使用Spring Security使用自定义无状态身份验证机制保护URL

时间:2021-02-28 11:24:11

I have a Spring REST application, being run on an embedded Tomcat via Spring Boot. I have various classes annotated @RestController with methods which are REST endpoints. I have Springfox Swagger, which produces Open API Specification JSON under the URL /v2/api-docs. Everything works fine.

我有一个Spring REST应用程序,通过Spring Boot在嵌入式Tomcat上运行。我有各种类注释@RestController与方法是REST端点。我有Springfox Swagger,它在URL / v2 / api-docs下生成Open API Specification JSON。一切正常。

Now I would like to protect the /v2/api-docs with the following authentication mechanism.

现在我想用以下身份验证机制来保护/ v2 / api-docs。

  • The user supplies a username in the Username HTTP header, and a password in the Password-Utf8-Base64 header (this is a base64 encoding of the UTF-8 encoding of the supplied password).
  • 用户在Username HTTP标头中提供用户名,在Password-Utf8-Base64标头中提供密码(这是所提供密码的UTF-8编码的base64编码)。

  • A back-end method (already existing) checks the username/password, and checks that they have authorization to view this URL.
  • 后端方法(已存在)检查用户名/密码,并检查他们是否有权查看此URL。

  • There should be no session, the headers should be supplied with every call and the authorization check done every call.
  • 应该没有会话,每次呼叫都应提供标头,每次呼叫都要进行授权检查。

  • If the authentication information is incorrect, a 401 or 403 error should be supplied to the client. A 401 in case the username/password is wrong, or 403 in the case it's correct but they don't have access to the URL. There should be no redirects to HTML login pages etc., as this is a REST application only.
  • 如果验证信息不正确,则应向客户端提供401或403错误。如果用户名/密码错误,则为401;如果是正确的,则为403,但是他们无权访问该URL。应该没有重定向到HTML登录页面等,因为这只是一个REST应用程序。

I am thinking, Spring Security is the right way to do this? Because with it, I should be able to specify, without altering the Springfox code offering the /v2/api-docs endpoint, that that endpoint should be secure via the above authentication mechanism.

我在想,Spring Security是正确的方法吗?因为有了它,我应该能够在不改变提供/ v2 / api-docs端点的Springfox代码的情况下指定该端点应该通过上述认证机制是安全的。

I am a bit of a loss to know where to begin. Spring Security's Getting Started Guide describes how to redirect to a login page in case the login is wrong. I think I can create by own UserDetails which performs the authentication but how do I get access to the HTTP headers to find the supplied username/password? How do I send the 401 vs 403 status codes?

知道从哪里开始,我有点失落。 Spring Security的入门指南介绍了如何在登录错误时重定向到登录页面。我想我可以通过自己的UserDetails创建执行身份验证但是如何访问HTTP标头以查找提供的用户名/密码?如何发送401 vs 403状态代码?

1 个解决方案

#1


1  

Sounds like you need basic authentication for REST (see the example).

听起来你需要REST的基本身份验证(参见示例)。

The only difference the token passing. Instead of 2 headers the solution expects one defined like this

令牌传递的唯一区别。而不是2个头,解决方案期望一个像这样定义

String plainClientCredentials="myusername:mypassword";
String base64ClientCredentials = new String(Base64.encodeBase64(plainClientCredentials.getBytes()));

HttpHeaders headers = getHeaders();
headers.add("Authorization", "Basic " + base64ClientCredentials);

#1


1  

Sounds like you need basic authentication for REST (see the example).

听起来你需要REST的基本身份验证(参见示例)。

The only difference the token passing. Instead of 2 headers the solution expects one defined like this

令牌传递的唯一区别。而不是2个头,解决方案期望一个像这样定义

String plainClientCredentials="myusername:mypassword";
String base64ClientCredentials = new String(Base64.encodeBase64(plainClientCredentials.getBytes()));

HttpHeaders headers = getHeaders();
headers.add("Authorization", "Basic " + base64ClientCredentials);