Spring Security token-based authentication

I have a setup where the client sends the username and password with every request and is authenticated with Spring Security basic authentication. Now I wanted to implement token-based authentication, where a token is sent in the response header the first time the user authenticates. For further requests the client can include this token in a header, which is used to authenticate the user to the resources. I have two authentication providers, tokenAuthenticationProvider and daoAuthenticationProvider:

import javax.servlet.http.HttpServletRequest;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.security.authentication.AuthenticationProvider;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.AuthenticationException;
import org.springframework.stereotype.Component;
import org.springframework.web.context.request.RequestAttributes;
import org.springframework.web.context.request.RequestContextHolder;
import org.springframework.web.context.request.ServletRequestAttributes;

@Component
public class TokenAuthenticationProvider implements AuthenticationProvider {

    @Autowired
    private TokenAuthenticationService service;

    @Override
    public Authentication authenticate(final Authentication authentication) throws AuthenticationException {

        // Reads the token straight from the current request rather than from the Authentication passed in
        final RequestAttributes requestAttributes = RequestContextHolder.getRequestAttributes();
        final HttpServletRequest request = ((ServletRequestAttributes) requestAttributes).getRequest();
        final String token = request.getHeader(Constants.AUTH_HEADER_NAME);
        final Token tokenObj = this.service.getToken(token);
        final AuthenticationToken authToken = new AuthenticationToken(tokenObj);
        return authToken;
    }

    @Override
    public boolean supports(final Class<?> authentication) {
        // This provider is only consulted for Authentication objects of type AuthenticationToken
        return AuthenticationToken.class.isAssignableFrom(authentication);
    }
}

In the DaoAuthenticationProvider I validate the user's credentials against the database (when the username and password are sent as the header Authorization: Basic bGllQXBpVXNlcjogN21wXidMQjRdTURtR04pag==).

But when I include the header X-AUTH-TOKEN (Constants.AUTH_HEADER_NAME), tokenAuthenticationProvider is not invoked. I get the error

{"timestamp":1487626368308,"status":401,"error":"Unauthorized","message":"Full authentication is required to access this resource","path":"/find"}

And here is how I am adding the authentication providers.

    @Override
    public void configure(final AuthenticationManagerBuilder auth) throws Exception {
        // DAO-backed provider for the username/password (basic auth) path
        final UsernamePasswordAuthenticationProvider daoProvider =
                new UsernamePasswordAuthenticationProvider(this.service, this.passwordEncoder());
        // Both providers are registered with the same AuthenticationManager
        auth.authenticationProvider(this.tokenAuthenticationProvider);
        auth.authenticationProvider(daoProvider);
    }

Please suggest how I can implement token-based authentication without breaking the current Spring Security behaviour.

16
There are different ways to do this: you can either resolve the providers directly in each filter, or set the providers on a single AuthenticationManager and work with it in both filters. Of course, you have to register both filters in the Spring Security FilterChain.
added by Dani
@ChrisZ check the answer below. It works for me.
added by Raghavendra
When you register the authentication provider twice, doesn't the second one, daoProvider, override the tokenAuthenticationProvider when the first one does not run?
added by ChrisZ

6 answers

How I implemented token-based authentication together with basic authentication

SpringSecurityConfig.java

import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
import org.springframework.security.crypto.password.PasswordEncoder;
import org.springframework.security.web.authentication.www.BasicAuthenticationFilter;

@Configuration
@EnableWebSecurity
public class SecurityConfig extends WebSecurityConfigurerAdapter
{
    // UserDetailsService that loads users from the database (referenced but not shown in the original)
    @Autowired
    private UserDetailsService participantService;

    // Password encoder bean (not shown in the original; BCrypt assumed here)
    @Bean
    public PasswordEncoder passwordEncoder()
    {
        return new BCryptPasswordEncoder();
    }

    @Override
    public void configure(final AuthenticationManagerBuilder auth) throws Exception
    {
        auth.userDetailsService(this.participantService).passwordEncoder(this.passwordEncoder());
    }

    @Override
    protected void configure(final HttpSecurity http) throws Exception
    {
        // Token-based authentication happens in this filter, which runs before basic authentication
        final TokenAuthenticationFilter tokenFilter = new TokenAuthenticationFilter();
        http.addFilterBefore(tokenFilter, BasicAuthenticationFilter.class);

        // Creates a token when basic authentication succeeds; the same token authenticates further requests
        final CustomBasicAuthenticationFilter customBasicAuthFilter = new CustomBasicAuthenticationFilter(this.authenticationManager());
        http.addFilter(customBasicAuthFilter);
    }
}

TokenAuthenticationFilter.java

import java.io.IOException;
import java.util.List;
import javax.servlet.FilterChain;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.authority.AuthorityUtils;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.security.core.userdetails.User;
import org.springframework.web.filter.GenericFilterBean;

public class TokenAuthenticationFilter extends GenericFilterBean
{
    @Override
    public void doFilter(final ServletRequest request, final ServletResponse response, final FilterChain chain)
            throws IOException, ServletException
    {
        final HttpServletRequest httpRequest = (HttpServletRequest) request;

        // extract token from header
        final String accessToken = httpRequest.getHeader("header-name");
        if (null != accessToken) {
            // get and check whether the token is valid (from DB or file, wherever you are storing the token);
            // only populate the SecurityContext when that lookup succeeds

            // Populate SecurityContextHolder with the information fetched for this token.
            // "username", "password" and the authorities below are placeholders for the looked-up values.
            final List<GrantedAuthority> authorities = AuthorityUtils.createAuthorityList("ROLE_USER");
            final User user = new User(
                    "username",
                    "password",
                    true,
                    true,
                    true,
                    true,
                    authorities);
            final UsernamePasswordAuthenticationToken authentication =
                    new UsernamePasswordAuthenticationToken(user, null, user.getAuthorities());
            SecurityContextHolder.getContext().setAuthentication(authentication);
        }

        chain.doFilter(request, response);
    }
}

CustomBasicAuthenticationFilter.java

import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.security.authentication.AuthenticationManager;
import org.springframework.security.core.Authentication;
import org.springframework.security.web.authentication.www.BasicAuthenticationFilter;
import org.springframework.stereotype.Component;

@Component
public class CustomBasicAuthenticationFilter extends BasicAuthenticationFilter {

    @Autowired
    public CustomBasicAuthenticationFilter(final AuthenticationManager authenticationManager) {
        super(authenticationManager);
    }

    @Override
    protected void onSuccessfulAuthentication(final HttpServletRequest request, final HttpServletResponse response, final Authentication authResult) {
        // Generate a token for the authenticated user (authResult.getName())
        // Save the token for the logged-in user
        // Send the token in the response; "token" is a placeholder for the generated value
        response.setHeader("header-name", "token");
    }
}

Since CustomBasicAuthenticationFilter is created and added as a filter for Spring Security,

when basic authentication succeeds, Spring sets the token and sends it back to us in the response under the "header-name" header.

For subsequent requests, when "header-name" is sent, the request goes through TokenAuthenticationFilter before basic authentication is checked.

15
@selman If a token is attached to the request in the token header, it does not go through the basic auth filter. There are two cases where both filters have to run: 1. if there is no token header in the request, the basic authentication filter runs, and 2. you can set the token in the basic authentication filter so that it can be used for further requests.
added by Raghavendra
@selman There is no need to send user/password every time. BasicAuthenticationFilter is implemented so that if there is no basic authentication header in the request, it just calls the next filter. So actually both filters run for the same request only if that request contains both the token header and the basic auth header. And in that case the basic auth header wins (because it comes last).
added by djxak
So even if the token validation succeeds, would basic authentication also be checked? Since it is another filter. Do I need to send user/password every time?
added by selman
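The comments in the answer's TokenAuthenticationFilter and onSuccessfulAuthentication leave open how the token is generated, stored and checked. As an added example (not code from the answer or any project on the page), here is a small service that issues a random token, stores only its SHA-256 hash with an expiry, and resolves a presented token to its owner; TokenService and TokenRecord are assumed names, and it needs Java 17 for records and HexFormat.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.SecureRandom;
import java.time.Duration;
import java.time.Instant;
import java.util.Base64;
import java.util.HexFormat;
import java.util.Map;
import java.util.Optional;
import java.util.concurrent.ConcurrentHashMap;

/** Issues opaque bearer tokens and validates them; only token hashes are stored server side. */
public final class TokenService {

    public record TokenRecord(String username, Instant expiresAt) {}

    private final SecureRandom random = new SecureRandom();
    // Constructed in-memory store; a real deployment would back this with a table keyed by the hash.
    private final Map<String, TokenRecord> store = new ConcurrentHashMap<>();
    private final Duration lifetime;

    public TokenService(Duration lifetime) {
        this.lifetime = lifetime;
    }

    /** For onSuccessfulAuthentication: returns the raw token to send back in the response header. */
    public String issue(String username) {
        byte[] raw = new byte[32];                       // 256 bits from a CSPRNG, not a guessable value
        random.nextBytes(raw);
        String token = Base64.getUrlEncoder().withoutPadding().encodeToString(raw);
        store.put(sha256(token), new TokenRecord(username, Instant.now().plus(lifetime)));
        return token;                                    // the raw value is never persisted
    }

    /** For the token filter: resolves a presented token to its owner, or empty if unknown or expired. */
    public Optional<String> validate(String presented) {
        if (presented == null || presented.isBlank()) return Optional.empty();
        String key = sha256(presented);
        TokenRecord rec = store.get(key);
        if (rec == null) return Optional.empty();
        if (Instant.now().isAfter(rec.expiresAt())) {
            store.remove(key);                           // purge expired entries lazily
            return Optional.empty();
        }
        return Optional.of(rec.username());
    }

    /** Logout: an invalidated token must stop working immediately, so drop its hash. */
    public void revoke(String presented) {
        store.remove(sha256(presented));
    }

    private static String sha256(String s) {
        try {
            byte[] d = MessageDigest.getInstance("SHA-256").digest(s.getBytes(StandardCharsets.UTF_8));
            return HexFormat.of().formatHex(d);
        } catch (NoSuchAlgorithmException e) {
            throw new IllegalStateException("SHA-256 is mandatory in every JRE", e);
        }
    }
}
```

Wire it in by calling issue(authResult.getName()) inside onSuccessfulAuthentication and validate(accessToken) at the top of the token filter, populating the SecurityContext only when validate returns a value.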

You can set your own AuthenticationToken in an authentication filter, for example:

import java.io.IOException;
import javax.servlet.FilterChain;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.web.filter.GenericFilterBean;

public abstract class AuthenticationFilter extends GenericFilterBean {
    @Override
    public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain) throws IOException, ServletException {
        final String authTokenHeader = ((HttpServletRequest) request).getHeader(Constants.AUTH_HEADER_NAME);

        if (authTokenHeader != null) {
            SecurityContextHolder.getContext().setAuthentication(createAuthenticationToken(authTokenHeader));
        }

        chain.doFilter(request, response);
    }

    // Your own lookup: resolve the header value to a token and build the AuthenticationToken for it
    protected abstract Authentication createAuthenticationToken(String authTokenHeader);
}
2
Hi, thanks for your answer. I arrived at a solution similar to what you describe. I will post it soon.
added by Raghavendra
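The question's TokenAuthenticationProvider is never invoked because ProviderManager only consults a provider whose supports() matches the class of the Authentication it is given, and BasicAuthenticationFilter submits a UsernamePasswordAuthenticationToken, so nothing ever submits an AuthenticationToken. As an added example (not the answer's or the question's code), this filter does that submission and rejects a presented-but-invalid token instead of letting it fall through; the AuthenticationToken class is an assumed shape, since the question does not show it, and it targets Spring Security 5 with javax.servlet on Java 11+.

```java
import java.io.IOException;
import java.util.Collection;
import javax.servlet.FilterChain;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.springframework.security.authentication.AbstractAuthenticationToken;
import org.springframework.security.authentication.AuthenticationManager;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.AuthenticationException;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.web.filter.OncePerRequestFilter;

// Assumed shape of the question's AuthenticationToken: one-arg form is the unauthenticated request
// carrying the raw header value; two-arg form is what the provider returns after a successful lookup.
class AuthenticationToken extends AbstractAuthenticationToken {
    private final Object principal;
    private final String rawToken;

    AuthenticationToken(String rawToken) {
        super(null); this.principal = null; this.rawToken = rawToken; setAuthenticated(false);
    }
    AuthenticationToken(Object principal, Collection<? extends GrantedAuthority> authorities) {
        super(authorities); this.principal = principal; this.rawToken = null; setAuthenticated(true);
    }

    @Override public Object getCredentials() { return rawToken; }
    @Override public Object getPrincipal() { return principal; }
}

public class TokenAuthenticationFilter extends OncePerRequestFilter {
    static final String AUTH_HEADER_NAME = "X-AUTH-TOKEN"; // the header named in the question
    private final AuthenticationManager authenticationManager;

    public TokenAuthenticationFilter(AuthenticationManager authenticationManager) {
        this.authenticationManager = authenticationManager;
    }

    @Override
    protected void doFilterInternal(HttpServletRequest request, HttpServletResponse response,
                                    FilterChain chain) throws ServletException, IOException {
        final String token = request.getHeader(AUTH_HEADER_NAME);
        if (token == null || token.isBlank()) {
            chain.doFilter(request, response); // no token: leave the request to BasicAuthenticationFilter
            return;
        }
        try {
            // Submitting an AuthenticationToken is what makes the provider's supports() match and run.
            Authentication result = authenticationManager.authenticate(new AuthenticationToken(token));
            SecurityContextHolder.getContext().setAuthentication(result);
        } catch (AuthenticationException e) {
            // A presented but invalid token is rejected, not silently treated as anonymous.
            SecurityContextHolder.clearContext();
            response.sendError(HttpServletResponse.SC_UNAUTHORIZED, "Invalid or expired token");
            return;
        }
        chain.doFilter(request, response);
    }
}
```

Register it with http.addFilterBefore(new TokenAuthenticationFilter(authenticationManager()), BasicAuthenticationFilter.class) in configure(HttpSecurity), and have the provider return the two-arg AuthenticationToken only after the token lookup succeeds, throwing BadCredentialsException otherwise.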
