Java Spring RESTful Token Web Service Review

Tags: java, spring, rest, spring-mvc

I have been trying to implement a new RESTful web service using Spring.IO. I have looked at probably 30 different online examples that were supposed to provide exactly this, and none of them worked "out of the box".

To complicate matters further, 95% of the examples use XML configuration exclusively, which I personally find less readable than pure Java configuration.

After many hours of effort I have finally pieced together something that "works", but I would very much like feedback on my specific implementation. Specifically:

  1. Assuming the client's authorization token is not compromised, is my implementation secure?
  2. Because the constructor requires an AuthenticationManager, I could not properly autowire the
     AuthenticationTokenProcessingFilter class in WebSecurityConfig. If there is a way to clean that up...

    Main application class:

    @ComponentScan({"webservice"})
    @Configuration
    @EnableAutoConfiguration
    public class Application {
    
        public static void main(String[] args) {
            SpringApplication.run(Application.class, args);
        }
    }
    
    The WebSecurityConfig class (which, AFAIK, does most of the work previously done by XML):

    The AuthenticationTokenProcessingFilter, which performs token authentication on client connections:

    import java.io.IOException;
    import java.util.ArrayList;
    import java.util.List;
    import java.util.Map;
    import javax.servlet.FilterChain;
    import javax.servlet.ServletException;
    import javax.servlet.ServletRequest;
    import javax.servlet.ServletResponse;
    import org.springframework.security.authentication.AbstractAuthenticationToken;
    import org.springframework.security.authentication.AuthenticationManager;
    import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
    import org.springframework.security.core.GrantedAuthority;
    import org.springframework.security.core.authority.SimpleGrantedAuthority;
    import org.springframework.security.core.context.SecurityContextHolder;
    import org.springframework.web.filter.GenericFilterBean;
    // User and TokenUtils are the application's own classes (package not shown)

    public class AuthenticationTokenProcessingFilter extends GenericFilterBean {

        AuthenticationManager authManager;

        public AuthenticationTokenProcessingFilter(AuthenticationManager authManager) {
            this.authManager = authManager;
        }

        @Override
        public void doFilter(ServletRequest request, ServletResponse response,
                FilterChain chain) throws IOException, ServletException {

            @SuppressWarnings("unchecked")
            Map<String, String[]> parms = request.getParameterMap();

            if (parms.containsKey("authToken")) {
                String token = parms.get("authToken")[0];

                // Validate the token
                User user = TokenUtils.getUserFromToken(token);

                // If we managed to get a user we can finish the authentication
                if (user != null) {
                    // Add a default authority for all users
                    List<GrantedAuthority> grantedAuths = new ArrayList<>();
                    grantedAuths.add(new SimpleGrantedAuthority("ROLE_ADMIN"));

                    // build an Authentication object with the user's info
                    AbstractAuthenticationToken authentication =
                        new UsernamePasswordAuthenticationToken(user, token, grantedAuths);

                    // set the authentication into the SecurityContext
                    SecurityContextHolder.getContext().setAuthentication(authentication);
                }
            }

            // continue through the filter chain
            chain.doFilter(request, response);
        }
    }
    
    The CustomAuthenticationEntryPoint, which returns a 403 if the user has not authenticated successfully:

    import java.io.IOException;
    import javax.servlet.ServletException;
    import javax.servlet.http.HttpServletRequest;
    import javax.servlet.http.HttpServletResponse;
    import org.springframework.security.core.AuthenticationException;
    import org.springframework.security.web.AuthenticationEntryPoint;
    import org.springframework.stereotype.Component;

    @Component
    public class CustomAuthenticationEntryPoint implements AuthenticationEntryPoint {
        @Override
        public void commence(HttpServletRequest request, HttpServletResponse response,
                AuthenticationException authException) throws IOException, ServletException {

            response.sendError(HttpServletResponse.SC_UNAUTHORIZED, "Unauthorized: Authentication token was either missing or invalid.");
        }
    }
    
    And finally my web service entry points:

    import org.springframework.security.core.Authentication;
    import org.springframework.security.core.context.SecurityContextHolder;
    import org.springframework.web.bind.annotation.RequestMapping;
    import org.springframework.web.bind.annotation.RequestMethod;
    import org.springframework.web.bind.annotation.RequestParam;
    import org.springframework.web.bind.annotation.RestController;
    // LoginRequest, LoginResponse and AccountResponse are the application's own classes (not shown)

    @RestController
    public class EntryPoints {

        @RequestMapping(value = "/login", method={RequestMethod.POST})
        public LoginResponse login(@RequestParam(value="username", required=true) String username,
                @RequestParam(value="password", required=true) String password) {

            LoginRequest loginRequest = new LoginRequest(username, password);

            // Authenticate the user using the provided credentials

            // If successful, return the authentication token
            //return new LoginResponse(token);

            throw new UnsupportedOperationException("Not implemented yet!");
        }

        @RequestMapping(value = "/account", method={RequestMethod.POST})
        public AccountResponse account(@RequestParam(value="accountId", required=true) long accountId) {

            Authentication authentication = SecurityContextHolder.getContext().getAuthentication();

            // Return the requested account information

            throw new UnsupportedOperationException("Not implemented yet!");
        }
    }
    

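The question refers to a WebSecurityConfig class whose listing is not on the page. As an added illustration for this review (not the asker's code), the following shows one way to register the filter without autowiring it: the filter is constructed by hand inside configure() and handed the AuthenticationManager from WebSecurityConfigurerAdapter's authenticationManagerBean(). It assumes Spring Security 4.x/5.x and the CustomAuthenticationEntryPoint and AuthenticationTokenProcessingFilter classes shown above.

```java
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.config.http.SessionCreationPolicy;
import org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter;

@Configuration
@EnableWebSecurity
public class WebSecurityConfig extends WebSecurityConfigurerAdapter {

    private final CustomAuthenticationEntryPoint entryPoint;

    @Autowired
    public WebSecurityConfig(CustomAuthenticationEntryPoint entryPoint) {
        this.entryPoint = entryPoint;
    }

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            // CSRF protection is only meaningful for cookie-based sessions; this API
            // authenticates every request with a token, so no session is created.
            .csrf().disable()
            .sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS)
            .and()
            // Unauthenticated requests get the 401 response built by the entry point
            .exceptionHandling().authenticationEntryPoint(entryPoint)
            .and()
            .authorizeRequests()
                .antMatchers("/login").permitAll()   // only the token-issuing endpoint is open
                .anyRequest().authenticated()
            .and()
            // The filter is not a Spring bean: it is built here, so the constructor
            // argument is supplied directly rather than autowired.
            .addFilterBefore(new AuthenticationTokenProcessingFilter(authenticationManagerBean()),
                             UsernamePasswordAuthenticationFilter.class);
    }
}
```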
Comments:

This might be better suited for Code Review; I don't see a specific problem. Also, take a look at Spring Session.

@chrylis - thanks for the comment; my specific questions are at the top, numbered 1 and 2.

It looks to me like you are giving all users admin rights - that is not very secure. Does this work? Like everyone, I am picky about Spring Security, but we have something similar, only with LDAP and SSO, and our REST controllers have @PreAuthorize on the secured methods...

@EngineerDollery - my understanding is that the user role is just a string, and you can match it at a later stage as well. At the moment I do not have any "@Secured" endpoints, so it is effectively redundant. It seems to be working fine, apart from a few minor implementation pieces that are missing.
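EngineerDollery's comment above points at the filter granting ROLE_ADMIN to every token holder; a second weakness is that the token travels in a query parameter, so it is written to server access logs, proxy logs and browser history. The following is an added, hardened variant written for this review (not the asker's code): it reads the token from an Authorization: Bearer header, takes the authorities from the user record the token resolves to, and does not keep the token as the credentials of the Authentication. TokenService and its resolve() method are hypothetical stand-ins for the asker's TokenUtils.getUserFromToken().

```java
import java.io.IOException;
import javax.servlet.FilterChain;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.web.filter.OncePerRequestFilter;

// Hypothetical: validates a token and returns the user it was issued to, or null.
interface TokenService {
    UserDetails resolve(String token);
}

public class HeaderTokenAuthenticationFilter extends OncePerRequestFilter {

    private static final String BEARER = "Bearer ";
    private final TokenService tokens;

    public HeaderTokenAuthenticationFilter(TokenService tokens) {
        this.tokens = tokens;
    }

    @Override
    protected void doFilterInternal(HttpServletRequest request, HttpServletResponse response,
            FilterChain chain) throws ServletException, IOException {
        // Header, not query string: the token stays out of URL-based logs and history.
        String header = request.getHeader("Authorization");
        if (header != null && header.startsWith(BEARER)
                && SecurityContextHolder.getContext().getAuthentication() == null) {
            UserDetails user = tokens.resolve(header.substring(BEARER.length()));
            if (user != null) {
                // Authorities come from the user record, so a plain user never becomes ROLE_ADMIN.
                // Credentials are null: the token is not stored in the security context.
                UsernamePasswordAuthenticationToken auth =
                        new UsernamePasswordAuthenticationToken(user, null, user.getAuthorities());
                SecurityContextHolder.getContext().setAuthentication(auth);
            }
        }
        // An invalid or missing token leaves the context empty; the entry point then answers 401.
        chain.doFilter(request, response);
    }
}
```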