发表新帖
发表新帖

Spring Security unexpected behavior for REST endpoints authentication?

前端 未结
关注
6 1595
暖寄归人
暖寄归人 2021-01-15 03:44

The scenario we are looking for is as follows:

  1. client connects with REST to a REST login url
  2. Spring microservice (using Spring Security) should return
6条回答
  • 一个人的身影
    一个人的身影 (楼主)
    2021-01-15 03:58

    http.formLogin()

    is designed for form-based login. So the 302 status and Location header in the response is expected if you attempt to access a protected resource without being authenticated.

    Based on your requirement/scenario,

    1. client connects with REST to a REST login url

    have you considered using HTTP Basic for authentication?

    http.httpBasic()

    Using HTTP Basic, you can populate the Authorization header with the username/password and the BasicAuthenticationFilter will take care of authenticating the credentials and populating the SecurityContext accordingly.

    I have a working example of this using Angular on the client-side and Spring Boot-Spring Security on back-end.

    If you look at security-service.js, you will see a factory named securityService which provides a login() function. This function calls the /principal endpoint with the Authorization header populated with the username/password as per HTTP Basic format, for example:

    Authorization : Basic base64Encoded(username:passsword)

    The BasicAuthenticationFilter will process this request by extracting the credentials and ultimately authenticating the user and populating the SecurityContext with the authenticated principal. After authentication is successful, the request will proceed to the destined endpoint /principal which is mapped to SecurityController.currentPrincipal which simply returns a json representation of the authenticated principal.

    For your remaining requirements:

    1. Spring microservice (using Spring Security) should return 200 OK and a login token
    2. the client keeps the token
    3. the client calls other REST endpoints using the same token.

    You can generate a security/login token and return that instead of the user info. However, I would highly recommend looking at Spring Security OAuth if you have a number of REST endpoints deployed across different Microservices that need to be protected via a security token. Building out your own STS (Security Token Service) can become very involved and complicated so not recommended.

    0 讨论(0)
 看不清?
提交回复
热议问题