java - User Authentication with REST in a web app secured with Spring Security -


my spring boot-based web app authenticates against remote rest api. so, have extended abstractuserdetailsauthenticationprovider so:

public class restauthenticationprovider extends abstractuserdetailsauthenticationprovider {     @override     protected void additionalauthenticationchecks(userdetails userdetails,             usernamepasswordauthenticationtoken authentication) throws authenticationexception {         // todo auto-generated method stub     }      @override     protected userdetails retrieveuser(string username, usernamepasswordauthenticationtoken authentication)             throws authenticationexception {         string password = (string) authentication.getcredentials();         credentials creds = new credentials();         creds.setusername(username);         creds.setpassword(password);          resttemplate template = new resttemplate();         try {             responseentity<authentication> auth = template.postforentity("http://localhost:8080/api/authenticate",                     creds, authentication.class);             if (auth.getstatuscode() == httpstatus.ok) {                  string token = auth.getheaders().get("authorization").get(0); // great! what?                  return new user(authentication.getname(), password,                         collections.singletonlist(new simplegrantedauthority("role_user")));             }              throw new badcredentialsexception("failed authenticate, server returned " + auth.getstatuscodevalue());          } catch (httpclienterrorexception e) { // check type of error             throw new badcredentialsexception(e.getstatustext());         }     } }

this works great. problem subsequent access api require api key being provided in resttemplate headers. line :

string token = auth.getheaders().get("authorization").get(0); // great! what?

what i'm after way persist token @ session level future access. down line, i'm trying along lines of:

    securitycontext context = securitycontextholder.getcontext();     authentication userdetails = context.getauthentication() ;

where somehow userdetails contain api key.

any suggestions?

thanks!

this you designing & implementing own security solution. framework provides way implement how resolve userdetails based on credentials.

i see question subsequent invocations of this. reason "old school" web apps have sessions, "new school" thinks it's "not cool" anymore "does not scale" ( or whatever other reasons ) , assume you're 1 of those.

if don't want use sessions - need user database ( or cache, or session store, or ) based on identified.

your current implementation provides feature using username , password, assume don't want keep in memory & send every request.

so want generate token, store in database ( or cache, or token store, or session store ) , implement authenticationprovider next time read userdetails based on token, not user credentials.

you use jwt token able serialize whole userdetails object token & send on wire, wouldn't recommend either there no way invalidate it, unless you're storing token id in database / session store.

more read here: invalidating json web tokens


Comments

Post a Comment

Popular posts from this blog

angular - Ionic slides - dynamically add slides before and after -

hi i'm using ngfor create set of 3 slides while starting in middle i'm guaranteed able slide left or right on start. when slide right can simple listen reachedend , push slide array i'm looping. but have problem adding slide beginning. if same above , use e.g. array.unshift() or spread add item beginning, view think it's on position 0 , snaps view new slide. the code below work animates slide change index 1. slide = [0,1,2] //example loop slidechanged(event) { if(this.slides.isbeginning()){ this.slide = [this.slide[0]-1, ...this.slide]; this.slides.update(); this.slides.slideto(1) } } <ion-slides [initialslide]="1" (ionslidedidchange)="slidechanged($event)"> <ion-slide *ngfor="let item of slide"> <h1>slide {{item}}</h1> </ion-slide> </ion-slides> any appreciated! you can using ionslidenextend , ionslideprevend events slides . please...
Read more

Add a dynamic header in angular 2 http provider -

i have http interceptor built via tutorial https://scotch.io/@kashyapmukkamala/using-http-interceptor-with-angular2 the problem need have dynamic header changes automatically once changes 'mode' in app. service able tell interceptor change header, or have interceptor pull header (which string)from service each request. able throwing away patch method, call http.patch('new header string') set header string. call in service controls 'mode' setting. wondering if there way interceptor pull recent value service each request or if can add method http provider via interceptor? i've tried call service in interceptor each request returns undefined. because creating new instance of service or copying value before service fired , loaded/changed data. i don't want pass header string every http provider call because defeats purpose of having interceptor, id able set once changes or have provider fetch service before makes request. tl;dr : need add autom...
Read more

minify - Minimizing css files -

i want know how css files can minimized. currently, using external sites css minifier compress css files. however, after removing whitespaces, comments, etc, file sizes reduced 10-15%. how frameworks bootstrap manage make minimized versions kilobytes. as example, css is: body { background-color: #ff0; } the reduction goes 28 bytes 22 bytes other css files have lot more characters still smaller this. actually minifying code means it's remove thing code white space characters new line characters comments block delimiters it reduces amount of code has transferred on web , speed site load fastly.but unreadable format.
Read more