java - Spring Security 基于 header 的身份验证

Question

默认情况下，Spring Security 通过将 JSESSIONID cookie 添加到您的 session 来运行。我已经使用并看到了许多基于 header 的形式来实现相同的结果(通常使用一个或两个过滤器)。但我觉得这是我应该能够在配置中设置的东西。以这样的形式:

config.setTokenLocation(TokenLocationEnum.HEADER)
config.setTokenName("Bearer")

或

config.setTokenLocation(TokenLocationEnum.COOKIE)
config.setTokenName("JSESSIONID")

我想尝试自己实现这一点，但我首先想看看是否有人反对这个想法以及为什么它尚未实现。

谢谢

Answer 1

您可以根据需要配置 Spring Security。通过 JSESSIONID 进行的 session 管理是开箱即用的。例如，如果您想使用 Bearer OAuth 2.0 token ，则需要配置 AuthServer。这是我的一个项目的配置示例:

@EnableAuthorizationServer
public class AuthorizationServerConfig extends AuthorizationServerConfigurerAdapter
{
    private final AuthenticationManager authenticationManager;

    private final InGridSecurityProperties inGridSecurityProperties;

    @Autowired
    public AuthorizationServerConfig(AuthenticationManager authenticationManager, InGridSecurityProperties inGridSecurityProperties, GoogleConnectionFactory connectionFactory) {
        this.authenticationManager = authenticationManager;
        this.inGridSecurityProperties = inGridSecurityProperties;
        this.connectionFactory = connectionFactory;
    }

    @Override public void configure(ClientDetailsServiceConfigurer clients) throws Exception
    {
        clients.inMemory()
                        .withClient( inGridSecurityProperties.getClientId() )
                        .secret( inGridSecurityProperties.getClientSecret() )
                        .authorities( "ROLE_TRUSTED_CLIENT" )
                        .authorizedGrantTypes( inGridSecurityProperties.getGrantTypes() )
                        .scopes( inGridSecurityProperties.getClientScope() )
                        .accessTokenValiditySeconds(
                                        inGridSecurityProperties.getAccessTokenValiditySeconds() )
                        .refreshTokenValiditySeconds(
                                        inGridSecurityProperties.getRefreshTokenValiditySeconds() );
    }

    @Override public void configure(AuthorizationServerSecurityConfigurer security) throws Exception
    {
        security.tokenKeyAccess( "isAnonymous() || hasAuthority('ROLE_TRUSTED_CLIENT')" )
                        .checkTokenAccess( "hasAuthority('ROLE_TRUSTED_CLIENT')" );
    }

    @Override public void configure(AuthorizationServerEndpointsConfigurer endpoints)
                    throws Exception
    {
        endpoints
                        .authenticationManager( authenticationManager )
                        .tokenStore( jwtTokenStore() )
                        .tokenEnhancer( jwtAccessTokenConverter() );
    }


    @Bean
    public JwtAccessTokenConverter jwtAccessTokenConverter()
    {
        JwtAccessTokenConverter converter = new JwtAccessTokenConverter();
        KeyPair keyPair = new KeyStoreKeyFactory(
                        new ClassPathResource( inGridSecurityProperties.getJwtKeyStore() ),
                        inGridSecurityProperties.getJwtKeyStorePassword().toCharArray() )
                        .getKeyPair( inGridSecurityProperties.getJwtKeyPairAlias(),
                                        inGridSecurityProperties.getJwtKeyPairPassword().toCharArray() );
        converter.setKeyPair( keyPair );
        return converter;
    }


}

您可以在 Spring Security 文档中找到更多信息:http://docs.spring.io/spring-security/site/docs/current/reference/