Rest API: 基本认证和摘要认证

最新推荐文章于 2024-04-20 22:04:53 发布

zlh313_01

最新推荐文章于 2024-04-20 22:04:53 发布

阅读量1k

点赞数 1

分类专栏： Spring Security 系列安全加密技术 Spring Boot

安全同时被 3 个专栏收录

7 篇文章 0 订阅

订阅专栏

Spring Boot

7 篇文章 0 订阅

订阅专栏

加密技术

3 篇文章 0 订阅

订阅专栏

用spring security实现Rest API的基本认证（Basic）和摘要认证（Digest）:

Basic 认证

1. server - spring security配置

package com.pechen.config;
 
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.authentication.AuthenticationManager;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
 
@Configuration
@EnableWebSecurity
public class WebSecurityConfig extends WebSecurityConfigurerAdapter {
 
    public final static String REALM="MY_REALM";
     
    @Autowired
    public void configureGlobalSecurity(AuthenticationManagerBuilder auth) throws Exception {
        auth.inMemoryAuthentication().withUser("admin").password("admin").roles("ADMIN")
        .and().withUser("test").password("test").roles("USER");
    }
     
    @Override
    protected void configure(HttpSecurity http) throws Exception {
    	http.csrf().disable()
        	.authorizeRequests()
	        .anyRequest().authenticated()
	        .and().httpBasic().realmName(REALM).authenticationEntryPoint(getBasicAuthEntryPoint());
//	        .and().sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS);//We don't need sessions to be created.
    }
    
    @Bean
    public CustomBasicAuthenticationEntryPoint getBasicAuthEntryPoint(){
        return new CustomBasicAuthenticationEntryPoint();
    }
    
    @Bean
    public AuthenticationManager authenticationManagerBean() throws Exception {
        // altough this seems like useless code,
        // its required to prevend spring boot auto-configuration
        return super.authenticationManagerBean();
    }
 
}

package com.pechen.config;
 
import java.io.IOException;
import java.io.PrintWriter;
 
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
 
import org.springframework.security.core.AuthenticationException;
import org.springframework.security.web.authentication.www.BasicAuthenticationEntryPoint;
 
public class CustomBasicAuthenticationEntryPoint extends BasicAuthenticationEntryPoint {
 
	@Override
	public void commence(final HttpServletRequest request, final HttpServletResponse response,
			final AuthenticationException authException) throws IOException, ServletException {
		response.setStatus(HttpServletResponse.SC_UNAUTHORIZED);
		response.addHeader("WWW-Authenticate", "Basic realm=\"" + getRealmName() + "\"");
 
		PrintWriter writer = response.getWriter();
		writer.println("HTTP Status 401 : " + authException.getMessage());
	}
 
	@Override
	public void afterPropertiesSet() throws Exception {
		setRealmName(WebSecurityConfig.REALM);
		super.afterPropertiesSet();
	}
}

2. server - rest api

package com.pechen.rest;
 
import java.util.Map;
 
import org.springframework.web.bind.annotation.RequestHeader;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.RequestMethod;
import org.springframework.web.bind.annotation.RestController;
 
/**
 * Authentication service.
 */
@RestController
@RequestMapping(path = "/")
public class RestService {
    @RequestMapping(path = "/login", method = RequestMethod.GET)
    public String login(@RequestHeader Map<String, Object> headers){
    	return "Login success...";
    }
}

3. client - rest template（加上Authorization的头部即可）

package com.pechen.test;
 
import java.util.Base64;
 
import org.junit.Test;
import org.springframework.http.HttpEntity;
import org.springframework.http.HttpHeaders;
import org.springframework.http.HttpMethod;
import org.springframework.http.ResponseEntity;
import org.springframework.web.client.RestTemplate;
 
public class AuthServiceTest {
	private HttpHeaders getHeaders(){
		String plainCredentials="admin:admin";
		String base64Credentials = Base64.getEncoder().encodeToString(plainCredentials.getBytes());
		
		HttpHeaders headers = new HttpHeaders();
		headers.add("Authorization", "Basic " + base64Credentials);
		return headers;
	}
 
	@Test
	public void testLogin() {
		RestTemplate restTemplate = new RestTemplate();
		HttpEntity<String> request = new HttpEntity<String>(getHeaders());
		ResponseEntity<String> response = restTemplate.exchange("http://localhost:8080/login", HttpMethod.GET,
				request, String.class);
		System.out.println(response.getBody());
	}
}

Digest 认证

1. server - spring security配置

import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.beans.factory.annotation.Value;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.config.http.SessionCreationPolicy;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.web.authentication.www.DigestAuthenticationEntryPoint;
import org.springframework.security.web.authentication.www.DigestAuthenticationFilter;

@Configuration
@EnableWebSecurity
public class WebSecurityConfig extends WebSecurityConfigurerAdapter {
        // username
	@Value("${rareporting.auth.username}")
	private String AUTH_USERNAME;
	
        // password
	@Value("${rareporting.auth.password}")
	private String AUTH_PASSWORD;
	
        // role
	@Value("${rareporting.auth.role}")
	private String AUTH_ROLE;
	
        // realm
	@Value("${rareporting.auth.realm}")
	private String AUTH_REALM;
	
        // key
	@Value("${rareporting.auth.key}")
	private String AUTH_KEY;
	

	@Autowired
	public void configureGlobalSecurity(AuthenticationManagerBuilder auth) throws Exception {
		auth.inMemoryAuthentication().withUser(AUTH_USERNAME).password(AUTH_PASSWORD).roles(AUTH_ROLE);
	}

	@Override
	protected void configure(HttpSecurity http) throws Exception {
		http.csrf().disable().authorizeRequests().anyRequest().authenticated().and().sessionManagement()
				.sessionCreationPolicy(SessionCreationPolicy.STATELESS).and().exceptionHandling()
				.authenticationEntryPoint(getDigestEntryPoint()).and()
				.addFilter(getDigestAuthenticationFilter(getDigestEntryPoint()));

	}

	public DigestAuthenticationEntryPoint getDigestEntryPoint() {
		DigestAuthenticationEntryPoint digestAuthenticationEntryPoint = new DigestAuthenticationEntryPoint();
		digestAuthenticationEntryPoint.setKey(AUTH_KEY);
		digestAuthenticationEntryPoint.setNonceValiditySeconds(10);
		digestAuthenticationEntryPoint.setRealmName(AUTH_REALM);
		return digestAuthenticationEntryPoint;
	}

	public DigestAuthenticationFilter getDigestAuthenticationFilter(
			DigestAuthenticationEntryPoint digestAuthenticationEntryPoint) throws Exception {
		DigestAuthenticationFilter digestAuthenticationFilter = new DigestAuthenticationFilter();
		digestAuthenticationFilter.setAuthenticationEntryPoint(digestAuthenticationEntryPoint);
		digestAuthenticationFilter.setUserDetailsService(userDetailsServiceBean());
		return digestAuthenticationFilter;
	}

	@Override
	public UserDetailsService userDetailsServiceBean() throws Exception {
		return super.userDetailsServiceBean();
	}

}

2. server - rest api 同上
3. client - 配置rest template使用Digest认证

package com.pechen.rest;
 
import org.apache.http.auth.AuthScope;
import org.apache.http.auth.UsernamePasswordCredentials;
import org.apache.http.client.CredentialsProvider;
import org.apache.http.impl.client.BasicCredentialsProvider;
import org.apache.http.impl.client.CloseableHttpClient;
import org.apache.http.impl.client.HttpClientBuilder;
import org.springframework.http.client.HttpComponentsClientHttpRequestFactory;
import org.springframework.web.client.RestTemplate;
 
public class RestTempleteConfig {
 
	public RestTemplate getRestTemplate() {
		CloseableHttpClient client = HttpClientBuilder.create().setDefaultCredentialsProvider(provider())
				.useSystemProperties().build();
		HttpComponentsClientHttpRequestFactory requestFactory = new HttpComponentsClientHttpRequestFactoryDigestAuth(
				client);
 
		return new RestTemplate(requestFactory);
	}
 
	private CredentialsProvider provider() {
		CredentialsProvider provider = new BasicCredentialsProvider();
		UsernamePasswordCredentials credentials = new UsernamePasswordCredentials("admin", "admin");
		provider.setCredentials(AuthScope.ANY, credentials);
		return provider;
	}
}

package com.pechen.rest;
 
import java.net.URI;
import org.apache.http.HttpHost;
import org.apache.http.client.AuthCache;
import org.apache.http.client.HttpClient;
import org.apache.http.client.protocol.ClientContext;
import org.apache.http.impl.auth.DigestScheme;
import org.apache.http.impl.client.BasicAuthCache;
import org.apache.http.protocol.BasicHttpContext;
import org.apache.http.protocol.HttpContext;
import org.springframework.http.HttpMethod;
import org.springframework.http.client.HttpComponentsClientHttpRequestFactory;
 
public class HttpComponentsClientHttpRequestFactoryDigestAuth extends HttpComponentsClientHttpRequestFactory {
	 
    public HttpComponentsClientHttpRequestFactoryDigestAuth(HttpClient client) {
        super(client);
    }
 
    @Override
    protected HttpContext createHttpContext(HttpMethod httpMethod, URI uri) {
        return createHttpContext(uri);
    }
 
    private HttpContext createHttpContext(URI uri) {
        // Create AuthCache instance
        AuthCache authCache = new BasicAuthCache();
        // Generate DIGEST scheme object, initialize it and add it to the local auth cache
        DigestScheme digestAuth = new DigestScheme();
        // If we already know the realm name
        digestAuth.overrideParamter("realm", "myrealm");
        HttpHost targetHost = new HttpHost(uri.getHost(), uri.getPort());
        authCache.put(targetHost, digestAuth);
 
        // Add AuthCache to the execution context
        BasicHttpContext localcontext = new BasicHttpContext();
        localcontext.setAttribute(ClientContext.AUTH_CACHE, authCache);
        return localcontext;
    }
}

4. 使用rest template发送请求

package com.pechen.test;
 
import org.junit.Test;
import org.springframework.http.HttpMethod;
import org.springframework.http.ResponseEntity;
import org.springframework.web.client.RestTemplate;
 
import jdk.nashorn.internal.ir.annotations.Ignore;
 
public class RestClient {
	
	@Test
	public void whenSecuredRestApiIsConsumed_then200OK() {
	    RestTemplate restTemplate = new RestTempleteConfig().getRestTemplate();
	    String uri = "http://localhost:8080/login";
	    ResponseEntity<String> entity = restTemplate.exchange(uri, HttpMethod.GET, null, String.class);
	    System.out.println(entity.getStatusCode());
	    System.out.println(entity.getBody());
	}
}

zlh313_01

关注

1
点赞
踩
1

收藏

觉得还不错? 一键收藏
0
评论
Rest API: 基本认证和摘要认证

用spring security实现Rest API的基本认证（Basic）和摘要认证（Digest）:Basic 认证1. server - spring security配置package com.pechen.config; import org.springframework.beans.factory.annotation.Autowired;import org.s...
复制链接

扫一扫