Problem description
We have 2 different web applications that are running on the same Tomcat: webapp#1, webapp#2.
Webapp#1 is connecting to webapp#2 via this service method:
    this.restTemplate.postForObject(url,
                                    request,
                                    responseType);
webapp#2 is receiving this request in the following controller:
    @RequestMapping(value = "/bla", method = RequestMethod.POST)
    @ResponseStatus(value = HttpStatus.OK)
    @ResponseBody
    public ResponseDTO requestSomething(@RequestBody RequestDTO requestDTO, HttpServletRequest request) {
        return new ResponseDTO("Hello");
    }
Now, we have a security requirement that this controller we are revealing in webapp#2 will only receive requests from webapp#1.
What are our alternatives in achieving that? Do we have to create a new session in webapp#2 from webapp#1? If so, where do the credentials come from? Should we agree on something predefined? Does Spring Security have any way to solve this?
Thanks!
Recommended answer
I'm happy if someone can tell me whether there is a special (and good) way for webapps in the same container, but AFAIK these are the options:
Option 1: Ignore that they are in the same Tomcat
In other words, do it as if the two webapps were in two different locations. For example, you can use HTTP Basic authentication; it is rather easy to do a ClientHttpRequestFactory implementation that adds the Authorization header for RestTemplate on the client side (webapp#1), and Spring Security has built-in support for handling it on the server side (webapp#2). With Basic authentication, communication can be stateless and no session is required. The only disadvantage is that both web apps need to know the credentials.
Option 2: Check for localhost
The idea is that webapp#2 checks where the request comes from. Compare ServletRequest.getRemoteAddr() with 127.0.0.1 (or any other loopback address). If you want to apply Spring Security, you need to create a custom filter in the security chain. Advantage: webapp#1 does not need any credentials. Disadvantage: depending on your server setup, this can be unsafe! If a user can open connections on the machine, they can pretend to be webapp#1. Be extra careful if there is a proxy of some kind on the machine.
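As an added illustration of Option 2 (not code from the original answer), this is a servlet filter for webapp#2 that admits only requests arriving over the loopback interface. It uses InetAddress.isLoopbackAddress() instead of a string compare so that 127.0.0.0/8 and the IPv6 ::1 form Tomcat reports are both handled, and it deliberately ignores forwarding headers, which is the proxy caveat above in code form. The class name LoopbackOnlyFilter is an assumption.

```java
import java.io.IOException;
import java.net.InetAddress;
import java.net.UnknownHostException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletResponse;

// Hypothetical filter for webapp#2: rejects any request that did not arrive over loopback.
public class LoopbackOnlyFilter implements Filter {

    // getRemoteAddr() yields an IP literal, so getByName() parses it without a DNS lookup.
    public static boolean isLoopback(String remoteAddr) {
        if (remoteAddr == null) {
            return false;
        }
        try {
            // Covers 127.0.0.0/8 and ::1 (Tomcat may report the latter as "0:0:0:0:0:0:0:1").
            return InetAddress.getByName(remoteAddr).isLoopbackAddress();
        } catch (UnknownHostException e) {
            return false;
        }
    }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        // Only the socket peer address is trusted. X-Forwarded-For and similar headers are
        // client-controlled and are never consulted. Note that if a reverse proxy sits in
        // front of Tomcat, every request arrives from loopback and this check proves nothing;
        // in that setup Option 1 (Basic auth) is the right choice.
        if (!isLoopback(req.getRemoteAddr())) {
            ((HttpServletResponse) res).sendError(HttpServletResponse.SC_FORBIDDEN);
            return;
        }
        chain.doFilter(req, res);
    }
}
```

Map it to the internal URL (e.g. /bla) in web.xml, or insert it into the Spring Security chain with http.addFilterBefore(new LoopbackOnlyFilter(), BasicAuthenticationFilter.class) so it runs before authentication.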
This concludes the article on Spring MVC - 2 different web applications trying to interact with each other (securely).