Lwazi Prusent

Reputation: 192

Spring Security Header Based Authentication

By default, Spring Security operates by adding the JSESSIONID cookie to your session. I have used and seen many header-based forms of accomplishing the same result (often making use of a filter or two). But I feel this is something I should be able to set in the configuration, in the form of something like this:

config.setTokenLocation(TokenLocationEnum.HEADER)
config.setTokenName("Bearer")

or

config.setTokenLocation(TokenLocationEnum.COOKIE)
config.setTokenName("JSESSIONID")

I would like to try implementing this myself but I'd first like to see if anyone has any objections to the idea and why it is not already implemented.

Thanks

Upvotes: 0

Views: 1470

Answers (1)

Evgeniy Strepetov

Reputation: 684

You can configure Spring Security as you want. Session management via JSESSIONID just works out of the box. For example, if you want to use OAuth 2.0 Bearer tokens, you need to configure an AuthServer. This is an example of a configuration from one of my projects:

import java.security.KeyPair;

import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.core.io.ClassPathResource;
import org.springframework.security.authentication.AuthenticationManager;
import org.springframework.security.oauth2.config.annotation.configurers.ClientDetailsServiceConfigurer;
import org.springframework.security.oauth2.config.annotation.web.configuration.AuthorizationServerConfigurerAdapter;
import org.springframework.security.oauth2.config.annotation.web.configuration.EnableAuthorizationServer;
import org.springframework.security.oauth2.config.annotation.web.configurers.AuthorizationServerEndpointsConfigurer;
import org.springframework.security.oauth2.config.annotation.web.configurers.AuthorizationServerSecurityConfigurer;
import org.springframework.security.oauth2.provider.token.store.JwtAccessTokenConverter;
import org.springframework.security.oauth2.provider.token.store.JwtTokenStore;
import org.springframework.security.oauth2.provider.token.store.KeyStoreKeyFactory;
import org.springframework.social.google.connect.GoogleConnectionFactory;

@Configuration
@EnableAuthorizationServer
public class AuthorizationServerConfig extends AuthorizationServerConfigurerAdapter
{
    private final AuthenticationManager authenticationManager;

    // Project-specific properties holder: client id/secret, grant types, scopes,
    // token lifetimes and the JWT key store settings used below.
    private final InGridSecurityProperties inGridSecurityProperties;

    // Assigned in the constructor but not declared in the original snippet.
    private final GoogleConnectionFactory connectionFactory;

    @Autowired
    public AuthorizationServerConfig(AuthenticationManager authenticationManager,
                                     InGridSecurityProperties inGridSecurityProperties,
                                     GoogleConnectionFactory connectionFactory) {
        this.authenticationManager = authenticationManager;
        this.inGridSecurityProperties = inGridSecurityProperties;
        this.connectionFactory = connectionFactory;
    }

    // Registers the single trusted OAuth2 client that may request tokens.
    @Override public void configure(ClientDetailsServiceConfigurer clients) throws Exception
    {
        clients.inMemory()
                .withClient( inGridSecurityProperties.getClientId() )
                .secret( inGridSecurityProperties.getClientSecret() )
                .authorities( "ROLE_TRUSTED_CLIENT" )
                .authorizedGrantTypes( inGridSecurityProperties.getGrantTypes() )
                .scopes( inGridSecurityProperties.getClientScope() )
                .accessTokenValiditySeconds(
                        inGridSecurityProperties.getAccessTokenValiditySeconds() )
                .refreshTokenValiditySeconds(
                        inGridSecurityProperties.getRefreshTokenValiditySeconds() );
    }

    // /oauth/token_key (the public verifier key) is open; /oauth/check_token is
    // restricted to the trusted client.
    @Override public void configure(AuthorizationServerSecurityConfigurer security) throws Exception
    {
        security.tokenKeyAccess( "isAnonymous() || hasAuthority('ROLE_TRUSTED_CLIENT')" )
                .checkTokenAccess( "hasAuthority('ROLE_TRUSTED_CLIENT')" );
    }

    @Override public void configure(AuthorizationServerEndpointsConfigurer endpoints)
            throws Exception
    {
        endpoints
                .authenticationManager( authenticationManager ) // needed for the password grant
                .tokenStore( jwtTokenStore() )
                .tokenEnhancer( jwtAccessTokenConverter() );   // issues signed JWTs
    }

    // Referenced above but missing from the original snippet: a JWT-backed store,
    // so tokens are self-contained and nothing is persisted server-side.
    @Bean
    public JwtTokenStore jwtTokenStore()
    {
        return new JwtTokenStore( jwtAccessTokenConverter() );
    }

    // Loads the signing key pair from a JKS key store on the classpath.
    @Bean
    public JwtAccessTokenConverter jwtAccessTokenConverter()
    {
        JwtAccessTokenConverter converter = new JwtAccessTokenConverter();
        KeyPair keyPair = new KeyStoreKeyFactory(
                new ClassPathResource( inGridSecurityProperties.getJwtKeyStore() ),
                inGridSecurityProperties.getJwtKeyStorePassword().toCharArray() )
                .getKeyPair( inGridSecurityProperties.getJwtKeyPairAlias(),
                        inGridSecurityProperties.getJwtKeyPairPassword().toCharArray() );
        converter.setKeyPair( keyPair );
        return converter;
    }
}

You can find more information in the Spring Security documentation: http://docs.spring.io/spring-security/site/docs/current/reference/

Upvotes: 1
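The answer shows the side that issues tokens; the following is the resource-server counterpart, added here as an example and not part of the original answer or of either poster's project. It runs on the same legacy spring-security-oauth2 stack, verifies the JWTs with the public key only, and disables the session cookie so that every request must carry its own token. It also shows that the "token location" switch the question asks for already has an extension point, ResourceServerSecurityConfigurer.tokenExtractor(...). The names TokenLocation, CookieOrHeaderTokenExtractor, the cookie name access_token and the classpath file jwt-public.pem are assumptions chosen for this example.

```java
// Added example (not from the original answer): resource-server config that
// consumes the JWT bearer tokens issued by the AuthorizationServerConfig above.
// Assumed names: TokenLocation, CookieOrHeaderTokenExtractor, "jwt-public.pem".
import java.io.IOException;
import java.nio.charset.StandardCharsets;

import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServletRequest;

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.core.io.ClassPathResource;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.http.SessionCreationPolicy;
import org.springframework.security.core.Authentication;
import org.springframework.security.oauth2.config.annotation.web.configuration.EnableResourceServer;
import org.springframework.security.oauth2.config.annotation.web.configuration.ResourceServerConfigurerAdapter;
import org.springframework.security.oauth2.config.annotation.web.configurers.ResourceServerSecurityConfigurer;
import org.springframework.security.oauth2.provider.authentication.BearerTokenExtractor;
import org.springframework.security.oauth2.provider.authentication.TokenExtractor;
import org.springframework.security.oauth2.provider.token.TokenStore;
import org.springframework.security.oauth2.provider.token.store.JwtAccessTokenConverter;
import org.springframework.security.oauth2.provider.token.store.JwtTokenStore;
import org.springframework.security.web.authentication.preauth.PreAuthenticatedAuthenticationToken;
import org.springframework.util.StreamUtils;

@Configuration
@EnableResourceServer
public class ResourceServerConfig extends ResourceServerConfigurerAdapter {

    // Where the access token travels: the choice the question wants to make in config.
    public enum TokenLocation { HEADER, COOKIE }

    // HEADER delegates to Spring's BearerTokenExtractor ("Authorization: Bearer <jwt>");
    // COOKIE reads the named cookie instead. Returning null means "no token here",
    // and the OAuth2 filter then treats the request as anonymous.
    static final class CookieOrHeaderTokenExtractor implements TokenExtractor {
        private final TokenLocation location;
        private final String cookieName;
        private final TokenExtractor bearer = new BearerTokenExtractor();

        CookieOrHeaderTokenExtractor(TokenLocation location, String cookieName) {
            this.location = location;
            this.cookieName = cookieName;
        }

        @Override
        public Authentication extract(HttpServletRequest request) {
            if (location == TokenLocation.HEADER) {
                return bearer.extract(request);
            }
            Cookie[] cookies = request.getCookies();
            if (cookies == null) {
                return null;
            }
            for (Cookie c : cookies) {
                if (cookieName.equals(c.getName()) && !c.getValue().isEmpty()) {
                    // Same shape BearerTokenExtractor produces: principal = raw token value.
                    return new PreAuthenticatedAuthenticationToken(c.getValue(), "");
                }
            }
            return null;
        }
    }

    // Verify-only converter: the resource server needs the public key, not the key pair.
    @Bean
    public JwtAccessTokenConverter jwtAccessTokenConverter() throws IOException {
        JwtAccessTokenConverter converter = new JwtAccessTokenConverter();
        String publicKey = StreamUtils.copyToString(
                new ClassPathResource("jwt-public.pem").getInputStream(), StandardCharsets.UTF_8);
        converter.setVerifierKey(publicKey);
        return converter;
    }

    @Bean
    public TokenStore tokenStore() throws IOException {
        return new JwtTokenStore(jwtAccessTokenConverter());
    }

    @Override
    public void configure(ResourceServerSecurityConfigurer resources) throws Exception {
        resources
            .tokenStore(tokenStore())
            // Change to TokenLocation.COOKIE to read the token from a cookie instead.
            .tokenExtractor(new CookieOrHeaderTokenExtractor(TokenLocation.HEADER, "access_token"));
    }

    @Override
    public void configure(HttpSecurity http) throws Exception {
        http
            // STATELESS: no JSESSIONID is created; each request must present its own token.
            .sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS)
            .and()
            .authorizeRequests()
                .antMatchers("/public/**").permitAll()
                .anyRequest().authenticated();
    }
}
```

Two points worth checking when adapting this. The stock BearerTokenExtractor accepts the token from the Authorization header and also from an access_token request parameter, so the HEADER setting is slightly broader than its name suggests; wrap it if only the header should count. And a token carried in a cookie is sent by the browser automatically, so the COOKIE setting reintroduces exactly the cross-site request risk that a header-carried token avoids: keep CSRF protection on for that configuration and mark the cookie HttpOnly and Secure.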
