Skipping Oauth 2.0 authorization using additional header param on API Request - Spring Security
Question
I've implemented Oauth 2.0 in SpringBoot API using Spring Security. It's working fine and for the moment there is a requirement on skipping authentication on requesting with an additional header after checking header availability. Basically client-side will add
skip-auth:true //example
then from the server-side, we've to add the filter to check skip-auth value, then if it is true we need to skip authorization and grant permission to access resources.
Does anyone have experience with a working solution on this? or any suggested method that could create this requested functionality
2 answers
solution1
2 2019-10-01 11:31:31
I think bypassing security with some kind of secret header is a really bad idea. Can you change the requirement that they send a fixed BasicAuth Header instead?
Then you can allow Basic-Auth on the relevant endpoints in your WebSecurityConfig.
solution2
0 ACCPTED 2019-10-01 11:49:08
You should never keep backdoors to your backend. This is clearly one. A simple decompilation of an app or monitoring the network tab in a browser will reveal this seemingly obvious backdoor. You need to work with the people who sent the requirement and ask them to define what endpoints needs complete protection and what can be accessed anonymously.
Endpoints that can be accessed anonymously can be protected with a ROLE_ANONYMOUS and by defining AnonymousAuthenticationFilter in the filter proxy chain.
The technical post webpages of this site follow the CC BY-SA 4.0 protocol. If you need to reprint, please indicate the site URL or the original address.Any question please contact:yoyou2525@163.com.