#EnableGlobalMethodSecurity vs #EnableWebSecurity - spring

I am developing a REST API using Spring 4. I would like to secure some of the endpoints using Spring Security, but based on what I've read this can be done with either #EnableGlobalMethodSecurity or #EnableWebSecurity. Unfortunately, the documentation that I have found for these don't clearly explain what they do (or how they compare). If I want to secure a Spring REST API with authentication and authorization based on data and relationships declared in a standard relational database, what is the recommended method for achieving this in Spring 4?

EnableWebSecurity will provide configuration via HttpSecurity. It's the configuration you could find with <http></http> tag in xml configuration, it allows you to configure your access based on urls patterns, the authentication endpoints, handlers etc...
EnableGlobalMethodSecurity provides AOP security on methods. Some of the annotations that it provides are PreAuthorize, PostAuthorize. It also has support for JSR-250. There are more parameters in the configuration for you
For your needs, it's better to mix the two. With REST you can achieve everything you need only by using #EnableWebSecurity since HttpSecurity#antMatchers(HttpMethod,String...) accepts control over Http methods

Related

Custom Spring Actuator Endpoint which has subsystem and can be added dynamically

I'm looking for a way to implement custom endpoints for a reactive application using Spring Boot 2.2.
The endpoints have some subsystems and perform specific resource operations on the subsystems. The URL paths look like:
/actuator/system1/subsystem_a
/actuator/system1/subsystem_b
/actuator/system2/subsystem_c
Furthermore, system1 and system2 are not both always deployed, so I'd like to add dynamically the endpoints of the deployed system only.
I know I can use ReactiveHealthContributorRegistry to add custom health check endpoints dynamically. Is there a similar way for a fully custom endpoint?
Thanks in advance.
It seems there is no way to construct such complex endpoints like what I asked in Spring Boot Actuator.
I finally decided to use RouterFunction and HandlerFunction referring to the following websites.
https://www.baeldung.com/spring-5-functional-web
https://spring.io/blog/2016/09/22/new-in-spring-5-functional-web-framework

Setup Spring Filter using annotation

I am really new to spring and wanted to make a simple web application that uses JWT based authentication.
I have an endpoint on my server (/token) that returns JWT tokens to my client.
These clients then make requests to my server using that token. I was wondering how I could implement something like this:
#Secured("Admin")
#RequestMapping("/users", method=RequestMethod.DELETE)
public #ResponseBody String deleteUsers(){
...
}
From what I could gather, I would need a filter that would validate my JWT token that is sent along with every request the client makes. Is there any way in which only requests that have a #Secured annotation are passed through that filter?
Spring Security maintains a filter chain internally where each of the filters has a particular responsibility and filters are added or removed from the configuration depending on which services are required. The ordering of the filters is important as there are dependencies between them. If you have been using namespace configuration, then the filters are automatically configured for you and you don't have to define any Spring beans explicitly but here may be times when you want full control over the security filter chain, either because you are using features which aren't supported in the namespace, or you are using your own customized versions of classes.
link

Need for RestApi authentication

Developed Rest API using Java/Spring MVC
Can we provide authentication for RestAPI? If yes, How?
Now I am struggling with authentication for RestApi. Can anyone send some examples regarding the same.
Accessing rest API through AJAX request.
Since you are already using Spring, you can use Spring security to provide security related functionality. This can give you one stop solution for your security needs. Common security mechanisms for Rest API's (basic, digest) and features are supported out of box and it's very easy to add your custom security too. For a start tutorial you can have a look here

Authentication and authorization in Spring Data REST

I am implementing a Spring Data REST based app and I would like to know if there is an elegant way to implement authentication and authorization rules using this framework or related frameworks.
All HTTP requests to the REST server must carry authentication headers, I need to check them and decide to authorize or not based on the HTTP method and the association of the authenticated user with the resource being requested. For example, (the app is the REST server of an e-learning system), the instructors can access only their own course sections, students can access only the courses sections they are subscribed, etc.
I would like to know if there is a default way to implement authorization in Spring Data REST. If the answer is no, could you make a suggestion for my issue? I am thinking about:
Servlet Filters
Spring Security
Spring Data REST Handlers (how to access the HTTP headers?)
The best bet for you is Spring Security.
That would help you achieve authorization is much simpler manner.
Spring Security would require you an implementation that looks at request headers and performs the log-in operation programmatically.
Refer the accepted answer here.. I had followed the same and implemented the security layer in front of my rest services ( which were build using RestEasy )
RESTful Authentication via Spring
There is an alternate method as well..
Refer
http://www.baeldung.com/spring-security-authentication-provider
In both cases you can disable the session creation by declaring the stateless authentication in spring security, this would help you improve the performance considerably when large volume of hits are made to the state-less REST services..

Performing custom authorization in Spring annotated controller

I'm getting started at building REST APIs with Spring annotated controllers.
My question is very simple: how to perform authentication/authorization in a common place rather than the APIs?
Being an expert C# developer I usually create a custom FilterAttribute for my controllers in order to implement any required authentication code.
I'm not going to use #Secured attribute because I work on custom REST authorization based on custom HTTP headers. I have understood that #Secured works with predefined roles, or perhaps I didn't understand its usage well.
Does Spring offer annotations to perform early filtering of Controllers working on the HttpRequest?
There is a filter-based authentication and authorization plugin at the web container level, provided by Spring Security. However, you can also apply security annotations to the controllers. . . Behind the scenes this uses Aspect Oriented programming to modularize the security concern. Take a look at Spring Security and AOP.
Once you understand a little about the AOP side of things you can customize the authorization however you like - role-based, time of day, whatever - this can be driven by custom annotations.

Resources