Welcome to OStack Knowledge Sharing Community for programmer and developer-Open, Learning and Share
Welcome To Ask or Share your Answers For Others

Categories

0 votes
474 views
in Technique[技术] by (71.8m points)

spring - Spring Security:Passwort和Access Token的不同身份验证提供程序或使用什么?(Spring Security: Different Authentication Provider for Passwort and Access Token or what to use?)

Spring Security is fairly new to me and I'm consuming a lot of documentation and tutorials to get the hang of it but there are a few things I haven't understood so far and maybe you can help me by pointing me in the right direction.

(Spring Security对我来说还很陌生,我花了很多文档和教程来掌握这些知识,但是到目前为止我还没有了解一些事情,也许您可??以通过向正确的方向指出来帮助我。)

In my mobile app backend (a bunch of REST endpoints which consume various other backends in my company), I need to initially authenticate users by username and password.

(在我的移动应用程序后端(一堆使用我公司其他各种后端的REST端点)中,我首先需要通过用户名和密码对用户进行身份验证。)

When a login request comes in, I need to consume another backend which holds the usernames and password via a SOAP call.

(当出现登录请求时,我需要使用另一个后端,该后端通过SOAP调用保存用户名和密码。)

For this I believe I'll need to create a custom authentication provider which makes the soap call to verify the credentials.

(为此,我相信我需要创建一个自定义身份验证提供程序,该提供程序将进行肥皂调用以验证凭据。)

Once this is done, I need to send an access token and refresh token to the app client (OAuth2 password grant).

(完成此操作后,我需要向应用客户端发送访问令牌和刷新令牌(OAuth2密码授予)。)

Subsequent requests from the app will then use the access token to access secured resources.

(然后,来自应用程序的后续请求将使用访问令牌访问受保护的资源。)

Furthermore, there are a couple of endpoints which are especially protected.

(此外,还有两个端点受到特别保护。)

If one of those endpoints is called, the user has to be "recently verified" meaning that his last username/password authentication (on the current device) must not be older than 20 minutes.

(如果调用了这些端点中的一个,则必须“最近验证”用户,这意味着(在当前设备上)他的上一个用户名/密码认证不得超过20分钟。)

Otherwise, the app will show a screen to re-enter the credentials.

(否则,应用程序将显示一个屏幕以重新输入凭据。)

To allow users to log out/revoke tokens and to have the recently verified functionality, in the past we had some sort of self-written security and OAuth2 mechanism.

(为了允许用户注销/撤消令牌并拥有最近验证的功能,过去我们有某种自写的安全性和OAuth2机制。)

When a login was successful, we stored access token, refresh token and some other information like the expiration dates, username, time when the password was entered for the last time, customer id and some other stuff in a database.

(成功登录后,我们在数据库中存储了访问令牌,刷新令牌和其他一些信息,例如到期日期,用户名,上次输入密码的时间,客户ID和其他一些信息。)

Requests with an access token to secured endpoints were then checked via a filter agains the database and the http request was then enriched with the additional data from the database before being processed in the REST controllers (if the token were valid of course or in case of the recently verified endpoints, if the password was entered less than 20 minutes before the request).

(然后,通过过滤器再次检查对安全端点具有访问令牌的请求,然后再在数据库中对http请求进行充实,然后再在REST控制器中对其进行处理(如果该令牌当然有效,或者在最近验证的端点(如果在请求之前不到20分钟输入了密码)。)

Now my question is how could I recreate this behaviour in Spring Security.

(现在我的问题是如何在Spring Security中重新创建此行为。)

Besides that, I read about JWT and personally I would like to get rid of the database.

(除此之外,我还阅读了有关JWT的文章,并且我个人希望摆脱数据库。)

I think it would be good enough to store the additional information about the user in a JWT and use it as access and refresh token.

(我认为将有关用户的其他信息存储在JWT中并将其用作访问和刷新令牌就足够了。)

But then we would probably need some sort of blacklist database to revoke tokens.

(但是随后,我们可能需要某种黑名单数据库来撤销令牌。)

Any idea how this could work?

(知道这怎么工作吗?)

As I said, a hint in the right direction would be highly appreciated.

(正如我所说,朝着正确方向的提示将受到高度赞赏。)

  ask by xxtesaxx translate from so

与恶龙缠斗过久,自身亦成为恶龙;凝视深渊过久,深渊将回以凝视…
Welcome To Ask or Share your Answers For Others

1 Answer

0 votes
by (71.8m points)
等待大神答复

与恶龙缠斗过久,自身亦成为恶龙;凝视深渊过久,深渊将回以凝视…
Welcome to OStack Knowledge Sharing Community for programmer and developer-Open, Learning and Share
Click Here to Ask a Question

...