使用 Firebase Auth 在 Spring 中对 API 请求进行身份验证

我已经使用 Firebase 身份验证令牌 (JWT) 验证对 API 的访问权限,该令牌作为承载令牌在 Http 授权标头内传递。使用自动配置可以很好地工作。现在我想从身份验证映射到数据库中的用户记录。我需要如何调整安全过滤器链?此配置由 spring boot 根据文档自动应用,并且可以被覆盖:


@Override

protected void configure(HttpSecurity http) throws Exception {

    http

            .authorizeRequests().anyRequest().authenticated()

            .and().oauth2ResourceServer().jwt();

}

我正在使用 Firebase 身份验证 UI 插入解决方案,该解决方案在成功身份验证时提供访问令牌。然后这个令牌被传递到我的 API。


慕莱坞森
浏览 151回答 1
1回答

慕桂英4014372

您可能需要做一些事情:编写一个安全过滤器来调用 FirebaseAuth 对 Bearer Token 进行身份验证。令牌经过身份验证后,将其放入 SecurityContext 中。类似于:public class FirebaseFilter extends OncePerRequestFilter {&nbsp; &nbsp; private static String AUTH_HEADER = "Authorization";&nbsp; &nbsp; @Override&nbsp; &nbsp; protected void doFilterInternal(HttpServletRequest request,&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; HttpServletResponse response,&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; FilterChain filterChain) throws ServletException, IOException {&nbsp; &nbsp; &nbsp; &nbsp; String authToken = request.getHeader(AUTH_HEADER).substring(7);&nbsp; &nbsp; &nbsp; &nbsp; if (!StringUtils.isEmpty(authToken)) {&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; Authentication auth = getAuthentication(authToken);&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; SecurityContextHolder.getContext().setAuthentication(auth);&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; logger.debug("Successfully Authenticated");&nbsp; &nbsp; &nbsp; &nbsp; }&nbsp; &nbsp; &nbsp; &nbsp; filterChain.doFilter(request, response);&nbsp; &nbsp; }&nbsp; &nbsp; private FirebaseToken verifyIdToken(String idToken) {&nbsp; &nbsp; &nbsp; &nbsp; if (StringUtils.isEmpty(idToken)) {&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; throw new IllegalArgumentException("idToken is blank");&nbsp; &nbsp; &nbsp; &nbsp; }&nbsp; &nbsp; &nbsp; &nbsp; return FirebaseAuth.getInstance().verifyIdToken(idToken);&nbsp; &nbsp; }&nbsp; &nbsp; private Authentication getAuthentication(String idToken) {&nbsp; &nbsp; &nbsp; &nbsp; FirebaseToken token = verifyIdToken(idToken);&nbsp; &nbsp; &nbsp; &nbsp; assert token != null;&nbsp; &nbsp; &nbsp; &nbsp; return new FirebaseAuthenticationToken(token.getUid(), token);&nbsp; &nbsp; }}您将需要 UserDetailsService 的实现,我相信您已经有了。您将需要一个安全提供程序,它从安全上下文中获取身份验证,然后调用 UserDetailsService 来获取应用程序可能需要的任何信息。然后更新认证对象。类似于:@Componentpublic class FirebaseAuthenticationProvider implements AuthenticationProvider {&nbsp; &nbsp; private UserService userService;&nbsp; &nbsp; @Autowired&nbsp; &nbsp; public FirebaseAuthenticationProvider(UserService userService) {&nbsp; &nbsp; &nbsp; &nbsp; this.userService = userService;&nbsp; &nbsp; }&nbsp; &nbsp; public Authentication authenticate(Authentication authentication) throws AuthenticationException {&nbsp; &nbsp; &nbsp; &nbsp; if (!supports(authentication.getClass())) {&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; return null;&nbsp; &nbsp; &nbsp; &nbsp; }&nbsp; &nbsp; &nbsp; &nbsp; UserDetails details = userService.loadUserByUsername(authentication.getPrincipal()&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;.toString());&nbsp; &nbsp; &nbsp; &nbsp; FirebaseToken token = (FirebaseToken) authentication.getCredentials();&nbsp; &nbsp; &nbsp; &nbsp; if (details == null) {&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; details = userService.registerUser(token);&nbsp; &nbsp; &nbsp; &nbsp; }&nbsp; &nbsp; &nbsp; &nbsp; return new FirebaseAuthenticationToken(details, token, details.getAuthorities());&nbsp; &nbsp; }&nbsp; &nbsp; public boolean supports(Class<?> authentication) {&nbsp; &nbsp; &nbsp; &nbsp; return (FirebaseAuthenticationToken.class.isAssignableFrom(authentication));&nbsp; &nbsp; }}
打开App,查看更多内容
随时随地看视频慕课网APP

相关分类

Java