Spring Boot/REST Ajax application - avoid having to log in several times a day
Based on the code, I built a single-page web application with AngularJS and Spring Boot. It all works well, but users complain that they have to log in again several times a day. I am not very familiar with things like Spring Security, but I suspect it is because the authentication token is created with a 1-hour expiry. See: Would it be a good idea, for example, to extend the expiry to 24 hours? Or do I need to change something in the Spring Security configuration:
@EnableWebMvcSecurity
@EnableWebSecurity
@Configuration
@Profile("security")
public class WebSecurityConfig extends WebSecurityConfigurerAdapter
{
    ...
    @Override
    protected void configure( HttpSecurity http ) throws Exception
    {
        http.csrf().disable();
        http.sessionManagement().sessionCreationPolicy( SessionCreationPolicy.STATELESS );
        http.authorizeRequests()
            .antMatchers( "/api/datasheets/*/documents/*/download" ).anonymous() // Workaround to allow download of the files again. This is insecure. Hopefully I get an answer soon: http://stackoverflow.com/questions/23413701/download-a-file-that-needs-authentication-token
            .antMatchers( "/api/**" ).hasRole( "READONLY" );
        SecurityConfigurer<DefaultSecurityFilterChain, HttpSecurity> securityConfigurer = new XAuthTokenConfigurer( userDetailsServiceBean() );
        http.apply( securityConfigurer );
    }

    @Override
    protected void configure( AuthenticationManagerBuilder auth ) throws Exception
    {
        auth.userDetailsService( new LocalUserDetailsService() )
            .and().ldapAuthentication()
            .contextSource( contextSource() )
            .ldapAuthoritiesPopulator( authoritiesPopulator() )
            .userSearchFilter( LDAP_USER_FILTER )
            .userDnPatterns( "OU=local,OU=Users" )
            .groupSearchBase( "OU=Security Groups" );
    }
I guess it depends on whether you consider a token that lasts 24 hours to be secure (some people think so, while others prefer short-lived tokens plus a refresh mechanism, like OAuth2). If you are comfortable with that level of risk, then there is nothing else you need to change.