Spring Boot / REST Ajax app - avoid having to login many times during the day
I have built a single-page web application with AngularJS and Spring Boot, based on the x-auth-security sample code.
Everything works fine, but users complain that they have to log in again several times during the day. I am not very familiar with Spring Security and so on, but I guess this is because the authentication token is only valid for 1 hour. See https://github.com/joshlong/boot-examples/blob/master/x-auth-security/src/main/java/demo/xauth/TokenUtils.java :
public String createToken(UserDetails userDetails) {
    long expires = System.currentTimeMillis() + 1000L * 60 * 60;
    return userDetails.getUsername() + ":" + expires + ":" + computeSignature(userDetails, expires);
}
Would it be a good idea to extend the validity to 24 hours, for example? Or do I need to change something in the Spring Security configuration:
@EnableWebMvcSecurity
@EnableWebSecurity
@Configuration
@Profile("security")
public class WebSecurityConfig extends WebSecurityConfigurerAdapter
{
    ...
    @Override
    protected void configure( HttpSecurity http ) throws Exception
    {
        http.csrf().disable();
        http.sessionManagement().sessionCreationPolicy( SessionCreationPolicy.STATELESS );
        http.authorizeRequests()
            .antMatchers( "/api/datasheets/*/documents/*/download" ).anonymous() // Workaround to allow download of the files again. This is insecure. Hopefully I get an answer soon: http://stackoverflow.com/questions/23413701/download-a-file-that-needs-authentication-token
            .antMatchers( "/api/**" ).hasRole( "READONLY" );
        SecurityConfigurer<DefaultSecurityFilterChain, HttpSecurity> securityConfigurer = new XAuthTokenConfigurer( userDetailsServiceBean() );
        http.apply( securityConfigurer );
    }

    @Override
    protected void configure( AuthenticationManagerBuilder auth ) throws Exception
    {
        auth.userDetailsService( new LocalUserDetailsService() )
            .and().ldapAuthentication()
            .contextSource( contextSource() )
            .ldapAuthoritiesPopulator( authoritiesPopulator() )
            .userSearchFilter( LDAP_USER_FILTER )
            .userDnPatterns( "OU=local,OU=Users" )
            .groupSearchBase( "OU=Security Groups" );
    }
I guess it depends on whether you consider a token that remains usable for 24 hours to be secure (some people do, others prefer short-lived tokens plus a refresh mechanism, like the tokens in OAuth2). If you are comfortable with that level of risk, there is nothing else to change.
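As an added illustration (not the x-auth-security sample's own code, and not part of the question or the answer above), the following stand-alone Java class keeps the sample's `username:expires:signature` layout but pairs the one-hour lifetime with a sliding renewal: on each authenticated request a valid token that is close to expiring is replaced by a fresh one, so an active user is not logged out during the day, while an idle or leaked token still dies after an hour. The HMAC-SHA256 signature, the 15-minute `RENEW_WINDOW_MS`, the demo secret and the clock values are assumptions made for this example.

```java
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.MessageDigest;
import java.util.Base64;
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;

// Added example, not the x-auth-security sample's own code: a stateless token in the
// same "username:expires:signature" layout, with a short lifetime plus sliding renewal
// instead of simply extending validity to 24 hours. Usernames must not contain ':'.
public class SlidingTokenDemo {

    private static final long TOKEN_LIFETIME_MS = 1000L * 60 * 60; // 1 hour, as in the sample
    private static final long RENEW_WINDOW_MS   = 1000L * 60 * 15; // renew when < 15 min left (assumption)
    private final byte[] secret; // server-side secret; a real app loads this from configuration

    public SlidingTokenDemo(byte[] secret) {
        this.secret = secret;
    }

    public String createToken(String username, long now) {
        long expires = now + TOKEN_LIFETIME_MS;
        return username + ":" + expires + ":" + sign(username, expires);
    }

    // Returns the username when the token is well-formed, unexpired and correctly signed; null otherwise.
    public String validate(String token, long now) {
        String[] parts = token.split(":");
        if (parts.length != 3) return null;
        long expires;
        try {
            expires = Long.parseLong(parts[1]);
        } catch (NumberFormatException e) {
            return null;
        }
        if (expires < now) return null;
        byte[] expected = sign(parts[0], expires).getBytes(StandardCharsets.US_ASCII);
        byte[] actual = parts[2].getBytes(StandardCharsets.US_ASCII);
        if (!MessageDigest.isEqual(expected, actual)) return null; // constant-time comparison
        return parts[0];
    }

    // Sliding session: if the token is valid and close to expiring, issue a fresh one,
    // otherwise hand back the same token. Call this on every authenticated request and
    // return the result to the client (for example in a response header) so it can
    // replace the token it stores.
    public String renewIfNeeded(String token, long now) {
        String user = validate(token, now);
        if (user == null) return null;
        long expires = Long.parseLong(token.split(":")[1]);
        if (expires - now < RENEW_WINDOW_MS) return createToken(user, now);
        return token;
    }

    // HMAC-SHA256 over "username:expires", base64url without padding (never contains ':').
    private String sign(String username, long expires) {
        try {
            Mac mac = Mac.getInstance("HmacSHA256");
            mac.init(new SecretKeySpec(secret, "HmacSHA256"));
            byte[] sig = mac.doFinal((username + ":" + expires).getBytes(StandardCharsets.UTF_8));
            return Base64.getUrlEncoder().withoutPadding().encodeToString(sig);
        } catch (GeneralSecurityException e) {
            throw new IllegalStateException(e);
        }
    }

    public static void main(String[] args) {
        SlidingTokenDemo tokens = new SlidingTokenDemo("demo-secret-change-me".getBytes(StandardCharsets.UTF_8));
        long t0 = 1_700_000_000_000L; // constructed clock value
        String token = tokens.createToken("alice", t0);
        System.out.println("valid at t0:          " + tokens.validate(token, t0));
        System.out.println("unchanged at +10 min: " + token.equals(tokens.renewIfNeeded(token, t0 + 10 * 60_000L)));
        String renewed = tokens.renewIfNeeded(token, t0 + 50 * 60_000L);
        System.out.println("renewed at +50 min:   " + !token.equals(renewed));
        System.out.println("old token at +61 min: " + tokens.validate(token, t0 + 61 * 60_000L));
        System.out.println("tampered username:    " + tokens.validate("bob" + token.substring(5), t0));
    }
}
```

The renewal window bounds the exposure of any single token to one hour, whereas a 24-hour expiry leaves a captured token usable for the whole day; the trade-off in the answer above is between that exposure and the extra round trip of returning a refreshed token.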