Token-based authentication with Spring Security

Updated: 2024-10-27 16:38:43

This article describes how token-based authentication was implemented on top of Spring Security's basic authentication; it may be a useful reference for readers facing the same problem.

Problem description

I have a REST API where I am authenticating using Spring Security Basic Authorization, where the client sends the username and password with each request. Now I want to implement token-based authentication, where I send a token in the response header when the user first authenticates. For further requests, the client can include that token in the header, which will be used to authenticate the user to the resources. I have two authentication providers, tokenAuthenticationProvider and daoAuthenticationProvider:

import javax.servlet.http.HttpServletRequest;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.security.authentication.AuthenticationProvider;
import org.springframework.security.authentication.BadCredentialsException;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.AuthenticationException;
import org.springframework.stereotype.Component;
import org.springframework.web.context.request.RequestAttributes;
import org.springframework.web.context.request.RequestContextHolder;
import org.springframework.web.context.request.ServletRequestAttributes;

@Component
public class TokenAuthenticationProvider implements AuthenticationProvider {

    @Autowired
    private TokenAuthentcationService service;

    @Override
    public Authentication authenticate(final Authentication authentication) throws AuthenticationException {
        // Read the token straight from the current request rather than from the Authentication object
        final RequestAttributes requestAttributes = RequestContextHolder.getRequestAttributes();
        final HttpServletRequest request = ((ServletRequestAttributes) requestAttributes).getRequest();
        final String token = request.getHeader(Constants.AUTH_HEADER_NAME);
        if (token == null) {
            throw new BadCredentialsException("Missing " + Constants.AUTH_HEADER_NAME + " header");
        }
        final Token tokenObj = this.service.getToken(token);
        if (tokenObj == null) {
            // Fail closed: an unrecognised token must not produce an Authentication at all
            throw new BadCredentialsException("Unknown token");
        }
        return new AuthenticationToken(tokenObj);
    }

    @Override
    public boolean supports(final Class<?> authentication) {
        return AuthenticationToken.class.isAssignableFrom(authentication);
    }
}

And in daoAuthenticationProvider I am setting a custom userDetailsService and authenticating against the user's login details by fetching them from the database (which is working fine as long as the user name and password are passed using Authorization: Basic bGllQXBpVXNlcjogN21wXidMQjRdTURtR04pag== as the header).

But when I include the token in the header using X-AUTH-TOKEN (which is Constants.AUTH_HEADER_NAME), tokenAuthenticationProvider is not being called. I am getting the error:

{"timestamp":1487626368308,"status":401,"error":"Unauthorized","message":"Full authentication is required to access this resource","path":"/find"}

And here is how I am adding the authentication providers:

@Override
public void configure(final AuthenticationManagerBuilder auth) throws Exception {
    final UsernamePasswordAuthenticationProvider daoProvider =
            new UsernamePasswordAuthenticationProvider(this.service, this.passwordEncoder());
    auth.authenticationProvider(this.tokenAuthenticationProvider);
    auth.authenticationProvider(daoProvider);
}

Please suggest how I can implement token-based authentication without hurting the current behaviour of Spring Security.

Recommended answer

Here is how I was able to implement token-based authentication and basic authentication.

SpringSecurityConfig.java

import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
import org.springframework.security.crypto.password.PasswordEncoder;
import org.springframework.security.web.authentication.www.BasicAuthenticationFilter;

@Configuration
@EnableWebSecurity
public class SecurityConfig extends WebSecurityConfigurerAdapter {

    // The answer uses this.participantService without showing it: a UserDetailsService backed by the user table
    @Autowired
    private UserDetailsService participantService;

    // The answer calls this.passwordEncoder() without showing it; BCrypt is assumed here
    @Bean
    public PasswordEncoder passwordEncoder() {
        return new BCryptPasswordEncoder();
    }

    @Override
    public void configure(final AuthenticationManagerBuilder auth) throws Exception {
        auth.userDetailsService(this.participantService).passwordEncoder(this.passwordEncoder());
    }

    @Override
    protected void configure(final HttpSecurity http) throws Exception {
        // Implementing token based authentication in this filter
        final TokenAuthenticationFilter tokenFilter = new TokenAuthenticationFilter();
        http.addFilterBefore(tokenFilter, BasicAuthenticationFilter.class);

        // Creating a token when basic authentication is successful; the same token can be used to authenticate further requests
        final CustomBasicAuthenticationFilter customBasicAuthFilter =
                new CustomBasicAuthenticationFilter(this.authenticationManager());
        http.addFilter(customBasicAuthFilter);

        // Overriding configure(HttpSecurity) discards the adapter's default rules; without this line
        // no authorization check is installed and every request is served without authentication
        http.authorizeRequests().anyRequest().authenticated();
    }
}

TokenAuthenticationFilter.java

import java.io.IOException;
import javax.servlet.FilterChain;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.web.filter.GenericFilterBean;

public class TokenAuthenticationFilter extends GenericFilterBean {

    // Request header the token arrives in; must match the header CustomBasicAuthenticationFilter sets on the response
    public static final String HEADER_NAME = "header-name";

    @Override
    public void doFilter(final ServletRequest request, final ServletResponse response, final FilterChain chain)
            throws IOException, ServletException {
        final HttpServletRequest httpRequest = (HttpServletRequest) request;
        // extract token from header
        final String accessToken = httpRequest.getHeader(HEADER_NAME);
        if (null != accessToken) {
            // get and check whether the token is valid (from DB or file, wherever you are storing the token);
            // only a token that resolves to a user populates the SecurityContextHolder, an unknown token does nothing
            final UserDetails user = findUserByToken(accessToken);
            if (user != null) {
                // credentials are null on purpose: the token has already been checked, never carry the password here
                final UsernamePasswordAuthenticationToken authentication =
                        new UsernamePasswordAuthenticationToken(user, null, user.getAuthorities());
                SecurityContextHolder.getContext().setAuthentication(authentication);
            }
        }
        chain.doFilter(request, response);
    }

    /**
     * Resolve a token to the user it was issued to, e.g. new User(username, "", true, true, true, true, authorities).
     * The answer leaves this step as a comment; until a real lookup is plugged in, every token is treated as unknown.
     */
    protected UserDetails findUserByToken(final String token) {
        return null;
    }
}

CustomBasicAuthenticationFilter.java

import java.security.SecureRandom;
import java.util.Base64;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.springframework.security.authentication.AuthenticationManager;
import org.springframework.security.core.Authentication;
import org.springframework.security.web.authentication.www.BasicAuthenticationFilter;

// Not annotated with @Component: SecurityConfig instantiates this filter itself, and registering it
// as a bean as well would make the servlet container run it a second time outside the security chain
public class CustomBasicAuthenticationFilter extends BasicAuthenticationFilter {

    // Response header carrying the new token; must match the request header TokenAuthenticationFilter reads
    public static final String HEADER_NAME = "header-name";

    private final SecureRandom random = new SecureRandom();

    public CustomBasicAuthenticationFilter(final AuthenticationManager authenticationManager) {
        super(authenticationManager);
    }

    @Override
    protected void onSuccessfulAuthentication(final HttpServletRequest request,
                                              final HttpServletResponse response,
                                              final Authentication authResult) {
        // Generate Token: 256 bits from a CSPRNG, URL-safe Base64 so it survives header encoding unchanged
        final byte[] raw = new byte[32];
        this.random.nextBytes(raw);
        final String token = Base64.getUrlEncoder().withoutPadding().encodeToString(raw);
        // Save the token for the logged in user
        saveToken(token, authResult.getName());
        // send token in the response
        response.setHeader(HEADER_NAME, token);
    }

    /**
     * Persist the token against the user so TokenAuthenticationFilter can resolve it on later requests.
     * The answer leaves this step as a comment; plug in the DB or cache that holds the tokens here.
     */
    protected void saveToken(final String token, final String username) {
    }
}

As our CustomBasicAuthenticationFilter has been configured and added as a filter to Spring Security, whenever basic authentication is successful the request will be redirected to onSuccessfulAuthentication, where we set the token and send it in the response with some header "header-name".

If "header-name" is sent with further requests, the request will go through TokenAuthenticationFilter first, before attempting Basic Authentication.
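The two steps the answer leaves as comments, "get and check whether token is valid" and "Save the token for the logged in user", are where the security of this scheme is decided. The following is an added example, not code from the answer or from Spring Security: a plain-Java in-memory store that issues 256-bit tokens from a CSPRNG, keeps only the SHA-256 digest of each token together with an expiry, and resolves or revokes a presented token. The class name OpaqueTokenStore, the lifetime values and the user name used in main are assumptions for the demonstration.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.SecureRandom;
import java.time.Duration;
import java.time.Instant;
import java.util.Base64;
import java.util.Map;
import java.util.Optional;
import java.util.concurrent.ConcurrentHashMap;

/**
 * Added example (not from the original answer): in-memory store for opaque API tokens.
 * Only a SHA-256 digest of each token is kept, so a dump of the store yields nothing
 * a client could present, and lookup is by digest, so the secret itself is never
 * compared byte by byte on the request path.
 */
public final class OpaqueTokenStore {

    /** What the store remembers about one issued token. */
    private static final class Entry {
        final String username;
        final Instant expiresAt;

        Entry(final String username, final Instant expiresAt) {
            this.username = username;
            this.expiresAt = expiresAt;
        }
    }

    private final SecureRandom random = new SecureRandom();
    private final Map<String, Entry> byDigest = new ConcurrentHashMap<>();
    private final Duration lifetime;

    public OpaqueTokenStore(final Duration lifetime) {
        this.lifetime = lifetime;
    }

    /** Issue a fresh 256-bit random token for the user; the caller puts it in the response header. */
    public String issue(final String username) {
        final byte[] raw = new byte[32];
        random.nextBytes(raw);
        final String token = Base64.getUrlEncoder().withoutPadding().encodeToString(raw);
        byDigest.put(digest(token), new Entry(username, Instant.now().plus(lifetime)));
        return token;
    }

    /** Resolve a presented token to its user; empty when unknown, expired or revoked (fail closed). */
    public Optional<String> resolve(final String presented) {
        if (presented == null || presented.isEmpty()) {
            return Optional.empty();
        }
        final String key = digest(presented);
        final Entry entry = byDigest.get(key);
        if (entry == null) {
            return Optional.empty();
        }
        if (Instant.now().isAfter(entry.expiresAt)) {
            byDigest.remove(key); // expired: drop it so it cannot be revived by a clock change
            return Optional.empty();
        }
        return Optional.of(entry.username);
    }

    /** Revoke on logout or password change so the token stops working immediately. */
    public boolean revoke(final String presented) {
        return presented != null && byDigest.remove(digest(presented)) != null;
    }

    private static String digest(final String token) {
        try {
            final byte[] d = MessageDigest.getInstance("SHA-256").digest(token.getBytes(StandardCharsets.UTF_8));
            return Base64.getUrlEncoder().withoutPadding().encodeToString(d);
        } catch (final NoSuchAlgorithmException e) {
            throw new IllegalStateException("SHA-256 is mandatory in every JRE", e);
        }
    }

    /** Walks one token through issue, tampering, expiry and revocation (assumed values). */
    public static void main(final String[] args) throws InterruptedException {
        final OpaqueTokenStore store = new OpaqueTokenStore(Duration.ofMillis(200));
        final String token = store.issue("apiUser");
        System.out.println("issued:        " + token);
        System.out.println("valid now:     " + store.resolve(token));
        System.out.println("tampered:      " + store.resolve(token + "x"));
        Thread.sleep(300);
        System.out.println("after expiry:  " + store.resolve(token));
        final String second = store.issue("apiUser");
        store.revoke(second);
        System.out.println("after revoke:  " + store.resolve(second));
    }
}
```

Wiring it into the answer's filters: onSuccessfulAuthentication calls store.issue(authResult.getName()) and puts the result in the response header; TokenAuthenticationFilter calls store.resolve(header) and, when it yields a user name, loads the UserDetails through the same UserDetailsService the DAO provider uses, so a locked account or changed roles take effect on token requests as well. For more than one application node the ConcurrentHashMap becomes a shared table or cache with the same two columns, digest and expiry, and the raw token is still never written anywhere.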


Published: 2023-10-28 20:03:43
Link: https://www.elefans.com/category/jswz/34/1537636.html
Tags: authentication, Spring, Security, Token
