I need to authenticate a webhook post from a third party integration on my backend api server. The only thing I can define is the endpoint url they will call. It can't be dynamic once they have to register and the process takes 3 days. And we use a multi-tenant solution, so we have to authenticate with different schema on every call.
So the problem is that I have to create a filter for this webhook, so I can authenticate it through a value contained in the json of a post body.
So I defined a WebSecurityConfigurerAdapter and added a AbstractPreAuthenticatedProcessingFilter so I can intercept the request, read the value in the json body authenticated with the appropriate credentials.
I follow this tutorial Reading HttpServletRequest Multiple Times in Spring so I could be able to read InputStream from the request without erase it.
So my question about it are two.
1: Is there a better/easy approach so I can archive this result?
2: I guess this tutorial are missing something, because I'm getting null pointer at servlet when try to read the request (again, after I have already read at the filter).
Any guess would be appreciated, thanks in advance.
Are we allowed to know which 3rd party service?
PayPal/Stripe for example have docs already to explain how to verify the data.
If you can add metadata/custom fields to the webhook, you could sign it for example.
As far as checking the signature/verifying it, why not do this in the #Contoller=>#Service?
Related
So I have this situation.
I am coding inside a controller API in spring boot that gets a request with authorisation header.
I need to hit a token endpoint with this header to get the access token.
After this I need to hit an API with this toke to get some information.
Now one way of approaching this is to ,
Create a clients one to get the token .
Create another client to hit the actual API.
Then when my API received the request , then hit these above endpoints in succession to get
the job done. Also, need to take care of caching the token so that we dont end up doing this
every time.
Because this looks like a pattern I want to create a system where i can create one client kind of like the Spring WebCLient and that can take care of hitting the token uri when required.
But all documentation I am reading suggest providing a token url(which I have) and also clientid/secret in the configuration.(These I dont. I only have the incoming auth code).
Is there a programmatic way I can achieve the same with webclient ?
I'm working with Spring Boot and don't know how to design register confirmation process.
Is UUID the best choice to generate random token? I've seen that people write "no, it's not" but they don't explain why and what is better
A lot of people suggest also to avoid sending token via GET param because there is a risk that someone can steal it. They encourage to send POST requests with token in request body, but how to send POST request from email? Using ? But then my server should be able to process this request, but this type of request fits to REST application? Or meybe there is possibility to send POST request with json body from email?
I can't decide how to solve these problems.
UUID seems to be a perfectly fine solution for tokens. I don't see a problem with it.
Regarding question 2: If you have tokens, that would be used multiple times, then indeed using that token in GET requests is a really bad idea. However, for a registration confirmation, you usually only have tokens that are valid for one use. So as soon as someone used a token, you should mark this token as invalid. In that case, using it in a GET request doesn't impose any security risks. Also, the token itself should just be used to mark the user account, but it shouldn't allow automatic login of the user, once he clicked on the link. Then you should be fine.
I have a public website running from an eXist app. I am now developing an interface for logged in users to edit certain documents through HTML forms and AJAX. I've set up a module in eXist to receive AJAX POST requests through the eXist REST interface (ie. http://www.example.com/exist/rest/db/myapp/api/myxquery.xql). However this module does not seem to be aware of the fact that the user is already logged in!
How do I get the REST module to use the session/authentication of the logged in user?
Am I required to store the user/password in the browser to pass with each REST API request?
If this is not the preferred model for passing data from the browser under user/password, what is eXist's recommended solution?
Many thanks in advance.
(A variation on this question was asked two years ago but received no solutions.)
In order to use the REST-API from existdb you can only authenticate each request using HTTP Basic Authentication. Also mentioned in the question you referenced.
If you decide to handle AJAX request in your app's controller.xql you will need to:
Add routes for your AJAX requests to the controller
Make sure you call login:set-user for the user session to be picked up
Make sure the AJAX request sends the cookie:
For instance, the fetch function will send the authorisation cookie
only if send-authorization is true.
Look at the output-method and serialization settings, since you will likely want to respond in JSON-format. useful blog post about this
I have met a seemly easy, but actual pretty difficult situation for me, hope you can help.
WE need to provide secured rest api, but we have difference service, for example, authentication service, execution service. I now need to secure execution service.
I am using spring4 boot to boost, it seemed natural that using spring security, and then provide a customer userdetail service,but then when I start implement it, I met this big problem.
ExecutionService is not responsible for login purpose, so it won't provide a login form and consequently, it won't save token at all. What it needs to do is only checking header info, if it sees token in the header, it will use some decode algorithm to decode that token and then check if user is qualified to continue to not.
In all the posts on line regarding spring security, it all require a token storage, that means, user login first and then save token in memory, and then when user comes again, just check that token.
Can anyone help me to figure out,
1) how to use spring security to check request header info;
2) when see token in header, use a customized function to check validity of that header and then authenticate the user based on the checking result?
Thanks in advance
I have a small application written in Play! which allows user registration and adding some content for registered users which other registered users can view. I'd like to add some REST API to my application with [resteasy] module, and my question is: are there any best practices or known solutions for performing authentication with rest to allow users managing their own content using resteasy in Play! ?
What I'm thinking about now, are two solutions:
Client sends data and also sends his password and user name in some hashed or encoded form and this data is checked with credentials in database. If there is a match, request action occurs.
Client authenticates in the first place and is returned sessionId or something which he has to add to all requests (cookie?).
Any help is appreciated.
You have some related answers on how to approach security here and here.
Personally I would try to create some OAuth 2 authentication if the API is to be used by 3rd parties. If it is private usage (only your apps will call it) other methods plus SSL should suffice.