity and roles from the authorization token spring Rest 服务:具有基于最终用户身份和来自授权令牌的角色的安全性的资源服务器
You might not need anything more.你可能不再需要任何东西了。
Get a look at this tutorial I wrote: https://github.com/ch4mpy/spring-addons/tree/master/samples/tutorials/resource-server_with_oauthentication看看我写的这个教程: https ://github.com/ch4mpy/spring-addons/tree/master/samples/tutorials/resource-server_with_oauthentication
Adapting it to ping federate should be just a matter of setting a few properties:将其调整为 ping federate 只需设置一些属性:
- issuer URI发行者 URI
- which private claim to get roles from哪个私人声称从中获得角色
(but I haven't tried for ping federated yet). (但我还没有尝试过 ping federated)。
If you happen to need more than just RBAC in resource server (RoleBasedAccessControl => security decisions based on user authorities), you might have a look at this other tutorial too: https://github.com/ch4mpy/spring-addons/tree/master/samples/tutorials/resource-server_with_specialized_oauthentication如果您碰巧在资源服务器中需要的不仅仅是 RBAC(RoleBasedAccessControl => 基于用户权限的安全决策),您也可以看看这个其他教程: https ://github.com/ch4mpy/spring-addons/tree /master/samples/tutorials/resource-server_with_specialized_oauthentication
Edit: starting form the first tutorial, you could add this:编辑:从第一个教程开始,您可以添加:
@EnableGlobalMethodSecurity(prePostEnabled = true)
public static class WebSecurityConfig {
@Bean
Jwt2AuthoritiesConverter authoritiesConverter(RolesService rolesService) {
return jwt -> rolesService.getRolesBySubject(jwt.getSubject()).stream().map(SimpleGrantedAuthority::new).toList();
}
}
@Service
public class RolesService {
@Cacheable("user_roles")
public Set<String> getRolesBySubject(String userSubject) {
// FIXME: call a JPA repository or remote WebService instead
return Set.of("MACHIN");
}
}
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.