I am working on securing a REST API, here is the basic set up (Happy Path) I am working with:
1) UI will request to authenticate with another service, this service will return a JWT to the UI.
2) Once a user of the UI is done with their work, they will make a request to the REST API that I am tasked with securing using a JWT that is passed to me.
3) I will then ensure the JWT is legit, get the users roles and then determine if the user is authorized to access that endpoint (perform the requested function).
I am sure this is possible, but my past experience with Spring Security wasn't dealing with JWT or Authorization only.
Would it be a correct approach to implement Authentication and Authorization, get that working and then back out the Authentication part?
Thank you for your kind help!
I suggest that you take a look at the Spring Security OAuth2 project. It makes this kind of thing fairly easy.
In particular, have a look at this section about using JWT
Related
As we know the Spring Security OAuth 2.0 project has bee depreciated and now it's Spring Security 5.
My question is related with Authorisation Server for grant_type: authorization_code. Spring team is also working on standalone project for Authorization Server. So most of the codebase in Spring Security project is depreciated for Authorization Server.
Still, I've couple of questions for endpoints with authorization_code flow in Spring Security 2.0/5.
OAuth 2.0:
Can you please let me know, which endpoints are supported for below use cases in Authorization Flow:
Login Button: ask the customised authorization url from Authorization Server.
User logged-in: once end-user logged-in (authenticate), need to authorise with registered client application and provide the code in the callback URI.
Request For Access Token: once the code has been received in previous step, it should use the code to get the access token.
Please let me know which endpoints are meant to be used in Spring Security OAuth 2.0/5 for above use cases. Based on my research, I've found these endpoints:
/oauth/token: get the access token
/oauth/token_key: produces JWT encoded token values
/oauth/check_token: validate the access token
Can you please let me know which endpoint dedicated for authorisation before end-user authenticate in use case #1. And after end-user authentication in use case #2.
Any help would be appreciated.
Many Thanks,
Adnan
I want to implement in backend rest safely in oauth2 + jwt.
I want to implement the following authentication flow in spring boot, but I am not sure how to do it:
1. The user is authenticated.
2. That request is received and with that login and password a ws that validates the credentials is attacked.
3. If it is correct, a series of data and permissions are searched in the database
4. If it is correct, access is granted and the jwt token is generated
I'm lost with this and as much as I read I can't know how I can do it.
Any manual or post I can follow?
Are you running your own (a custom) Auth server or is the plan to allow users to authenticate via a provider such as Google, Facebook etc? If its the later, then you cannot expect to receive user / password credentials at all so you might have misunderstood the OAuth flow. You will typically receive an 'Authorization code' from the provider (e.g. Google).
Also, what do you mean by "a ws that validates the credentials is attacked"?
This Google use-case diagram depicts a common flow. It's part of this guide.
Either way, Spring Boot does not itself deal with OAuth / security, but it has a tight
integration with Spring Security which is a good security framework to use, especially as you're already using Spring. Spring Security can handle OAuth, JWT etc.
A couple of guides that may help to get you started:
https://www.baeldung.com/spring-security-oauth-jwt
https://spring.io/guides/tutorials/spring-boot-oauth2/
I need to create a SpringBoot RESTful API to be consumed either by a web project or a mobile app.
My question is how to secure it without the typically basic authorization that returns you a "jsessionid" to the web browser and mantains the session with it. It's not a problem for the web project, because it could store that jsessionid. But how about to secure the mobile app request to the API?
Sorry for my english. Thanks.
One of the architectural constraints of REST is that it must be stateless.
Your REST API must not have sessions that authenticate the client. Instead, the client should pass some sort of token, commonly placed in the Authentication HTTP Header.
JWT and OAuth 2.0 are both very popular ways of doing this, and you can absolutely use HTTP Basic Authentication with OAuth 2.0 if you wish.
Here's an article called Stateless Authenticaiton with Spring Security and JWT. Hopefully that will help!
You can use basic authentication. It work sending username and password on each request but don't need save the sessionid in the client.
Here are a sample application with basic authentication:
http://www.baeldung.com/spring-security-basic-authentication
If you don't save anything in the server session you don't need save the jsessionid in the client.
I'm about to implement a token based authentication system with Spring Boot and Json web token. I have a frontend app built with Angular. My understanding is that once authenticated, all API calls from the angular app will send the token to the server to be verified before a response is sent back.
I'm wondering then how Spring Security would fit into the picture. It seems like it is no longer necessary if I just use the server to verify the token every time the frontend makes a call.
My question is whether or not Spring Security is required in this instance and if it is, what role will/can it play?
I would like to know from the outset before diving in. Thanks!
How can I implement token-based authentication without cookies for my Spring Boot RESTful application (not MVC)? I've searched the web, but not found any good tutorials.
Create a Authentication filter and check the token in header there. Load the used based on the token from your user store and set it as the request principle.
Checkout the following for an example
Authentication Filter Example