I am implementing a Spring Data REST based app and I would like to know if there is an elegant way to implement authentication and authorization rules using this framework or related frameworks.
All HTTP requests to the REST server must carry authentication headers, I need to check them and decide to authorize or not based on the HTTP method and the association of the authenticated user with the resource being requested. For example, (the app is the REST server of an e-learning system), the instructors can access only their own course sections, students can access only the courses sections they are subscribed, etc.
I would like to know if there is a default way to implement authorization in Spring Data REST. If the answer is no, could you make a suggestion for my issue? I am thinking about:
Servlet Filters
Spring Security
Spring Data REST Handlers (how to access the HTTP headers?)
The best bet for you is Spring Security.
That would help you achieve authorization is much simpler manner.
Spring Security would require you an implementation that looks at request headers and performs the log-in operation programmatically.
Refer the accepted answer here.. I had followed the same and implemented the security layer in front of my rest services ( which were build using RestEasy )
RESTful Authentication via Spring
There is an alternate method as well..
Refer
http://www.baeldung.com/spring-security-authentication-provider
In both cases you can disable the session creation by declaring the stateless authentication in spring security, this would help you improve the performance considerably when large volume of hits are made to the state-less REST services..
Related
i have a spring boot application that provides an API consumed by a frontend app (CRUD operation). This spring boot app is based on oauth2.0 authentication standard to verify the JWT access token received in the header of each API against an authorization server. I want to provide another API to be consumed by a backend (M2M usage). This API will rely on same database (same entities) but it will be slightly different (only Read operations are allowed here and responses contain more fields). Also this new API will rely on an another authorization server to verify the JWT token.
Firstly, i was thinking to provide both API with the same spring boot application, but it looks like it will a hack to support both (for instance issuer uri of the token are diferent, port can be different, path of API are different..).
So, I'm now thinking to separate the 2 APIS into 2 different spring boot application, so that the apps are isolated by nature, but i'm not sure it's a good practice at the end? For instance, what about the concurrency issues that can occur with such design ? In the opposite, can i build easily teh 2 spring boot apps that share the same code repo (some code should be common for both apps). Those are the questions i have, so any suggestion will be appreciated.
You can try with multiple authentication providers. Example given in following -
Java Spring Security config - multiple authentication providers
I wanna refactor a monolithic spring boot application basically a web app with login and functionalities for customers. We already have a Security implementation which works with a session id stored as a cookie but I dont have much knowledge about it at all and im completetly new to this topic. It seems JWT is a better solution for Microservices because of an independent authentication service.
So my questions are:
is it alot of work to create a JWT authentication service and exchange the session id implemenation? (since im doing it for my bachelor thesis and have a clear deadline)
can I stay at the session ids while using microservices?
are there maybe other ways to implement authentication?
is it alot of work to create a JWT authentication service and exchange
the session id implemenation? (since im doing it for my bachelor
thesis and have a clear deadline)
This question is hard to answer, as it depends how tightly coupled your particular implementation is. It's certainly not trivial.
can I stay at the session ids while using microservices?
Yes, but you need to figure out how to federate sessions across the microservices (i.e. how to get the information in the session from one service to the other). Overall, this represents a risk of tight coupling between services, so I'd recommend treating this as a transitionary step only.
are there maybe other ways to implement authentication?
As many as the day is long. That being said, without specific reason to do otherwise, I generally prefer to stick to the middle of the road.
Typical user sessions is not recommended in microservices.You should use Stateless architecture and tokens (Tokens stored in database or JWT).
It's better to use Spring Boot OAuth2.
You should implement an Authorization server and Resource servers with Spring Boot.
Authorization server:
Choose the token storage method (JWT,Jdbc,...)
Configure client details
Add a RESTful Api for user info or enable /oauth/check_token api.(Called by Resource servers)
Resource servers:
Set user-info-uri or token-info-uri in Spring boot OAuth2 properties.
Extends ResourceServerConfigurerAdapter class for securing url mappings.
I am developing a RESTful web service as a back-end layer for mobile application. This service receives combination of device id (as user id) an a pin (as password), and passes to another back-end service, that validates and returns the status of successful login along the user information, in case, the user is authorized. My service is not validating the user. And mobile sends sub sequent requests to my RESTful service.
So, please suggest, how can I make all this system(especially the RESTful) secured, using Spring security.
I am using a Tomcat server, Spring and Jersey
I recently implemented a method to secure my existing RESTful APIs in Spring. I have used a token based authentication model using OAuth2. In my project, I wanted to secure my API's in a way that every request is individually authenticated and authorised based on the token present in the header. If this is something you are looking for, then I would highly recommend you to take a look at the documentation here. If there is anything you are stuck at while implementing it. Please do let me know.
Also, you can find multiple projects for Spring and OAuth here
Developed Rest API using Java/Spring MVC
Can we provide authentication for RestAPI? If yes, How?
Now I am struggling with authentication for RestApi. Can anyone send some examples regarding the same.
Accessing rest API through AJAX request.
Since you are already using Spring, you can use Spring security to provide security related functionality. This can give you one stop solution for your security needs. Common security mechanisms for Rest API's (basic, digest) and features are supported out of box and it's very easy to add your custom security too. For a start tutorial you can have a look here
I have a Spring MVC application that uses Spring Security to handle user login authentication, which works fine.
Now I want to add some Ember.js and Angular.js code to the HTML pages that accesses the Spring RESTful web services (which just return JSON data).
How do I bind the user login authentication to the authentication for the RESTful web services? In other words, I want to make it so that the RESTful web services can only be accessed once a user has logged in. That way, the Angular.js and Ember.js libraries can access these RESTful web services securely from my user pages only without anyone else being able to directly call them.
I read on one other post that Spring Security was never meant to be used with a full Ajax framework, is that true? I hope this is not the case. I'd imagine that this type of thing must be pretty common now as there are so many AJAX client side frameworks that work based off accessing a JSON/RESTful API.
It is certainly not true that Spring Security was never meant to be or cannot be used in AJAX applications. I have two applications in production that use Spring Security as well as AJAX and more applications under development with the same mix.
If you are going to use EmberJS or AngularJS in an existing web application with Spring Security working, you should not face too many problems if you simply add the JavaScript library to your project. This is because once your users are authenticated, any normal HTTP requests will be treated as authenticated as well because the browser will ensure that session information is passed back and forth using cookies or URL parameters, as appropriate. You can see one of my working examples on Github for Spring Security and EmberJS integration.
The only thing you may need to worry about is CSRF tokens for form submissions using AJAX. The latest Spring Security documentation has a small section dedicated to this so you should not face too many problems getting that to work either. However, I would like to clarify that this particular issue is not specific to Spring Security. CSRF protection typically involves including a secure, randomly generated token with every HTTP POST request. The challenge arises from making existing JavaScript libraries aware of this token and how it should be included in HTTP POST requests. This would be a challenge in any application, not just those using Spring Security.
If however you will work with stateless clients, such as, mobile devices, you will be unable to rely on the default Spring Security mechanism of storing the user credentials in HTTP Session because HTTP requests will not have information to tie them to a session. This again is not specific to a Spring or Spring Security application because the constraint is imposed by the nature of the client and the client-server communication rather than any server-side technology. In such circumstances you will need to pass some authentication token in the HTTP headers for the application to maintain security state on the server side. I have a working example for this as well. If you need more details, there are articles on the web that explain how to do something like this with Spring Security.