具有 REST 架构的 Spring Security

Question

我一直在研究 Spring Security 的 REST API 问题。在开始实施之前，我想在 github 上获得专家建议或一些示例项目，如果有的话。

我的应用程序将基于 REST API。并且将被两个客户端访问：

1. 手机
2. 网络

如果我使用自定义登录页面创建 REST API，那么它将始终被重定向到 Web（根据我的理解）。什么时候开始用手机消费？

 .formLogin()
                .defaultSuccessUrl("/ui/index.html#/app/dashboard")
                .loginProcessingUrl("/api/upuser/verifyUser")
                .usernameParameter("username")
                .passwordParameter("password")
                .successHandler(new AjaxAuthenticationSuccessHandler(new SavedRequestAwareAuthenticationSuccessHandler()))
                .loginPage("/ui/index.html#/access/signin")

我认为从上面的代码中可以很明显地看出，这个应用程序将从两个不同的位置访问：

1. localhost:8080/api/ 用于 API
2. localhost:8383/ui/ 用于 WEB (Angular JS)

但是，我将使用 nginx 将两者都移动到 localhost/api/ 和 localhost/ui/。因此，以上两个将被访问

1. localhost/api/
2. localhost/ui/

所以，我的第二个问题是实现 Spring Security 的最佳方式是什么：

1. 基于令牌的身份验证
2. 基于会话的身份验证

问题在于它是无状态服务，那么我们将如何实现基于会话的身份验证？

Answer 1

试试这样的：

You should try this, may be it will help you:

@Configuration
@EnableWebSecurity
@Profile("container")
public class SOAPSecurityConfig extends WebSecurityConfigurerAdapter {

@Autowired
private AuthenticationProvider authenticationProvider;

@Autowired
private AuthenticationProvider authenticationProviderDB;


@Override
@Order(1)

protected void configure(AuthenticationManagerBuilder auth) throws Exception {
    auth.authenticationProvider(authenticationProvider);
}


@Order(2)
protected void ConfigureGlobal(AuthenticationManagerBuilder auth) throws Exception {
    auth.authenticationProvider(authenticationProviderDB);
}

@Override
  public void configure(WebSecurity web) throws Exception {
    web
      .ignoring()
         .antMatchers("/scripts/**","/styles/**","/images/**","/error/**");
  }

@Override
public void configure(HttpSecurity http) throws Exception {
    http
            .authorizeRequests()
            .antMatchers("/rest/**").authenticated()
            .antMatchers("/**").permitAll()
            .anyRequest().authenticated()
            .and()
            .formLogin()
            .successHandler(new AuthenticationSuccessHandler() {
                @Override
                public void onAuthenticationSuccess(
                        HttpServletRequest request,
                        HttpServletResponse response,
                        Authentication a) throws IOException, ServletException {
                            //To change body of generated methods,
                            response.setStatus(HttpServletResponse.SC_OK);
                        }
            })
            .failureHandler(new AuthenticationFailureHandler() {

                @Override
                public void onAuthenticationFailure(
                        HttpServletRequest request,
                        HttpServletResponse response,
                        AuthenticationException ae) throws IOException, ServletException {
                            response.setStatus(HttpServletResponse.SC_UNAUTHORIZED);
                        }
            })
            .loginProcessingUrl("/access/login")
            .and()
            .logout()
            .logoutUrl("/access/logout")                
            .logoutSuccessHandler(new LogoutSuccessHandler() {
                @Override
                public void onLogoutSuccess(
                        HttpServletRequest request, 
                        HttpServletResponse response, 
                        Authentication a) throws IOException, ServletException {
                    response.setStatus(HttpServletResponse.SC_NO_CONTENT);
                }
            })
            .invalidateHttpSession(true)
            .and()
            .exceptionHandling()
            .authenticationEntryPoint(new Http403ForbiddenEntryPoint())
            .and()
            .csrf()//Disabled CSRF protection
            .disable();
    }
}