使用Spring social进行Spring security REST身份验证
我正在创建一个应用程序,用户可以通过用户名和密码登录,也可以使用spring social通过facebook登录。我举了一个例子 ,但它是为SpringMVC而不是为REST配置的 作者创建特殊的UserDetailsService并将其分配给AuthenticationManager生成器使用Spring social进行Spring security REST身份验证,rest,token,spring-social,spring-java-config,spring-security-rest,Rest,Token,Spring Social,Spring Java Config,Spring Security Rest,我正在创建一个应用程序,用户可以通过用户名和密码登录,也可以使用spring social通过facebook登录。我举了一个例子 ,但它是为SpringMVC而不是为REST配置的 作者创建特殊的UserDetailsService并将其分配给AuthenticationManager生成器 @Override protected void configure(AuthenticationManagerBuilder auth) throws Exception { auth
@Override
protected void configure(AuthenticationManagerBuilder auth) throws Exception {
auth
.userDetailsService(userDetailsService())
.passwordEncoder(passwordEncoder());
}
在这一点上,我认为一切都很好。UserDetailsService具有按用户id查找用户的方法
在安全配置类的http配置中,如果我想使用REST应用程序,是否应该将“form login”更改为http“basic authentication”?
如果我改变了这一点,我应该为每个请求添加正确的http授权头吗?或者我可以通过标准登录使用令牌身份验证(通过用户名和密码,而不是社交)?基于令牌的身份验证将与Spring社交登录配合使用(还有令牌)
安全配置
@Configuration
@EnableWebSecurity
public class SecurityConfig extends WebSecurityConfigurerAdapter {
@Autowired
private UserRepository userRepository;
@Override
public void configure(WebSecurity web) throws Exception {
web
.ignoring()
.antMatchers("/static/**");
}
@Override
protected void configure(HttpSecurity http) throws Exception {
http
.formLogin()
.loginPage("/login")
.loginProcessingUrl("/login/authenticate")
.failureUrl("/login?error=bad_credentials")
//Configures the logout function
.and()
.logout()
.deleteCookies("JSESSIONID")
.logoutUrl("/logout")
.logoutSuccessUrl("/login")
//Configures url based authorization
.and()
.authorizeRequests()
//Anyone can access the urls
.antMatchers(
"/auth/**",
"/login",
"/signup/**",
"/user/register/**",
"/greeting"
).permitAll()
//The rest of the our application is protected.
.antMatchers("/**").hasRole("USER")
//Adds the SocialAuthenticationFilter to Spring Security's filter chain.
.and()
.apply(new SpringSocialConfigurer())
.and()
.csrf().disable();
}
@Override
protected void configure(AuthenticationManagerBuilder auth) throws Exception {
auth
.userDetailsService(userDetailsService())
.passwordEncoder(passwordEncoder());
}
@Bean
public PasswordEncoder passwordEncoder() {
return new BCryptPasswordEncoder(10);
}
@Bean
public SocialUserDetailsService socialUserDetailsService() {
return new AppSocialUserDetailsService(userDetailsService());
}
@Bean
public UserDetailsService userDetailsService() {
return new AppUserDetailsService(userRepository);
}
}
@Configuration
@EnableWebSecurity
public class SecurityConfig extends WebSecurityConfigurerAdapter {
@Autowired
private UserRepository userRepository;
@Override
public void configure(WebSecurity web) throws Exception {
web
.ignoring()
.antMatchers("/static/**");
}
@Override
protected void configure(HttpSecurity http) throws Exception {
http
.formLogin()
.loginPage("/login")
.loginProcessingUrl("/login/authenticate")
.failureUrl("/login?error=bad_credentials")
//Configures the logout function
.and()
.logout()
.deleteCookies("JSESSIONID")
.logoutUrl("/logout")
.logoutSuccessUrl("/login")
//Configures url based authorization
.and()
.authorizeRequests()
//Anyone can access the urls
.antMatchers(
"/auth/**",
"/login",
"/signup/**",
"/user/register/**",
"/greeting"
).permitAll()
//The rest of the our application is protected.
.antMatchers("/**").hasRole("USER")
//Adds the SocialAuthenticationFilter to Spring Security's filter chain.
.and()
.apply(new SpringSocialConfigurer())
.and()
.csrf().disable();
}
@Override
protected void configure(AuthenticationManagerBuilder auth) throws Exception {
auth
.userDetailsService(userDetailsService())
.passwordEncoder(passwordEncoder());
}
@Bean
public PasswordEncoder passwordEncoder() {
return new BCryptPasswordEncoder(10);
}
@Bean
public SocialUserDetailsService socialUserDetailsService() {
return new AppSocialUserDetailsService(userDetailsService());
}
@Bean
public UserDetailsService userDetailsService() {
return new AppUserDetailsService(userRepository);
}
}