将授权和用户主体从其余客户端传递到服务器春季启动

编程问答 2022-06-09

问题描述

我必须从其余客户端调用一个安全的端点,在控制器端,它要求从客户端发送权限和用户主体信息。

 String  endpoint="http://localhost:8096/polygons/34";
           // endpoint="https://dop-int.edosdp.ericsson.se/polygon-manager/polygons/34";
            HttpHeaders headers = new HttpHeaders();
            headers.setBasicAuth("mahi","ChangeM6");
            headers.setConnection("keep-alive");       
             httpentity<String> httpentity = new httpentity<String>(headers);       
            ResponseEntity<Long> exchange = restTemplate.exchange(endpoint,HttpMethod.GET,httpentity,Long.class);

如何从client发送至少一个角色(ADMIN或GUEST_USER)信息。 有什么办法可以将所有用户信息包装在虚拟会话中,并将其发送给serer。

谢谢, 玛希

解决方法

不!对客户而言,修改任何类型的会话信息(包括cookie)都是一个坏主意。应该只允许服务器这样做。

由于您的要求是检查特定网址上的用户角色,因此您可以设置自定义请求标头,并在控制器方法本身中进行检查:

示例代码:

@GetMapping("/polygons")
public String getPolygons(HttpServletRequest request) {     
    String userRole = request.getHeader("user-role");
    if(userRole != null && userRole.toLowerCase().equals("admin")) {
        System.out.print("Role provided: " + userRole);     
        // ...
        return "some-data";
    }           
    
    System.out.print("Role not provided!");
    return "error";
}

Postman client - set custom header

您还可以在发布请求的请求正文中设置用户角色。

public class RequestParams {
    private String userRole;
    // ...
}       

@PostMapping("/polygons")
public String getPolygons(@RequestBody RequestParams requestParams) {
    String userRole = requestParams.getUserRole();
    if(userRole != null && userRole.toLowerCase().equals("admin")) {
        System.out.print("Role provided: " + userRole);     
        // ...
        return "some-data";
    }           
    
    System.out.print("Role not provided!");
    return "error";
}

Set POST request body

如果您要检查多个URL上的用户角色,则应考虑编写servlet过滤器。

编辑:

我认为我过去也面临过类似的情况。我最终使用apache的httpclient库而不是resttemplate。

下面是一些示例代码:

private List<OrganizationDTO> getUserOrgUnits(String loggedInUserId,String token) {
    List<OrganizationDTO> userList = new ArrayList<OrganizationDTO>();      

    CloseableHttpClient httpClient = HttpClients.createDefault();
    HttpGet httpGet = new HttpGet(getUserOrgUnitsApiURL());
    try {
        // Setting header
        httpGet.setHeader("Authorization","Bearer " + token);
        httpGet.setHeader("Content-type","application/json");
        // Setting custom header
        httpGet.setHeader(USERID_HEADER_NAME,loggedInUserId);
        
        CloseableHttpResponse response = httpClient.execute(httpGet);
        String  result = EntityUtils.toString(response.getEntity());
        
        JsonNode node = null;
        ObjectMapper mapper = new ObjectMapper();
        node = mapper.readTree(result);
        Iterable<JsonNode> list = node.path("data");            
        for (JsonNode jsonNode : list) {
            OrganizationDTO dto = mapper.treeToValue(jsonNode,OrganizationDTO.class);
            userList.add(dto);
        }
    } catch (Exception e) {
        log.error("getUserOrgUnits: Exception.");
        e.printStackTrace();
    }                                       
    return userList;
}
javajavarest-clientresttemplatespring-bootspring-security