如何在Spring Boot中的每个REST调用中使用Spring Security?

huangapple go评论76阅读模式
英文:

How to use spring security in each REST call in Spring Boot?

问题

我正在尝试理解是否有一种方法可以使用 Spring Security 来满足我的用例。基本上,我想在每次 Spring Boot 的 REST 调用中调用 Spring Security,而不是在应用程序启动时仅调用一次,并根据用户角色进一步限制端点。

我有三个不同的 REST 控制器,分别是 /admin1/*/admin2/*/admin3/*
我尝试了如下手动限制端点的方法。

http.authorizeRequests()
    .antMatchers("/admin1/**").permitAll()
    .and()
    .authorizeRequests()
    .antMatchers("/admin2/**").permitAll()
    .anyRequest().authenticated();

实际上,这会允许 /admin1/*/admin2/* 的 API 工作,并限制 /admin3/*。然而,我的用例如下所示。

在每次 REST 调用中,我们会在标头中传递用户ID。我想在每次 REST 调用中使用 Spring Security,并使用标头中的用户ID从数据库中查找用户角色。

如果用户具有 ADMIN 1 用户角色,我们只需启用 /admin1/* 端点,并限制 /admin2/*/admin3/*。类似地,如果用户具有 ADMIN 2 用户角色,我们只需启用 /admin2/* 端点,并限制 /admin1/*/admin3/*。以相同的方式,如果用户具有 ADMIN 3 用户角色,我们只需启用 /admin3/* 端点,并限制 /admin1/*/admin2/*

是否有办法使用 Spring Security 来实现这一点?

谢谢

英文:

I am trying to understand if there is a way to use spring security which helps my used case. Basically, I want to call spring security on each REST call in spring boot, rather than one time during the start of the application, and find the role of the user and further restrict endpoints based on the user roles.

I have 3 different rest controllers namely /admin1/*, /admin2/*, /admin3/*.
I have tried restricting endpoints manually as below.

http.authorizeRequests()
		.antMatchers("/admin1/**").permitAll()
		.and()
	.authorizeRequests()
		.antMatchers("/admin2/**").permitAll()
	.anyRequest().authenticated();

This will actually allow /admin1/* and /admin2/* APIs to work and restrict /admin3/*. However, my used case is as below.

In each rest call, we pass the user id in the header. I would like to use spring security on each rest call, and use the user id from the header to find the user roles from the database.

If user has ADMIN 1 user role, we have to just enable /admin1/* endpoints and restrict /admin2/* and /admin3/*. Similarly, if user has ADMIN 2 user role, we have to just enable /admin2/* endpoints and restrict /admin1/* and /admin3/*. In the same way, if user has ADMIN 3 user role, we have to just enable /admin3/* endpoints and restrict /admin1/* and /admin2/*.

Is there a way to achieve this using spring security?

Thank you

答案1

得分: 1

根据我理解,您希望在每次调用时对用户进行身份验证和授权。对吗?

一种方法是使用JWT(JSON Web Token)对您的REST API进行令牌化。

https://dzone.com/articles/spring-boot-security-json-web-tokenjwt-hello-world 中的示例可能会有所帮助。

我还建议您在要保护的类或方法上方使用@PreAuthorize@PostAuthorize注解,而不是在configure方法中使用antMatchers来限制基于角色的URL访问。这种方式可以为您的限制策略提供更多灵活性。

https://www.baeldung.com/spring-security-method-security 中的示例也可能对您有所帮助。

英文:

AS far as I understood, you want to authenticate & authorize users on each call. True?

one way is tokenizing your REST APIs with JWT (JSON Web Token).

The example in https://dzone.com/articles/spring-boot-security-json-web-tokenjwt-hello-world would probably help.

I Also suggest that instead of using antMatchers In configure method to restrict URL access based on Roles, you use @PreAuthorize and @PostAuthorize annotations above the classes or methods you want to secure. This way gives you more flexibility on your restriction policies.

The example in https://www.baeldung.com/spring-security-method-security also may help you with that.

huangapple
  • 本文由 发表于 2020年10月7日 16:04:21
  • 转载请务必保留本文链接:https://go.coder-hub.com/64239806.html
匿名

发表评论

匿名网友

:?: :razz: :sad: :evil: :!: :smile: :oops: :grin: :eek: :shock: :???: :cool: :lol: :mad: :twisted: :roll: :wink: :idea: :arrow: :neutral: :cry: :mrgreen:

确定