I have a small problem at the moment. The problem is that my web service is RESTful. Consequently, I need a stateless session for Spring Security in order not to break REST conception. I want to get the current user information and since my Spring Security session is stateless I don't know how. I also wanted to use #PreAuthorized annotations, but, now, it's impossible too for the reasons, I wrote above. Honestly, I'm new to REST services and I would be grateful for a piece of advice.
Thank you in advance.
So the problem is in JSESSIONID. Spring use it as token in security filter chain to get UserDetails. But it's not good practice to use JSESSIONID for REST.
Briefly:
I suppose you should use Spring OAuth/OAuth2 for authorization. You will have to configure AuthorizationServerConfigurerAdapter and ResourceServerConfigurerAdapter. Then you will be able authenticate your user -> obtain access_token and refresh_token. After that you can use access_token for your REST requests, for example as HTTP header Authorization: Bearer access_token. When access_token become expired you should use refresh_token to refresh it. As usually you will be able to access UserDetails via SecurityContextHolder.
Hope it's useful for you.
Related
Looking for suggestions on how to go about with microservices authorisation.
I'm using the spring/spring boot for all them microservices
I'm able to authenticate via spring cloud gateway before reaching the actual microservices using JWT tokens however when it comes to authorisation i'm unsure on how to do it.
I would like handle the authorisation internally for each of the endpoints in the business microservice.
Is there a way to pass the JWT token to the microservice or do i need to call the authserver to get the roles within the user ?
Actually, both works.
You can put the roles in the token, when you need it, decode it. Or decode it in the gateway and pass it all the way.
If you don't want to put too much data in the token, you can call the auth server as needed.
As I can understand, OAuth2 framework needs a custom JWT authentication server and I have to create a custom security filter with JWT utility class for the filter-based JWT implementation.
However my question is, what is the best method to implement JWT on Spring Boot 2? filter-based authentication or OAuth2?
Is there any pros and cons based on nature of the clients and application?
As an example; Does OAuth2 authentication provide any advantage, if application manages different clients such as mobile, web, web service etc.?
Note: My question is related to the security of Spring-Boot REST API + web application.
I have found a discussion regarding the same matter and I’m extracting the important points below.
From the technical point of view, still I didn’t get a clear idea of which implementation, when and where, but it helps me to take a decision.
I personally hesitate to bring in OAuth when I only need JWT authentication. It feels confusing and honestly I do not want the additional complexity to use #EnableResourceServer etc. Maybe it's just a couple of lines of configuration but if feels like overkill.
Can someone show me why it's so difficult to set up an OAuth2 provider with JWT tokens? If you want JWT tokens all the code is already here. Why is it so hard to just use it?
Answer:
Maybe it's not difficult but 1) it feels unnatural to do so and 2) it can be easier.
Instead of using #EnableResourceServer and other setup I would like something much more easier like:
#Override
protected void configure(HttpSecurity http) throws Exception {
http
.jwt()
.loginUrl(new AntPathRequestMatcher("/api/login", "POST"))
.secret("my-super-duper-secret")
.claimsProvider(new MyClaimsProvider)
What you typically want set to for JWT is the login url (can be defaulted to /login), the secret and optionally some claimsProvider implementation. A default implementation should be provided out of the box adding the username and roles to the claims.
This way it would be very easy to setup JWT in Spring Security.
With OAuth2 there is a "refresh token", so you put the onus on the client to keep the access token live, and the authorization server can check the user account every time it is refreshed. If you start worrying about that kind of problem (which you should) then you will end up implementing something that is getting pretty close to OAuth2, at which point you might say "why didn't we just use OAuth2 in the first place?" Do you see my point?
Isn't the use case described in this issue conceptually different from the OAuth2 case? Here we have a password as an input and JWT token as an output, and JWT token is then used for accessing the resources. The JWT profile for OAuth 2 spec specifies a different case, where a JWT token is an input to the token service and the access token is an output, and access token is then used for accessing the resources.
It will be good to have just simple JWT token base authentication without OAuth which is sometimes complicated for small projects.
https://github.com/spring-projects/spring-security-oauth/issues/368
I am working on securing a REST API, here is the basic set up (Happy Path) I am working with:
1) UI will request to authenticate with another service, this service will return a JWT to the UI.
2) Once a user of the UI is done with their work, they will make a request to the REST API that I am tasked with securing using a JWT that is passed to me.
3) I will then ensure the JWT is legit, get the users roles and then determine if the user is authorized to access that endpoint (perform the requested function).
I am sure this is possible, but my past experience with Spring Security wasn't dealing with JWT or Authorization only.
Would it be a correct approach to implement Authentication and Authorization, get that working and then back out the Authentication part?
Thank you for your kind help!
I suggest that you take a look at the Spring Security OAuth2 project. It makes this kind of thing fairly easy.
In particular, have a look at this section about using JWT
I need to create a SpringBoot RESTful API to be consumed either by a web project or a mobile app.
My question is how to secure it without the typically basic authorization that returns you a "jsessionid" to the web browser and mantains the session with it. It's not a problem for the web project, because it could store that jsessionid. But how about to secure the mobile app request to the API?
Sorry for my english. Thanks.
One of the architectural constraints of REST is that it must be stateless.
Your REST API must not have sessions that authenticate the client. Instead, the client should pass some sort of token, commonly placed in the Authentication HTTP Header.
JWT and OAuth 2.0 are both very popular ways of doing this, and you can absolutely use HTTP Basic Authentication with OAuth 2.0 if you wish.
Here's an article called Stateless Authenticaiton with Spring Security and JWT. Hopefully that will help!
You can use basic authentication. It work sending username and password on each request but don't need save the sessionid in the client.
Here are a sample application with basic authentication:
http://www.baeldung.com/spring-security-basic-authentication
If you don't save anything in the server session you don't need save the jsessionid in the client.
I am implementing a Spring Data REST based app and I would like to know if there is an elegant way to implement authentication and authorization rules using this framework or related frameworks.
All HTTP requests to the REST server must carry authentication headers, I need to check them and decide to authorize or not based on the HTTP method and the association of the authenticated user with the resource being requested. For example, (the app is the REST server of an e-learning system), the instructors can access only their own course sections, students can access only the courses sections they are subscribed, etc.
I would like to know if there is a default way to implement authorization in Spring Data REST. If the answer is no, could you make a suggestion for my issue? I am thinking about:
Servlet Filters
Spring Security
Spring Data REST Handlers (how to access the HTTP headers?)
The best bet for you is Spring Security.
That would help you achieve authorization is much simpler manner.
Spring Security would require you an implementation that looks at request headers and performs the log-in operation programmatically.
Refer the accepted answer here.. I had followed the same and implemented the security layer in front of my rest services ( which were build using RestEasy )
RESTful Authentication via Spring
There is an alternate method as well..
Refer
http://www.baeldung.com/spring-security-authentication-provider
In both cases you can disable the session creation by declaring the stateless authentication in spring security, this would help you improve the performance considerably when large volume of hits are made to the state-less REST services..