英文:
How to do a RESTful login API using Spring Security?
问题
I just started to work with Spring Security and just implemented HTTP basic authentication that works fine. Now I would like to create a login endpoint and try to get an authenticated user. I am not sure what I have to use for that? I did read online lots of stuff but not sure where to start. Any tip would be very appreciated!
This is the code that used for authentication.
SecurityConfiguration.java
@Configuration
@EnableWebSecurity
@EnableGlobalMethodSecurity(prePostEnabled = true)
public class SecurityConfiguration extends WebSecurityConfigurerAdapter {
@Autowired
private UserDetailsService userDetailsService;
@Override
protected void configure(AuthenticationManagerBuilder auth) throws Exception {
auth
.userDetailsService(userDetailsService)
.passwordEncoder(encodePWD());
}
@Override
protected void configure(HttpSecurity http) throws Exception {
http
.sessionManagement()
.sessionCreationPolicy(SessionCreationPolicy.STATELESS);
http
.csrf().disable();
http
.httpBasic()
.and()
.authorizeRequests()
.antMatchers("/rest/**").permitAll()
.and()
.authorizeRequests()
.antMatchers("/secure/**").hasAnyRole("ADMIN")
.anyRequest().authenticated()
.and()
.formLogin()
.permitAll();
}
@Bean
public BCryptPasswordEncoder encodePWD() {
return new BCryptPasswordEncoder();
}
}
CustomUserDetailsService.java
@Service
public class CustomUserDetailsService implements UserDetailsService {
@Autowired
private UserRepository userRepository;
@Override
public UserDetails loadUserByUsername(String username) throws UsernameNotFoundException {
User user = userRepository.findByUsername(username);
CustomUserDetails userDetails = null;
if(user != null){
userDetails = new CustomUserDetails();
userDetails.setUser(user);
}else{
throw new UserNotFoundException("User doesn't exist with this username: " + username);
}
return userDetails;
}
}
CustomUserDetails.java
@Getter
@Setter
public class CustomUserDetails implements UserDetails {
private User user;
@Override
public Collection<? extends GrantedAuthority> getAuthorities() {
return user.getRoles().stream().map(role -> new SimpleGrantedAuthority("ROLE_" + role.getRole())).collect(Collectors.toSet());
}
@Override
public String getPassword() {
return user.getPassword();
}
@Override
public String getUsername() {
return user.getUsername();
}
@Override
public boolean isAccountNonExpired() {
return true;
}
@Override
public boolean isAccountNonLocked() {
return true;
}
@Override
public boolean isCredentialsNonExpired() {
return true;
}
@Override
public boolean isEnabled() {
return true;
}
}
UPDATE
I am sending my data like JSON using Postman
{
"username": "admin",
"password": "admin35"
}
英文:
I just started to work with Spring security and just implemented HTTP basic authentication that works fine.
Now I would like to create login endpoint and try to get authenticated user.
I am not sure what do I have to use for that? I did read online lots of stuff but not sure where to start.
Any tip would be very appreciated!
This is the code that used for authentication.
SecurityConfiguration.java
@Configuration
@EnableWebSecurity
@EnableGlobalMethodSecurity(prePostEnabled = true)
public class SecurityConfiguration extends WebSecurityConfigurerAdapter {
@Autowired
private UserDetailsService userDetailsService;
@Override
protected void configure(AuthenticationManagerBuilder auth) throws Exception {
auth
.userDetailsService(userDetailsService)
.passwordEncoder(encodePWD());
}
@Override
protected void configure(HttpSecurity http) throws Exception {
http
.sessionManagement()
.sessionCreationPolicy(SessionCreationPolicy.STATELESS);
http
.csrf().disable();
http
.httpBasic()
.and()
.authorizeRequests()
.antMatchers("/rest/**").permitAll()
.and()
.authorizeRequests()
.antMatchers("/secure/**").hasAnyRole("ADMIN")
.anyRequest().authenticated()
.and()
.formLogin()
.permitAll();
}
@Bean
public BCryptPasswordEncoder encodePWD() {
return new BCryptPasswordEncoder();
}
}
CustomUserDetailsService.java
@Service
public class CustomUserDetailsService implements UserDetailsService {
@Autowired
private UserRepository userRepository;
@Override
public UserDetails loadUserByUsername(String username) throws UsernameNotFoundException {
User user = userRepository.findByUsername(username);
CustomUserDetails userDetails = null;
if(user != null){
userDetails = new CustomUserDetails();
userDetails.setUser(user);
}else{
throw new UserNotFoundException("User doesn't exist with this username: " + username);
}
return userDetails;
}
}
CustomUserDetails.java
@Getter
@Setter
public class CustomUserDetails implements UserDetails {
private User user;
@Override
public Collection<? extends GrantedAuthority> getAuthorities() {
return user.getRoles().stream().map(role -> new SimpleGrantedAuthority("ROLE_" + role.getRole())).collect(Collectors.toSet());
}
@Override
public String getPassword() {
return user.getPassword();
}
@Override
public String getUsername() {
return user.getUsername();
}
@Override
public boolean isAccountNonExpired() {
return true;
}
@Override
public boolean isAccountNonLocked() {
return true;
}
@Override
public boolean isCredentialsNonExpired() {
return true;
}
@Override
public boolean isEnabled() {
return true;
}
}
UPDATE
I am sending my data like JSON using Postman
{
"username": "admin",
"password": "admin35"
}
答案1
得分: 1
在传统的MVC Spring Boot应用中,Spring Security会检查SecurityContextHolder以获取认证信息。如果未找到信息,那么会将您重定向到登录页面。
对于REST API端点,您不会从服务器收到典型的登录表单。您会从客户端(如AngularJS、ReactJS、VueJs、iOS应用等)收集凭据,然后将凭据POST到一个端点以检索用户信息。例如,以下代码对用户进行了身份验证,然后将经过身份验证的用户信息返回给客户端。
private static final Logger logger = LoggerFactory.getLogger(UserController.class);
@GetMapping("/user")
public ResponseEntity<UserResponse> getUser(@AuthenticationPrincipal DmsUserDetails dmsUser) {
logger.info("User " + dmsUser.getFirstName() + " " + dmsUser.getLastName() + " logged in.");
UserResponse user = new UserResponse();
user.setUserId(dmsUser.getUserId());
user.setFirstName(dmsUser.getFirstName());
user.setLastName(dmsUser.getLastName());
user.setEmail(dmsUser.getUsername());
return ResponseEntity.ok(user);
}
客户端会跟踪用户是否已登录,并在每次后续请求中传递cookie或令牌。
在这种情况下,我将端点命名为/user,但如果您愿意,也可以将其命名为/login。
英文:
In a traditional MVC Spring Boot application, Spring Security would check the SecurityContextHolder for the authentication information. If not found, then you would be redirected to a login page.
For a REST API endpoint, you would not have a typical login form sent from the server. You would collect the credentials from a form on the client (AngularJS, ReactJS, VueJs, iOS app, etc) and POST the credentials to an endpoint to retrieve user information. For example, the following authenticates the user, then returns the authenticated user information to the client.
private static final Logger logger = LoggerFactory.getLogger(UserController.class);
@GetMapping("/user")
public ResponseEntity<UserResponse> getUser(@AuthenticationPrincipal DmsUserDetails dmsUser) {
logger.info("User " + dmsUser.getFirstName() + " " + dmsUser.getLastName() + " logged in.");
UserResponse user = new UserResponse();
user.setUserId(dmsUser.getUserId());
user.setFirstName(dmsUser.getFirstName());
user.setLastName(dmsUser.getLastName());
user.setEmail(dmsUser.getUsername());
return ResponseEntity.ok(user);
}
The client would keep track of whether the user is logged in, and pass either a cookie or a token on each subsequent request.
In this case, I've named the endpoint /user, but you can call it /login if you prefer.
通过集体智慧和协作来改善编程学习和解决问题的方式。致力于成为全球开发者共同参与的知识库,让每个人都能够通过互相帮助和分享经验来进步。
评论