
Spring Boot 2 + OAuth2 - Securing the REST Calls in Microservices

I'm working on Spring Boot 2 microservices. Now I'm planning to secure my REST calls using OAuth2.

I found a lot of articles regarding Spring 2 + OAuth2 integration, but they do not match my requirement; all of them use tables and secure calls using roles.

My application login works on Single Sign-On using SAML (SSO). My requirement is only to authorize each request. What is the best way to do that?

  1. Do I really need a table to store the token for the user, since login has already happened using SSO?
  2. The only thing here is to authorize the request irrespective of the roles of the user.

Any suggestions or GitHub link matching this simple requirement will be appreciated.

@premKumarR

Regarding your comment on which is better, in-memory vs. JDBC: from the Spring docs,

Here's a description with some discussion of each of them:

The default InMemoryTokenStore is perfectly fine for a single server (ie low traffic and no hot swap to a backup server in the case of failure). Most projects can start here, and maybe operate this way in development mode, to make it easy to start a server with no dependencies.

The JdbcTokenStore is the JDBC version of the same thing, which stores token data in a relational database. Use the JDBC version if you can share a database between servers, either scaled up instances of the same server if there is only one, or the Authorization and Resources Servers if there are multiple components. To use the JdbcTokenStore you need "spring-jdbc" on the classpath.

Docs Link: https://projects.spring.io/spring-security-oauth/docs/oauth2.html

OAuth2 has different implementations for creating tokens for authentication. By default it creates tokens via a random value and handles everything except for the persistence of the tokens, which it delegates to a TokenStore. The default store is an in-memory implementation, but there are some other implementations available.

The JdbcTokenStore is the JDBC version of the same thing, which stores token data in a relational database.

The JSON Web Token (JWT) version of the store does not persist data.

So, to answer your questions:

  • Do I really need a table to store the token for the user, since login has already happened using SSO?

    Not necessary. As I understand it, you only intend to authenticate, not to generate the tokens.

  • The only thing here is to authorize the request irrespective of the roles of the user.

    You can use WebSecurityConfigurerAdapter to validate incoming requests, e.g. as below:

    import org.springframework.context.annotation.Configuration;
    import org.springframework.security.config.annotation.web.builders.HttpSecurity;
    import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
    import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;

    // Renamed from "Configuration" so the class does not shadow the @Configuration annotation it needs.
    @Configuration
    @EnableWebSecurity
    public class SecurityConfiguration extends WebSecurityConfigurerAdapter {

        @Override
        public void configure(HttpSecurity http) throws Exception {
            http.csrf().disable()   // CSRF protection targets session cookies; not needed for a token-based API
                .authorizeRequests()
                    .antMatchers("/authorization-server-1/**", "/login").permitAll()   // open paths
                    .anyRequest().authenticated();   // every other request needs an authenticated principal
        }
    }
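As an added example (not the answerer's code or the original post's), here is what "authorize every request, no token table, no role checks" looks like as a stateless Spring Boot 2 resource server: each request must carry a bearer JWT that is validated on the spot (signature, expiry, issuer, audience), so nothing is stored server-side, which is the point of the JWT store "not persisting data" above. It assumes `spring-boot-starter-oauth2-resource-server` (Spring Security 5.1+) is on the classpath and that the SSO system, or a gateway in front of it exchanging the SAML assertion, issues JWTs the API can verify; the issuer URL `https://sso.example.com/realms/app`, the audience `orders-api` and the `/actuator/health` path are hypothetical placeholders.

```java
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.config.http.SessionCreationPolicy;
import org.springframework.security.oauth2.core.DelegatingOAuth2TokenValidator;
import org.springframework.security.oauth2.core.OAuth2Error;
import org.springframework.security.oauth2.core.OAuth2TokenValidator;
import org.springframework.security.oauth2.core.OAuth2TokenValidatorResult;
import org.springframework.security.oauth2.jwt.Jwt;
import org.springframework.security.oauth2.jwt.JwtDecoder;
import org.springframework.security.oauth2.jwt.JwtDecoders;
import org.springframework.security.oauth2.jwt.JwtValidators;
import org.springframework.security.oauth2.jwt.NimbusJwtDecoder;

// Added example, not code from the original post: a stateless resource server that
// authorizes every request by validating a bearer JWT, with no token table and no role checks.
@Configuration
@EnableWebSecurity
public class ResourceServerConfig extends WebSecurityConfigurerAdapter {

    // Hypothetical values; in a real deployment the issuer normally comes from
    // spring.security.oauth2.resourceserver.jwt.issuer-uri in application.properties.
    private static final String ISSUER = "https://sso.example.com/realms/app";
    private static final String EXPECTED_AUDIENCE = "orders-api";

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            // No HTTP session: each request must carry its own credential, so nothing is kept server-side.
            .sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS)
            .and()
            // CSRF protection defends cookie-based sessions; browsers do not attach bearer tokens automatically.
            .csrf().disable()
            .authorizeRequests()
                .antMatchers("/actuator/health").permitAll()   // unauthenticated liveness probe (hypothetical path)
                .anyRequest().authenticated()                  // any valid token is enough: no hasRole()/hasAuthority()
            .and()
            // Validate the bearer JWT on every request: signature via the issuer's JWKS, exp/nbf, issuer, audience.
            .oauth2ResourceServer().jwt().decoder(jwtDecoder());
    }

    @Bean
    public JwtDecoder jwtDecoder() {
        // Fetches the issuer's OIDC discovery document and JWKS at startup; the issuer must be reachable then.
        NimbusJwtDecoder decoder = (NimbusJwtDecoder) JwtDecoders.fromIssuerLocation(ISSUER);
        OAuth2TokenValidator<Jwt> withIssuer = JwtValidators.createDefaultWithIssuer(ISSUER); // timestamps + iss
        decoder.setJwtValidator(new DelegatingOAuth2TokenValidator<>(withIssuer, audienceValidator()));
        return decoder;
    }

    // Reject tokens minted for a different API even if their signature and issuer are fine.
    static OAuth2TokenValidator<Jwt> audienceValidator() {
        return jwt -> jwt.getAudience().contains(EXPECTED_AUDIENCE)
                ? OAuth2TokenValidatorResult.success()
                : OAuth2TokenValidatorResult.failure(
                        new OAuth2Error("invalid_token", "token audience is not " + EXPECTED_AUDIENCE, null));
    }
}
```

Authorization here is purely "does this request carry a token that verifies against the issuer's keys and is meant for this API"; scopes and roles inside the token are ignored, which is exactly the requirement in the question. Note that this configuration only verifies tokens; as the answer says, something else (the SSO provider or a gateway that exchanges the SAML assertion for a JWT) has to mint them.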

The technical post webpages of this site follow the CC BY-SA 4.0 protocol. If you need to reprint, please indicate the site URL or the original address.Any question please contact:yoyou2525@163.com.

 
粤ICP备18138465号  © 2020-2024 STACKOOM.COM