英文:
If using Jwt token, there is a need of Spring Security?
问题
我试图创建一个使用Jwt Bearer令牌的Spring微服务项目。我找到了这个有趣的资源: https://springframework.guru/jwt-authentication-in-spring-microservices-jwt-token/。
问题在于我没有看到它与Spring Security一起实现。我一直在思考代码,我意识到这是一种在生产环境中进行身份验证而不使用Spring Security的良好替代方法。
这是正确的吗?在不使用Spring Security的情况下提供这种类型的应用程序保护在逻辑上是否正确?
此外,我正在考虑以下模式:
- CoreAuthorizationService => 包含所有User、Roles、User_Roles存储库以及具有实际登录/注册实现的服务。
- AuthService => 包含auth控制器,调用CoreAuthorisationService中定义的函数。(我已经将coreAuthorizationService添加到pom.xml文件中)
- 任何其他服务 => 包含过滤器类。
英文:
I was trying to create a Spring Microservice Project which makes use of the Jwt Bearer token. I have found this interesting resource: https://springframework.guru/jwt-authentication-in-spring-microservices-jwt-token/.
The issue here is that I do not see it implemented with Spring Security. I've been thinking about the code and I realized that this is a good alternative (even in prod) for authenticating WITHOUT using Spring Security.
Is this correct? Is it logically correct to provide this type of protection to the application, without Spring Security?
Moreover, I was thinking of the following pattern:
- CoreAuthorizationService => containing all of the User, Roles, User_Roles repositories, and the service with the actual login / register implementations.
- AuthService => containing the controller of the auth which calls the functions defined in the CoreAuthorisationService. (I added the coreAuthorizationService in the pom.xml file)
- Any other service => containing the filter classes
答案1
得分: 3
只要您只需要JWT身份验证,这是完全有效的。但是,Spring Security提供的安全功能远不止身份验证。例如,一个常见的功能是授权,它允许您保护端点或方法,以便只有具有足够权限的用户才能调用它(例如,使用@PreAuthorize),还有其他功能,如CORS支持,HttpFirewall和CSRF支持等。
所以,如果您现在只需要进行JWT身份验证,那就没有问题,可以继续。但是考虑到当您需要Spring Security已经提供的额外功能时,最好迁移到Spring Security,而不是重新发明轮子。
英文:
It is perfectly valid to do it if you just need JWT authentication.But spring security provides much more security feature than authentication. For example, one common feature is authorization which allows you to protect an endpoint or method such that it can only be invoked by the user who has enough permissions (e.g. using @PreAuthorize) , and other features such as CORS support, HttpFirewall and CSRF support etc.
So if you just need to do JWT authentication now, no problem and go ahead. And consider to migrate to spring security when come to the point you need the extra features that are already provided by spring-secrutiy rather than reinventing the wheel.
答案2
得分: 1
是的和不是的。
是的,因为Spring Security以复杂而不必要的声誉而闻名,因此一些团队完全避免使用它,并编写自定义身份验证代码。在过去的五年左右,我参与的大多数旧项目都完全避免了Spring Security。
不是的,因为这样你可能无法使用Spring Security提供的许多便利功能1 2。
英文:
Yes, and no.
Yes, because Spring Security has a reputation for being unnecessary complex, so some teams avoid it altogether and write custom code for auth. In the past 5 years or so, most brownfield projects I have worked on have avoided Spring Security altogether.
And no, because then you may be unable use many convenience features provided by Spring Security [1] [2].
通过集体智慧和协作来改善编程学习和解决问题的方式。致力于成为全球开发者共同参与的知识库,让每个人都能够通过互相帮助和分享经验来进步。
评论