I was told that, when using a separate front end, using only a JWT without an HttpOnly cookie is insecure, as suggested here:

HttpOnly Cookie: https://www.ictshore.com/ict-basics/httponly-cookie/

I currently have a working JWT system, so I am trying to upgrade it to support a cookie implementation.

I first changed my SecurityConfiguration to the following:
```java
import static org.springframework.http.HttpMethod.GET;

import lombok.RequiredArgsConstructor;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.authentication.AuthenticationManager;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.config.http.SessionCreationPolicy;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.crypto.password.PasswordEncoder;
import org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter;

@Configuration
@EnableWebSecurity
@RequiredArgsConstructor
public class SecurityConfiguration extends WebSecurityConfigurerAdapter {

    private final UserDetailsService uds;
    private final PasswordEncoder bcpe;

    @Override
    protected void configure(AuthenticationManagerBuilder auth) throws Exception {
        // Authenticate against the user store, comparing passwords with BCrypt
        auth.userDetailsService(uds).passwordEncoder(bcpe);
    }

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http.cors().and().csrf().disable();
        // Login filter issues the JWT; authorization filter validates it on every request
        http.addFilter(new CustomAuthenticationFilter(authenticationManagerBean()));
        http.addFilterBefore(new CustomAuthorizationFilter(), UsernamePasswordAuthenticationFilter.class);
        http.sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS)
            .and().logout().deleteCookies(CustomAuthorizationFilter.COOKIE_NAME)
            .and().authorizeRequests().antMatchers("/login/**", "/User/refreshToken", "/User/add").permitAll()
            .and().authorizeRequests().antMatchers(GET, "/**").hasAnyAuthority("STUDENT")
            .anyRequest().authenticated();
    }

    @Bean
    @Override
    // Exposes the AuthenticationManager built above as a bean so the login filter can use it
    public AuthenticationManager authenticationManagerBean() throws Exception { // NO FUCKING IDEA WHAT THIS DOES
        return super.authenticationManagerBean();
    }
}
```
From here I am trying to plug the actual cookie implementation into my …
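One way the two custom filters in the configuration above can move the JWT from a header into an HttpOnly cookie, as an added example that is not the asker's code: `CustomAuthenticationFilter` sets the cookie on successful login, and `CustomAuthorizationFilter` reads it back and populates the security context. It assumes Spring Boot 2.x (javax.servlet, WebSecurityConfigurerAdapter as in the question) and a hypothetical `JwtService` that signs and verifies the token; the name `JwtService`, its methods, and the cookie name `access_token` are assumptions, not anything from the question.

```java
// Added example, not the asker's code. Assumes Spring Boot 2.x (javax.servlet) and a
// hypothetical JwtService whose create()/verify() methods sign and verify the JWT.
import java.io.IOException;
import javax.servlet.FilterChain;
import javax.servlet.ServletException;
import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import java.time.Duration;
import org.springframework.http.HttpHeaders;
import org.springframework.http.ResponseCookie;
import org.springframework.security.authentication.AuthenticationManager;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter;
import org.springframework.web.filter.OncePerRequestFilter;
import org.springframework.web.util.WebUtils;

public class CookieJwtFilters {

    /** Hypothetical token service (assumption): the real one signs and verifies the JWT. */
    public interface JwtService {
        /** Creates a signed JWT carrying the subject and authorities of the authenticated user. */
        String create(Authentication auth);
        /** Returns an Authentication rebuilt from a valid token, or null if the token is invalid/expired. */
        Authentication verify(String token);
    }

    /** Login filter: on success, place the JWT in a cookie that page scripts cannot read. */
    public static class CustomAuthenticationFilter extends UsernamePasswordAuthenticationFilter {
        private final JwtService jwt;

        public CustomAuthenticationFilter(AuthenticationManager am, JwtService jwt) {
            setAuthenticationManager(am);
            this.jwt = jwt;
        }

        @Override
        protected void successfulAuthentication(HttpServletRequest req, HttpServletResponse res,
                                                FilterChain chain, Authentication auth)
                throws IOException, ServletException {
            ResponseCookie cookie = ResponseCookie.from(CustomAuthorizationFilter.COOKIE_NAME, jwt.create(auth))
                .httpOnly(true)       // not exposed through document.cookie, so script injection cannot read it
                .secure(true)         // only sent over HTTPS
                .sameSite("Strict")   // browser omits it on cross-site requests, which limits CSRF
                .path("/")
                .maxAge(Duration.ofMinutes(15)) // short lifetime; /User/refreshToken can issue a new one
                .build();
            // ResponseCookie renders the SameSite attribute, which javax.servlet.http.Cookie cannot
            res.addHeader(HttpHeaders.SET_COOKIE, cookie.toString());
        }
    }

    /** Authorization filter: read the JWT from the cookie instead of the Authorization header. */
    public static class CustomAuthorizationFilter extends OncePerRequestFilter {
        public static final String COOKIE_NAME = "access_token"; // assumed name, matches deleteCookies() in the config
        private final JwtService jwt;

        public CustomAuthorizationFilter(JwtService jwt) {
            this.jwt = jwt;
        }

        @Override
        protected void doFilterInternal(HttpServletRequest req, HttpServletResponse res, FilterChain chain)
                throws ServletException, IOException {
            Cookie c = WebUtils.getCookie(req, COOKIE_NAME);
            if (c != null) {
                Authentication auth = jwt.verify(c.getValue());
                if (auth != null) {
                    // A valid token authenticates the request; an invalid one is simply ignored
                    // and the request continues as anonymous, so permitAll() paths keep working
                    SecurityContextHolder.getContext().setAuthentication(auth);
                }
            }
            chain.doFilter(req, res);
        }
    }
}
```

Because the browser now attaches the token automatically, the `csrf().disable()` line in the configuration above becomes significant: either the cookie's `SameSite` attribute or Spring's CSRF token must stop cross-site requests from riding on it. `SameSite=Strict` only works when the separate front end is served from the same site (same registrable domain); if it lives on a different site, the cookie has to be `SameSite=None` and CSRF protection should be switched back on, and the CORS configuration must allow credentials for the front end's origin.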