Java Spring RESTful token web service review
I have been trying to implement a new RESTful web service using Spring.IO. I have gone through probably 30 different online examples that should provide this, but none of them work "out of the box". To complicate matters, 95% of the examples use XML configuration exclusively, which I personally find less readable than pure Java configuration. After many hours of effort I have finally pieced together something that "works", but I would very much like feedback on my specific implementation. Specifically:

1. Is my implementation secure, assuming the client authorization token is not compromised?
2. I cannot correctly autowire the AuthenticationTokenProcessingFilter in WebSecurityConfig, because its constructor requires an AuthenticationManager. If there is a way to clean that up.

The Application class:

import org.springframework.boot.SpringApplication;
import org.springframework.boot.autoconfigure.EnableAutoConfiguration;
import org.springframework.context.annotation.ComponentScan;
import org.springframework.context.annotation.Configuration;

@ComponentScan({"webservice"})
@Configuration
@EnableAutoConfiguration
public class Application {
    public static void main(String[] args) {
        SpringApplication.run(Application.class, args);
    }
}
The WebSecurityConfig class (which, AFAIK, does most of the work previously done by XML):

The AuthenticationTokenProcessingFilter, which performs token authentication on client connections:
import java.io.IOException;
import java.util.ArrayList;
import java.util.List;
import java.util.Map;

import javax.servlet.FilterChain;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;

import org.springframework.security.authentication.AbstractAuthenticationToken;
import org.springframework.security.authentication.AuthenticationManager;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.authority.SimpleGrantedAuthority;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.web.filter.GenericFilterBean;

public class AuthenticationTokenProcessingFilter extends GenericFilterBean {

    private final AuthenticationManager authManager;

    public AuthenticationTokenProcessingFilter(AuthenticationManager authManager) {
        this.authManager = authManager;
    }

    @Override
    public void doFilter(ServletRequest request, ServletResponse response,
                         FilterChain chain) throws IOException, ServletException {
        @SuppressWarnings("unchecked")
        Map<String, String[]> parms = request.getParameterMap();
        if (parms.containsKey("authToken")) {
            String token = parms.get("authToken")[0];
            // Validate the token and resolve it to a user
            User user = TokenUtils.getUserFromToken(token);
            // If we managed to get a user we can finish the authentication
            if (user != null) {
                // Add a default authority for all users (every token holder currently gets ROLE_ADMIN)
                List<GrantedAuthority> grantedAuths = new ArrayList<>();
                grantedAuths.add(new SimpleGrantedAuthority("ROLE_ADMIN"));
                // Build an Authentication object with the user's info
                AbstractAuthenticationToken authentication =
                        new UsernamePasswordAuthenticationToken(user, token, grantedAuths);
                // Set the authentication into the SecurityContext
                SecurityContextHolder.getContext().setAuthentication(authentication);
            }
        }
        // Continue through the filter chain
        chain.doFilter(request, response);
    }
}
The CustomAuthenticationEntryPoint, which returns a 403 if the user has not authenticated successfully:

import java.io.IOException;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.springframework.security.core.AuthenticationException;
import org.springframework.security.web.AuthenticationEntryPoint;
import org.springframework.stereotype.Component;

@Component
public class CustomAuthenticationEntryPoint implements AuthenticationEntryPoint {
    @Override
    public void commence(HttpServletRequest request, HttpServletResponse response,
                         AuthenticationException authException) throws IOException, ServletException {
        // Generic message: does not reveal whether the token was absent, expired or malformed
        response.sendError(HttpServletResponse.SC_UNAUTHORIZED, "Unauthorized: Authentication token was either missing or invalid.");
    }
}
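The WebSecurityConfig class itself is not shown on this page, so here is an added example of one (not the asker's code) that wires the filter above and the entry point together and answers question 2 by constructing the filter with the AuthenticationManager passed in explicitly instead of autowiring it. It assumes Spring Boot with Spring Security 5.x (the WebSecurityConfigurerAdapter API, which was removed in Spring Security 6), and the in-memory user "demo" is a constructed stand-in for whatever user store the /login endpoint will eventually authenticate against.

```java
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.authentication.AuthenticationManager;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.config.http.SessionCreationPolicy;
import org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter;

@Configuration
@EnableWebSecurity
public class WebSecurityConfig extends WebSecurityConfigurerAdapter {

    @Autowired
    private CustomAuthenticationEntryPoint entryPoint;

    @Override
    protected void configure(AuthenticationManagerBuilder auth) throws Exception {
        // Constructed stand-in user store for illustration only; a real service would
        // register a UserDetailsService (database, LDAP, ...) here instead.
        auth.inMemoryAuthentication()
            .withUser("demo").password("{noop}demo-password").roles("USER");
    }

    // Expose the AuthenticationManager as a bean so a /login controller can inject it
    // and check username/password credentials before issuing a token.
    @Bean
    @Override
    public AuthenticationManager authenticationManagerBean() throws Exception {
        return super.authenticationManagerBean();
    }

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            // A token-per-request API keeps no server-side session, so session
            // creation and CSRF protection (which guards cookie sessions) are off.
            .csrf().disable()
            .sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS)
            .and()
            // Unauthenticated requests to protected URLs get the 401 from CustomAuthenticationEntryPoint
            .exceptionHandling().authenticationEntryPoint(entryPoint)
            .and()
            .authorizeRequests()
                .antMatchers("/login").permitAll()
                .anyRequest().authenticated()
            .and()
            // The filter is built here with the manager handed in directly, which is
            // what makes autowiring unnecessary. It is deliberately NOT a @Bean:
            // Spring Boot also registers Filter beans with the servlet container,
            // so a @Bean filter would run twice per request.
            .addFilterBefore(new AuthenticationTokenProcessingFilter(authenticationManagerBean()),
                             UsernamePasswordAuthenticationFilter.class);
    }
}
```

Two things this configuration makes visible about the filter as posted: the entry point only fires when a request reaches a protected URL with no Authentication in the SecurityContext, so a request with an invalid token is rejected with the same 401 as one with no token; and because the token travels as a request parameter (authToken), it is written to web server access logs and proxy logs along with the URL, which is the usual reason to carry bearer tokens in an Authorization header instead.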
And finally my web service entry points:

import org.springframework.security.core.Authentication;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.RequestMethod;
import org.springframework.web.bind.annotation.RequestParam;
import org.springframework.web.bind.annotation.RestController;

@RestController
public class EntryPoints {

    @RequestMapping(value = "/login", method = {RequestMethod.POST})
    public LoginResponse login(@RequestParam(value = "username", required = true) String username,
                               @RequestParam(value = "password", required = true) String password) {
        LoginRequest loginRequest = new LoginRequest(username, password);
        // Authenticate the user using the provided credentials
        // If successful, return an authentication token
        // return new LoginResponse(token);
        throw new UnsupportedOperationException("Not implemented yet!");
    }

    @RequestMapping(value = "/account", method = {RequestMethod.POST})
    public AccountResponse account(@RequestParam(value = "accountId", required = true) long accountId) {
        Authentication authentication = SecurityContextHolder.getContext().getAuthentication();
        // Return the requested account information
        throw new UnsupportedOperationException("Not implemented yet!");
    }
}
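The /login method above stops at a comment, so here is an added example (not the asker's code) of the step it describes: handing the username and password to Spring Security's AuthenticationManager and, on success, issuing the opaque token that the filter later resolves. TokenStore with its issue and resolve methods is hypothetical and stands in for whatever backs the asker's TokenUtils.getUserFromToken; LoginResponse is assumed to take the token string as its constructor argument, as the asker's commented-out line suggests. It assumes an AuthenticationManager bean is available for injection and Spring 4.3 or later (constructor injection without @Autowired).

```java
import java.security.SecureRandom;
import java.util.Base64;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;

import org.springframework.http.HttpStatus;
import org.springframework.security.authentication.AuthenticationManager;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.AuthenticationException;
import org.springframework.stereotype.Component;
import org.springframework.web.bind.annotation.ExceptionHandler;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.RequestMethod;
import org.springframework.web.bind.annotation.RequestParam;
import org.springframework.web.bind.annotation.ResponseStatus;
import org.springframework.web.bind.annotation.RestController;

// Hypothetical token store: opaque random tokens mapped to the username they were issued to.
// In-memory only, so tokens are lost on restart and are not shared between instances.
@Component
class TokenStore {
    private final SecureRandom random = new SecureRandom();
    private final Map<String, String> tokens = new ConcurrentHashMap<>();

    // 256 bits from SecureRandom: not guessable, and the token itself carries no user data
    String issue(String username) {
        byte[] bytes = new byte[32];
        random.nextBytes(bytes);
        String token = Base64.getUrlEncoder().withoutPadding().encodeToString(bytes);
        tokens.put(token, username);
        return token;
    }

    // Username for a valid token, or null for an unknown one (the case the filter checks for)
    String resolve(String token) {
        return tokens.get(token);
    }
}

@RestController
public class LoginController {

    private final AuthenticationManager authenticationManager;
    private final TokenStore tokenStore;

    public LoginController(AuthenticationManager authenticationManager, TokenStore tokenStore) {
        this.authenticationManager = authenticationManager;
        this.tokenStore = tokenStore;
    }

    @RequestMapping(value = "/login", method = RequestMethod.POST)
    public LoginResponse login(@RequestParam("username") String username,
                               @RequestParam("password") String password) {
        // Spring Security checks the credentials against the configured user store;
        // a wrong username or password throws AuthenticationException (handled below).
        Authentication result = authenticationManager.authenticate(
                new UsernamePasswordAuthenticationToken(username, password));
        return new LoginResponse(tokenStore.issue(result.getName()));
    }

    // Exceptions thrown inside a controller do not pass through the entry point, so
    // without this handler a failed login would surface as a 500 rather than a 401.
    @ExceptionHandler(AuthenticationException.class)
    @ResponseStatus(HttpStatus.UNAUTHORIZED)
    public void badCredentials() {
        // Same empty 401 body for an unknown user and a wrong password: no username enumeration
    }
}
```

The filter's TokenUtils.getUserFromToken would then be a lookup against this store (null for anything not issued), which keeps the token opaque to the client: revoking it is a delete on the server, and nothing about the user can be read from the token string.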
Comments:

This might be better suited to Code Review; I don't see a specific problem. Also, take a look at Spring Session.

@chrylis - Thanks for the comment; my specific questions are at the top, numbered 1 and 2.

It looks to me like you're giving all users admin privileges, which isn't very secure. Does this work? Like everyone, I'm picky about Spring Security, but we have something similar, only with LDAP and SSO, and our REST controllers have @PreAuthorize on the secured methods...

@EngineerDollery - My understanding is that the user role is just a string, and you can match against it at a later stage as well. Currently I don't have any "@Secured" endpoints, so it is effectively redundant. It seems to run fine, apart from a few minor implementation parts.