Token not needed after authorizing once
I am trying to implement token-based authentication using JWT tokens. For this I am using the JJWT library.
This is my security configuration:
    @Override
    protected void configure(HttpSecurity http) throws Exception {
        //http.csrf().disable();
        String[] patterns = new String[] {
            "/login",
            "/bower_components/**/*",
            "/app/**/*",
            "/index.html",
            "/home.html",
            "/signin.html"
        };
        http.authorizeRequests()
            .antMatchers(patterns)
            .permitAll()
            .antMatchers("/**/*").hasAuthority("ROLE_USER")
            .antMatchers("/*").hasAuthority("ROLE_USER")
            .and()
            .addFilterBefore(jwtAuthFilter, CsrfFilter.class)
            .exceptionHandling()
            .authenticationEntryPoint(jwtAuthEndPoint)
            ;
    }
I am using Spring Boot.
I call this API in the following way to generate the token.
curl -v -X POST "http://localhost:8080/login" -d '{"username":"greenrabbit948", "password":"celeste"}' --header "Content-Type: application/json" | jq .
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
0 0 0 0 0 0 0 0 --:--:-- --:--:-- --:--:-- 0* Trying ::1...
* Connected to localhost (::1) port 8080 (#0)
> POST /login HTTP/1.1
> Host: localhost:8080
> User-Agent: curl/7.43.0
> Accept: */*
> Content-Type: application/json
> Content-Length: 51
>
} [51 bytes data]
* upload completely sent off: 51 out of 51 bytes
< HTTP/1.1 200 OK
< Server: Apache-Coyote/1.1
< X-Content-Type-Options: nosniff
< X-XSS-Protection: 1; mode=block
< Cache-Control: no-cache, no-store, max-age=0, must-revalidate
< Pragma: no-cache
< Expires: 0
< X-Frame-Options: DENY
< Token: eyJhbGciOiJIUzUxMiJ9.eyJzdWIiOiJqd3QtZGVtbyIsImV4cCI6MTQ2Nzc2Njk3MSwiaXNzIjoiaW4uc2RxYWxpLmp3dCJ9.eu_OuBIkc4BfcTsTu4t_6TCwyLkH4HcuQzvWIMzNQYdxXiWA77SfvwCe4mdc7C17mXdtBAsvFGDj7A9fzI0M1w
< Content-Type: application/json;charset=UTF-8
< Transfer-Encoding: chunked
< Date: Wed, 06 Jul 2016 06:02:51 GMT
{ [164 bytes data]
100 211 0 160 100 51 15071 4804 --:--:-- --:--:-- --:--:-- 16000
* Connection #0 to host localhost left intact
{
"username": "greenrabbit948",
"name": {
"title": "miss",
"first": "dionaura",
"last": "rodrigues"
},
"thumbnail": "https://randomuser.me/api/portraits/thumb/women/78.jpg"
}
Using the token, I call the rest of my API, like this:
curl -i -X POST "http://localhost:8080/login" -d '{"username":"greenrabbit948", "password":"celeste"}' --header "Content-Type: application/json"
HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
X-Content-Type-Options: nosniff
X-XSS-Protection: 1; mode=block
Cache-Control: no-cache, no-store, max-age=0, must-revalidate
Pragma: no-cache
Expires: 0
X-Frame-Options: DENY
Token: eyJhbGciOiJIUzUxMiJ9.eyJzdWIiOiJncmVlbnJhYmJpdDk0OCIsImV4cCI6MTQ2ODE0MDg1MiwiaXNzIjoiaW4uc2RxYWxpLmp3dCJ9.t9pqrOmYfaVkzuAQgo4D4VbN2PibQuHPuPA6RKYU-keTzbFAX58l77hQTc4Cq28HpjFOeiDvNpNEgilNHFOfVA
Content-Type: application/json;charset=UTF-8
Transfer-Encoding: chunked
Date: Sun, 10 Jul 2016 06:54:12 GMT
{"username":"greenrabbit948","name":{"title":"miss","first":"dionaura","last":"rodrigues"},"thumbnail":"https://randomuser.me/api/portraits/thumb/women/78.jpg"}
$ curl -s "http://localhost:8080/profile/details/yellowfrog347" --header "Authorization: Bearer eyJhbGciOiJIUzUxMiJ9.eyJzdWIiOiJncmVlbnJhYmJpdDk0OCIsImV4cCI6MTQ2ODE0MDg1MiwiaXNzIjoiaW4uc2RxYWxpLmp3dCJ9.t9pqrOmYfaVkzuAQgo4D4VbN2PibQuHPuPA6RKYU-keTzbFAX58l77hQTc4Cq28HpjFOeiDvNpNEgilNHFOfVA" | jq .
{
"picture": {
"large": "https://randomuser.me/api/portraits/women/71.jpg",
"medium": "https://randomuser.me/api/portraits/med/women/71.jpg",
"thumbnail": "https://randomuser.me/api/portraits/thumb/women/71.jpg"
},
"name": {
"title": "ms",
"first": "sofia",
"last": "hansen"
},
"email": "sofia.hansen@example.com",
"username": "yellowfrog347"
}
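Now, whenever I call the same API that I called before again without the token, the data is shown. How can I stop this from happening? How can I make the token mandatory, so that data is shown only when the token is present?
This happens when I call the APIs using POSTMAN.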
You can write a function gettoken() to get the available token. If the token is there, return true, otherwise false. Hope you will get the answer.
To achieve this, you need to implement an authorization framework like OAuth2 and add the following annotation:
@PreAuthorize("#oauth2.hasScope('read') and #oauth2.hasScope('read')")
This will ensure that the client can access the service only when a valid token is passed.
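Added example, not part of the original question or answers: a likely cause of the behaviour in the question is that Spring Security's default session handling keeps the authenticated SecurityContext in an HTTP session, so a client that stores cookies (Postman does, the curl calls above do not) stays authenticated without the token. Assuming that is what happens here, this variant of the question's configuration makes every request depend on the JWT; the class name and the field types of `jwtAuthFilter` and `jwtAuthEndPoint` are assumptions.

```java
import javax.servlet.Filter;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.config.http.SessionCreationPolicy;
import org.springframework.security.web.AuthenticationEntryPoint;
import org.springframework.security.web.csrf.CsrfFilter;

// Added example: hypothetical class name, Spring Security 4.x style configuration.
@Configuration
@EnableWebSecurity
public class StatelessJwtSecurityConfig extends WebSecurityConfigurerAdapter {

    // Assumed to be the asker's existing beans; their concrete types are not
    // shown on the page, so replace Filter with the actual filter class.
    private final Filter jwtAuthFilter;
    private final AuthenticationEntryPoint jwtAuthEndPoint;

    public StatelessJwtSecurityConfig(Filter jwtAuthFilter,
                                      AuthenticationEntryPoint jwtAuthEndPoint) {
        this.jwtAuthFilter = jwtAuthFilter;
        this.jwtAuthEndPoint = jwtAuthEndPoint;
    }

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        String[] patterns = {
            "/login", "/bower_components/**/*", "/app/**/*",
            "/index.html", "/home.html", "/signin.html"
        };
        http
            // Do not create an HttpSession and do not load the SecurityContext
            // from one: a replayed JSESSIONID cookie no longer authenticates.
            .sessionManagement()
                .sessionCreationPolicy(SessionCreationPolicy.STATELESS)
                .and()
            .authorizeRequests()
                .antMatchers(patterns).permitAll()
                .antMatchers("/**/*").hasAuthority("ROLE_USER")
                .antMatchers("/*").hasAuthority("ROLE_USER")
                .and()
            // The JWT filter must now establish the Authentication on every request.
            .addFilterBefore(jwtAuthFilter, CsrfFilter.class)
            .exceptionHandling()
                .authenticationEntryPoint(jwtAuthEndPoint);
    }
}
```

With this in place, repeating the Postman request without the `Authorization` header should reach `jwtAuthEndPoint` instead of returning data. Clearing Postman's stored cookies for localhost before the change is a quick way to confirm that the session was the cause.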