问题:
使用Spring Boot设置无状态身份验证
墨承泽
我正在使用Spring Boot的最新版本,并且正在尝试设置StatelessAuthenticaion。到目前为止,我一直在读的教程非常模糊,我不确定我做错了什么。我使用的教程是...
http://technicalrex.com/2015/02/20/Stateless-Authentication-with-spring-security-and-jwt/
package app.config;
import app.repo.User.CustomUserDetailsService;
import app.security.RESTAuthenticationEntryPoint;
import app.security.RESTAuthenticationFailureHandler;
import app.security.RESTAuthenticationSuccessHandler;
import app.security.TokenAuthenticationService;
import app.security.filters.StatelessAuthenticationFilter;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.core.annotation.Order;
import org.springframework.security.authentication.AuthenticationManager;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.method.configuration.EnableGlobalMethodSecurity;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.crypto.password.PasswordEncoder;
import org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter;
import javax.sql.DataSource;
@Configuration
@EnableWebSecurity
@EnableGlobalMethodSecurity(securedEnabled = true)
@Order(2)
public class WebSecurityConfig extends WebSecurityConfigurerAdapter {
private static PasswordEncoder encoder;
private final TokenAuthenticationService tokenAuthenticationService;
private final CustomUserDetailsService userService;
@Autowired
private UserDetailsService customUserDetailsService;
@Autowired
private RESTAuthenticationEntryPoint authenticationEntryPoint;
@Autowired
private RESTAuthenticationFailureHandler authenticationFailureHandler;
@Autowired
private RESTAuthenticationSuccessHandler authenticationSuccessHandler;
public WebSecurityConfig() {
this.userService = new CustomUserDetailsService();
tokenAuthenticationService = new TokenAuthenticationService("tooManySecrets", userService);
}
@Autowired
public void configureAuth(AuthenticationManagerBuilder auth,DataSource dataSource) throws Exception {
auth.jdbcAuthentication().dataSource(dataSource);
}
@Bean
@Override
public AuthenticationManager authenticationManagerBean() throws Exception {
return super.authenticationManagerBean();
}
@Override
protected void configure(HttpSecurity http) throws Exception {
http.authorizeRequests().antMatchers("/**").authenticated();
http.csrf().disable();
http.exceptionHandling().authenticationEntryPoint(authenticationEntryPoint);
http.formLogin().defaultSuccessUrl("/").successHandler(authenticationSuccessHandler);
http.formLogin().failureHandler(authenticationFailureHandler);
//This is ho
http.addFilterBefore(new StatelessAuthenticationFilter(tokenAuthenticationService),
UsernamePasswordAuthenticationFilter.class);
}
@Override
protected void configure(AuthenticationManagerBuilder auth) throws Exception {
auth.userDetailsService(customUserDetailsService);
}
@Bean
@Override
public CustomUserDetailsService userDetailsService() {
return userService;
}
@Bean
public TokenAuthenticationService tokenAuthenticationService() {
return tokenAuthenticationService;
}
}
code>TokenAuthenticationService成功调用了GetAuthentication方法,但在我阅读的教程中,没有关于如何调用AddAuthentication的适当解释
package app.security;
import app.repo.User.CustomUserDetailsService;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.userdetails.UserDetails;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
public class TokenAuthenticationService {
private static final String AUTH_HEADER_NAME = "X-AUTH-TOKEN";
private final TokenHandler tokenHandler;
//This is called in my WebSecurityConfig() constructor
public TokenAuthenticationService(String secret, CustomUserDetailsService userService) {
tokenHandler = new TokenHandler(secret, userService);
}
public void addAuthentication(HttpServletResponse response, UserAuthentication authentication) {
final UserDetails user = authentication.getDetails();
response.addHeader(AUTH_HEADER_NAME, tokenHandler.createTokenForUser(user));
}
public Authentication getAuthentication(HttpServletRequest request) {
final String token = request.getHeader(AUTH_HEADER_NAME);
if (token != null) {
final UserDetails user = tokenHandler.parseUserFromToken(token);
if (user != null) {
return new UserAuthentication(user);
}
}
return null;
}
}
package app.security;
import app.repo.User.CustomUserDetailsService;
import io.jsonwebtoken.Jwts;
import io.jsonwebtoken.SignatureAlgorithm;
import org.springframework.security.core.userdetails.UserDetails;
public final class TokenHandler {
private final String secret;
private final CustomUserDetailsService userService;
public TokenHandler(String secret, CustomUserDetailsService userService) {
this.secret = secret;
this.userService = userService;
}
public UserDetails parseUserFromToken(String token) {
String username = Jwts.parser()
.setSigningKey(secret)
.parseClaimsJws(token)
.getBody()
.getSubject();
return userService.loadUserByUsername(username);
}
public String createTokenForUser(UserDetails user) {
return Jwts.builder()
.setSubject(user.getUsername())
.signWith(SignatureAlgorithm.HS512, secret)
.compact();
}
}
在我的WebServiceConfig中。我添加以下内容
http.addFilterBefore(new StatelessAuthenticationFilter(tokenAuthenticationService),
UsernamePasswordAuthenticationFilter.class);
它调用以下类作为筛选器。它获得了身份验证,但实际上没有添加身份验证的地方。
package app.security.filters;
import app.security.TokenAuthenticationService;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.web.filter.GenericFilterBean;
import javax.servlet.FilterChain;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import java.io.IOException;
/**
* Created by anthonygordon on 11/17/15.
*/
public class StatelessAuthenticationFilter extends GenericFilterBean {
private final TokenAuthenticationService authenticationService;
public StatelessAuthenticationFilter(TokenAuthenticationService authenticationService) {
this.authenticationService = authenticationService;
}
@Override
public void doFilter(ServletRequest request, ServletResponse response, FilterChain filterChain)
throws IOException, ServletException {
HttpServletRequest httpRequest = (HttpServletRequest) request;
Authentication authentication = authenticationService.getAuthentication(httpRequest);
SecurityContextHolder.getContext().setAuthentication(authentication);
filterChain.doFilter(request, response);
Authentication auth = SecurityContextHolder.getContext().getAuthentication();
SecurityContextHolder.getContext().setAuthentication(null);
}
}
以下类是在TokenAuthenticationService中传递的::AddAuthentication
package app.security;
import app.repo.User.User;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.userdetails.UserDetails;
import java.util.Collection;
public class UserAuthentication implements Authentication {
private final UserDetails user;
private boolean authenticated = true;
public UserAuthentication(UserDetails user) {
this.user = user;
}
@Override
public String getName() {
return user.getUsername();
}
@Override
public Collection<? extends GrantedAuthority> getAuthorities() {
return user.getAuthorities();
}
@Override
public Object getCredentials() {
return user.getPassword();
}
@Override
public UserDetails getDetails() {
return user;
}
@Override
public Object getPrincipal() {
return user.getUsername();
}
@Override
public boolean isAuthenticated() {
return authenticated;
}
@Override
public void setAuthenticated(boolean authenticated) {
this.authenticated = authenticated;
}
}
就这样...
我的解决方案是在成功处理程序中设置TokenAuthenticationService::AddAuthentication方法...唯一的问题是教程将类TokenAuthenticationService添加到WebServiceConfig类中。那是唯一可以进入的地方。如果有一种方法我可以获得它在我的成功,我可能可以设置令牌。
package app.security;
import app.controllers.Requests.TriviaResponse;
import com.fasterxml.jackson.databind.ObjectMapper;
import com.fasterxml.jackson.databind.ObjectWriter;
import org.springframework.security.core.Authentication;
import org.springframework.security.web.authentication.SimpleUrlAuthenticationSuccessHandler;
import org.springframework.stereotype.Component;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import java.io.IOException;
/**
* Created by anthonygordon on 11/12/15.
*/
@Component
public class RESTAuthenticationSuccessHandler extends SimpleUrlAuthenticationSuccessHandler {
@Override
public void onAuthenticationSuccess(HttpServletRequest request, HttpServletResponse response,
Authentication authentication) throws IOException, ServletException {
ObjectWriter ow = new ObjectMapper().writer().withDefaultPrettyPrinter();
TriviaResponse tresponse = new TriviaResponse();
tresponse.setMessage("You have successfully logged in");
String json = ow.writeValueAsString(tresponse);
response.getWriter().write(json);
clearAuthenticationAttributes(request);
}
}
共有1个答案
孔鸿宝
当用户第一次提供其登录凭据时,您必须自己调用TokenAuthenticationService.addAuthentication()。
本教程在用户使用其Google帐户成功登录后调用GoogleAuthorizationResponseServlet中的AddAuthentication()。下面是相关代码:
private String establishUserAndLogin(HttpServletResponse response, String email) {
// Find user, create if necessary
User user;
try {
user = userService.loadUserByUsername(email);
} catch (UsernameNotFoundException e) {
user = new User(email, UUID.randomUUID().toString(), Sets.<GrantedAuthority>newHashSet());
userService.addUser(user);
}
// Login that user
UserAuthentication authentication = new UserAuthentication(user);
return tokenAuthenticationService.addAuthentication(response, authentication);
}
如果您已经有一个身份验证成功处理程序,那么我认为您需要从那里调用TokenAuthenticationService.addAuthentication()是正确的。将tokenauthenticationservicebean注入您的处理程序,然后开始使用它。如果您的成功处理程序最终不是一个Spring bean,那么您可以通过调用WebApplicationContextTutils.getRequiredWebApplicationContext.getBean(TokenAuthenticationService.Class)来显式查找TokenAuthenticationService。
本教程的GitHub repo中还有一个问题,它将解决用户提供的初始登录和所有后续请求上发生的无状态身份验证之间的混淆。
类似资料:
-
我正在使用SpringBoot开发具有微服务架构的Rest Backend。为了保护endpoint,我使用了JWT令牌机制。我正在使用Zuul API网关。 如果请求需要权限(来自JWT的角色),它将被转发到正确的微服务。Zuul api网关的“WebSecurityConfigrerAdapter”如下。 这样,我必须在这个类中编写每个请求授权部分。因此,我希望使用方法级安全性,即“Enabl
-
我正在构建一个API,并试图在多个上下文中解决身份验证问题。 API需要为我们创建和部署的客户端应用程序提供服务,并使用密码处理经过身份验证的请求。在每个请求中都发送密码并不是一个好主意,因此首先点击登录endpoint并获得会话ID更有意义。问题中的webapp是用AngularJS编写的,应该在localStorage中跟踪自己的会话,以减轻会话劫持并消除对cookie的依赖以跟踪会话。 we
-
我试图理解为什么JWT认证是无状态的。在有状态认证中,会有一个会话id。这里有一张JWT的代币,上面有签名。所以身份验证服务器发布JWT令牌,但是我可以说后续请求中JWT令牌的验证是由endpoint服务器(应用服务器)而不是身份验证服务器来完成的吗?我相信这是可能的,因为JWT是用截止日期(还有一些其他信息)签名的,并且认证服务器的公共证书对所有endpoint服务器都是可用的。 因此,认证服务
-
我一直有一个问题,即JWT是否真的安全?因为在对声明和有效载荷进行编码时,我们可以很容易地对令牌进行解码,并且在那里的网站上也很好地给出了这种解码。所以我的观点是,任何人都可以简单地使用burpsuite之类的工具更改auth头,并提供一些其他有效的令牌,对假用户进行身份验证。按照许多人的建议,将令牌存储在本地存储中也可能不太安全。所以我的问题是,与加密的cookie或会话相比,它真的是安全的吗?
-
当应用程序依赖于无状态身份验证(使用类似HMAC的东西)时,是否有必要使用CSRF保护? 示例: > 我们有一个单页应用程序(否则我们必须在每个链接上添加令牌:。 此内标识将用于访问诸如之类的受限URL。 令牌将始终在HTTP头内传输。 没有Http会话,也没有cookie。
-
我已经实现了一个无状态服务器,它使用JWT让用户访问api。我关心的是安全问题。之前也有同样的问题,但没有得到很好的回答:JWT、无状态身份验证和安全性 问题:使用一些因素,如JWE(加密令牌)或使用强秘密来签署令牌 如果秘密钥匙被盗怎么办?然后,无论我们使用了多少安全层,黑客都可以使用密钥生成有效令牌并访问所有API。是否有任何解决方案使其更安全?