
spring security login with rest web service

My company has a specific authentication provider which is an internal REST web service. In fact, you provide a login/password to the web service and it returns a token (which has a validity of a few hours) which must be given in the header for each next business request to the web service.

I need to create a web application and I need to plug it into this authentication provider. What is the best way to integrate it with Spring Security?

How can I manage the token expiration in my webapp without asking the user to re-login?

If you want to use Spring Security with authentication being delegated to a web service, you need to implement the AuthenticationProvider interface provided by the Spring Security framework. You can do something like this:

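 import org.springframework.security.authentication.*;
 import org.springframework.security.core.*;
 import org.springframework.security.core.authority.AuthorityUtils;

 public class AuthProviderImpl implements AuthenticationProvider
 {
     private final WebServiceAuthClient client; // handle to your web service (your own client class)
     public AuthProviderImpl(WebServiceAuthClient client) { this.client = client; }
     @Override
     public Authentication authenticate(Authentication authentication) throws AuthenticationException
     {
         // get user name, password from the authentication object
         String username = authentication.getName();
         String pwd = String.valueOf(authentication.getCredentials());
         // expected to throw an AuthenticationException if the service rejects the login
         client.authenticate(username, pwd);
         return new UsernamePasswordAuthenticationToken(username, null,
                 AuthorityUtils.createAuthorityList("ROLE_USER")); // placeholder role; password not retained
     }
     @Override
     public boolean supports(Class<?> authentication) {
         return UsernamePasswordAuthenticationToken.class.isAssignableFrom(authentication);
     }
 }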

Configure your web app to use Spring Security: http://static.springsource.org/spring-security/site/petclinic-tutorial.html

I just encountered a situation very similar to the original question, and this is what I'm going to work by: http://static.springsource.org/spring-security/site/docs/3.0.x/reference/preauth.html

EDIT:

In our situation the session and the cookie tied to it are all managed externally, and we must only validate and authorize each request based on the external session store.

So we'll be using a custom SecurityContextRepository instead.

EDIT2:

Writing a SecurityContextRepository which checks each request against the common token store was trivial, wiring it into Spring Security was insane: The http element in security-context.xml does not allow customization of the securityContextPersistenceFilter, so I had to emulate it with plain beans. Not fun at all.
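The per-request check described in the answer above, as an added example that is not the answerer's code, written against the Spring Security 3.x `SecurityContextRepository` interface (javax.servlet). `TokenStore`, the cookie name `EXT_SESSION` and the `ROLE_USER` authority are assumptions made for illustration.

```java
import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.springframework.security.core.authority.AuthorityUtils;
import org.springframework.security.core.context.SecurityContext;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.security.web.authentication.preauth.PreAuthenticatedAuthenticationToken;
import org.springframework.security.web.context.HttpRequestResponseHolder;
import org.springframework.security.web.context.SecurityContextRepository;

public class ExternalTokenContextRepository implements SecurityContextRepository {
    /** Hypothetical client for the shared token store; returns null for unknown or expired tokens. */
    public interface TokenStore { String findUsername(String token); }

    private static final String COOKIE_NAME = "EXT_SESSION"; // assumed cookie name
    private final TokenStore store;

    public ExternalTokenContextRepository(TokenStore store) { this.store = store; }

    public SecurityContext loadContext(HttpRequestResponseHolder holder) {
        SecurityContext context = SecurityContextHolder.createEmptyContext();
        String token = readToken(holder.getRequest());
        String username = (token == null) ? null : store.findUsername(token);
        if (username != null) {
            // Looked up on every request, so an expired token leaves the context unauthenticated.
            context.setAuthentication(new PreAuthenticatedAuthenticationToken(
                    username, token, AuthorityUtils.createAuthorityList("ROLE_USER"))); // placeholder role
        }
        return context;
    }

    public void saveContext(SecurityContext context, HttpServletRequest request, HttpServletResponse response) {
        // Nothing to persist locally: the external store owns the session state.
    }

    public boolean containsContext(HttpServletRequest request) {
        String token = readToken(request);
        return token != null && store.findUsername(token) != null;
    }

    private static String readToken(HttpServletRequest request) {
        Cookie[] cookies = request.getCookies();
        if (cookies == null) return null; // no cookies sent at all
        for (Cookie c : cookies) {
            if (COOKIE_NAME.equals(c.getName())) return c.getValue();
        }
        return null;
    }
}
```

Because nothing is cached in the HTTP session, a token that the store has expired or revoked stops authenticating on the very next request.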
