
Spring boot - holding authenticated user through many server instances

I have got a Spring Security STATELESS application based on JWT tokens. Here is my custom authorization filter:

override fun doFilterInternal(
    request: HttpServletRequest,
    response: HttpServletResponse,
    chain: FilterChain,
) {
    // Read the Authorization header; absent header means an unauthenticated request
    val header = request.getHeader(Objects.requireNonNull(HttpHeaders.AUTHORIZATION))
    if (header != null) {
        // Parse and verify the JWT, then publish the principal for this request only
        val authorizedUser = tokensService.parseAccessToken(header)
        SecurityContextHolder.getContext().authentication = authorizedUser
    }
    chain.doFilter(request, response)
}

So as you can see, I save the authorizedUser into SecurityContextHolder. Then I use this saved user to, e.g., secure my app before user B retrieves the data of user A, like this:

@Target(AnnotationTarget.FUNCTION)
@Retention(AnnotationRetention.RUNTIME)
@PreAuthorize("authentication.principal.toString().equals(#employerId.toString())")
annotation class IsEmployer

@IsEmployer
@GetMapping("/{employerId}")
fun getCompanyProfile(@PathVariable employerId: Long): CompanyProfileDTO {
    return companyProfileService.getCompanyProfile(employerId)
}

But it works when the app runs as a single instance, while I would like to deploy this app on many instances, so the

authentication.principal.toString().equals(#employerId.toString())

will not work anymore because context holders are different on different instances.

For any request the ServletFilter (authentication) is ALWAYS on the same server as the ServletController that processes it. The filterChain passes the request on to the controller and has the same security context. With JWT every single request is authenticated (because every request goes through the filter) and allows the service to be stateless. The advantage of this is scalability - you can have as many instances as you need.
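As an added illustration of the answer's point (not code from the question or from Spring), here is a small Python model of two stateless instances behind a round-robin balancer: each request carries its own signed token, each instance's filter verifies the signature and fills its own per-request context, and the @IsEmployer-style comparison therefore gives the same result whichever instance receives the request. The token format, secret key and handler names are constructed for this example.

```python
import base64, hashlib, hmac, json, threading

SECRET = b"demo-secret-key"  # constructed; in practice every instance shares the verification key

def b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def issue_token(subject: str) -> str:
    """Mint a compact HMAC-signed token in the JWT spirit: payload.signature."""
    payload = b64(json.dumps({"sub": subject}).encode())
    sig = b64(hmac.new(SECRET, payload.encode(), hashlib.sha256).digest())
    return f"{payload}.{sig}"

def parse_access_token(header: str):
    """Filter logic: verify the signature and return the principal, or None if invalid."""
    if not header.startswith("Bearer "):
        return None
    try:
        payload, sig = header[7:].split(".")
    except ValueError:
        return None
    expected = hmac.new(SECRET, payload.encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, unb64(sig)):
        return None  # tampered payload or unknown signer: treat as unauthenticated
    return json.loads(unb64(payload))["sub"]

class Instance:
    """One server process: its own context holder (thread-local), no shared session store."""
    def __init__(self, name: str):
        self.name = name
        self.context = threading.local()

    def handle(self, authorization, employer_id: str) -> int:
        # Filter stage: the context is rebuilt from the token on every request
        self.context.principal = parse_access_token(authorization or "")
        # Controller stage: the @IsEmployer check, principal vs. path variable
        if self.context.principal is None:
            return 401
        if self.context.principal != employer_id:
            return 403
        return 200

instances = [Instance("a"), Instance("b")]

def route(n: int, authorization, employer_id: str) -> int:
    """Round-robin balancer: request n and request n+1 land on different instances."""
    return instances[n % len(instances)].handle(authorization, employer_id)
```

Because nothing about the user is kept on the instance between requests, no session replication or sticky routing is needed; the only shared piece is the key used to verify tokens.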
