Spring Security with a REST architecture


Question

I have been looking into Spring Security for a REST API. Before I start implementing, I would like to get expert advice or some sample projects on GitHub (if there are any).

My application will be based on a REST API, and it will be accessed by two clients:

  1. Mobile phone
  2. Web page

If I create the REST API with a custom login page, then it will always redirect to the web page (as I understand it). What happens when I start consuming it from the mobile phone?

http
    .formLogin()
        .defaultSuccessUrl("/ui/index.html#/app/dashboard")
        .loginProcessingUrl("/api/upuser/verifyUser")
        .usernameParameter("username")
        .passwordParameter("password")
        .successHandler(new AjaxAuthenticationSuccessHandler(new SavedRequestAwareAuthenticationSuccessHandler()))
        .loginPage("/ui/index.html#/access/signin");

I think it is clear from the code above that this application can be accessed from two different places:

  1. localhost:8080/api/ for the API
  2. localhost:8383/ui/ for the web (AngularJS)

However, I will use nginx to move both of them to localhost/api/ and localhost/ui/. So the two above will be accessed as

  1. localhost/api/
  2. localhost/ui/

So my second question is: what is the best way to implement Spring Security here:

  1. Token-based authentication
  2. Session-based authentication

The problem is that it is a stateless service, so how would we implement session-based authentication?


Answer:

You should try this, maybe it will help you:

import java.io.IOException;

import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.context.annotation.Configuration;
import org.springframework.context.annotation.Profile;
import org.springframework.security.authentication.AuthenticationProvider;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.builders.WebSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.AuthenticationException;
import org.springframework.security.web.authentication.AuthenticationFailureHandler;
import org.springframework.security.web.authentication.AuthenticationSuccessHandler;
import org.springframework.security.web.authentication.Http403ForbiddenEntryPoint;
import org.springframework.security.web.authentication.logout.LogoutSuccessHandler;

@Configuration
@EnableWebSecurity
@Profile("container")
public class SOAPSecurityConfig extends WebSecurityConfigurerAdapter {

    // Two providers, injected by field name (beans "authenticationProvider" and
    // "authenticationProviderDB"). Both are registered below and consulted in that order.
    @Autowired
    private AuthenticationProvider authenticationProvider;

    @Autowired
    private AuthenticationProvider authenticationProviderDB;

    @Override
    protected void configure(AuthenticationManagerBuilder auth) throws Exception {
        // A single override registers both providers; a second, unannotated method
        // such as "ConfigureGlobal" would never be called by Spring Security.
        auth.authenticationProvider(authenticationProvider)
            .authenticationProvider(authenticationProviderDB);
    }

    @Override
    public void configure(WebSecurity web) throws Exception {
        // Static assets bypass the security filter chain entirely.
        web.ignoring()
           .antMatchers("/scripts/**", "/styles/**", "/images/**", "/error/**");
    }

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            .authorizeRequests()
                .antMatchers("/rest/**").authenticated()
                .anyRequest().permitAll()
            .and()
            .formLogin()
                // Answer with status codes instead of redirects, so that XHR and mobile
                // clients can react to the outcome of the login POST.
                .successHandler(new AuthenticationSuccessHandler() {
                    @Override
                    public void onAuthenticationSuccess(HttpServletRequest request,
                                                        HttpServletResponse response,
                                                        Authentication a) throws IOException, ServletException {
                        response.setStatus(HttpServletResponse.SC_OK);
                    }
                })
                .failureHandler(new AuthenticationFailureHandler() {
                    @Override
                    public void onAuthenticationFailure(HttpServletRequest request,
                                                        HttpServletResponse response,
                                                        AuthenticationException ae) throws IOException, ServletException {
                        response.setStatus(HttpServletResponse.SC_UNAUTHORIZED);
                    }
                })
                .loginProcessingUrl("/access/login")
            .and()
            .logout()
                .logoutUrl("/access/logout")
                .logoutSuccessHandler(new LogoutSuccessHandler() {
                    @Override
                    public void onLogoutSuccess(HttpServletRequest request,
                                                HttpServletResponse response,
                                                Authentication a) throws IOException, ServletException {
                        response.setStatus(HttpServletResponse.SC_NO_CONTENT);
                    }
                })
                .invalidateHttpSession(true)
            .and()
            .exceptionHandling()
                // Unauthenticated requests get a 403 body, never a redirect to a login page.
                .authenticationEntryPoint(new Http403ForbiddenEntryPoint())
            .and()
            // CSRF protection disabled. Caveat: the session here is a cookie, so a browser
            // user is exposed to cross-site request forgery against /rest/** while this is off;
            // keep it disabled only for clients that authenticate without cookies.
            .csrf().disable();
    }
}
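The point the answer's handlers make (status codes, never redirects) is what lets one login endpoint serve both a browser and a phone. The remaining question, session versus token, is usually answered with both: a session cookie plus CSRF protection for the AngularJS UI, and a stateless bearer token for the mobile client. The following is an added example, not code from the original question or answer, showing how to run those as two filter chains selected by how the request authenticates rather than by port or path. It assumes Spring Boot 2.x / Spring Security 5.x with javax.servlet and an existing UserDetailsService bean for the form login; the class names, the TOKENS map, BearerTokenFilter and the URL paths are illustrative assumptions.

```java
import java.io.IOException;
import java.util.Collections;
import java.util.Map;
import javax.servlet.FilterChain;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.springframework.context.annotation.Configuration;
import org.springframework.core.annotation.Order;
import org.springframework.http.HttpStatus;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.config.http.SessionCreationPolicy;
import org.springframework.security.core.authority.AuthorityUtils;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.security.web.authentication.HttpStatusEntryPoint;
import org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter;
import org.springframework.security.web.csrf.CookieCsrfTokenRepository;
import org.springframework.web.filter.OncePerRequestFilter;

// Added example, not from the original post. Assumes Spring Security 5.x (javax.servlet).
@Configuration
@EnableWebSecurity
public class DualClientSecurityConfig {

    // Hypothetical token store: opaque bearer token -> username. A real deployment
    // would look tokens up in a database or validate signed JWTs instead.
    static final Map<String, String> TOKENS = Collections.singletonMap("mobile-demo-token", "alice");

    // Chain selection: a request that presents a bearer token goes to the stateless chain.
    static boolean hasBearerToken(HttpServletRequest req) {
        String header = req.getHeader("Authorization");
        return header != null && header.startsWith("Bearer ");
    }

    /** Resolves "Authorization: Bearer <token>" to an authenticated principal, or answers 401. */
    static class BearerTokenFilter extends OncePerRequestFilter {
        @Override
        protected void doFilterInternal(HttpServletRequest req, HttpServletResponse res, FilterChain chain)
                throws ServletException, IOException {
            String token = req.getHeader("Authorization").substring("Bearer ".length()).trim();
            String user = TOKENS.get(token);
            if (user == null) {
                res.sendError(HttpServletResponse.SC_UNAUTHORIZED); // a status code, never a login redirect
                return;
            }
            SecurityContextHolder.getContext().setAuthentication(new UsernamePasswordAuthenticationToken(
                    user, null, AuthorityUtils.createAuthorityList("ROLE_USER")));
            chain.doFilter(req, res);
        }
    }

    /** Chain 1 (evaluated first): mobile clients, any path, bearer token, no session, no cookies. */
    @Configuration
    @Order(1)
    public static class TokenChain extends WebSecurityConfigurerAdapter {
        @Override
        protected void configure(HttpSecurity http) throws Exception {
            http.requestMatcher(DualClientSecurityConfig::hasBearerToken)
                // STATELESS: no HttpSession is created or consulted, so nothing rides on a cookie.
                .sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS).and()
                // Safe to disable CSRF here: a cross-site page cannot attach a custom Authorization
                // header without a CORS preflight, and no cookie is accepted as a credential.
                .csrf().disable()
                .addFilterBefore(new BearerTokenFilter(), UsernamePasswordAuthenticationFilter.class)
                .exceptionHandling().authenticationEntryPoint(new HttpStatusEntryPoint(HttpStatus.UNAUTHORIZED)).and()
                .authorizeRequests().anyRequest().authenticated();
        }
    }

    /** Chain 2: everything else, i.e. the AngularJS UI using a session cookie. CSRF stays on. */
    @Configuration
    @Order(2)
    public static class SessionChain extends WebSecurityConfigurerAdapter {
        @Override
        protected void configure(HttpSecurity http) throws Exception {
            http.authorizeRequests()
                    .antMatchers("/ui/**").permitAll()
                    .anyRequest().authenticated()
                .and().formLogin()
                    .loginProcessingUrl("/access/login")
                    // Status codes instead of redirects, so an XHR caller can branch on them.
                    .successHandler((req, res, auth) -> res.setStatus(HttpServletResponse.SC_OK))
                    .failureHandler((req, res, ex) -> res.setStatus(HttpServletResponse.SC_UNAUTHORIZED))
                .and().logout()
                    .logoutUrl("/access/logout")
                    .logoutSuccessHandler((req, res, auth) -> res.setStatus(HttpServletResponse.SC_NO_CONTENT))
                    .invalidateHttpSession(true)
                .and().exceptionHandling()
                    // 401 (not 403, and not a redirect) tells the client to authenticate.
                    .authenticationEntryPoint(new HttpStatusEntryPoint(HttpStatus.UNAUTHORIZED))
                .and().csrf()
                    // Token readable from the XSRF-TOKEN cookie; Angular's $http echoes it as X-XSRF-TOKEN.
                    .csrfTokenRepository(CookieCsrfTokenRepository.withHttpOnlyFalse());
        }
    }
}
```

A request carrying `Authorization: Bearer ...` is routed to the first chain: no session is created, and a bad token gets a 401 immediately. A request without that header (the browser) falls through to the second chain, where the Angular client POSTs to /access/login, receives a 200 and a session cookie, and from then on must echo the XSRF-TOKEN cookie as an X-XSRF-TOKEN header on every state-changing call, which AngularJS's $http does by default. Behind the nginx proxy described in the question this works unchanged, because both chains match on headers and paths rather than on ports.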