我使用Spring Boot 1.2.1.RELEASE创建了一个Web服务。这有我在控制器中定义的POST ang GET方法。我还使用自己的应用程序数据库中的用户凭据配置了身份验证,并且还实现了OAuth。
这是我的Application.class,它具有所有必要的配置。
@Configuration
@ComponentScan
@EnableAutoConfiguration
public class Application extends SpringBootServletInitializer {
public static void main(String[] args) {
SpringApplication.run(Application.class, args);
}
@Override
protected SpringApplicationBuilder configure(
SpringApplicationBuilder application) {
return application.sources(Application.class);
}
@Service
protected static class ApplicationUserDetailsService implements UserDetailsService {
@Autowired
private UserRepository userRepository;
@Override
public UserDetails loadUserByUsername(String username) throws UsernameNotFoundException {
User user = this.userRepository.findByUsername(username);
if (user == null) {
return null;
}
List<GrantedAuthority> auth = AuthorityUtils.commaSeparatedStringToAuthorityList("ROLE_USER");
String password = user.getPassword();
return new org.springframework.security.core.userdetails.User(username, password, auth);
}
}
@Configuration
@EnableGlobalMethodSecurity(prePostEnabled = true)
@EnableWebSecurity
protected static class WebSecurityConfig extends WebSecurityConfigurerAdapter {
@Autowired
private ApplicationUserDetailsService applicationUserDetailsService;
@Override
protected void configure(AuthenticationManagerBuilder auth) throws Exception {
auth.userDetailsService(applicationUserDetailsService);
}
@Bean
@Override
protected AuthenticationManager authenticationManager() throws Exception {
return super.authenticationManager();
}
}
@Configuration
@EnableResourceServer
protected static class ResourceServerConfig extends ResourceServerConfigurerAdapter {
@Override
public void configure(HttpSecurity http) throws Exception {
http.requestMatchers()
.and()
.authorizeRequests()
.antMatchers("/user/**").access("#oauth2.hasScope('read')")
.antMatchers("/car/**").access("#oauth2.hasScope('read')")
.antMatchers("/transaction/**").access("#oauth2.hasScope('read')");
}
}
@Configuration
@EnableAuthorizationServer
protected static class AuthorizationServerConfig extends
AuthorizationServerConfigurerAdapter {
@Autowired
private AuthenticationManager authenticationManager;
@Override
public void configure(AuthorizationServerEndpointsConfigurer endpoints) {
endpoints.authenticationManager(authenticationManager);
}
@Override
public void configure(ClientDetailsServiceConfigurer clients)
throws Exception {
clients.inMemory()
.withClient("my-trusted-client")
.authorizedGrantTypes("authorization_code", "password",
"refresh_token")
.authorities("ROLE_CLIENT", "ROLE_TRUSTED_CLIENT")
.scopes("read", "write", "trust")
.accessTokenValiditySeconds(60);
}
@Override
public void configure(AuthorizationServerSecurityConfigurer security)
throws Exception {
security.allowFormAuthenticationForClients();
}
}
}
这是我的pom.xml
<?xml version="1.0" encoding="UTF-8"?>
<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
<modelVersion>4.0.0</modelVersion>
<groupId>com.demo.web.restservice</groupId>
<artifactId>restservice</artifactId>
<version>0.0.1-SNAPSHOT</version>
<packaging>war</packaging>
<name>restservice</name>
<description></description>
<parent>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-parent</artifactId>
<version>1.2.1.RELEASE</version>
<relativePath/> <!-- lookup parent from repository -->
</parent>
<properties>
<project.build.sourceEncoding>UTF-8</project.build.sourceEncoding>
<start-class>com.demo.web.restservice.Application</start-class>
<java.version>1.7</java.version>
</properties>
<dependencies>
<dependency>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-data-jpa</artifactId>
</dependency>
<dependency>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-web</artifactId>
</dependency>
<dependency>
<groupId>mysql</groupId>
<artifactId>mysql-connector-java</artifactId>
<!-- <scope>runtime</scope> -->
</dependency>
<dependency>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-tomcat</artifactId>
<scope>provided</scope>
</dependency>
<dependency>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-test</artifactId>
<scope>test</scope>
</dependency>
<dependency>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-undertow</artifactId>
</dependency>
<!-- Added for security purposes only -->
<dependency>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-security</artifactId>
</dependency>
<dependency>
<groupId>org.springframework.security.oauth</groupId>
<artifactId>spring-security-oauth2</artifactId>
<version>2.0.6.RELEASE</version>
<exclusions>
<exclusion>
<artifactId>jackson-mapper-asl</artifactId>
<groupId>org.codehaus.jackson</groupId>
</exclusion>
</exclusions>
</dependency>
</dependencies>
<build>
<plugins>
<plugin>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-maven-plugin</artifactId>
</plugin>
</plugins>
</build>
</project>
这是我的一个控制器。
@RestController
@RequestMapping("/transaction")
public class TransactionController {
@Autowired
private TransactionHeaderRepository transactionHeaderRepository;
@RequestMapping("/header/{id}")
public ResponseEntity<TransactionHeader> findHeaderById(@PathVariable UUID id) {
return new ResponseEntity<>(this.transactionHeaderRepository.findById(id), HttpStatus.OK);
}
@RequestMapping(value = "/header/create", method = RequestMethod.POST)
public ResponseEntity<TransactionHeader> createHeader(@RequestBody TransactionHeader transactionHeader) {
this.transactionHeaderRepository.save(transactionHeader);
this.transactionLineRepository.save(transactionHeader.getTransactionLines());
return new ResponseEntity<>(HttpStatus.OK);
}
@RequestMapping(value = "/header/update", method = RequestMethod.POST)
public ResponseEntity<TransactionHeader> updateHeader(@RequestBody TransactionHeader transactionHeader) {
return new ResponseEntity<TransactionHeader>(this.transactionHeaderRepository.save(transactionHeader), HttpStatus.OK);
}
@RequestMapping(value = "/header/delete", method = RequestMethod.POST)
public ResponseEntity<TransactionHeader> deleteHeader(@RequestBody TransactionHeader transactionHeader) {
this.transactionHeaderRepository.delete(transactionHeader);
return new ResponseEntity<TransactionHeader>(HttpStatus.OK);
}
}
一切正常,除了我想限制用户的部分,并允许他们只更新自己的数据。
我应该怎么做呢?这应该在控制器中完成吗?或者spring提供了某种内置功能来处理这个问题?
感谢您的反馈。
为此,您可以创建自己的自定义注释(@Useridentifier)并使用它来映射到UserDetails.UserId(您的用户PK)。将其放在包含用户PK的DTO上。
接下来,您可以创建另一个放置在端点上的注释(@Useridentifiercheck)(如requestMapping)。如果值不匹配,则抛出异常并返回401或将userId替换为OAuth属性中的userId(如果将userId存储在OAuth数据中)。
注意:所有这些也可以通过服务和一些反射完成,但我喜欢注释:)
失败的地方如果你有一个没有UserId更新FK表的休息点,那么这个想法就会失败。
例
table - User { long userId; nvarchar name; long address_fk; }
table - Address { long addressId; nvarchar postcode; }
在这里我们可以更新地址,但是如果没有一些联接给我们userId,我们无法知道我们是否“被授权”编辑地址。
服务器端问题需要小心为管理员删除此功能,否则,他们将无法更新其他人的数据以太...
网关API
另一个例子是创建一个靠近UI的网关API(例如ExpressJS服务React和自定义API)
UI会话可以存储在Express中,并将进行过滤以确保自动更新的任何请求都具有“正确的”UserID。
例如:坏人发送以下JSON
put: { userId: 69, password: powned, firstname: Paul }
Express API采用DTO并剥离未授权的输入(userId,密码)。请注意,在这种情况下,请求将被传递到API,用正确的会话值替换“传入”userId。
核心API将位于VPN防火墙后面,并使用客户OAuth令牌进行限制。