Developed Rest API using Java/Spring MVC
Can we provide authentication for RestAPI? If yes, How?
Now I am struggling with authentication for RestApi. Can anyone send some examples regarding the same.
Accessing rest API through AJAX request.
Since you are already using Spring, you can use Spring security to provide security related functionality. This can give you one stop solution for your security needs. Common security mechanisms for Rest API's (basic, digest) and features are supported out of box and it's very easy to add your custom security too. For a start tutorial you can have a look here
Related
I'm just wrapping my head on Oauth2. I have a Spring boot app with its own users and roles system handled by Spring Security 5. Internally I use email to identify users, I want people who registered with their gmail addresses to be able to log in through Oauth2. Or, more generally, how do I make one of my users log in to my app using Oauth2? If you need code or more information just ask. Thanks in advance.
As far as I understood your question, you are looking for a general approach to authenticate users for using your Spring Boot application with the help of OAuth2 protocol.
In your case you will probably use Google as an authentication provider and your application as resource server, according to the OAuth2 standard wording. First at all to answer your general question, there are different ways of using OAuth2 to authenticate users. A good starting points are these links:
https://www.rfc-editor.org/rfc/rfc6749
https://auth0.com
To find the proper way of implementing OAuth2 for your usecase I recommend using this decision tree: https://auth0.com/docs/api-auth/which-oauth-flow-to-use
For starting to implement OAuth2 in Spring Boot you can use several Spring Security projects with further documentation:
https://docs.spring.io/spring-boot/docs/current/reference/html/boot-features-security.html#boot-features-security-oauth2
https://docs.spring.io/spring-security-oauth2-boot/docs/current-SNAPSHOT/reference/htmlsingle/
I have a Rest API backend (Rest based) which I want to secure now. I have looked into both Spring Security (for which I know implementation) and Apache Shiro. After learning that how shiro has a easy to use API, I want to implement it. However, there are no clear authorization tutorials to do this as I wanted to implement not just Basic Auth but Digest Authentication to have a more secured api. I have read that shiro has support for it. Also, I want to store my username and passwords in a databse and not in the ini file of shiro as shown in examples. Can anyone help me with this implementation? I have used Spring Rest for my apis.
Any suitable tutorial will help.
There are no digest examples yet in the Shiro samples dir. It can be done, but you would need to dig it a bit (take a look how the BasicHttpAuthenticationFilter works)
As for storing your users in a Database (or anywhere for that matter) Shiro uses the term realm for this. Here is an example gist that uses the JdbcRealm.
This is my first question on StackOverflow and I hope someone can help me. :-)
I am planning to build a web-application (backend) with spring roo. For the backend I will use Spring and Hibernate/JPA. In the future I will implement a web client (JSF/Primefaces), a mobile client (Android) and a Windows App.
With spring roo it is easy to create a layered architecture with domain classes, repositories and services. This part is fun.
But now I am thinking about remoting and how to connect all the clients (web, mobile, windows) with my backend.
1.) What do you prefer for the remoting between client and backend? SOAP-Web Services or a REST-API (e.g. with JSON).
2.) If REST-API: How should the API look like for authentication/login functionality? REST is resource-oriented but how do you implement authentication with REST API?
At the moment I think a REST-API is a good idea. Because I am using spring it is easy to create a Spring MVC controller with REST support. But is this the correct way to implement a REST API for all the three devices? The web client e.g. should be implemented with JSF and Primefaces and I donĀ“t use spring MVC for the web layer.
3.)Can I nevertheless use Spring MVC controllers to build the REST API (together with JSF in the web layer)? Or is there a better way?
1.) What do you prefer for the remoting between client and backend? SOAP-Web Services or a REST-API (e.g. with JSON).
I don't have too much experience with SOAP-WS, but I have a ton of experience with REST-APIs using JSON. There are many implementations for mobile, web and server side clients that are fairly simple to implement.
2.) If REST-API: How should the API look like for authentication/login functionality? REST is resource oriented but how to implement authentication with REST API?
If you are already using spring, I recommend securing your API with Spring Security. You can use spring security even if you don't end up going with Spring MVC for your API implementation. There are many ways to secure a rest API with spring security, but I the simplest is to send the basic auth header with every request to a secure URI
3.)Can I nevertheless use Spring MVC controllers to build the REST API (together with JSF in the web layer)? Or is there a better way?
Spring MVC Controllers will work fine, but I would recommend going with RestEasy or Jersey. I find them to be more flexable.
I agree with #mad_fox. Additionally, i want to add another option regarding your question#2. If you dont want to use Spring security, you can write your own token based authentication mechanism using spring and basic java interceptors.
You can store the token in your browser local storage.
I just developed a simple restful web service by using Spring 4.0 and Hibernate 4.0, so it is without beans.xml file.
I would like to implement a Spring Security on the web service, since the roles will be performed on the HTTP functions GET, POST and DELETE, i.e. only admin who is allowed to DELETE, manager is allowed to do both POST and GET and the user can only GET data.
I'm looking for a detailed tutorial with example to implement Spring Security? or Do you think there is an easier security mechanism regardless it's strength?
I just found that they in Spring.io added a detailed tutorial with real example developed by Java 8 in their own website, so it is completely annotation-based, which helps for building a RESTful webservice with Spring, testing it and also securing it.
It is really awesome, located HERE
I am implementing a Spring Data REST based app and I would like to know if there is an elegant way to implement authentication and authorization rules using this framework or related frameworks.
All HTTP requests to the REST server must carry authentication headers, I need to check them and decide to authorize or not based on the HTTP method and the association of the authenticated user with the resource being requested. For example, (the app is the REST server of an e-learning system), the instructors can access only their own course sections, students can access only the courses sections they are subscribed, etc.
I would like to know if there is a default way to implement authorization in Spring Data REST. If the answer is no, could you make a suggestion for my issue? I am thinking about:
Servlet Filters
Spring Security
Spring Data REST Handlers (how to access the HTTP headers?)
The best bet for you is Spring Security.
That would help you achieve authorization is much simpler manner.
Spring Security would require you an implementation that looks at request headers and performs the log-in operation programmatically.
Refer the accepted answer here.. I had followed the same and implemented the security layer in front of my rest services ( which were build using RestEasy )
RESTful Authentication via Spring
There is an alternate method as well..
Refer
http://www.baeldung.com/spring-security-authentication-provider
In both cases you can disable the session creation by declaring the stateless authentication in spring security, this would help you improve the performance considerably when large volume of hits are made to the state-less REST services..