I'm about to implement user authentication in my app.
Since it is my first Angular + Spring project, I would like to know what the possible options for authentication are. I'm not expecting detailed instructions; concept level is enough, so that I know where to dig.
I consider two ways of further back-end app development:
- REST-like;
- regular Spring MVC; however, I don't know how to combine Angular and Spring in this case. Any suggestions in this regard are also appreciated.
1 Solution
#1
1
There are various ways to accomplish this. The general idea is that the Angular client adds a credential to every request (typically in the Authorization header), which a servlet Filter on the backend verifies before executing the request.
There are various standard ways to accomplish this, ranging from simple HTTP Basic Authentication (which Spring Security can do easily) to full-fledged single sign-on protocols like OAuth 2 (and its extension OpenID Connect).
I've heard that JWT has drawbacks; one of them is the impossibility of blocking a user until his JWT token expires, which is pretty important in my case.
Not necessarily. JWT is a standard for authentication, not access control. That is, it simply describes a way to identify users, but does not constrain how you make access control decisions. In particular, it is entirely possible that an authorization framework will load user permissions for every request, though doing so may not be its default configuration.
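As an added example (not part of the answer above), here is a Spring servlet Filter of the kind the answer describes: it verifies the bearer credential on every request and, addressing the JWT concern raised in the comments, re-checks the account's current state against the user store instead of trusting the token alone. It assumes Spring 6 (jakarta.servlet) and two hypothetical interfaces, TokenVerifier and UserStatusRepository, standing in for a real JWT library and user store.

```java
// Added example, not code from the question or answer: a servlet Filter of the kind the
// answer describes. It verifies the bearer credential on every request and then reloads
// the account's current state, so a blocked user is rejected before the token expires.
import java.io.IOException;
import java.util.Optional;
import jakarta.servlet.FilterChain;
import jakarta.servlet.ServletException;
import jakarta.servlet.http.HttpServletRequest;
import jakarta.servlet.http.HttpServletResponse;
import org.springframework.web.filter.OncePerRequestFilter;

public class RevocableTokenFilter extends OncePerRequestFilter {
    // Hypothetical: stands in for your JWT library; checks signature and expiry, returns the subject.
    public interface TokenVerifier { Optional<String> verifiedSubject(String token); }
    // Hypothetical: stands in for your user store; answers "is this account enabled right now?".
    public interface UserStatusRepository { boolean isEnabled(String userId); }

    private final TokenVerifier verifier;
    private final UserStatusRepository users;

    public RevocableTokenFilter(TokenVerifier verifier, UserStatusRepository users) {
        this.verifier = verifier;
        this.users = users;
    }

    @Override
    protected void doFilterInternal(HttpServletRequest request, HttpServletResponse response,
                                    FilterChain chain) throws ServletException, IOException {
        String header = request.getHeader("Authorization");
        if (header == null || !header.startsWith("Bearer ")) {
            response.sendError(HttpServletResponse.SC_UNAUTHORIZED); // no credential presented
            return;
        }
        Optional<String> subject = verifier.verifiedSubject(header.substring("Bearer ".length()).trim());
        if (subject.isEmpty()) {
            response.sendError(HttpServletResponse.SC_UNAUTHORIZED); // bad signature or expired token
            return;
        }
        // The point raised in the comment: a valid token alone is not enough; the account must
        // still be enabled now, so disabling it in the store takes effect on the next request.
        if (!users.isEnabled(subject.get())) {
            response.sendError(HttpServletResponse.SC_FORBIDDEN);
            return;
        }
        chain.doFilter(request, response); // credential accepted, continue to the controller
    }
}
```

The per-request lookup is what makes blocking immediate; its cost is one store read per request, which is the trade-off the answer alludes to when it says this is not the default configuration.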